Configure web-tier authentication with Integrated Windows Authentication and PKI

When using Active Directory to authenticate users, you can use a public key infrastructure (PKI) to secure access to ArcGIS Server.

To use Integrated Windows Authentication and PKI, you must use ArcGIS Web Adaptor (IIS) deployed to Microsoft's IIS web server. You cannot use ArcGIS Web Adaptor (Java Platform) to perform Integrated Windows Authentication. If you haven't done so already, install and configure ArcGIS Web Adaptor (IIS) with your ArcGIS Server site.

Note:

If you want to federate your ArcGIS Server site with a portal and want to use Active Directory and PKI with the server, you'll need to disable PKI-based client certificate authentication on your ArcGIS Server site and enable anonymous access before federating it with the portal. Although it may sound counterintuitive, this is necessary so that your site is free to federate with the portal and read the portal's users and roles. You can then configure Active Directory and PKI with the portal.

Configure your server with Active Directory

Configure ArcGIS Server security to use Active Directory users and roles

To support Integrated Windows Authentication, configure ArcGIS Server to retrieve users and roles from a Windows Active Directory server.

  1. Open Manager and log in as the primary site administrator. You must use the primary site administrator account. If you need help with this step, see Log in to Manager.
  2. Click Security > Settings.
  3. Click the Edit button next to Configuration Settings.
  4. On the User and Role Management page, choose the Users and roles in an existing enterprise system (LDAP or Windows Domain) option and click Next.
  5. On the Enterprise Store Type page, choose the Windows Domain option and click Next.
  6. On the Windows Domain Credentials page, provide the credentials for an account that has permissions to determine the groups in which users reside. Click Next.
    Note:

    It is recommended that you specify an account with a password that does not expire. If this is not possible, you'll need to repeat the steps in this section each time the password is changed.

  7. On the Authentication Tier page, choose Web Tier.
  8. Review the summary of your selections. Click Finish to apply and save the security configuration.

Review users and roles

After configuring an Active Directory domain as the user and role store, review the users and roles to make sure they were retrieved correctly. To add, edit, or delete users and roles, you need to use the tools available on the Active Directory server.

  1. In Manager, click Security > Users.
  2. Verify users have been retrieved as expected from the Windows domain server. If Active Directory has multiple domains, users from the domain that the GIS server machine belongs to are displayed. To view users from other domains, provide the search string [domain name]\ in the Find User field and click the Search button.
  3. Click Roles to review roles retrieved from the Windows domain server. If Active Directory has multiple domains, roles from the domain that the GIS server machine belongs to are displayed. To view roles from other domains, provide the search string [domain name]\ in the Find Role field and click the Search button.
  4. Verify the roles have been retrieved as expected.

Configure administrator and publisher privileges for Active Directory users

Out of the box, ArcGIS Server only allows the primary site administrator access to the server. If you'll be using Active Directory users to administer ArcGIS Server or publish services, you need to follow the steps below.

  1. In ArcGIS Server Manager, click the Security tab and open the Users page.
  2. Using the Find User tool, locate the user to whom you want to assign administrator or publisher privileges. Review the roles of which this user is a member and choose the role that will be assigned administrator or publisher privileges.
  3. Open the Roles page and use the Find Role tool to locate the role chosen in the previous step.
  4. Click the Edit button next to the role.
  5. For the Role Type parameter, choose either Publisher or Administrator.
  6. Click Save to apply your changes.

Install and enable Active Directory Client Certificate Mapping Authentication

Active Directory Client Certificate Mapping is not available in the default installation of IIS. You must install and enable the feature.

Install Client Certificate Mapping Authentication

The instructions for installing the feature vary according to your operating system.

Windows Server 2016

  1. Open Administrative Tools and click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles and click Web Server (IIS).
  3. Expand the Web Server and Security roles.
  4. In the Security role section, select Client Certificate Mapping Authentication and click Next.
  5. Click Next through the Select Features tab and click Install.

Windows Server 2008 R2 and 2012/R2

  1. Open Administrative Tools and click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles and click Web Server (IIS).
  3. Scroll to the Role Services section and click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, select Client Certificate Mapping Authentication and click Next.
  5. Click Install.

Windows 7, 8, and 8.1

  1. Open Control Panel and click Programs and Features > Turn Windows Features on or off.
  2. Expand Internet Information Services > World Wide Web Services > Security and select Client Certificate Mapping Authentication.
  3. Click OK.

Enable Active Directory Client Certificate Mapping Authentication

After you install Active Directory Client Certificate Mapping, enable the feature by following the steps below.

  1. Start Internet Information Services (IIS) Manager.
  2. In the Connections node, click the name of your web server.
  3. Double-click Authentication in the Features View window.
  4. Verify that Active Directory Client Certificate Authentication is displayed. If the feature is not displayed or is unavailable, you may need to restart your web server to complete the installation of the Active Directory Client Certificate Authentication feature.
  5. Double-click Active Directory Client Certificate Authentication and choose Enable in the Actions window.

A message displays indicating that SSL must be enabled to use Active Directory Client Certificate Authentication. You'll address this in the next section.
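The install and enable steps above can also be scripted and checked from an elevated PowerShell prompt on the web server. This is an added example, not Esri's or Microsoft's own tooling; it assumes the standard IIS role-service name Web-Client-Auth (Client Certificate Mapping Authentication) on Windows Server and the optional-feature name IIS-ClientCertificateMappingAuthentication on client editions, and uses only the WebAdministration module that ships with IIS.

```powershell
# Added example (not from the original page): install and enable Active Directory
# Client Certificate Mapping Authentication at the server level, then read it back.
# Run from an elevated PowerShell prompt on the IIS machine hosting the Web Adaptor.
Import-Module WebAdministration

if (Get-Command Install-WindowsFeature -ErrorAction SilentlyContinue) {
    # Windows Server 2012 / 2012 R2 / 2016. On Windows Server 2008 R2 use
    # "Import-Module ServerManager; Add-WindowsFeature Web-Client-Auth" instead.
    $result = Install-WindowsFeature -Name 'Web-Client-Auth'
    if (-not $result.Success) { throw 'Failed to install Client Certificate Mapping Authentication' }
} else {
    # Windows 8 / 8.1 client editions expose the same role service as an optional feature.
    Enable-WindowsOptionalFeature -Online -NoRestart `
        -FeatureName 'IIS-ClientCertificateMappingAuthentication' | Out-Null
}

# The AD mapping section lives in applicationHost.config and is locked there by default,
# so enable it at the APPHOST level (what IIS Manager does when you click Enable).
$appHost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'
Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name enabled -Value $true

# Verify. A $false here after a fresh install usually means IIS has not yet loaded the
# new module; restart the web server (iisreset) and run this block again.
$enabled = (Get-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name enabled).Value
if (-not $enabled) { throw 'Active Directory Client Certificate Mapping Authentication is still disabled' }
"Active Directory Client Certificate Mapping Authentication enabled: $enabled"
```

Because the setting is written at the server level, it applies to every site on the machine; the per-site SSL and client-certificate requirement is configured separately on the Web Adaptor site.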

Configure ArcGIS Web Adaptor to require SSL and client certificates

  1. Start Internet Information Services (IIS) Manager.
  2. Expand the Connections node and select your Web Adaptor site.
  3. Double-click Authentication in the Features View window.
  4. Disable all forms of authentication.
  5. Select your ArcGIS Web Adaptor from the Connections list again.
  6. Double-click SSL Settings.
  7. Enable the Require SSL option, and choose the Require option under Client certificates.
  8. Click Apply to save your changes.
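The same eight steps expressed as configuration, so the result can be reviewed and re-applied consistently. This is an added example rather than anything from the original page; it assumes the Web Adaptor is installed as the application "arcgis" under "Default Web Site" (adjust $location) and that the authentication sections are locked at the applicationHost.config level, which is the IIS default.

```powershell
# Added example (not from the original page): put the Web Adaptor application into
# "SSL required + client certificate required, no other authentication" and read it back.
Import-Module WebAdministration

$appHost  = 'MACHINE/WEBROOT/APPHOST'
$location = 'Default Web Site/arcgis'   # assumed site/application hosting the Web Adaptor

# Step 4: disable every authentication method on the Web Adaptor. The client certificate
# mapped to an Active Directory account becomes the only way to authenticate.
$authModes = 'anonymousAuthentication', 'basicAuthentication',
             'digestAuthentication',    'windowsAuthentication'
foreach ($mode in $authModes) {
    # These sections are locked in applicationHost.config, so write them there with
    # -Location instead of into the application's own web.config.
    Set-WebConfigurationProperty -PSPath $appHost -Location $location `
        -Filter "system.webServer/security/authentication/$mode" -Name enabled -Value $false
}

# Step 7: Require SSL and Client certificates = Require, i.e. sslFlags "Ssl,SslRequireCert".
# (SslNegotiateCert would only *accept* a certificate; SslRequireCert rejects requests without one.)
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslRequireCert'

# Read everything back and fail loudly on any drift from the intended state.
$access = Get-WebConfiguration -PSPath $appHost -Location $location -Filter 'system.webServer/security/access'
if ("$($access.sslFlags)" -notmatch 'SslRequireCert' -or "$($access.sslFlags)" -notmatch '\bSsl\b') {
    throw "Unexpected sslFlags on ${location}: $($access.sslFlags)"
}
foreach ($mode in $authModes) {
    $on = (Get-WebConfigurationProperty -PSPath $appHost -Location $location `
            -Filter "system.webServer/security/authentication/$mode" -Name enabled).Value
    if ($on) { throw "$mode is still enabled on $location" }
}
"$location now requires SSL and a client certificate, with all other authentication disabled."
```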

Verify you can access the site using Active Directory and PKI

  1. Open the services directory. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/rest/services.
  2. Verify that you are prompted for your security credentials and can access the website.
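A scripted version of this check, as an added example that is not part of the original page, confirms both halves of the configuration: a request with no certificate must be refused, and a request that presents the logged-on user's PKI certificate must reach the services directory. It assumes the URL format shown above, that the certificate is in the current user's personal store (as a smart-card or enrolled PKI certificate normally is), and Windows PowerShell on a domain-joined client that trusts the server's SSL certificate.

```powershell
# Added example (not from the original page): verify the Web Adaptor enforces
# client-certificate authentication. Assumed URL; replace with your own.
$url = 'https://webadaptorhost.domain.com/webadaptorname/rest/services?f=json'

# 1. With no certificate the request must be rejected. IIS answers 403 (substatus 403.7,
#    "Client certificate required") when sslFlags includes SslRequireCert.
$status = $null
try {
    $r = Invoke-WebRequest -Uri $url -UseBasicParsing
    $status = [int]$r.StatusCode
} catch {
    if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode } else { throw }
}
if ($status -ne 403) { throw "Expected 403 without a client certificate, got $status (SSL settings not enforced?)" }
"Request without a certificate correctly rejected with HTTP $status"

# 2. With the user's client-authentication certificate the services directory must load.
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and
                       $_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication' } |
        Select-Object -First 1
if (-not $cert) { throw 'No client-authentication certificate with a private key found in Cert:\CurrentUser\My' }

$resp = Invoke-WebRequest -Uri $url -Certificate $cert -UseBasicParsing
if ($resp.StatusCode -ne 200) { throw "Expected 200 with certificate $($cert.Subject), got $($resp.StatusCode)" }

# The REST root returns JSON with "folders" and "services" arrays when access is granted.
$json = $resp.Content | ConvertFrom-Json
"Authenticated with $($cert.Subject): $($json.services.Count) services, $($json.folders.Count) folders visible"
```

If the first request is not rejected, re-check the SSL Settings on the Web Adaptor site rather than the certificate; if the second request fails with 403 even though a certificate was sent, confirm the certificate maps to an Active Directory account and that Active Directory Client Certificate Authentication is enabled at the server level.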