topic Re: Active Directory Roles - Administrators in ArcGIS Enterprise Questions

Active Directory Roles - Administrators

BrianLeroux — Tue, 10 Jul 2012 17:34:51 GMT

I am trying to set up my initial roles in 10.1 using an Active Directory role store. I logged in as the PSA and serched for a AD group that I am in and gave it Administrative rights. I log out of manager and try to log in with my domain account and get "You must enter an account that is a member of either the Administrator or Publisher roles for this site." I tried using domain\UserName with the same result. I also tried giving this role access to the entire site. Any Ideas why I can't log into manager using an AD Role?

Additional info:
ArcGIS Server 10.1, IIS 7, & Web Adaptor all installed on same server. I have the default services running and can set security on the services using Active Directory Roles.

Re: Active Directory Roles - Administrators

PF1 — Tue, 10 Jul 2012 18:26:59 GMT

What is handling the authentication? Is it set to 'web tier' or 'GIS server'?

Did you configure the user/role store for 'Windows Domain' or 'LDAP'?

Did you change any authentication paramaters on the IIS->Default Web Site->arcgis (like disabling anonymous and enabling windows authentication)

Also - did you configure the web-adaptor after you configured security in the GIS 'site'? If so did you check the box allowing users to manage the site through the web-adaptor?

Some of those answers might help solve your problem.

Re: Active Directory Roles - Administrators

BrianLeroux — Tue, 10 Jul 2012 18:39:05 GMT

Thanks for the reply.
I am using the Web Tier Authentication.

The User/Role Store is set to Windows Domain.

I made the following changes on IIS. I wasn't able to access any service until I made these changes:
- Disable Anonymous access to the 'arcgis' virtual directory
- Enable Windows Authentication in the 'arcgis' virtual directory
- Move 'NTLM' to the top of the list or Providers
- Restart IIS

I did configure the web adapter after we set up security on the GIS Site. I did this while I was using an ArcGIS role store. After switching to AD I no longer have access to the Web Adaptor. I get a 403 Forbidden Access. It seams like this is happening because the server thinks I am not an Admin anymore. I did allow management through the web adaptor.

Re: Active Directory Roles - Administrators

PF1 — Tue, 10 Jul 2012 18:53:49 GMT

Thanks for the reply.
I am using the Web Tier Authentication.

The User/Role Store is set to Windows Domain.

I made the following changes on IIS. I wasn't able to access any service until I made these changes:
- Disable Anonymous access to the 'arcgis' virtual directory
- Enable Windows Authentication in the 'arcgis' virtual directory
- Move 'NTLM' to the top of the list or Providers
- Restart IIS

I did configure the web adapter after we set up security on the GIS Site. I did this while I was using an ArcGIS role store. After switching to AD I no longer have access to the Web Adaptor. I get a 403 Forbidden Access. It seams like this is happening because the server thinks I am not an Admin anymore. I did allow management through the web adaptor.

You will need to re-configure your web-adaptor to recongnize the shared key that you provided when you chose to authenticate at the web-tier. Can you login to the web-server (where IIS is running) and access this page in a browser: http://localhost/arcgis/webadaptor

Rember that the 'Administrator Username' is the Primary administrator user (not the service account that was created on the local box or in your existing AD).

If you've lost the shared key you can re look that up by going to the rest page: http://localhost:6080/arcgis/admin/security/config

You will be prompted for credentials and you can use your primary site administrator if you havn't disabled it yet.

Hopefully that will help out. I've spent the past week mucking with different security models and have had very very poor performance when using the 'web tier' for authentication. See another thread I've started here: http://forums.arcgis.com/threads/61813-Intermittent-slow-performance-accessing-rest-page

I would be interested in knowing if you have similar performance issues once you get your web tier authentication working properly.

HTH

Re: Active Directory Roles - Administrators

BrianLeroux — Tue, 10 Jul 2012 19:02:31 GMT

You will need to re-configure your web-adaptor to recongnize the shared key that you provided when you chose to authenticate at the web-tier. Can you login to the web-server (where IIS is running) and access this page in a browser: http://localhost/arcgis/webadaptor

Rember that the 'Administrator Username' is the Primary administrator user (not the service account that was created on the local box or in your existing AD).

If you've lost the shared key you can re look that up by going to the rest page: http://localhost:6080/arcgis/admin/security/config

You will be prompted for credentials and you can use your primary site administrator if you havn't disabled it yet.

Hopefully that will help out. I've spent the past week mucking with different security models and have had very very poor performance when using the 'web tier' for authentication. See another thread I've started here: http://forums.arcgis.com/threads/61813-Intermittent-slow-performance-accessing-rest-page

I would be interested in knowing if you have similar performance issues once you get your web tier authentication working properly.

HTH

I am not sure the web adapter configuration is an issue as I had it set to web tier when using the arcgis role store and am using now that i switched to AD. I also used the exact same password when I changed it. However I will give it a try just in case.

GIS setup is much simpler than yours so I am not sure how much I will be able to help in the way of performance but I would be glad to share my experience once I am up and running.

Re: Active Directory Roles - Administrators

BrianLeroux — Wed, 11 Jul 2012 11:40:33 GMT

I reconfigued the web adaptor and still no luck. As it stands when I am set to use users & Roles from Windows Active Directory I am not able to log in to manager with a domain account after making a AD group Admins on the GIS server. I have tried going through the web adaptor and directy to the server at port 6080. Any other suggestions are appreciated.

Update- When using ArGIS Admin Users - Security - Get Privileges I enter my user name and is shows me only as having ACCESS and not Administer even know I made a AD group I am in an Administrative group. When I check Privileges on the group I am in it shows the Access level as Administer. Stumped...

Re: Active Directory Roles - Administrators

BrianLeroux — Mon, 16 Jul 2012 17:33:53 GMT

Well I have made some progress diagnosing the issue. I was able to succesfully log into ArcGIS Server Manasger with one of my windows domain accounts. The domain account that worked is only a part of 4 groups none of which are within nested groups. My account that does not work is in groups that are nested. When I look at how many groups that I am ultimately part of it, is around 130. This leadsme to belive ArcGIS Server has a probelm with nested groups or it has a limit on how many groups a user can be part of. Anyone else having similar issues?

Re: Active Directory Roles - Administrators

PF1 — Tue, 17 Jul 2012 22:06:01 GMT

Well I have made some progress diagnosing the issue. I was able to succesfully log into ArcGIS Server Manasger with one of my windows domain accounts. The domain account that worked is only a part of 4 groups none of which are within nested groups. My account that does not work is in groups that are nested. When I look at how many groups that I am ultimately part of it, is around 130. This leadsme to belive ArcGIS Server has a probelm with nested groups or it has a limit on how many groups a user can be part of. Anyone else having similar issues?

I can confirm this issue for us. We are using Windows user/role store with GIS Server authentication.

My 1 of my AD accounts work just fine (who is an administrator, and in less than 5 AD groups).

One of my other AD accounts is splattered in 15-20 AD groups and is also part of sub-groups. I was going to use my second account as a publisher to test that functionality.

I added one of my co-workers who is part of many many many AD groups (with sub-groups) and it taks over 5 minutes to do anything through manager

We attributed this to the 'publisher role' originally, thinking that is what was slowing it down. I added his account (and my second account) to the administrators role and it is still awfully slow.

We added the AD service account as a publisher and it runs very fast. We also changed that account to be an administrator and it also runs very fast! This account is not part of any AD roles at the moment (and was only added to the 1 role when trying it as a publisher or administrator).

I would agree that there seems to be a major performance issue when traversing a large AD tree where users are in many groups and there are sub-groups involved.

The good news: we found a great fix that we like better so far.

We've now configured the security of the site the following:

User Store: Windows Domain

Role Store: ArcGIS Server Built-in

Auth. Tier: GIS Server

Auth. Mode: ArcGIS Tokens

So far this seems to have solved our performance issues as both a user consuming the services (anonymous) and as either a publisher or administrator. This also allows us to control our groups/roles without having to involve the operational IT staff that have control over AD so I think this will work better than having the role store in the windows domain.

I'm wondering if this is also why we experienced slow performance issues when doing web-tier authentication as I've described here: http://forums.arcgis.com/threads/61813-Intermittent-slow-performance-accessing-rest-page

I might try to re-configure the site to do web-tier authentication, but leave the role store with the ArcGIS Server Built-in.

Re: Active Directory Roles - Administrators

BrianLeroux — Wed, 18 Jul 2012 11:29:52 GMT

I can confirm this issue for us. We are using Windows user/role store with GIS Server authentication.

My 1 of my AD accounts work just fine (who is an administrator, and in less than 5 AD groups).

One of my other AD accounts is splattered in 15-20 AD groups and is also part of sub-groups. I was going to use my second account as a publisher to test that functionality.

I added one of my co-workers who is part of many many many AD groups (with sub-groups) and it taks over 5 minutes to do anything through manager

We attributed this to the 'publisher role' originally, thinking that is what was slowing it down. I added his account (and my second account) to the administrators role and it is still awfully slow.

We added the AD service account as a publisher and it runs very fast. We also changed that account to be an administrator and it also runs very fast! This account is not part of any AD roles at the moment (and was only added to the 1 role when trying it as a publisher or administrator).

I would agree that there seems to be a major performance issue when traversing a large AD tree where users are in many groups and there are sub-groups involved.

The good news: we found a great fix that we like better so far.

We've now configured the security of the site the following:

User Store: Windows Domain

Role Store: ArcGIS Server Built-in

Auth. Tier: GIS Server

Auth. Mode: ArcGIS Tokens

So far this seems to have solved our performance issues as both a user consuming the services (anonymous) and as either a publisher or administrator. This also allows us to control our groups/roles without having to involve the operational IT staff that have control over AD so I think this will work better than having the role store in the windows domain.

I'm wondering if this is also why we experienced slow performance issues when doing web-tier authentication as I've described here: http://forums.arcgis.com/threads/61813-Intermittent-slow-performance-accessing-rest-page

I might try to re-configure the site to do web-tier authentication, but leave the role store with the ArcGIS Server Built-in.

Thanks for the info Patrick. Our initial configuration was using the Windows Domain for users and ArcGIS Built-In Role Store with Web Tier authentication. The performance was good but I wasn't doing much besides logging in and configuring ther server.

Unfortunately, this configuration did not meet my requirements as far as user maintenance is concerned. I need a config that would allow/revoke user access when they are added/removed to a group in AD. We will have over 1,500 users that change on a continuous basis and it would be a lot of effort to manage manually. Alos, our IT department wants full control over user access for auditing reasons.

I have a support ticket open with ESRI and they are researching the issue. If there is no resolution by next week I will discuss with ESRI during the UC next week.

Re: Active Directory Roles - Administrators

troyturcott — Wed, 12 Sep 2012 19:40:52 GMT

Mr. Leroux,

I have analogous user maintenance requirements.
Did opening your support ticket get any help toward resolving the issue with traversing complex & nest AD groups?
This is two months after your post and based on what I'm experiencing and reading about, ArcGIS Server 10.1 with AD/integrated security "is not" ready for "prime-time"...

Any thoughts?

Thanks,

JT

Re: Active Directory Roles - Administrators

BrianLeroux — Thu, 13 Sep 2012 15:32:15 GMT

JT-
I am still working with ESRI to resolve my issue. We have made some progress in the troubleshooting process but have not pinned down a solution to my issue. Our "normal" AD users are created by a provisioning job and that seems to be the root cause of the issue. I was able to verify this by duplicating my account to create a test account which all of the same permissions. This new test account allows me to admin the server while my regular account that was created with our provisioning jobs will not.

So to you question, is ArcGIS Server 10.1 with AD/integrated security ready for "prime-time"?, I can't honest say yes or no until I find the cause of my issues. I can say that I do not have any issues with user security at the service level and Administration works fine when using an account that does not use our provisioning process. Once I get this issue resolved I will definately post back here with more details.

Re: Active Directory Roles - Administrators

JonathanBailey — Wed, 13 Feb 2013 13:40:15 GMT

Hi Brian,

Did you ever resolve this issue with Esri?

Thanks,

Jon.

Re: Active Directory Roles - Administrators

BrianLeroux — Wed, 13 Feb 2013 15:02:00 GMT

Yes. It turns out there was an existing bug in 10.1 that did not allow a comma in a users full name. This was fixed in SP1.

Re: Active Directory Roles - Administrators

PF1 — Wed, 13 Feb 2013 16:05:14 GMT

Yes. It turns out there was an existing bug in 10.1 that did not allow a comma in a users full name. This was fixed in SP1.

Did you have performance issues when using AD Groups before SP1? Wondering if that solved our performance issues with AD groups/roles. We had major performance impacts with users that were either in many AD groups or nested (sub) groups.

Re: Active Directory Roles - Administrators

BrianLeroux — Wed, 13 Feb 2013 19:13:49 GMT

Did you have performance issues when using AD Groups before SP1? Wondering if that solved our performance issues with AD groups/roles. We had major performance impacts with users that were either in many AD groups or nested (sub) groups.

Yes i had performance issues before SP1 but they persisted through the service pack upgrade. it turned out that the account apply the configuration settings was a user account that was a part of many nested groups casuing a major slowdown in the authentication process. We switched the domain account the server runs as which is only part of a very small amount of groups. The performance after making that change was significantly better.

Re: Active Directory Roles - Administrators

MuneerMajid — Thu, 07 Mar 2013 14:18:19 GMT

We have been experiencing similar issues for a while.. We have currently installed 10.1 on a Test Server but plan to roll it into production to replace our existing 10.0 ArcGIS Server by the month of May. But I guess we aren't making the deadlines because of the performance issues..

Local browsing to 10.1 Services whether with ArcCatalog or with IE is pretty fast on the Server itself, however as soon as you go to a client machine and pass the intranet + the Company Active Directory Groups, the performance is agonizingly slow.. And this is only while browsing through the ArcGIS Server Folder/Directories, direct URL's to any of our map services work just fine within out client applications..

We have been working with ESRI Tech Support for the last two weeks, but nothing productive has come up yet. Any suggestions here?

Regards,
Muneer Majid
Spatial & GIS Analyst
Chevron Energy Technology Company

Re: Active Directory Roles - Administrators

BrianLeroux — Thu, 07 Mar 2013 15:32:33 GMT

Hi Muneer,

We still have permormance issues but at this point it is limited to when we are managing the server. Publishing and updating services from ArcMap is very slow. Also connecting to Server Manager is very slow. However, performance is not an issue for us when consuming serivces in our Web Maps or ArcMap. Also browsing the srvices directory is fine.

We initially had perfomance issues that was resolved by changing the the domain account used to configure the server security. We initally used an admin's personal account which was a part of many nested groups. Changing this to the domain group used by the server sped things up considerably and is most likely because the number of groups this account is a memeber of is very limited (<5).

Re: Active Directory Roles - Administrators

MuneerMajid — Thu, 07 Mar 2013 18:51:30 GMT

Thanks for the information Brian..

We pretty much have the same issues that you are experiencing.. Additionally, browsing the directories is also very slow for us.. We are also using a domain Service Account and that one isnt a part of a number of nested groups..

We just finished another working sessions with ESRI Tech Support, and we tried out a number of suggestions one of which was Enabling the Kernel Mode but nothing really has helped so far.

Re: Active Directory Roles - Administrators

PF1 — Sat, 09 Mar 2013 19:36:34 GMT

We have been experiencing similar issues for a while.. We have currently installed 10.1 on a Test Server but plan to roll it into production to replace our existing 10.0 ArcGIS Server by the month of May. But I guess we aren't making the deadlines because of the performance issues..

Local browsing to 10.1 Services whether with ArcCatalog or with IE is pretty fast on the Server itself, however as soon as you go to a client machine and pass the intranet + the Company Active Directory Groups, the performance is agonizingly slow.. And this is only while browsing through the ArcGIS Server Folder/Directories, direct URL's to any of our map services work just fine within out client applications..

We have been working with ESRI Tech Support for the last two weeks, but nothing productive has come up yet. Any suggestions here?

Regards,
Muneer Majid
Spatial & GIS Analyst
Chevron Energy Technology Company

What is your config setting for user and role store? Built in or windows domain? Or hybrid?

Re: Active Directory Roles - Administrators

MuneerMajid — Mon, 11 Mar 2013 14:09:13 GMT

Hi Pat,

We have been using Windows Domain all along.. We did try switching to Build in which worked relatively faster, but we cannot use that security model on our Production Domain.

-Muneer