Allow ArcGIS Server to Authenticate and Authorize users across an Active Directory Forest Trust

05-21-2014 03:32 PM | Status: Open | by PF1 (Occasional Contributor II)

Many organizations use the Microsoft Active Directory (AD) product as their user identity store (name, info, password), to authenticate those users' credentials (verify they provided the correct credentials) and then subsequently authorize those users to perform various actions (based on role or group membership).

The Esri ArcGIS Server 10.2 release started working with multiple domains inside 1 AD forest. I can have users in different domains authenticate and be authorized to GIS resources with 1 deployment of the Esri ArcGIS Server 'site'.

Large organizations oftentimes build 'forest trusts' between different Active Directory deployments. This allows organizations to authenticate and subsequently authorize users from different corporate identity stores to access resources within the organization's control without having to establish an Identity Life Cycle Management process with those other identities.

Many 3rd party products that use 'Windows Domain' based authentication/authorization schemes support Active Directory forest trust models out of the box. It appears that Esri ArcGIS Server completely ignores the trust. The web-tier (web-adaptor) can be configured to authenticate users across an AD trust (for example, using Integrated Windows Authentication). The ArcGIS Server that handles the authorization (what service the user is allowed access to) does not know what to do with users that are in the trusted AD forest. The only alternative I see is to build a custom identity provider that queries all domains within each forest, which is not really an out of the box solution.

Thanks for the consideration.  
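Before blaming the application tier, it helps to confirm that the trust really has the shape described above: that it exists, points the intended way, is a forest (not external) trust, and that partner users' groups can actually be resolved from the ArcGIS Server side. The script below is an added example, not code from the original post or from Esri; it is meant to be run on a domain-joined machine in the forest hosting ArcGIS Server (the trusting forest), and the names partner.example and jdoe are assumptions.

```powershell
# Added example (not from the original post or from Esri). Assumed names:
# 'partner.example' is the external partner forest, 'jdoe' a partner test user.
# Requires the RSAT ActiveDirectory module on the trusting (ArcGIS Server) side.
Import-Module ActiveDirectory

$partnerForest = 'partner.example'   # assumption: the trusted (external) forest
$testUser      = 'jdoe'              # assumption: a partner user for a lookup test

# 1. Is there a trust object for the partner forest at all?
$trust = Get-ADTrust -Filter "Name -eq '$partnerForest'"
if (-not $trust) {
    throw "No trust object for $partnerForest in this forest; authentication cannot cross."
}

# 2. Direction is reported from this forest's point of view:
#    Outbound      = this forest trusts the partner (partner users can use resources here)
#    Inbound       = the partner trusts this forest (our users can use partner resources)
#    BiDirectional = both
# A one-way trust that lets partners reach services here, but not the reverse,
# therefore shows as Outbound. ForestTransitive distinguishes a forest trust from an
# external (single-domain) trust, which would not cover the partner's child domains.
# SelectiveAuthentication = True means partner users additionally need the
# "Allowed to Authenticate" right on the resource servers.
$trust | Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication

if ($trust.Direction -notin 'Outbound', 'BiDirectional') {
    Write-Warning "Trust to $partnerForest is $($trust.Direction): partner users cannot authenticate here."
}
if (-not $trust.ForestTransitive) {
    Write-Warning "Trust to $partnerForest is an external trust; users in its child domains are not covered."
}

# 3. Authorization needs group membership, and a one-way trust does not let an
#    account from this forest bind to the partner directory. Any lookup of partner
#    users (by ArcGIS Server's identity store or by this script) therefore needs a
#    credential that is valid in the partner forest; read-only is enough.
$partnerCred = Get-Credential -Message "Account valid in $partnerForest"
$user = Get-ADUser -Identity $testUser -Server $partnerForest -Credential $partnerCred
Get-ADPrincipalGroupMembership -Identity $user -Server $partnerForest -Credential $partnerCred |
    Select-Object Name, GroupScope, DistinguishedName
```

If step 3 fails while step 2 looks right, the problem is credential scope for the directory lookup rather than the trust itself, which is the same constraint a custom identity provider querying the partner forest would have to satisfy.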

8 Comments
JohnEdwards
This would be hugely beneficial to our organization. Our entire security model for accessing services (using ArcGIS Server 10) is based on domain trusts (cross-forest) among several independent Active Directory systems. This configuration does in fact work but not in 10.1 and above.

I would ask that this type of Active Directory support be returned to the product.

Thanks.
ChrisHalcomb
I just got back from the ESRI UC 2014 and not one ESRI employee could help or understood this issue!
JeremyGould
We are in need of this as well. 
PF1
Hi @chalcomb,

Please review the Microsoft articles Forest trusts and When to create a forest trust for more information. Basically, we have an explicit 1-way forest trust for external partners similar to:

> A one-way, forest trust between two forests allows members of the trusted forest to utilize resources located in the trusting forest. However, the trust operates in only one direction. For example, when a one-way, forest trust is created between forest A (the trusted forest) and forest B (the trusting forest), members of forest A can access resources located in forest B, but members of forest B cannot access resources located in forest A using the same trust.

So in the example above, Forest A would be our internal Active Directory forest and Forest B would be our external 'partners' Active Directory forest. We would like external partners and internal staff to access the same ArcGIS Server web-services (only those chosen for partner access). We would NOT like our external partners to access our internally protected resources (hence the 1-way trust).

Does that provide some more clarity? I think an Esri systems engineer or a systems architect (such as Ismael Chivite or Andrew Sakowicz) could provide some insight on the issue.
AliceRhodes

Is this something that ESRI are planning to look at for upcoming releases? I can see that this original request was sent in 2014 but is still not supported. At the moment this is the AD set up we have for some of our organisation and unfortunately it means they cannot access our applications. What is interesting however is that it does sometimes work, allowing users access to services and applications, however this is not consistent and as it isn't supported we can't progress this any further.

ScottFierro2

To this day this is still unsupported. ESRI's answer for these scenarios for about the last year has been to use Portal or ArcGIS Online to assist with "complex authentication" needs. I built a workaround soon to be published that allows this all to work but ESRI still will state that it is unsupported which is valid because there are 2 somewhat annoying trickle down impacts of implementing this workaround. We have vetted it in 10.2, 10.3.1 and 10.5 and it worked in all of them with the same behaviors. Can also confirm that while it works and can be used if used in conjunction with Collector there are significant performance hits on feature service load times due to the use of Web-Tier authentication over GIS-Tier. The publication is undergoing edits now and is planned to be released by UC. If you'd like a PDF copy sooner send me an email and I can get it over.

ThomasColson

Would love to see details of your work-around. Having many problems with PTL ArcGIS Svr AD authentication, you may have a solution in your document. 

ScottFierro2