Thanks for the reply.
I am using the Web Tier Authentication.
The User/Role Store is set to Windows Domain.
I made the following changes on IIS. I wasn't able to access any service until I made these changes:
- Disable Anonymous access to the 'arcgis' virtual directory
- Enable Windows Authentication in the 'arcgis' virtual directory
- Move 'NTLM' to the top of the list of Providers
- Restart IIS
I did configure the Web Adaptor after we set up security on the GIS Site. I did this while I was using an ArcGIS role store. After switching to AD I no longer have access to the Web Adaptor. I get a 403 Forbidden Access. It seems like this is happening because the server thinks I am not an Admin anymore. I did allow management through the Web Adaptor.
You will need to re-configure your Web Adaptor to recognize the shared key that you provided when you chose to authenticate at the web tier. Can you log in to the web server (where IIS is running) and access this page in a browser: http://localhost/arcgis/webadaptor
Remember that the 'Administrator Username' is the Primary administrator user (not the service account that was created on the local box or in your existing AD).
If you've lost the shared key you can look it up again by going to the REST page: http://localhost:6080/arcgis/admin/security/config
You will be prompted for credentials and you can use your primary site administrator if you haven't disabled it yet.
Hopefully that will help out. I've spent the past week mucking with different security models and have had very very poor performance when using the 'web tier' for authentication. See another thread I've started here: http://forums.arcgis.com/threads/61813-Intermittent-slow-performance-accessing-rest-page
I would be interested in knowing if you have similar performance issues once you get your web tier authentication working properly.
HTH
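One way to do the shared-key lookup described in the reply above without the browser prompt, as an added example that is not code from the thread or from Esri: it calls the ArcGIS Server Admin API on port 6080 with the primary site administrator account. The host, user name, and the `generateToken` parameters (`username`, `password`, `client`, `f`) are assumptions about the Admin API, not something the thread states.

```powershell
# Added example (not from the thread): read the site's security configuration,
# which includes the web adaptor shared key, from the ArcGIS Server Admin API.
# Assumptions: Admin API on port 6080, primary site administrator credentials,
# and the generateToken parameters below. Host and user name are placeholders.

$server   = 'http://localhost:6080/arcgis/admin'   # plain HTTP is only acceptable on the server itself;
                                                   # over the network use the HTTPS port instead
$cred     = Get-Credential -UserName 'siteadmin' -Message 'Primary site administrator'

# Step 1: get an admin token (assumed parameters: username, password, client, f)
$tokenResp = Invoke-RestMethod -Method Post -Uri "$server/generateToken" -Body @{
    username = $cred.UserName
    password = $cred.GetNetworkCredential().Password
    client   = 'requestip'
    f        = 'json'
}
if (-not $tokenResp.token) {
    throw "Token request failed: $($tokenResp | ConvertTo-Json -Compress)"
}

# Step 2: read /security/config with that token; for a GET, -Body becomes the query string
$config = Invoke-RestMethod -Method Get -Uri "$server/security/config" -Body @{
    token = $tokenResp.token
    f     = 'json'
}

# The response carries the site's security settings, including the shared key
# when web-tier authentication is enabled; dump it so it can be compared with
# what the Web Adaptor was configured with.
$config | ConvertTo-Json -Depth 5
```

The token is requested with `client=requestip`, so it is only valid from the machine that asked for it, which is the right scope for a one-off lookup on the server console.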
Well I have made some progress diagnosing the issue. I was able to successfully log into ArcGIS Server Manager with one of my Windows domain accounts. The domain account that worked is only a part of 4 groups, none of which are within nested groups. My account that does not work is in groups that are nested. When I look at how many groups I am ultimately part of, it is around 130. This leads me to believe ArcGIS Server has a problem with nested groups or it has a limit on how many groups a user can be part of. Anyone else having similar issues?
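A way to check the nested-group diagnosis above, as an added example that is not code from the thread: it asks the domain controller for each account's effective group membership (the `tokenGroups` constructed attribute, which already has nesting expanded) and reports the count, so the working account and the failing one can be compared side by side. It assumes a domain-joined machine and a domain user that can read the directory; the account names are placeholders.

```powershell
# Added example (not from the thread): count the effective (nesting-expanded)
# AD group membership of one or more accounts. Assumes a domain-joined box and
# a caller allowed to read the directory; sAMAccountName values are placeholders.

function Get-EffectiveGroupCount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # LDAP filter metacharacters in a user-supplied name must be escaped
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                               -replace '\(', '\28' -replace '\)', '\29'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$escaped))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found" }

    $entry = $result.GetDirectoryEntry()
    # tokenGroups is computed on demand by the DC; RefreshCache forces that computation
    $entry.RefreshCache(@('tokenGroups'))

    $groups = foreach ($sidBytes in $entry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # keep the raw SID if the name cannot be resolved
    }

    [pscustomobject]@{
        Account         = $SamAccountName
        EffectiveGroups = @($groups).Count
        Groups          = @($groups) | Sort-Object
    }
}

# Compare the account that works with the one that is slow or gets 403
'svc_gis', 'jdoe' | ForEach-Object { Get-EffectiveGroupCount $_ } |
    Format-Table Account, EffectiveGroups
```

`tokenGroups` is what the logon token itself is built from, so the count it returns is the number the server-side group lookup has to walk, not the shorter list `memberOf` shows on the user object.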
I can confirm this issue for us. We are using Windows user/role store with GIS Server authentication. We attributed this to the 'publisher role' originally, thinking that is what was slowing it down. I added his account (and my second account) to the administrators role and it is still awfully slow.
- One of my AD accounts works just fine (it is an administrator, and in fewer than 5 AD groups).
- One of my other AD accounts is splattered in 15-20 AD groups and is also part of sub-groups. I was going to use my second account as a publisher to test that functionality.
- I added one of my co-workers who is part of many many many AD groups (with sub-groups) and it takes over 5 minutes to do anything through Manager.
We added the AD service account as a publisher and it runs very fast. We also changed that account to be an administrator and it also runs very fast! This account is not part of any AD roles at the moment (and was only added to the 1 role when trying it as a publisher or administrator).
I would agree that there seems to be a major performance issue when traversing a large AD tree where users are in many groups and there are sub-groups involved.
The good news: we found a great fix that we like better so far.
We've now configured the security of the site the following:
- User Store: Windows Domain
- Role Store: ArcGIS Server Built-in
- Auth. Tier: GIS Server
- Auth. Mode: ArcGIS Tokens
So far this seems to have solved our performance issues as both a user consuming the services (anonymous) and as either a publisher or administrator. This also allows us to control our groups/roles without having to involve the operational IT staff that have control over AD so I think this will work better than having the role store in the windows domain.
I'm wondering if this is also why we experienced slow performance issues when doing web-tier authentication as I've described here: http://forums.arcgis.com/threads/61813-Intermittent-slow-performance-accessing-rest-page
I might try to re-configure the site to do web-tier authentication, but leave the role store with the ArcGIS Server Built-in.