Select to view content in your preferred language

Active Directory Roles - Administrators

7568
24
07-10-2012 10:34 AM
BrianLeroux
Frequent Contributor
I am trying to set up my initial roles in 10.1 using an Active Directory role store. I logged in as the PSA and serched for a AD group that I am in and gave it Administrative rights. I log out of manager and try to log in with my domain account and get "You must enter an account that is a member of either the Administrator or Publisher roles for this site." I tried using domain\UserName with the same result. I also tried giving this role access to the entire site. Any Ideas why I can't log into manager using an AD Role?

Additional info:
ArcGIS Server 10.1, IIS 7, & Web Adaptor all installed on same server. I have the default services running and can set security on the services using Active Directory Roles.
0 Kudos
24 Replies
PF1
by
Frequent Contributor
What is handling the authentication?  Is it set to 'web tier' or 'GIS server'?

Did you configure the user/role store for 'Windows Domain' or 'LDAP'?

Did you change any authentication paramaters on the IIS->Default Web Site->arcgis (like disabling anonymous and enabling windows authentication)

Also - did you configure the web-adaptor after you configured security in the GIS 'site'?  If so did you check the box allowing users to manage the site through the web-adaptor?

Some of those answers might help solve your problem.
0 Kudos
BrianLeroux
Frequent Contributor
Thanks for the reply.
I am using the Web Tier Authentication.

The User/Role Store is set to Windows Domain.

I made the following changes on IIS. I wasn't able to access any service until I made these changes:
- Disable Anonymous access to the 'arcgis' virtual directory
- Enable Windows Authentication in the 'arcgis' virtual directory
- Move 'NTLM' to the top of the list or Providers
- Restart IIS

I did configure the web adapter after we set up security on the GIS Site. I did this while I was using an ArcGIS role store. After switching to AD I no longer have access to the Web Adaptor. I get a 403 Forbidden Access. It seams like this is happening because the server thinks I am not an Admin anymore. I did allow management through the web adaptor.
0 Kudos
PF1
by
Frequent Contributor
Thanks for the reply.
I am using the Web Tier Authentication.

The User/Role Store is set to Windows Domain.

I made the following changes on IIS. I wasn't able to access any service until I made these changes:
- Disable Anonymous access to the 'arcgis' virtual directory
- Enable Windows Authentication in the 'arcgis' virtual directory
- Move 'NTLM' to the top of the list or Providers
- Restart IIS

I did configure the web adapter after we set up security on the GIS Site. I did this while I was using an ArcGIS role store. After switching to AD I no longer have access to the Web Adaptor. I get a 403 Forbidden Access. It seams like this is happening because the server thinks I am not an Admin anymore. I did allow management through the web adaptor.



You will need to re-configure your web-adaptor to recongnize the shared key that you provided when you chose to authenticate at the web-tier.  Can you login to the web-server (where IIS is running) and access this page in a browser: http://localhost/arcgis/webadaptor

Rember that the 'Administrator Username' is the Primary administrator user (not the service account that was created on the local box or in your existing AD). 

If you've lost the shared key you can re look that up by going to the rest page: http://localhost:6080/arcgis/admin/security/config

You will be prompted for credentials and you can use your primary site administrator if you havn't disabled it yet.

Hopefully that will help out.  I've spent the past week mucking with different security models and have had very very poor performance when using the 'web tier' for authentication.  See another thread I've started here: http://forums.arcgis.com/threads/61813-Intermittent-slow-performance-accessing-rest-page

I would be interested in knowing if you have similar performance issues once you get your web tier authentication working properly. 

HTH
0 Kudos
BrianLeroux
Frequent Contributor
You will need to re-configure your web-adaptor to recongnize the shared key that you provided when you chose to authenticate at the web-tier.  Can you login to the web-server (where IIS is running) and access this page in a browser: http://localhost/arcgis/webadaptor

Rember that the 'Administrator Username' is the Primary administrator user (not the service account that was created on the local box or in your existing AD). 

If you've lost the shared key you can re look that up by going to the rest page: http://localhost:6080/arcgis/admin/security/config

You will be prompted for credentials and you can use your primary site administrator if you havn't disabled it yet.

Hopefully that will help out.  I've spent the past week mucking with different security models and have had very very poor performance when using the 'web tier' for authentication.  See another thread I've started here: http://forums.arcgis.com/threads/61813-Intermittent-slow-performance-accessing-rest-page

I would be interested in knowing if you have similar performance issues once you get your web tier authentication working properly. 

HTH


I am not sure the web adapter configuration is an issue as I had it set to web tier when using the arcgis role store and am using now that i switched to AD. I also used the exact same password when I changed it. However I will give it a try just in case.

GIS setup is much simpler than yours so I am not sure how much I will be able to help in the way of performance but I would be glad to share my experience once I am up and running.
0 Kudos
BrianLeroux
Frequent Contributor
I reconfigued the web adaptor and still no luck. As it stands when I am set to use users & Roles from Windows Active Directory I am not able to log in to manager with a domain account after making a AD group Admins on the GIS server. I have tried going through the web adaptor and directy to the server at port 6080. Any other suggestions are appreciated.

Update- When using ArGIS Admin Users - Security - Get Privileges I enter my user name and is shows me only as having ACCESS and not Administer even know I made a AD group I am in an Administrative group. When I check Privileges on the group I am in it shows the Access level as Administer. Stumped...
0 Kudos
BrianLeroux
Frequent Contributor
Well I have made some progress diagnosing the issue. I was able to succesfully log into ArcGIS Server Manasger with one of my windows domain accounts. The domain account that worked is only a part of 4 groups none of which are within nested groups. My account that does not work is in groups that are nested. When I look at how many groups that I am ultimately part of it, is around 130. This leadsme to belive ArcGIS Server has a probelm with nested groups or it has a limit on how many groups a user can be part of. Anyone else having similar issues?
0 Kudos
PF1
by
Frequent Contributor
Well I have made some progress diagnosing the issue. I was able to succesfully log into ArcGIS Server Manasger with one of my windows domain accounts. The domain account that worked is only a part of 4 groups none of which are within nested groups. My account that does not work is in groups that are nested. When I look at how many groups that I am ultimately part of it, is around 130. This leadsme to belive ArcGIS Server has a probelm with nested groups or it has a limit on how many groups a user can be part of. Anyone else having similar issues?


I can confirm this issue for us.  We are using Windows user/role store with GIS Server authentication. 


  • My 1 of my AD accounts work just fine (who is an administrator, and in less than 5 AD groups). 

  • One of my other AD accounts is splattered in 15-20 AD groups and is also part of sub-groups.  I was going to use my second account as a publisher to test that functionality. 

  • I added one of my co-workers who is part of many many many AD groups (with sub-groups) and it taks over 5 minutes to do anything through manager

We attributed this to the 'publisher role' originally, thinking that is what was slowing it down.  I added his account (and my second account) to the administrators role and it is still awfully slow. 

We added the AD service account as a publisher and it runs very fast.  We also changed that account to be an administrator and it also runs very fast!  This account is not part of any AD roles at the moment (and was only added to the 1 role when trying it as a publisher or administrator). 

I would agree that there seems to be a major performance issue when traversing a large AD tree where users are in many groups and there are sub-groups involved. 

The good news: we found a great fix that we like better so far. 

We've now configured the security of the site the following:

  • User Store: Windows Domain

  • Role Store: ArcGIS Server Built-in

  • Auth. Tier: GIS Server

  • Auth. Mode: ArcGIS Tokens


So far this seems to have solved our performance issues as both a user consuming the services (anonymous) and as either a publisher or administrator.  This also allows us to control our groups/roles without having to involve the operational IT staff that have control over AD so I think this will work better than having the role store in the windows domain. 

I'm wondering if this is also why we experienced slow performance issues when doing web-tier authentication as I've described here: http://forums.arcgis.com/threads/61813-Intermittent-slow-performance-accessing-rest-page

I might try to re-configure the site to do web-tier authentication, but leave the role store with the ArcGIS Server Built-in.
0 Kudos
BrianLeroux
Frequent Contributor
I can confirm this issue for us.  We are using Windows user/role store with GIS Server authentication. 


  • My 1 of my AD accounts work just fine (who is an administrator, and in less than 5 AD groups). 

  • One of my other AD accounts is splattered in 15-20 AD groups and is also part of sub-groups.  I was going to use my second account as a publisher to test that functionality. 

  • I added one of my co-workers who is part of many many many AD groups (with sub-groups) and it taks over 5 minutes to do anything through manager

We attributed this to the 'publisher role' originally, thinking that is what was slowing it down.  I added his account (and my second account) to the administrators role and it is still awfully slow. 

We added the AD service account as a publisher and it runs very fast.  We also changed that account to be an administrator and it also runs very fast!  This account is not part of any AD roles at the moment (and was only added to the 1 role when trying it as a publisher or administrator). 

I would agree that there seems to be a major performance issue when traversing a large AD tree where users are in many groups and there are sub-groups involved. 

The good news: we found a great fix that we like better so far. 

We've now configured the security of the site the following:

  • User Store: Windows Domain

  • Role Store: ArcGIS Server Built-in

  • Auth. Tier: GIS Server

  • Auth. Mode: ArcGIS Tokens


So far this seems to have solved our performance issues as both a user consuming the services (anonymous) and as either a publisher or administrator.  This also allows us to control our groups/roles without having to involve the operational IT staff that have control over AD so I think this will work better than having the role store in the windows domain. 

I'm wondering if this is also why we experienced slow performance issues when doing web-tier authentication as I've described here: http://forums.arcgis.com/threads/61813-Intermittent-slow-performance-accessing-rest-page

I might try to re-configure the site to do web-tier authentication, but leave the role store with the ArcGIS Server Built-in.


Thanks for the info Patrick. Our initial configuration was using the Windows Domain for users and ArcGIS Built-In Role Store with Web Tier authentication. The performance was good but I wasn't doing much besides logging in and configuring ther server.

Unfortunately, this configuration did not meet my requirements as far as user maintenance is concerned. I need a config that would allow/revoke user access when they are added/removed to a group in AD. We will have over 1,500 users that change on a continuous basis and it would be a lot of effort to manage manually. Alos, our IT department wants full control over user access for auditing reasons.

I have a support ticket open with ESRI and they are researching the issue. If there is no resolution by next week I will discuss with ESRI during the UC next week.
0 Kudos
troyturcott
Deactivated User
Mr. Leroux,

I have analogous user maintenance requirements.
Did opening your support ticket get any help toward resolving the issue with traversing complex & nest AD groups?
This is two months after your post and based on what I'm experiencing and reading about, ArcGIS Server 10.1 with AD/integrated security "is not" ready for "prime-time"...

Any thoughts?

Thanks,

JT
0 Kudos