Active Directory Roles - Administrators

07-10-2012 10:34 AM
BrianLeroux
Occasional Contributor III
I am trying to set up my initial roles in 10.1 using an Active Directory role store. I logged in as the PSA and searched for an AD group that I am in and gave it Administrative rights. I log out of manager and try to log in with my domain account and get "You must enter an account that is a member of either the Administrator or Publisher roles for this site." I tried using domain\UserName with the same result. I also tried giving this role access to the entire site. Any ideas why I can't log into manager using an AD Role?

Additional info:
ArcGIS Server 10.1, IIS 7, & Web Adaptor all installed on same server. I have the default services running and can set security on the services using Active Directory Roles.
24 Replies
PF1
Occasional Contributor II
What is handling the authentication?  Is it set to 'web tier' or 'GIS server'?

Did you configure the user/role store for 'Windows Domain' or 'LDAP'?

Did you change any authentication parameters on the IIS->Default Web Site->arcgis (like disabling anonymous and enabling windows authentication)?

Also - did you configure the web-adaptor after you configured security in the GIS 'site'?  If so did you check the box allowing users to manage the site through the web-adaptor?

Some of those answers might help solve your problem.
BrianLeroux
Occasional Contributor III
Thanks for the reply.
I am using the Web Tier Authentication.

The User/Role Store is set to Windows Domain.

I made the following changes on IIS. I wasn't able to access any service until I made these changes:
- Disable Anonymous access to the 'arcgis' virtual directory
- Enable Windows Authentication in the 'arcgis' virtual directory
- Move 'NTLM' to the top of the list of Providers
- Restart IIS

I did configure the web adapter after we set up security on the GIS Site. I did this while I was using an ArcGIS role store. After switching to AD I no longer have access to the Web Adaptor. I get a 403 Forbidden Access. It seems like this is happening because the server thinks I am not an Admin anymore. I did allow management through the web adaptor.
PF1
Occasional Contributor II
You will need to re-configure your web-adaptor to recognize the shared key that you provided when you chose to authenticate at the web-tier.  Can you login to the web-server (where IIS is running) and access this page in a browser: http://localhost/arcgis/webadaptor

Remember that the 'Administrator Username' is the Primary administrator user (not the service account that was created on the local box or in your existing AD).

If you've lost the shared key you can look that up again by going to the rest page: http://localhost:6080/arcgis/admin/security/config

You will be prompted for credentials and you can use your primary site administrator if you haven't disabled it yet.

Hopefully that will help out.  I've spent the past week mucking with different security models and have had very very poor performance when using the 'web tier' for authentication.  See another thread I've started here: http://forums.arcgis.com/threads/61813-Intermittent-slow-performance-accessing-rest-page

I would be interested in knowing if you have similar performance issues once you get your web tier authentication working properly. 

HTH
BrianLeroux
Occasional Contributor III
I am not sure the web adapter configuration is an issue as I had it set to web tier when using the arcgis role store and am using it now that I switched to AD. I also used the exact same password when I changed it. However, I will give it a try just in case.

My GIS setup is much simpler than yours, so I am not sure how much I will be able to help in the way of performance, but I would be glad to share my experience once I am up and running.
BrianLeroux
Occasional Contributor III
I reconfigured the web adaptor and still no luck. As it stands, when I am set to use users & Roles from Windows Active Directory I am not able to log in to manager with a domain account after making an AD group Admins on the GIS server. I have tried going through the web adaptor and directly to the server at port 6080. Any other suggestions are appreciated.

Update- When using ArcGIS Admin Users - Security - Get Privileges I enter my user name and it shows me only as having ACCESS and not Administer, even though I made an AD group I am in an Administrative group. When I check Privileges on the group I am in it shows the Access level as Administer. Stumped...
BrianLeroux
Occasional Contributor III
Well, I have made some progress diagnosing the issue. I was able to successfully log into ArcGIS Server Manager with one of my windows domain accounts. The domain account that worked is only a part of 4 groups, none of which are within nested groups. My account that does not work is in groups that are nested. When I look at how many groups I am ultimately part of, it is around 130. This leads me to believe ArcGIS Server has a problem with nested groups or it has a limit on how many groups a user can be part of. Anyone else having similar issues?
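To illustrate the nested-group behaviour described above, here is an added example (not code from this thread or from Esri) that resolves a user's effective AD group membership over a constructed sample directory; the user, group and role-group names are assumptions. A user whose Administrator group is reached only through nesting holds the role under a recursive lookup but appears as a plain user under a direct one, and the number of directory lookups grows with every nested group, which is where the slowness comes from.

```python
from collections import deque

# Constructed sample directory (not real AD data): each principal maps to the
# groups it is a DIRECT member of. Names are assumptions for illustration.
DIRECTORY = {
    "jsmith": ["GIS-Analysts", "Staff"],
    "bleroux": ["GIS-Editors", "Staff", "Project-A", "Project-B"],
    "GIS-Analysts": ["GIS-Users"],
    "GIS-Editors": ["GIS-Users", "GIS-Power-Users"],
    "GIS-Power-Users": ["GIS-Admins"],   # the admin group is only reachable by nesting
    "GIS-Admins": ["GIS-Power-Users"],   # deliberate cycle: traversal must terminate
    "Staff": ["All-Employees"],
    "Project-A": ["Project-Leads"],
    "Project-B": ["Project-Leads"],
    "Project-Leads": [],
    "All-Employees": [],
    "GIS-Users": [],
}
ROLE_GROUP = "GIS-Admins"  # assumed AD group that was granted the Administrator role

def direct_groups(principal, directory=DIRECTORY):
    """Groups the principal is listed in directly (what a non-recursive lookup sees)."""
    return set(directory.get(principal, []))

def effective_groups(principal, directory=DIRECTORY):
    """Transitive closure of group membership, breadth-first and cycle-safe.
    Returns (set of effective groups, number of group lookups performed)."""
    seen, lookups = set(), 0
    queue = deque(directory.get(principal, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        lookups += 1  # one directory round-trip per group; this is the cost that grows
        queue.extend(directory.get(group, []))
    return seen, lookups

def has_role(principal, role_group=ROLE_GROUP, recursive=True):
    """True if the principal holds the role. With recursive=False only direct
    membership counts, so a user whose admin group is nested shows as a plain user."""
    groups = effective_groups(principal)[0] if recursive else direct_groups(principal)
    return role_group in groups

if __name__ == "__main__":
    for user in ("jsmith", "bleroux"):
        print(user, len(direct_groups(user)), len(effective_groups(user)[0]), has_role(user))
```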
PF1
Occasional Contributor II
I can confirm this issue for us.  We are using Windows user/role store with GIS Server authentication. 


  • One of my AD accounts works just fine (who is an administrator, and in less than 5 AD groups).

  • One of my other AD accounts is splattered in 15-20 AD groups and is also part of sub-groups.  I was going to use my second account as a publisher to test that functionality. 

  • I added one of my co-workers who is part of many many many AD groups (with sub-groups) and it takes over 5 minutes to do anything through manager

We attributed this to the 'publisher role' originally, thinking that is what was slowing it down.  I added his account (and my second account) to the administrators role and it is still awfully slow. 

We added the AD service account as a publisher and it runs very fast.  We also changed that account to be an administrator and it also runs very fast!  This account is not part of any AD roles at the moment (and was only added to the 1 role when trying it as a publisher or administrator). 

I would agree that there seems to be a major performance issue when traversing a large AD tree where users are in many groups and there are sub-groups involved. 

The good news: we found a great fix that we like better so far. 

We've now configured the security of the site as follows:

  • User Store: Windows Domain

  • Role Store: ArcGIS Server Built-in

  • Auth. Tier: GIS Server

  • Auth. Mode: ArcGIS Tokens


So far this seems to have solved our performance issues as both a user consuming the services (anonymous) and as either a publisher or administrator.  This also allows us to control our groups/roles without having to involve the operational IT staff that have control over AD so I think this will work better than having the role store in the windows domain. 

I'm wondering if this is also why we experienced slow performance issues when doing web-tier authentication as I've described here: http://forums.arcgis.com/threads/61813-Intermittent-slow-performance-accessing-rest-page

I might try to re-configure the site to do web-tier authentication, but leave the role store with the ArcGIS Server Built-in.
BrianLeroux
Occasional Contributor III
Thanks for the info Patrick. Our initial configuration was using the Windows Domain for users and ArcGIS Built-In Role Store with Web Tier authentication. The performance was good but I wasn't doing much besides logging in and configuring the server.

Unfortunately, this configuration did not meet my requirements as far as user maintenance is concerned. I need a config that would allow/revoke user access when they are added to/removed from a group in AD. We will have over 1,500 users that change on a continuous basis and it would be a lot of effort to manage manually. Also, our IT department wants full control over user access for auditing reasons.

I have a support ticket open with ESRI and they are researching the issue. If there is no resolution by next week I will discuss with ESRI during the UC next week.
troyturcott
New Contributor II
Mr. Leroux,

I have analogous user maintenance requirements.
Did opening your support ticket get any help toward resolving the issue with traversing complex & nested AD groups?
This is two months after your post and based on what I'm experiencing and reading about, ArcGIS Server 10.1 with AD/integrated security "is not" ready for "prime-time"...

Any thoughts?

Thanks,

JT