Active Directory Roles - Administrators

BrianLeroux · ‎07-10-2012

I am trying to set up my initial roles in 10.1 using an Active Directory role store. I logged in as the PSA and serched for a AD group that I am in and gave it Administrative rights. I log out of manager and try to log in with my domain account and get "You must enter an account that is a member of either the Administrator or Publisher roles for this site." I tried using domain\UserName with the same result. I also tried giving this role access to the entire site. Any Ideas why I can't log into manager using an AD Role?

Additional info:
ArcGIS Server 10.1, IIS 7, & Web Adaptor all installed on same server. I have the default services running and can set security on the services using Active Directory Roles.

BrianLeroux · ‎09-13-2012

JT-
I am still working with ESRI to resolve my issue. We have made some progress in the troubleshooting process but have not pinned down a solution to my issue. Our "normal" AD users are created by a provisioning job and that seems to be the root cause of the issue. I was able to verify this by duplicating my account to create a test account which all of the same permissions. This new test account allows me to admin the server while my regular account that was created with our provisioning jobs will not.

So to you question, is ArcGIS Server 10.1 with AD/integrated security ready for "prime-time"?, I can't honest say yes or no until I find the cause of my issues. I can say that I do not have any issues with user security at the service level and Administration works fine when using an account that does not use our provisioning process. Once I get this issue resolved I will definately post back here with more details.

JonathanBailey · ‎02-13-2013

Hi Brian,

Did you ever resolve this issue with Esri?

Thanks,

Jon.

BrianLeroux · ‎02-13-2013

Yes. It turns out there was an existing bug in 10.1 that did not allow a comma in a users full name. This was fixed in SP1.

PF1 · ‎02-13-2013

Yes. It turns out there was an existing bug in 10.1 that did not allow a comma in a users full name. This was fixed in SP1.

Did you have performance issues when using AD Groups before SP1? Wondering if that solved our performance issues with AD groups/roles. We had major performance impacts with users that were either in many AD groups or nested (sub) groups.

BrianLeroux · ‎02-13-2013

Did you have performance issues when using AD Groups before SP1? Wondering if that solved our performance issues with AD groups/roles. We had major performance impacts with users that were either in many AD groups or nested (sub) groups.

Yes i had performance issues before SP1 but they persisted through the service pack upgrade. it turned out that the account apply the configuration settings was a user account that was a part of many nested groups casuing a major slowdown in the authentication process. We switched the domain account the server runs as which is only part of a very small amount of groups. The performance after making that change was significantly better.

MuneerMajid · ‎03-07-2013

We have been experiencing similar issues for a while.. We have currently installed 10.1 on a Test Server but plan to roll it into production to replace our existing 10.0 ArcGIS Server by the month of May. But I guess we aren't making the deadlines because of the performance issues..

Local browsing to 10.1 Services whether with ArcCatalog or with IE is pretty fast on the Server itself, however as soon as you go to a client machine and pass the intranet + the Company Active Directory Groups, the performance is agonizingly slow.. And this is only while browsing through the ArcGIS Server Folder/Directories, direct URL's to any of our map services work just fine within out client applications..

We have been working with ESRI Tech Support for the last two weeks, but nothing productive has come up yet. Any suggestions here?

Regards,
Muneer Majid
Spatial & GIS Analyst
Chevron Energy Technology Company

BrianLeroux · ‎03-07-2013

Hi Muneer,

We still have permormance issues but at this point it is limited to when we are managing the server. Publishing and updating services from ArcMap is very slow. Also connecting to Server Manager is very slow. However, performance is not an issue for us when consuming serivces in our Web Maps or ArcMap. Also browsing the srvices directory is fine.

We initially had perfomance issues that was resolved by changing the the domain account used to configure the server security. We initally used an admin's personal account which was a part of many nested groups. Changing this to the domain group used by the server sped things up considerably and is most likely because the number of groups this account is a memeber of is very limited (<5).

MuneerMajid · ‎03-07-2013

Thanks for the information Brian..

We pretty much have the same issues that you are experiencing.. Additionally, browsing the directories is also very slow for us.. We are also using a domain Service Account and that one isnt a part of a number of nested groups..

We just finished another working sessions with ESRI Tech Support, and we tried out a number of suggestions one of which was Enabling the Kernel Mode but nothing really has helped so far.

PF1 · ‎03-09-2013

We have been experiencing similar issues for a while.. We have currently installed 10.1 on a Test Server but plan to roll it into production to replace our existing 10.0 ArcGIS Server by the month of May. But I guess we aren't making the deadlines because of the performance issues..

Local browsing to 10.1 Services whether with ArcCatalog or with IE is pretty fast on the Server itself, however as soon as you go to a client machine and pass the intranet + the Company Active Directory Groups, the performance is agonizingly slow.. And this is only while browsing through the ArcGIS Server Folder/Directories, direct URL's to any of our map services work just fine within out client applications..

We have been working with ESRI Tech Support for the last two weeks, but nothing productive has come up yet. Any suggestions here?

Regards,
Muneer Majid
Spatial & GIS Analyst
Chevron Energy Technology Company

What is your config setting for user and role store? Built in or windows domain? Or hybrid?

MuneerMajid · ‎03-11-2013

Hi Pat,

We have been using Windows Domain all along.. We did try switching to Build in which worked relatively faster, but we cannot use that security model on our Production Domain.

-Muneer