ArcGIS for Server 10.2.1 Security - Inclusion of Domain in username

2971
6
Jump to solution
01-23-2014 06:36 AM
KellyBoyd
New Contributor III
Hello All,
I recently upgraded my server from ArcGIS for Server 10.1 to 10.2.1 and I'm experiencing a small issue with the security settings. I use Windows Domain as my User Store and ArcGIS Server Built-in as my Role Store. When I add a new user to a role, the username is now added as "domain\username" instead of just "username" as was the case with version 10.1. All of the previous users I added while still at version 10.1 are still listed as just "username" and can still login. However, the new user I added could not login without the "domain\" in front of his username. I was able to manually edit the user-roles under the security folder in config-store to resolve this issue but I was wondering if anyone knows of a way to keep ArcGIS for Server from including the domain as part of the username so users are confused by this and we can avoid the need to manually edit users. Any assistance would be greatly appreciated.
Thanks so much,
Kelly
Tags (2)
0 Kudos
1 Solution

Accepted Solutions
PeterBuwembo
Esri Contributor
This is as designed. At 10.1 ArcGIS for Server did not support multiple domains. Since 10.2, the support for multiple domains was implemented. This means that at 10.2 and above, when using Windows users for security, you will need to specify the domain prefix. This because if you have ArcGIS server connected to two different domain for users and roles, it needs to be able to differentiate the users.

Say you have the user "Joe Sheemore" in the domain lively the user would be lively\jsheemore. This same user can be in the domain deadly and the user name would be deadly\jsheemore. If you just specify jsheemore as in the previous version(10.1)  then ArcGIS for Server will not be able to find the user. Hence the need to specify the domain prefix.

I hope this information is helpful & good luck

View solution in original post

0 Kudos
6 Replies
TONIFAIRBANKS
New Contributor III
I am having the same problem.  Did you ever find a solution to the problem? Thanks.
0 Kudos
KellyBoyd
New Contributor III
Toni,
Unfortunately, I have not found a solution yet. Good luck!
Kelly
0 Kudos
PeterBuwembo
Esri Contributor
This is as designed. At 10.1 ArcGIS for Server did not support multiple domains. Since 10.2, the support for multiple domains was implemented. This means that at 10.2 and above, when using Windows users for security, you will need to specify the domain prefix. This because if you have ArcGIS server connected to two different domain for users and roles, it needs to be able to differentiate the users.

Say you have the user "Joe Sheemore" in the domain lively the user would be lively\jsheemore. This same user can be in the domain deadly and the user name would be deadly\jsheemore. If you just specify jsheemore as in the previous version(10.1)  then ArcGIS for Server will not be able to find the user. Hence the need to specify the domain prefix.

I hope this information is helpful & good luck

View solution in original post

0 Kudos
ShaunConway
Occasional Contributor II

I'm a little late to the party, but I was wondering if you might have any information on how to configure ArcGIS Server to support multiple domains? Currently our police department is on a separate domain and we need to allow them to access our secure services.

Thanks,

Shaun

0 Kudos
KellyBoyd
New Contributor III
Pete,
Thanks for the response!
Take care,
Kelly
0 Kudos
katherineobrien
New Contributor

Kelly Boyd-

Can you please share how you manually made the change? 

Here is our attempt at a work around but it did not work as we wanted:

  • Manually altered the files in the config store on the AGS Server that link the user with the role.  Now the user names get saved as "AD\\username".
  • Then took the AD off the username in the config file and it does show up without the AD\ in Manager, but it has no effect in how you log in. (i.e. you need to add AD if you are to get access to the correct folders).

Legacy users are still able to log into our secure services without a prefix to their username.  All new users need the prefix. 

0 Kudos