
ArcGIS Server 10.1 with Forest with Multiple Domains

08-15-2012 08:47 PM
JoseSousa
Esri Contributor
Hi,

Is it possible to configure ArcGIS Server for 10.1 with AD authentication in an organization with a forest made of multiple domains?
If so, is there any help guide on how to accomplish that?

Thanks,
Jose
0 Kudos
20 Replies
MatejVrtich1
Occasional Contributor
Hi,

We have ArcGIS Server 10.2.1 now and it should support nested groups and domain forest since version 10.2.

We have tried the configuration with nested groups, but did not succeed.
What is the recommended configuration to allow logins to ArcGIS Server 10.2.1 from multiple domains?

Thanks,
Matej
0 Kudos
JustinRodriguez
Deactivated User
Hello Matej,
Have you checked out this web help?

Using nested groups in a Windows Active Directory identity store
http://resources.arcgis.com/en/help/main/10.2/index.html#/Using_nested_groups_in_a_Windows_Active_Di...

Thanks-
Justin

0 Kudos
MatejVrtich1
Occasional Contributor
Hi Justin,

Yes, we configured ArcGIS Server to use the AGSMembershipProvider.AGSADMembershipProvider and AGSMembershipProvider.AGSADRoleProvider according to the web help.
However, having done that, we still cannot log in to ArcGIS Server using credentials from the second domain.

Let me describe our configuration.
We have AGS running in domain A.
Users from domain A can log in to ArcGIS Server (using either Windows authentication or the membership and role providers mentioned above).
We have domain B and we need to allow users from domain B to log in to ArcGIS Server.
So we created group A in domain A with nested group B from domain B.
Users from domain B who need access to ArcGIS Server are members of group B, which is a member of group A.
Using this configuration, users from domain B still cannot log in to ArcGIS Server.

Thanks,
Matej
0 Kudos
JustinRodriguez
Deactivated User
Thank you for the reply,
Based on your description, there could be a couple of problems going on here.

1. Can you just grant a security group from Domain B privileges directly from ArcGIS for Server? From an ArcGIS Security standpoint, there shouldn't be any need to nest security groups the way you are doing it (I understand there might be other reasons though). It would be an excellent test.

2. Is your Domain Controller for Domain A a global catalog server for Domain B? This would be a requirement as well.

-Thank you very much

Justin R


0 Kudos
MatejVrtich1
Occasional Contributor
Hi Justin,

Sorry for the delay but I was gathering more information about the underlying configuration.

The configuration is as follows:
Domain A and Domain B are not in the same domain forest.
Each domain serves as a global catalog for itself.
There is a one-way selective trust between Domain A and Domain B.

Is there any way to use this configuration with ArcGIS for Server?

Thanks,
Matej
0 Kudos
JustinRodriguez
Deactivated User


Hello Matej,
Unfortunately our product requires the Domain Controllers to be Global Catalog Servers of each other. If this is not done, our Software cannot support this configuration.

With that being said, there is a Microsoft Domain Tool that may allow you to get around this issue. The tool is called ADLDS. This workflow would not be supportable by ESRI Tech Support, but I know that some clients have successfully used it to correct the issue in an environment with two-way or one-way trusts. I hope that helps you. Take care-

Justin Rodriguez
0 Kudos
MatejVrtich1
Occasional Contributor
Hi Justin,

Thank you for the tip using the AD LDS.
As I understand this, the AD LDS will be the central repository of users and groups which will be replicated from Domain A and Domain B. ArcGIS for Server will use the AD LDS as the identity provider.

Using this AD LDS, do you think it should be possible to use the Integrated Windows Authentication instead of Token authentication to authenticate users of ArcGIS for Server?

Thanks,
Matej
0 Kudos
JoshuaDalton
Occasional Contributor


Matej, were you able to deploy AD LDS to resolve this issue? If so, can you explain how you went about configuring AD LDS and some instructions that helped you do so?

0 Kudos
Lynchburg_GISDivision
Regular Contributor

We are also looking into ADLDS as an option. If anyone can provide details and additional information, we'd truly appreciate it!

0 Kudos
LakshmananVenkatesan
Frequent Contributor

Hi Folks,

Sorry for being late to the party. Has anyone resolved this issue, or does anyone have any documentation on this?

Even at 10.4, it seems that if the domains (A and B) are in different forests, ArcGIS Server does not support this config.

0 Kudos