Select to view content in your preferred language

ArcGIS Server 10.2 security to use AD

4025
7
10-01-2013 08:19 AM
by Anonymous User
Not applicable
Original User: Steve Clark

I am running into a glitch or sequencing problem in configuring ArcGIS Server 10.2 security to use Windows AD.

Here are the steps I've done:
1. Web Adaptor installed and configured
2. arcgis site in IIS has been set to anonymous=disabled, windows=enabled
3. logged into manager on our web adaptor as the primary site admin (arcgis)
4. In Security->Settings, configured for Users and roles in an existing enterprise system
5. Chose Windows Domain
6. entered in a domain account/password (used mine and another time, the global arcgis server account set up in the web adaptor)
7. Chose Web Tier
8. When I clicked Finished, it went back to the login screen

Attempting to log in again, using my account or the server account gave me an Unauthorized User screen. Logging in as the PSA just hangs.

To undo, I went back to IIS and undid step 2 and then logged into one of my arcgis servers and reset the Security Configuration back to default.

Was this the wrong order? I would assume that after step 8, it would allow me to configure the AD group allowed for Admin access. But since I couldn't do that, everyone was locked out. Help?
0 Kudos
7 Replies
RickThiel
Regular Contributor
Hi Steve,

If you want to use your organization's Active Directory, you should choose LDAP instead.  The Windows Domain, which you chose, will only allow you to select users or roles on the local server.  I just setup my Active Directory for 10.2 yesterday.  After a few configuration setting trial/errors it now works great.  I supplied a screen shot:

[ATTACH=CONFIG]28051[/ATTACH]

Let me know if you have any other questions.

-_Rick
0 Kudos
by Anonymous User
Not applicable
Original User: bubbahey25

What I do is use Windows Domain and I create the roles and users in Server Manager.
0 Kudos
RickThiel
Regular Contributor
  Hi Steve,  
 
If you want to use your organization's Active Directory, you should choose LDAP instead. The Windows Domain, which you chose, will only allow you to select users or roles on the local server. I just setup my Active Directory for 10.2 yesterday. After a few configuration setting trial/errors it now works great. I supplied a screen shot:  
 
Let me know if you have any other questions.  
 
-_Rick 


UPDATE!

I apologize... this information might not be correct for you. If you want to use Windows Integrated Authentication, it would be better to use Windows Domain.

I'm not sure when it would be beneficial to use LDAP. I do know that it may cause you some problems when you want to publish services.
0 Kudos
by Anonymous User
Not applicable
Original User: nosajeeel

Steve,

I also had this same problem, did you ever find a solution to the issue.

Jason
0 Kudos
SteveClark
Deactivated User
Sorry for the delay in getting back to this. I finally had a chance to work on this and here's what I was able to do. Based on Rick's first suggestion, I did go ahead use the LDAP parameters with help from http://resources.arcgis.com/en/help/main/10.1/index.html#//01540000050w000000. I was able to see all of our AD roles (despite the awkward interface). I assigned one of the roles to Administrator (which I and a few others are a member of) and left all of the many other roles as User. However, it did not work as expected - the point was for any member of that role to be able to login to ArcGIS Server Manager with their own credentials and manage the site just like logging in as arcgis would. Still something missing...
0 Kudos
by Anonymous User
Not applicable
Original User: vmshort

Did you manage to solve this? We have exactly the same problem.

Thank you
0 Kudos
WilliamCraft
MVP Regular Contributor
Are you still seeing 401 Unauthorized Access when requesting via the web adaptor despite changing your configuration the way you described?  If so, are you certain that your LDAP settings are correct in that you have not restricted ArcGIS Server to see only a particular LDAP container of users (i.e., CN=ad_containername\department1_users)?  In other words, might it be possible that you have filtered for only specific domain user accounts to appear in AGS by the way in which you specified the LDAP string information?  Perhaps your domain account and the "global" account you mentioned (which I assume is a domain account) are not part of the pool of users that AGS can see.
0 Kudos