
ArcGIS Server Active Directory Identity Store ClearText Password

06-20-2022 09:06 PM
SaqibHanif
New Contributor

Hi,

I am using ArcGIS Server 10.3 installed on Windows Server 2016. Users are being authenticated through a separate machine with Microsoft Active Directory (AD). I have configured ArcGIS Server to use HTTPS with self-signed certificates. Everything is working fine, but when the machine was evaluated for security vulnerabilities, it was reported that ArcGIS Server is transmitting admin user credentials to the AD server in plain text using LDAP. I got confused because I have definitely not used the LDAP option in ArcGIS Server Manager.

Please can someone explain why LDAP is being used behind the scenes? Moreover, how can I disable the transmission of admin credentials in plain text? It is a great security threat, and anyone can use a man-in-the-middle attack to obtain this info.

Thanks.

2 Replies
George_Thompson
Esri Notable Contributor

I would say to first upgrade to a newer version, i.e. 10.9.1. ArcGIS 10.3.x was retired almost 2 years ago (Dec 2020). There have been MANY security updates since that version.   

Then check your security configurations. If you have a question or issue, I would recommend contacting Esri Technical Support.

--- George T.
Brian_Wilson
Honored Contributor

"Please can someone explain why LDAP is being used behind the scenes."

Just to be clear, Active Directory is Microsoft's implementation of LDAP. So when bits fly between machines, they use LDAP. A sniffer watching network traffic will see LDAP.

LDAP is completely separate from HTTP/HTTPS.  Installing a certificate there or enabling "HTTPS ONLY" will have no effect on Active Directory. 

Make sure TLS/SSL is enabled on your Active Directory server. Make sure the port for it is open. The unencrypted port is 389 and the SSL port is 636. If the server is not listening on port 636 or the port is blocked, then Esri will probably fall back to port 389/unencrypted even if it is set up to use it.
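The point about what a sniffer sees on port 389 can be made concrete. The following is an added example, not code from this thread or from Esri: it encodes an LDAP simple BindRequest (RFC 4511) exactly as it travels over TCP/389, then decodes it the way a passive sniffer would, pulling the bind DN and password straight out of the bytes. A SASL (GSS-SPNEGO/Kerberos) bind is decoded for contrast, since that form does not carry the password. A small helper is also included that completes a TLS handshake against port 636, which is the check for "is the domain controller actually offering LDAPS". The service-account DN, password and hostname used below are made up.

```python
"""Decode an LDAP BindRequest as a sniffer on TCP/389 would see it.

Added example, not from the original thread or from Esri. A simple bind
carries the password as a plain OCTET STRING, so anything on the path
between ArcGIS Server and the domain controller can read it unless the
connection is LDAPS (TCP/636) or STARTTLS. All sample values are made up.
"""
import socket
import ssl
from typing import Any, Dict, Tuple

# ---- minimal BER helpers -------------------------------------------------

def _ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    """Non-negative INTEGER; the extra bit keeps the top bit clear (positive)."""
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after this TLV) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# ---- LDAP BindRequest encode / decode -------------------------------------

def build_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """Encode LDAPMessage{ messageID, BindRequest{ version 3, name, simple[0] } }."""
    bind_request = _tlv(0x60,                              # [APPLICATION 0] BindRequest
                        _ber_int(3) +                      # version INTEGER 3
                        _tlv(0x04, bind_dn.encode()) +     # name LDAPDN (OCTET STRING)
                        _tlv(0x80, password.encode()))     # authentication simple [0]: cleartext!
    return _tlv(0x30, _ber_int(message_id) + bind_request)  # LDAPMessage SEQUENCE


def parse_bind_request(packet: bytes) -> Dict[str, Any]:
    """Decode one LDAPMessage; for a BindRequest expose DN and, if simple, the password."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    result: Dict[str, Any] = {"message_id": int.from_bytes(mid, "big")}
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        result["op"] = f"0x{tag:02x} (not a BindRequest)"
        return result
    _, ver, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    auth_tag, cred, _ = _read_tlv(op, pos)
    result["version"] = int.from_bytes(ver, "big")
    result["bind_dn"] = dn.decode()
    if auth_tag == 0x80:                   # simple [0] OCTET STRING
        result["auth"] = "simple"
        result["password"] = cred.decode()  # readable by anyone on the wire
    elif auth_tag == 0xA3:                 # sasl [3] SaslCredentials { mechanism, credentials }
        _, mech, _ = _read_tlv(cred, 0)
        result["auth"] = "sasl"
        result["mechanism"] = mech.decode()  # e.g. GSS-SPNEGO: no password on the wire
    else:
        result["auth"] = f"unknown tag 0x{auth_tag:02x}"
    return result


def check_ldaps(host: str, port: int = 636, timeout: float = 5.0) -> Dict[str, Any]:
    """Handshake against the DC on 636 and report the negotiated TLS version and cert.

    Raises on a closed/blocked port or an untrusted certificate, which is exactly
    the situation in which a client may silently fall back to 389. Not invoked
    below because it needs network access to a real domain controller.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"tls_version": tls.version(),
                    "subject": cert.get("subject"),
                    "not_after": cert.get("notAfter")}


if __name__ == "__main__":
    # Made-up service account, as ArcGIS Server might bind with on TCP/389.
    wire = build_simple_bind(1, "CN=svc-arcgis,OU=Service Accounts,DC=example,DC=local", "Hunter2!")
    print("on the wire:", wire.hex())
    print("sniffer sees:", parse_bind_request(wire))
```

Running the script prints the raw bytes and the decoded DN and password; note that the password appears verbatim in the hex dump, which is what the vulnerability scanner flagged. Point `check_ldaps("dc01.example.local")` at the real domain controller (hostname assumed) to confirm 636 is open and the certificate is trusted before expecting the client to use it.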