Group Managed Service Account be used for Windows Integrated Authentication?

440
3
06-24-2020 09:43 PM
NeoGeo
by
Occasional Contributor III

When using web-tier authentication with integrated Windows Authentication, can a group managed service account be used for the account that is used to determine the groups in which users reside?

ESRI documentation states that one should use an account with a password that does not expire, which is not allowable by my organizations security policy with no exceptions.  In fact account expirations are barely over a month which would make maintaining an ArcGIS server a nightmare unless a group managed account could be used. ESRI docs say that a group managed service account can be used for the service account that ArcGIS server runs as and they provides a tool for doing so, but they do not say for the Windows Integrated Authentication.

Many Thanks!

0 Kudos
3 Replies
NeoGeo
by
Occasional Contributor III

For those looking for the same answer for ArcGIS Server 10.8, I initiated an ESRI tech support call, and as of 6-26-2020, the answer was that they did not support usage of a group managed service account for the account used for Integrated Windows Authentication to query users and roles, which is a maintenance nightmare for organizations with strict password expiration policies.  He said that the only alternative at this time is a SAML server, but that is not an option for us at this time due to our organization's security policies.  

Pål_Herman_Sund
Occasional Contributor

Thanks @NeoGeo I struggle a bit now in the same "domain" for a number of solutions. If You have not seen it previously take a look at https://support.esri.com/en/technical-article/000021125

0 Kudos
ThomasColson
MVP Frequent Contributor

For those that are wondering why ENH-000129687 [Enhancement] Provide the ability to use Group Managed Services Account while setting up Integrated Windows Authentication in Portal for ArcGIS in ArcGIS Enterprise. is classified as "Will Not Be Addressed" is: "This feature would require significant research and development" despite the significant workload customers have in maintaining and keeping secure a password-based service account for this purpose (or the significant amount of $ that GIS server license costs). 

0 Kudos