We recently upgraded to GIS Server 10.3 and are using active directory to secure private services. We used to be able to add users without domain. Now, new users get domain in front of their usernames, e.g., "AD\lhuggin"
The domain\ is problematic. There is no prompt for users and it is constantly forgotten, or entered as a "/" instead of "\". I can't even keep it straight. We are all in the same domain so it would be nice if we can specify this somewhere as the domain for all and not make our users include it. If I had a nickel for every email that I got saying I am trying to access our web map or explorer for GIS map and it says my password is wrong... 9.9 times out of 10, it is a problem with this new domain prefix.
Is there a workaround for this? Or plans to change it in future releases?
If you have the Web Adaptor installed, you can configure Integrated Windows Authentication:
You can then set the server name where the Web Adaptor is installed as a trusted server in ArcGIS Online. See the last bullet in the following link:
Then, when a user accesses a service in ArcGIS Online their credentials are passed automatically and they won't be prompted.
Also, you may need to add your Web Adaptor URL to your Local intranet. To do this, follow these steps:
1. Go to Start > type in 'Internet Options'
2. Security tab > click 'Local Intranet' > Sites > Advanced
3. Add your Web Adaptor URL (i.e. webadaptor.esri.com) > Add > Close > Ok
For context, the domain prefix requirement is in place at this point because many users require ArcGIS Server to support multi-forested domains. Without qualifying the account, and without a transitive trust there's no way for the server to know which domain a user belongs with.
[#NIM082956 Support ArcGIS Server security with the users and roles in multiple Active Directory trees]
Thanks for that addition, Randall
I understand that is an enhancement made for folks with mulitple domains but we are all under same domain and would like an option to specify that is configuration of GIS Server so folks don't have to type it in.
randall_williams-esristaff since you seem to be familiar with this topic I want to confirm that NIM only addresses cases in which a 2 way trust exists?
I think we also found via manual configuration options it provides failover redundancy so that if LDAP1 store goes down it goes to LDAP2 store.
We have been fighting a major issue here for 2 years now due to the ArcServer limitations of a single store. We have a 1 way trust scenario where our external users forest trusts our internal users forest but the internal doesn't trust the external. We have done several conference calls with ESRI staff, tried to find middleware to address these shortcomings and made attempts to architect solutions on our end. Thus far, about the only solution we have come across is using AD LDS and that's it's own nightmare scenario but also adds on a lot of complexity from our Administrators end to manage the LDS store, etc.
To be fair, ESRI is not the only vendor application we have run into this issue with. Just a bit frustrating because it's a valid scenario and one that Microsoft invested the time in building in to meets lots of security check boxes but so many applications can't properly allow the MS end to simply do what it's designed to do. The standard answer we always seem to get is, "sorry, you have to stand up 2 environments, doubling your resource costs and administrators work loads while also ensuring you keep both environments mirroring each other to ensure internal and external users access the same things."
Just wanted to see if you knew of any pending updates on the ESRI end for scenarios such as ours or know of work arounds we maybe have not investigated?