I've been hunting around for what I thought would be an easy answer. Does anyone know, or know of a resource that I can access, which lets me assign users/passwords to potential WFS or WMS users? Currently, once a service is locked for private access via ArcGIS Server Manager, the only way you can access it is via the default service mapping capability via ArcGIS Server and not WMS or WFS. I need to be able to expose my OGC web services to a limited set of user accounts.
I know that the "help" says that I'm to rely on knowing how to set up HTTP Basic or HTTP Digest for OGC service authentication since it is decoupled from ESRI's ArcGIS Server implementation. However, I'm having a difficult time finding where to find files like .htaccess.
I'm running ArcGIS Server 10.2 on an AWS EC2 linux box. The web server is server is listed as cloudflare-ngnix and I have no clue about how it works. So...I'm thinking that since this isn't a straight-forward Apache config edit operation, it is currently above my head.
Does anybody have experience setting up OGC web mapping service authorization running ArcGIS Server 10.2 within an EC2 AWS Linux environment? I'd just love a step-by-step guide.
Thanks in advance,
Hi Peter I'm working in the same issue that you also using ArcGIS Server 10.2. I can't access Arcgis services that have security restrictions using WMS/WFS protocol, only using arcgis server user connection in arcmap it's run. In my tests if I change the authentication method of GIS Server to Web using Webadaptor the problem persists. I configured Webadaptor in JBoss AS to use HTTP Basic authentication using the same LDAP server that is configured in ArcGIS Server using JBoss realms, but when I access the WMS service from ArcMap JBoss require credentials, I enter credentials in ArcMap but Webadaptor can't communicate correctly with GIS Server. If a access services direct from browser through Webadpater the same return the folowing error after authentication "Unable to decrypt user credentials from web adaptor" I stoped at this point and don't found any documentation that explains how to configure and use HTTP Basic authentication with ArcGIS Server, using token mechanism all is ok but I also need to expose WMS/WFS services without token mechanism of ArcGIS Server. I suspect that this feature of HTTP Basic authentication only runs on Webadpator using IIS but I never tried this using IIS.
If you have some news about this issue and can share I'll be very happy or when I have I'll post here.
Sorry for the delay. I was able to establish HTTP Basic authentication after a lot of work. In summary, it involved the following steps:
sudo apt-get install slapd ldap-utils
connectionURL = "ldap://localhost:389"
<display-name>Your Portal Name</display-name>
<realm-name>Your Portal Name</realm-name>
The role that is required to access the admin pages
The role that is required to access the internal pages
The role that is for customer-accessed pages
Note that text/tags within these XML configuration files that all tags are case-sensitive! So make sure that they are used exactly like the example (Lesson-learned, I did not have one letter capitalized and the whole thing wouldn't work as a result).
Sorry, this message has been a long one. My main hope is that it was instructive but also illustrative of the complexity involved. I originally thought "Basic authentication" would be easy that was definitely not the case. If you need anymore details about a particular section, we can continue the thread.
My not-so-humble opinion is that for its cost, ArcGIS Server should be designed for complete solutions including OGC services. A robust best-in-class product ensures that nothing much needs to be done outside the ArcGIS Manager GUI once it is installed.
An advanced GIS Practitioner should not require heavy linux/tomcat/etc implementation know-how. Is there a GIS program out there that teaches all this? I don't think so. Luckily I have grown to know enough unix to make me dangerous, and i'm pretty good at googling. So I managed to accomplish implementing "Basic" authentication with ArcGIS Server with only general guidelines but not without going through a share of turmoil.
Lastly, just in case you think I actually exist to bash ESRI, I generally like and appreciate ESRI desktop applications. They are brilliant. However I see two areas that need improvement for this and other cases: complete support for OGC services (they are here to stay), and bringing up the level of support within the JAVA/linux server space compared to that provided to Microsoft environments.
At the very least, I expected a white paper to address setting up web-tiered authentication rather than bupkis.
Again, if you'd like any further help with accomplishing some or all of the above steps, then I am at your service.
All the best,
Thank you so much for your response and detailed instructions, your instructions are best of any article from ESRI about this subject
I did all steps that you explained but in JBoss, the Realm authenticate correctly users in LDAP and ArcGIS also configured and runs with LDAP. The problem in my case is that the communication between WebAdapter and GIS Server return an error and have a strange behavior because I register WebAdapter with success and use without problems until configure LDAP, but I don't know why the register don't appear in GIS Server. I'll try again this process and also try to use Tomcat to deploy WebAdapter, ASAP I'll post results here.
Peter, I completely agree with your comments in the end of your response, I'm a Java Architect and I know how this Realms and configurations really runs, the WebAdapter is only a simple proxy to ArcGIS Server, the requirements needed to make use of "Basic Authentication" in WebAdapter says "Give all work to AppServer and administrator os server and have faith" as you say "A robust best-in-class product ensures that nothing much needs to be done outside the ArcGIS Manager GUI once it is installed." and this is not this case, the knowledge need to do this tasks are from a experienced deployer in Java Web Applications with some knowledge in security and LDAP it's not for anyone.
I think ArcGIS Server don't want to be a good OGC player, only make you product compliant to receives the OGC stamp.
Well thank you for you response Peter, I'll try change some steps that I used here and post results here ASAP.
Hi. Glad I was able to provide some help. Here are some screen shots illustrating the entries I made and have worked for me within ArcGIS Server Manager using the security configuration wizard. Some entries are perhaps more intuitive than others.
The Security screen ends up looking like:
Note, afterwards you can view users and groups in the ArcGIS Server Admin interface. You may have to reassign the "role type" to a particular role (i.e., assign 'admin' role to 'Administrator' role type), but otherwise but everything else is administered via your LDAP admin application.
Hope this helps,
I followed your steps but i would not able to configure tomcat 7 with web adapator arcgis 10.2.1 to open map services running in Arcgis Server 10.2.1 with LDAP Authentication in windows environment.
Before i move my components into server environment.I have installed tomcat 7 and web adapator in windows 7 this acts has web server with my ASP.NET MVC Application running in same machine.GIS server is an another windows 7 machine with Arcgis server with built in arcgis server roles and users from LDAP of my organisation ,i used web tier authentication here.
But i am facing difficulty in configuring Tomcat and web adapator to communication with Arcgis server in another machine.
Please can you give your suggestions.What i am doing wrong.
Thanks in advance,
How to properly configure Tomcat to allow secure acces to services, did i miss something?
Users and roles are created in ApacheDS and are visible on ArcGIS Manager. Link to free wms service works, after changing service security to private QGIS throws an error - forbidden.
Windows server 2012 R2
ArcGIS Server 10.5
Web Adaptor Java Windows 105_154008
Windows firewall - off
ArcGIS Server Security - Configuration Settings
1.User and Role Management - Users from an existing enterprise system (LDAP or Windows Domain) and roles from ArcGIS Server's built-in store
2.Enterprise Store Type - LDAP
3.LDAP User Store:
Host name: vms12
Base DN: ou=system
RDN attribute: uid
Administrator's DN: uid=admin,ou=system
4.Authentication Tier - Web Tier
C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\server.xml
C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\web.xml
The role that is required to access the HTML Manager pages
I have registered an ArcGIS Web Adaptor in Apache Tomcat with an ArcGIS Server site using Web Tier Authentication via LDAP with an Active Directory instance.
I can configure Basic Authentication successfully however with Digest enabled, attempts to log into ArcGIS Server fail. Has anyone successfully implemented Digest authentication?