Changing Admin ArcGIS account password

12-17-2019 09:48 AM
Kara_Shindle
Occasional Contributor III

I'm looking for info on being able to change the Admin ArcGIS account setup when we installed ArcGIS Server & Web Adapter.  I took over for my predecessor and I'd like to update the account to a more secure password.  This is at the behest of our IT Department, since this account doesn't follow the standard 3 month password reset procedures.

I've heard that this affects multiple things and I want to make sure that I am taking care of everything and not breaking connections, as I have several services consumed by the public.

Thus far, I've read that changing the Administrator Account password will result in the following:

  • All services will be restarted when the account is changed
  • The Web Adaptor will possibly need to be reconfigured (not sure how yet)

Is there anything else I need to be aware of that this will affect?

We have an enterprise license, but are not actually fully set up, so we only have Server & the Web Adaptor at this time.  

Edit:  The goal is to move to a full enterprise setup next year, approval pending.

4 Replies
MichaelVolz
Esteemed Contributor

Do you think that this account will ever need to follow the SOP at your org for change every 3 months?

I would also be curious how this goes if you have the full enterprise stack with Portal and Data Store.

Kara_Shindle
Occasional Contributor III

I know they'd like it to.  ESRI came to visit us to talk about Enterprise implementation, and they advised against this account following the 3 month SOP.  Said it would cause all sorts of issues, which is part of why I am asking this question.

RandallWilliams
Esri Regular Contributor

Hi Kara Shindle,

This is a great question, and there are actually a few different answers to it depending on your perspective and which accounts you're discussing - OS tier accounts or GIS tier accounts in ArcGIS for Server (specifically).

Let's start with OS tier accounts, since I'm assuming that these are what your IT mandates 3 month rotation for.

In terms of OS accounts, the best answer you could have been provided would have been to use a gMSA (Group Managed Service Account). A gMSA is a special account used on Windows domains where password management is handled by the OS, passwords are generated on the fly based on key exchange, and is never actually known by a user. 

Using a gMSA can be done already in 10.7.1 and earlier. The use of a gMSA account precludes the need to reset passwords at all. See:

How To: Configure ArcGIS Enterprise to use a group-managed Service Account 

More: At 10.8, gMSA is supported at install time. Prior to 10.8, the software needs to be installed under a 'standard' account, then later moved to a gMSA. 

You are correct that updating the ArcGIS Account (the os/domain account that 'owns' the ArcGIS processes) will cause a restart of the ArcGIS Server processes - that must happen when rights to files on disk used by a process change. The Configure ArcGIS Account utility handles permission updates for you.

In terms of the web adaptor, that process is typically run under the context of the IIS application pool identity. Updating the ArcGIS account will not change the application pool identity and does not itself require updating the web adaptor. 

From the other perspective, there's the GIS tier. That's the built-in user and role store that ships with ArcGIS Server.

If those passwords should be rotated, I'd recommend integrating ArcGIS Server with your Windows Active Directory, which allows for centralized administration.

We'd also typically recommend disabling the Primary Site Administrator (PSA) account. This is the account that's typically used when configuring the web adaptor. Disabling the PSA will not break communication between the Web Adaptor and the GIS Server. Disabling the PSA would prevent you from changing the user and role store from the built in store to the enterprise store (active directory). You should promote one or more trusted domain accounts to the ArcGIS Server administrator role prior to disabling the PSA. 

Another consideration you may need to think about is if using older patterns like embedded passwords in proxy pages that web applications may use to communicate with the GIS Server.

Other than that, I haven't personally run into issues when updating service accounts or built-in accounts. If others out there in GeoNet-land have considerations I haven't thought about for password update workflows, I'd appreciate the dialog in the continued comments. 

Best,

Randall

Esri Software Security and Privacy, Esri PSIRT

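As an added example (not from this thread, nor from Esri's documentation), here is the PowerShell sequence an administrator would run to create the gMSA Randall describes, confirm the ArcGIS Server host can retrieve its password, and check which account the ArcGIS services actually run under afterwards. The forest, host name (ARCGIS01) and account name (svc-arcgis) are placeholders; it assumes the Active Directory PowerShell module and rights to create the KDS root key and service accounts.

```powershell
# Added example, not Esri's code. Placeholders: ARCGIS01 (server host), svc-arcgis (gMSA name),
# corp.example (domain). Run the AD steps on a domain-joined admin workstation or DC.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which gMSA passwords are derived.
# -EffectiveImmediately is fine for a lab; in production the key is usable only after
# replication (about 10 hours), so omit the switch and wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Create the gMSA. Only the listed computer account can retrieve the password, and AD
# rotates it automatically on the given interval, so no human ever knows or resets it.
New-ADServiceAccount -Name 'svc-arcgis' `
    -DNSHostName 'svc-arcgis.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'ARCGIS01$' `
    -ManagedPasswordIntervalInDays 30

# On the ArcGIS Server host itself: register the account locally and verify that this
# machine is allowed to fetch the managed password (Test returns True on success).
Install-ADServiceAccount -Identity 'svc-arcgis'
Test-ADServiceAccount -Identity 'svc-arcgis'

# Hand-off to Esri's Configure ArcGIS Account utility (select CORP\svc-arcgis$ as the
# ArcGIS account; it fixes file permissions and restarts the processes, as noted above).

# Post-change check on the host: every ArcGIS service should now start as the gMSA,
# which shows as a StartName ending in '$'. Anything else is still on a human-managed password.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -like 'ArcGIS*' } |
    Select-Object Name, StartName, State
```

The Web Adaptor is unaffected by this change because, as the reply notes, it runs under the IIS application pool identity rather than the ArcGIS account.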
ThomasColson
MVP Frequent Contributor

gMSAs are the only path forward here.
