Windows Authentication?

11-13-2012 01:27 PM
SteveClark
I think I am missing something. We have an IIS server set up with Web Adaptor managing two ArcGIS Servers. I want to assign users and roles from AD but according to http://resources.arcgis.com/en/help/main/10.1/index.html#//015400000517000000 I would need to have Web Adaptor installed on the ArcGIS Servers as well? Or vice-versa? I understand that it performs the authentication but how to do it from Server Manager? Once I put in my credentials, set the web tier, I would hope to see the AD users and roles so I can assign them.
0 Kudos
8 Replies
Original User: jeff_smith

It sounds like you are very close to getting AGS configured to use Windows Authentication.  The web adaptor just needs to be installed on the IIS web server.  This is also where you enable Windows Authentication on the ArcGIS folder in IIS.

From the Server Manager you just need to adjust the security configuration to use "Users and roles from an existing enterprise system" and make sure to select to set the authentication tier to "Web Tier".  When you do this you will be asked to input a username and password that can connect to the Windows domain.

Once completed, you can then click on the padlock next to your map services or map service folder and adjust the security accordingly.  This is where you will see the list of groups in your AD.  If you want to see the list of users assigned to each group, click on Security and you can click on Users or Roles in the menu bar at the top.  Keep in mind that management of the users and roles can only be done through the AD.  If you want to be able to manage the roles, you will need to reconfigure the security to use enterprise users with the ArcGIS Server built-in roles.
0 Kudos
SteveClark
Thank you Jeff for your reply. A couple of clarifications. I am able to set up the security configuration successfully and they do show Windows Domain for User/Role Store and Web for Authentication Tier/Mode. I used my domain account as the username/password (should I have used another account instead?). I also verified on IIS that Anonymous Authentication has been disabled and Windows Authentication enabled (are there any advanced IIS settings that need to be set?).

I clicked on the padlock on the root folder in Manager and I guess I would've expected to see a list of users/roles from AD. But I get a message on top saying that "No roles have been selected. Only Administrators or Publishers will have access to this resource." and no available roles to select. What am I missing?
0 Kudos
Original User: jeff_smith

When you click on the padlock next to your root folder, you should see a list of groups pulled from your AD.  This should be the same list you see when you click Security > Roles from your Server Manager.  If both of these lists are empty, the username you specified when connecting to your AD may not have rights to list the users and groups in the AD.  You would need to talk to your domain admin about that.  If that is the case, you can try connecting to your AD with a different username/password when setting it up.
0 Kudos
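The two checks discussed so far in the thread (IIS authentication on the Web Adaptor application, and whether the account given to Server Manager can list AD groups) can be run from PowerShell on the IIS server. This is an added example, not part of the original posts and not Esri code; the site name `Default Web Site`, the application name `arcgis`, and the use of `$env:USERDNSDOMAIN` as the domain are assumptions, and `a_gis_admin` is the group name mentioned later in the thread.

```powershell
# Added example. Assumptions: Web Adaptor is the IIS application "arcgis"
# under "Default Web Site"; the server is joined to the domain being queried.
Import-Module WebAdministration

$site      = 'Default Web Site'   # assumption
$app       = 'arcgis'             # assumption
$groupName = 'a_gis_admin'        # group name from the thread; use your own

function Get-AuthEnabled {
    param([string]$Kind)  # e.g. anonymousAuthentication, windowsAuthentication
    $filter = "system.webServer/security/authentication/$Kind"
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$site/$app" -Filter $filter -Name 'enabled').Value
}

# Bind to AD with the same account that was entered in Server Manager,
# so the result reflects what that account is allowed to enumerate.
$cred = Get-Credential -Message 'Account used for the Windows domain store'
$groups = @()
$bindError = $null
try {
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$env:USERDNSDOMAIN",
        $cred.UserName,
        $cred.GetNetworkCredential().Password)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(objectCategory=group)'
    $searcher.PageSize = 500      # page results so large directories are not truncated
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $groups = @($searcher.FindAll() |
        ForEach-Object { $_.Properties['samaccountname'][0] })
} catch {
    # A failed bind or a denied search is reported instead of an empty list
    $bindError = $_.Exception.Message
}

[pscustomobject]@{
    AnonymousEnabled = Get-AuthEnabled 'anonymousAuthentication'  # expected False
    WindowsEnabled   = Get-AuthEnabled 'windowsAuthentication'    # expected True
    GroupsVisible    = $groups.Count
    TargetGroupFound = $groups -contains $groupName
    BindError        = $bindError
}
```

If `GroupsVisible` is zero or `BindError` is set, the account cannot enumerate the directory and the role list in Manager will be empty for the same reason.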
SteveClark
Our AD is fairly wide open and there are really no restrictions on my domain account, which does have admin rights. I should be able to see all AD users and roles, as I can outside of the ArcGIS Server environment.

I think it goes back to the message:

"No roles have been selected. Only Administrators or Publishers will have access to this resource."

How are Administrators or Publishers set up within the Manager security? My goal is to define an AD role for each of those two.
0 Kudos
Original User: jeff_smith

That's fine.  It sounds like you have configured your Role store to be 'ArcGIS Server Built-in'.  If this is the case, you will need to define the roles first before you can assign them.  This is done in Server Manager by clicking on Security > Roles.  Click on the 'New Role' button on the right side of the screen and when you name your role, you can categorize it as User, Publisher, or Administrator.  You can also add users to the role from here.

Once that is done, you can then click on the padlock next to your root folder and you should see the list of roles you just created.
0 Kudos
SteveClark
I think that's where my disconnect comes from.  First, my Role Store is configured for Windows Domain. I can add a new role (and users for that role) but that's not what I am looking for. Is there a way to assign an existing AD group (e.g., a_gis_admin) as an Administrator? That group already has the AD users assigned to it.
0 Kudos
Original User: jeff_smith

No problem.  When using Windows Domain for your role store, you should be able to click on Security > Roles from your Server Manager and click on the edit (or pencil) icon on the right side of the screen for the role you want to change.  This will allow you to change the role type from User to Publisher or Administrator.  If the role is not listed there, you can try searching for it in the 'Find Role' box.  If you are still having trouble accessing the roles, I would recommend opening an Esri Support incident so someone can take a closer look at your AD configuration.
0 Kudos
SteveClark
Thanks for all of your help and timely responses, Jeff, I appreciate it.
0 Kudos