ArcGIS Server 10.2 security to use AD

10-01-2013 08:19 AM
by Anonymous User
Not applicable
Original User: Steve Clark

I am running into a glitch or sequencing problem in configuring ArcGIS Server 10.2 security to use Windows AD.

Here are the steps I've done:
1. Web Adaptor installed and configured
2. arcgis site in IIS has been set to anonymous=disabled, windows=enabled
3. logged into manager on our web adaptor as the primary site admin (arcgis)
4. In Security->Settings, configured for Users and roles in an existing enterprise system
5. Chose Windows Domain
6. entered in a domain account/password (used mine and another time, the global arcgis server account set up in the web adaptor)
7. Chose Web Tier
8. When I clicked Finished, it went back to the login screen

Attempting to log in again, using my account or the server account gave me an Unauthorized User screen. Logging in as the PSA just hangs.

To undo, I went back to IIS and undid step 2 and then logged into one of my arcgis servers and reset the Security Configuration back to default.

Was this the wrong order? I would assume that after step 8, it would allow me to configure the AD group allowed for Admin access. But since I couldn't do that, everyone was locked out. Help?
7 Replies
RickThiel
Occasional Contributor
Hi Steve,

If you want to use your organization's Active Directory, you should choose LDAP instead. The Windows Domain, which you chose, will only allow you to select users or roles on the local server. I just set up my Active Directory for 10.2 yesterday. After a few configuration setting trial/errors it now works great. I supplied a screenshot:

[Attachment: screenshot]

Let me know if you have any other questions.

-_Rick
by Anonymous User
Not applicable
Original User: bubbahey25

What I do is use Windows Domain and I create the roles and users in Server Manager.
RickThiel
Occasional Contributor
UPDATE!

I apologize... this information might not be correct for you. If you want to use Windows Integrated Authentication, it would be better to use Windows Domain.

I'm not sure when it would be beneficial to use LDAP. I do know that it may cause you some problems when you want to publish services.
by Anonymous User
Not applicable
Original User: nosajeeel

Steve,

I also had this same problem; did you ever find a solution to the issue?

Jason
SteveClark
New Contributor III
Sorry for the delay in getting back to this. I finally had a chance to work on this and here's what I was able to do. Based on Rick's first suggestion, I did go ahead and use the LDAP parameters with help from http://resources.arcgis.com/en/help/main/10.1/index.html#//01540000050w000000. I was able to see all of our AD roles (despite the awkward interface). I assigned one of the roles to Administrator (which I and a few others are a member of) and left all of the many other roles as User. However, it did not work as expected - the point was for any member of that role to be able to log in to ArcGIS Server Manager with their own credentials and manage the site just like logging in as arcgis would. Still something missing...
by Anonymous User
Not applicable
Original User: vmshort

Did you manage to solve this? We have exactly the same problem.

Thank you
WilliamCraft
MVP Regular Contributor
Are you still seeing 401 Unauthorized Access when requesting via the web adaptor despite changing your configuration the way you described?  If so, are you certain that your LDAP settings are correct in that you have not restricted ArcGIS Server to see only a particular LDAP container of users (i.e., CN=ad_containername\department1_users)?  In other words, might it be possible that you have filtered for only specific domain user accounts to appear in AGS by the way in which you specified the LDAP string information?  Perhaps your domain account and the "global" account you mentioned (which I assume is a domain account) are not part of the pool of users that AGS can see.
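The scoping check William describes, as an added example that is not part of the thread: a small Python script that tests whether account DNs actually fall under the search base configured as the LDAP user store, which is the first thing to verify when the admin and service accounts come back 401 after switching to LDAP. The base DN and user DNs are constructed sample values, and the script assumes AD-style case-insensitive DN values.

```python
"""Report which account DNs an LDAP search base hides from ArcGIS Server.

Constructed example: if the user store is scoped to a base DN such as a
single department OU, any account whose DN does not sit under that base
is invisible to the server and cannot log in, even with correct credentials.
"""
import re


def split_rdns(dn: str) -> list[str]:
    """Split a DN on unescaped commas and normalise each RDN.

    Attribute types are case-insensitive and whitespace around ',' and '='
    is not significant. Values are lower-cased too, which matches Active
    Directory's case-insensitive matching (an assumption for this example).
    """
    parts = re.split(r"(?<!\\),", dn)
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def dn_in_scope(user_dn: str, base_dn: str) -> bool:
    """True if user_dn is base_dn itself or lies beneath it in the tree."""
    user = split_rdns(user_dn)
    base = split_rdns(base_dn)
    return len(user) >= len(base) and user[len(user) - len(base):] == base


def out_of_scope(user_dns, base_dn):
    """Return the DNs the configured base would hide from ArcGIS Server."""
    return [dn for dn in user_dns if not dn_in_scope(dn, base_dn)]


# Constructed sample: a search base narrowed to one department OU, plus an
# admin in that OU, a service account outside it, and an escaped-comma CN.
BASE_DN = "OU=department1_users, DC=example, DC=com"
SAMPLE_USERS = [
    "CN=sclark,OU=department1_users,DC=example,DC=com",
    "CN=arcgis svc,OU=Service Accounts,DC=example,DC=com",
    "cn=Smith\\, John,ou=department1_users,dc=EXAMPLE,dc=com",
]

if __name__ == "__main__":
    for dn in out_of_scope(SAMPLE_USERS, BASE_DN):
        print("not visible under configured base:", dn)
```

If the account used for the Web Tier login or the site's own service account shows up here, widen the base DN (for example to the domain root) before retrying the security configuration.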