hlzhang525

ArcGIS Server account (domain account) vs. "register shared folders"

Discussion created by hlzhang525 on Nov 29, 2012

Eager to seek brainstorming ideas for this scenario.

+++++++++++++
Issues on ArcGIS Server account vs. "register shared folders"

Background:

  1. The machine with hostname "PC325", running Windows Server 2008, is used to host ArcGIS Server 10.1 SP1;

  2. The domain assumed is 'USGS.org';

  3. The 'generic' domain account (say, "USGS\arcgis1" or "arcgis1 (arcgis1@USGS.org)") is intended for the "ArcGIS Server Account", during installation and for granting permissions to register against "shared folders".

The following strange things are described here for reference.

  1. When the domain account (say, "USGS\arcgis1") with the CORRECT password is used to install ArcGIS Server 10.1, it displays an error message ("invalid" password). In other words, only when the format "arcgis1@USGS.org" is used does it give a "successful" installation.

  2. With this "successful" installation, it creates the "ArcGIS Server Account (PC325\ arcgis1@USGS.org)". Certainly, it grants the "read, write" permissions on the default installation folder (say, "C:\Program Files\ArcGIS\Server"). (Note, all data and GIS documents under this folder can be registered locally against ArcGIS Server and published without any problems.)

  3. With this "ArcGIS Server Account (PC325\ arcgis1@USGS.org)", it looks like it does NOT belong to the 'generic' domain account anymore, so it fails to register any "shared folders", even though "read/write" permissions are already granted to the domain account "arcgis1 (arcgis1@USGS.org)". In other words, it ("ArcGIS Server Account (PC325\ arcgis1@USGS.org)") does not look equal to "arcgis1 (arcgis1@USGS.org)".


So, the first question is: why couldn't the installation of 10.1 keep the domain account like "arcgis1 (arcgis1@USGS.org)" or "USGS\arcgis1" during installation and then grant permissions properly?

In IT Windows security, is it possible that this issue might be caused by any "unique or special" security policies applied by organizations to the 'generic' domain accounts or application servers?

Is it reproduced in other organizations?

Or, is there any solution to fix this issue and register ArcGIS Server against "shared folders"?

+++++++++++++++
P.S.

Personally, with 10.1, the 'register data folder' strategy as one of the strict constraints for publishing GIS services is not a good idea, as it creates many potential security and operational issues. In fact, more and more organizations apply tight security to the application servers (Windows, Linux) and 'generic' domain accounts.

From our intensive hands-on practice (as one of the larger organizations), with 10.0 or earlier, we did not have any big problems with 'shared remote folders' to publish GIS services (image services).


