Using both Windows Domain and AGS built-in authentication in ArcGIS Server 10.1

04-11-2013 04:08 PM
StephanieSnider
Occasional Contributor III
In ArcGIS Server 10.0, we could have multiple web instances which allowed for an instance to use Windows Domain authentication and another instance to use Database Authentication (SQL Server Express). I'm trying to figure out how I can set up this functionality in 10.1. In the GIS Server component, you can choose:

1. User/Roles from AGS built-in store
2. User/Roles from Windows (existing enterprise system)
3. Users for Windows and Roles from AGS built-in store

I want BOTH Windows (users/roles) and AGS built-in store (users/roles).  How do I do that?  Can I set that up by installing multiple instances of the web adaptor?  On the server that will host the web adaptor(s), I was thinking I could have two IIS websites (using two different ports).  One website would have the web adaptor using Windows Authen, while the second website would have a second install of the web adaptor using ArcGIS Server's built-in store for authentication.

If anyone has experience with this type of setup or has a better idea, please share your wisdom.  I'd appreciate it.
JustinRodriguez
Occasional Contributor
Hello Everyone,
The answer is no, you cannot. The security information is stored in the Config-Store. The servers share the config-store, therefore share the security settings. Perhaps not the answer you wanted, but it is the correct answer. What specific type of workflow were you trying to accomplish? Thanks-

Justin
StephanieSnider
Occasional Contributor III
I need to separate organizational users who will use Windows authentication from public users who will use Anonymous or database authentication. Our IT group would prefer that these services be hosted on different ports. It appears that ArcGIS Server 10.1 will allow you to connect to a SQL Server database for remote membership (user/role). If this is true, perhaps I could use a mix of Windows and database authentication through the SQL Server database - bypassing the configuration store.
JustinRodriguez
Occasional Contributor
Hello Again,
That actually wouldn't work either. Users are stored as table entries in the database, not as users to login. Using mixed mode is a form of administration on the database, not actual data. Here is what I suggest:

1. Install multiple web adaptors. You can have more than one on the same machine, just turn on multiple ports.
2. Use windows integrated authentication.
3. Create an "anonymous" user for your GIS environment.
4. Give the 'anonymous' user rights to your 'public' folders/services.
5. Edit one of the web adaptors to use anonymous authentication. On this web instance only, change the anonymous user from 'Iuser' to the anonymous user you created for your GIS environment.

This will accomplish what you are asking for. Thanks-

Justin
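The IIS side of the five steps above, sketched in PowerShell as an added example that is not part of the thread. The site names `GIS-Public` and `GIS-Internal` and the application name `arcgis` are assumptions; the account is whatever dedicated public-access user was created in step 3.

```powershell
# Added example: site and application names are placeholders, not values from the thread.
Import-Module WebAdministration

$publicSite   = 'GIS-Public'     # assumed IIS site (own port) hosting the public web adaptor
$internalSite = 'GIS-Internal'   # assumed IIS site hosting the Windows-authenticated web adaptor
$appName      = 'arcgis'         # assumed web adaptor application name on both sites
$authRoot     = 'system.webServer/security/authentication'
$apphost      = 'MACHINE/WEBROOT/APPHOST'

# Step 3's dedicated account: prompt instead of hard-coding the password in the script.
$cred = Get-Credential -Message 'Account that anonymous requests should run as'

function Set-Auth {
    param([string]$Site, [string]$Scheme, [string]$Name, $Value)
    # -Location writes a <location> override in applicationHost.config for this app only.
    Set-WebConfigurationProperty -PSPath $apphost -Location "$Site/$appName" `
        -Filter "$authRoot/$Scheme" -Name $Name -Value $Value
}

# Internal adaptor: Windows integrated authentication only (step 2).
Set-Auth $internalSite 'windowsAuthentication'   'enabled' $true
Set-Auth $internalSite 'anonymousAuthentication' 'enabled' $false

# Public adaptor: anonymous only, running as the dedicated account (step 5).
Set-Auth $publicSite 'windowsAuthentication'   'enabled'  $false
Set-Auth $publicSite 'anonymousAuthentication' 'enabled'  $true
Set-Auth $publicSite 'anonymousAuthentication' 'userName' $cred.UserName
Set-Auth $publicSite 'anonymousAuthentication' 'password' $cred.GetNetworkCredential().Password

# Read the settings back so a mix-up between the two sites is caught immediately.
foreach ($site in $publicSite, $internalSite) {
    $anon = Get-WebConfiguration -PSPath $apphost -Location "$site/$appName" `
        -Filter "$authRoot/anonymousAuthentication"
    $win  = Get-WebConfiguration -PSPath $apphost -Location "$site/$appName" `
        -Filter "$authRoot/windowsAuthentication"
    [pscustomobject]@{
        Site             = $site
        AnonymousEnabled = $anon.enabled
        AnonymousUser    = $anon.userName
        WindowsEnabled   = $win.enabled
    }
}
```

Run it from an elevated session on the IIS host. The anonymous identity's credentials end up in applicationHost.config, so the account should hold only the rights granted to the public folders/services in step 4.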
PeterHanmore
New Contributor III

Justin,

I know this post is quite old but I'm trying to implement a similar configuration (one adaptor using specified account instead of IUSR).  We are using 10.7.1 now and I'm wondering if the workaround you posted above should still work in this new version of AGS?  When I try to access the service which has been granted access to a specific AD group, to which the new anonymous user belongs, the AGS log just shows an 'Anonymous User' attempted to access the service.  The service permission has been set to 'Private, available only to selected users' and the anonymous user's role is in the 'Allowed Roles' list.
Is there a better/different way to accomplish this in new versions of AGS?  I couldn't find anything besides this post.

Thanks,

Peter

ThomasMontefusco
Occasional Contributor II
Justin Rod, you are the man. Excellent idea.
JustinRodriguez
Occasional Contributor
I forgot to mention one thing. For this configuration, you would be using web tier authentication, with windows integrated on IIS.
Thanks-
Justin
nicogis
MVP Frequent Contributor

You can try creating a custom provider that manages a mix of AD and SQL Server users (your store, for example) and stores roles in SQL Server (your store, for example), with two web adaptors (basic authentication and wa) using web tier authentication (see AGSMixMembershipProvider).