Secure Map Services

04-29-2014 03:54 AM
PaulLivingstone
New Contributor III
I have created some secure map services which are only accessible to users logged on to the company domain and having the appropriate Windows role.

Is it possible to configure the service/ArcGIS Server so that the user does not have to supply the username/password to obtain a token as they are already logged onto the company domain?
7 Replies
WilliamCraft
MVP Regular Contributor
I believe what you're referring to is Single Sign-On (SSO). SSO for Windows Integrated Authentication will work with ArcGIS for Server, but I believe your users and roles all need to come from the same provider. In other words, I don't think you can use a mixed configuration whereby users come from the domain and roles come from the built-in store, as an example. You'll want to authenticate users at the web tier rather than the GIS tier. If you're using the web adaptor, configure it to use Windows authentication rather than anonymous authentication within IIS. There shouldn't be a need to enter credentials for users on the domain from that point forward.

EDIT: This article provides instructions for making the configuration changes necessary in ArcGIS for Server and in IIS for the web adaptor in order to set up Windows authentication. You'll want to review the following sections:

  • Configuring the ArcGIS Web Adaptor (IIS) to use Windows authentication

  • Configuring ArcGIS Server security to use Windows Active Directory users and roles

  • Reviewing users and roles


I'm assuming you're using 10.2.x as your software version.
JosephAccardi
New Contributor III
I believe what you're referring to is Single Sign-On (SSO). SSO for Windows Integrated Authentication will work with ArcGIS for Server, but I believe your users and roles all need to come from the same provider. In other words, I don't think you can use a mixed configuration whereby users come from the domain and roles come from the built-in store, as an example.


Hello, the way I understand it, you cannot use Integrated Windows Authentication if you have external users that need to securely log into your site. Is that correct? The article that you provided a link to states:

"This tutorial demonstrates how to secure ArcGIS web services using Integrated Windows Authentication. Integrated Windows Authentication requires users and roles to be managed in a Microsoft Windows Active Directory server. It can be a convenient approach when you want your GIS users to take advantage of the accounts they already have on your network. You can use Integrated Windows Authentication when users have Windows domain accounts and access the services through a local network."

There is no way to add external users to a Windows Active Directory server with internal user accounts, correct? I just want to make sure I'm interpreting this process correctly. The only way I've found for my external users to securely log into my web app using SSO (not having to provide credentials for each secured service which loads at startup) is to add them as a user in IIS Server Manager and turn off security for my services. This is not ideal, since anyone who knows the service REST endpoints can view the services without a login, but at least it keeps anonymous users out of the web app. Is there something that I'm missing? Should I be using a different security platform/workflow? I've read that using a proxy might solve my issues, but I've never been able to implement it correctly.

I'm still on AGS 10.1 and my web app is using FV 3.0. Has AGS 10.2.x added any additional security functionality which allows external users to use SSO to gain access to a web app with multiple secured services?

Thanks
WilliamCraft
MVP Regular Contributor
I'm unclear as to whether you're trying to secure services and expose them only on your internal network or if you're trying to make those secured services available over the internet. When you say external users, are you talking about users who do not have a user account on your network's domain, or are you talking about domain users who have an account but are working from a remote location (e.g., working from home) which is not part of a WAN? For the former, you can't use secured services and expect anyone without a domain account to be able to access those services... on or off the network. For the latter, users who are logged into the domain with a valid account should be able to see the services... they could do this by way of VPN. I'm not sure who you consider to be 'external'.
JosephAccardi
New Contributor III
Hi William, I'm sorry to confuse you. I would like to secure services and expose them, over the internet, to users that do not have a user account in my network's Windows Active Directory. I added them as a user in IIS, which provides them access to the web app, but what you're saying is that it's not possible to somehow pass the IIS Windows login credentials to the secured services, correct?
WilliamCraft
MVP Regular Contributor
Hi William, I'm sorry to confuse you. I would like to secure services and expose them, over the internet, to users that do not have a user account in my network's Windows Active Directory. I added them as a user in IIS, which provides them access to the web app, but what you're saying is that it's not possible to somehow pass the IIS Windows login credentials to the secured services, correct?


When you say you added them as users in IIS, what are you referring to? You might be able to achieve all of this, but I am curious to know why you wish to secure services yet expose them over the internet while trying to pass Windows credentials through. It might be possible using impersonation and/or changing the application pool identity in IIS. If those external users are not part of your organization or domain, and you want them to not have to input credentials when accessing the services, then I don't see how you can separate specific people from the rest of the world in terms of accessing the services. Are you saying you want to set up named Windows accounts on the domain and allow those to be used as pass-through accounts when users make external requests to the website?
JosephAccardi
New Contributor III
My goal (if it's possible) is to have a (1) password-protected web application, with (2) secured web services, that is (3) accessible to users outside of my organization. I am able to achieve #1 and #3 together without any problems, but I cannot find a way to achieve all three without my users having to, first, log into the site, and then provide the same credentials for every secured service that loads at start-up. My services need to be exposed to the internet so my external users can view them, but I would like them to be secured so they are not viewable to the public.
RichardWatson
Frequent Contributor
I previously developed a solution which used a secure ArcGIS Server running behind the firewall, i.e. as an internal component. The way that it worked is that the users authenticated against the website and ArcGIS Server requests were routed through the website. One of the things that the website did was to proxy these types of requests. If the user was authenticated, then it validated the request, generated (or used a cached) token, added the token to the request, forwarded the request to ArcGIS Server, and finally returned the response.

I am not saying that this is the pattern for your total solution but it might be a component.
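The proxy pattern Richard describes, as an added illustration that is not code from this thread or from Esri: the website authenticates the user, validates the request, attaches a server token the browser never sees, forwards, and returns the response. The ArcGIS Server side is simulated in-process so it runs offline; the token endpoint shape (POST /arcgis/tokens/generateToken with f=json returning "token" and "expires" in epoch milliseconds) and the 498 "Invalid Token" error code follow the ArcGIS REST API, while the account name, the service path and the FakeArcGISServer class are assumptions for the example.

```python
import time


class FakeArcGISServer:
    """Constructed stand-in for ArcGIS Server's token endpoint and REST
    services so the example runs offline; not a real client."""

    def __init__(self, username="gisproxy", password="s3cret"):
        self._creds = (username, password)     # assumed proxy service account
        self._tokens = {}        # token -> expiry, ms since epoch (as ArcGIS reports it)
        self.issued = 0          # how many tokens generateToken has handed out

    def generate_token(self, username, password, expiration_minutes):
        # Mirrors POST /arcgis/tokens/generateToken?f=json
        if (username, password) != self._creds:
            return {"error": {"code": 400, "message": "Unable to generate token."}}
        self.issued += 1
        token = f"tok{self.issued}"
        expires = int(time.time() * 1000) + expiration_minutes * 60_000
        self._tokens[token] = expires
        return {"token": token, "expires": expires}

    def rest(self, path, params):
        # Mirrors a secured /arcgis/rest/services/... request; 498 = Invalid Token
        token = params.get("token")
        if token not in self._tokens or self._tokens[token] < time.time() * 1000:
            return {"error": {"code": 498, "message": "Invalid Token"}}
        return {"service": path, "ok": True}

    def revoke_all(self):
        # Simulates a restart or shared-key change that invalidates live tokens
        self._tokens.clear()


class TokenProxy:
    """Web-tier proxy: authenticate the user, validate the request, attach a
    server token the browser never sees, forward, and return the response."""

    ALLOWED_PREFIX = "/arcgis/rest/services/"
    REFRESH_MARGIN_MS = 60_000   # renew a minute before ArcGIS says it expires

    def __init__(self, server, username, password, expiration_minutes=60):
        self.server = server
        self.username = username
        self.password = password
        self.expiration_minutes = expiration_minutes
        self._token = None
        self._expires_ms = 0

    def _get_token(self, force=False):
        now_ms = time.time() * 1000
        if force or self._token is None or now_ms > self._expires_ms - self.REFRESH_MARGIN_MS:
            resp = self.server.generate_token(self.username, self.password,
                                              self.expiration_minutes)
            if "token" not in resp:
                raise RuntimeError(f"token request failed: {resp.get('error')}")
            self._token, self._expires_ms = resp["token"], resp["expires"]
        return self._token

    def handle(self, session, path, params):
        """session: the website's own login state; path/params: the client's
        request. Returns (http_status, json_body)."""
        # 1. Only users the website has already authenticated get through.
        if not session.get("authenticated"):
            return 401, {"error": "login required"}
        # 2. Validate: confine to the services tree, and drop any token the
        #    client supplied so it can never substitute its own.
        if not path.startswith(self.ALLOWED_PREFIX) or ".." in path:
            return 403, {"error": "path not allowed"}
        clean = {k: v for k, v in params.items() if k.lower() != "token"}
        # 3. Attach the cached (or freshly generated) token and forward.
        clean["token"] = self._get_token()
        resp = self.server.rest(path, clean)
        # 4. A 498 means the cached token died early; regenerate once and retry.
        if resp.get("error", {}).get("code") == 498:
            clean["token"] = self._get_token(force=True)
            resp = self.server.rest(path, clean)
            if resp.get("error", {}).get("code") == 498:
                return 502, {"error": "upstream rejected a fresh token"}
        return 200, resp


if __name__ == "__main__":
    proxy = TokenProxy(FakeArcGISServer(), "gisproxy", "s3cret")
    print(proxy.handle({"authenticated": True},
                       "/arcgis/rest/services/Roads/MapServer", {"f": "json"}))
```

The two details that make this safe rather than just convenient are the path allowlist (the proxy account's token must never be usable against the admin or token endpoints) and stripping any client-supplied token parameter before forwarding, so the browser only ever holds the website's own session cookie. The single retry on 498 covers the cached token being invalidated early, for example by a server restart.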