ArcGIS for Server 10.1 - Mixed Mode Authentication

07-25-2012 10:30 PM
JoseSousa
Esri Contributor
Hi,

Is it possible to configure mixed-mode authentication in ArcGIS for Server 10.1? If so, can you guys point me in the right direction with a link?
Furthermore, I only want to restrict one AGS folder. All others should be available to everyone. I am verifying that this is not possible. In previous versions it was possible to create a new instance of AGS and have a different security model for that one to accomplish this. How does this work now?

Thanks,
José
0 Kudos
12 Replies
BubbaHey
Occasional Contributor III
There is no setting in Server Manager > Security for this, but I believe ArcSDE requires it. For more info, see:

http://resources.arcgis.com/en/help/main/10.1/index.html#//0154000004mw000000

http://resources.arcgis.com/en/help/main/10.1/index.html#//002q00000004000000
0 Kudos
JoseSousa
Esri Contributor
The libraries required to communicate with an enterprise geodatabase are now part of ArcGIS Desktop and, as was always the case before, SQL Server Mixed-Mode can be used but is not mandatory. It depends on what authentication scheme you are using.

The question is about ArcGIS for Server, not ArcSDE. I believe that it is not possible to support mixed-mode authentication in Server 10.1 Manager. Not sure if this can be achieved by including another adapter in the configuration by editing some files. There isn't enough documentation about this.

Can Esri Inc. shed some light on this?

Thanks,
José
0 Kudos
BubbaHey
Occasional Contributor III
0 Kudos
IsmaelChivite
Esri Notable Contributor
Hi,

If you want to make all services in your server public, except those within a particular folder, do the following:

- Open ArcGIS Server Manager and log in with administrative privileges.
- Click on the lock icon sitting by the name of the folder you want to make private.
- Select the roles that you want to have access to that folder (you may need to create the roles first, or configure your identity store).
- Go into the Services Directory to make sure that the folder no longer shows for 'anonymous' users.
- Use the login link in the top-right corner of Services Directory to make sure that users from the role(s) you defined actually have access to the services in that particular role.

The trick is that ArcGIS 10.1 for Server always has security enabled (as opposed to previous versions). By default we make all services public, meaning that anyone can access them, but you can easily make them private at any time. 

Ismael
0 Kudos
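The anonymous Services Directory check from the steps above can be scripted; the following is an added example, not part of the original thread and not Esri code. It assumes you have saved the `f=json` responses an unauthenticated client gets from the Services Directory root and from each folder; the folder names and sample bodies are constructed, and `audit` and `anonymous_view` are hypothetical helper names.

```python
import json

def anonymous_view(body):
    """Parse one Services Directory f=json response fetched without credentials."""
    doc = json.loads(body)
    if "error" in doc:  # e.g. code 499 "Token Required" on a secured resource
        return {"denied": True, "folders": set(), "services": set()}
    return {
        "denied": False,
        "folders": set(doc.get("folders", [])),
        "services": {s["name"] for s in doc.get("services", [])},
    }

def audit(root_body, folder_bodies, private, public):
    """Compare what an anonymous client sees against the intended policy.

    root_body      -- anonymous response for the Services Directory root
    folder_bodies  -- {folder name: anonymous response for that folder}
    private/public -- folder names expected to be restricted / open
    """
    findings = []
    root = anonymous_view(root_body)
    if root["denied"]:
        findings.append(("<root>", "root is denied to anonymous users"))
    for folder in private:
        if folder in root["folders"]:
            findings.append((folder, "private folder is listed to anonymous users"))
        body = folder_bodies.get(folder)
        if body is not None and not anonymous_view(body)["denied"]:
            findings.append((folder, "private folder is readable anonymously"))
    for folder in public:
        body = folder_bodies.get(folder)
        if folder not in root["folders"]:
            findings.append((folder, "public folder is hidden from anonymous users"))
        elif body is not None and anonymous_view(body)["denied"]:
            findings.append((folder, "public folder is denied to anonymous users"))
    return findings

# Constructed sample responses (not captured from a real server).
ROOT_OK = '{"currentVersion": 10.1, "folders": ["Parcels"], "services": [{"name": "Basemap", "type": "MapServer"}]}'
ROOT_LOCKED = '{"currentVersion": 10.1, "folders": [], "services": []}'
ROOT_LEAKY = '{"currentVersion": 10.1, "folders": ["Parcels", "Secured"], "services": []}'
PARCELS = '{"currentVersion": 10.1, "folders": [], "services": [{"name": "Parcels/Lots", "type": "MapServer"}]}'
DENIED = '{"error": {"code": 499, "message": "Token Required", "details": []}}'
```

An empty result means the anonymous view matches the policy; a "public folder is hidden" finding corresponds to the situation described later in this thread, where every folder became private after switching the identity store.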
JoseSousa
Esri Contributor
Hi Ismael,

Thanks for your attention.
Yes. I already knew that the services had security enabled by default, as you said at Dev Summit.

I have configured AGS to use AD authentication (web tier). At that point I was expecting all services to remain public. Then I went to a folder named "Secured" and applied a role with permissions to access that folder. When I tried to access the root REST endpoint I noticed it wasn't displaying any services (services inside Secured were working though). I logged in again to Manager and noticed ALL folders and the root were secured, but unlike the "Secured" folder they didn't have any role associated. Not sure whether this was applied at the moment I defined AD authentication or when I applied the role to the "Secured" folder.

When clicking the lock icon at the root folder I noticed that I cannot change the security to public. It has that option blocked for some reason. So it is private and can only be accessed if I define a role. Same for all other folders...

If I go to each folder and service and try to change the security of each to public, I see it doesn't allow it. It only lets me apply a role from AD to the service/folder.

This means that ALL services/folders are using AD (not just the ones inside the Secured Folder). Not sure this was intended by you. But it seems odd to me.

Is there any way of unlocking this manually? Furthermore, can you provide me details on how to support mixed-mode authentication? As you know, in previous versions we could create 2 instances, one pointing to AD and another one pointing to some other scheme ... what is the new way of implementing this, in case that is possible?

Thanks,
José Sousa
Esri NZ
0 Kudos
IsmaelChivite
Esri Notable Contributor
Hi Jose,

On the first issue, where setting Active Directory for your Identity Store with web tier authentication will prevent you from making services public, we will address this in Service Pack 1.

On the second issue, where you want to set two identity stores (say Windows Active Directory for internal use and Built-in or a custom store for external use, for example), we are still looking into this. At this point, a site can only be configured with one identity store.

I hope the above clarifies your questions. Do not hesitate to contact me directly if you want further details.

Ismael
0 Kudos
JoseSousa
Esri Contributor
Hi Ismael,

Thanks a lot for your clarification. I will change to GIS Server Authentication for the moment.

Cheers,
José
0 Kudos
TonyGegner
New Contributor III
Hi Ismael,

> on the first issue, where setting Active Directory for your Identity Store with web tier authentication will prevent you from making services public, we will address this in Service Pack 1.

This is still an issue. Has this been fixed in 10.2?
0 Kudos
TonyGegner
New Contributor III
> on the first issue, where setting Active Directory for your Identity Store with web tier authentication will prevent you from making services public, we will address this in Service Pack 1.

It's fixed in 10.2.
0 Kudos