ArcGIS for Server 10.1 - Mixed Mode Authentication

07-25-2012 10:30 PM
JoseSousa
Esri Contributor
Hi,

Is it possible to configure mixed-mode authentication in ArcGIS for Server 10.1? If so, can you guys point me in the right direction, link?
Furthermore, I only want to restrict one AGS folder. All others should be available to everyone. I am verifying that this is not possible. In previous versions it was possible to create a new instance of AGS and have a different security model for that one to accomplish this. How does this work now?

Thanks,
José
0 Kudos
12 Replies
harleypowers_parks
New Contributor III
It's fixed in 10.2.


Looking at 10.2 now, and it looks like it may have some issues.

Directions call for creating 2 web adaptor applications, one for public, the other for private access.

The latter is supposed to be web-tier single sign-on configurable, but not much luck here in 10.2.

I have 10.1 using LDAP and CAMS, so single sign-on works... but this capability in the web adaptor is broken in 10.2.

Specifically, special characters in the user name fail to log in, and a successful login does not make it past the progress bar.

In 10.1 this was fixed: ArcGIS-101SP1-S-SSSC-Patch.msp

But the issue is more involved than that in 10.2 when configured for single sign-on, I get a not authorized page, and services show just the public authorized web services.

No joy.
0 Kudos
PF1
Occasional Contributor II

on the second issue, where you want to set two identity stores (say Windows Active Directory for internal use and Built-in or a custom store for external use for example), we are still looking into this.  At this point, a site can only be configured with one identity store.
Ismael


Hi Ismael - Do you have an update to this? We have a public-facing AD forest with an explicit 1-way trust to our internal AD forest to authenticate external partners. Our ArcGIS Server solutions in the public domain joined to that external forest do not seem to have the ability to reach across the trust and authenticate our internal AD accounts, and subsequently authorize them to access GIS resources. We do have the ability to authenticate users across multiple domains within a single forest, but not across multiple forests.

Having a dual identity store configuration would be a great alternative. Unfortunately, the only way I can see this happening is building a custom identity provider (either ASP.NET or Java) to query both forests. Any advice would be greatly appreciated. Thanks!
0 Kudos
PF1
Occasional Contributor II

Hi Ismael Chivite

Circling back to this thread as this is still a problem we face with public deployments. Having the ability to set up multiple identity stores or authenticate users across a forest-trust model. There is an ArcGIS Ideas post submitted for consideration of support for an Active Directory Forest Trust model.

An alternative we have had to implement is to build a proxy protected in 1 forest that uses an account from the second forest. Users are authenticated to the proxy, then the proxy impersonates a service account that is known to ArcGIS Server. With this though we cannot use editor tracking and cannot handle fine-grained control at the service level. I also question the security of that model as we continue to grant that service account access to more and more. Thanks if you have any input or update.

0 Kudos
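The proxy workaround in the last post loses per-service control because ArcGIS Server only ever sees the shared service account. As an added example (not code from this thread or from Esri), this Python check makes the authorization decision at the proxy, per authenticated user, with one restricted folder and every other folder public as the original question asks. The folder name `Partners`, the group names, the host `gis.example.com` and the web adaptor name `arcgis` are assumptions; the proxy's audit line does not restore editor tracking inside ArcGIS Server.

```python
import json
from urllib.parse import unquote, urlsplit

# Constructed policy: lower-cased folder -> groups allowed in. Unlisted folders are public.
RESTRICTED = {"partners": {"gis-partners", "gis-admins"}}
SERVICE_TYPES = {"MapServer", "FeatureServer", "ImageServer", "GPServer",
                 "GeocodeServer", "GeometryServer", "NAServer"}
PREFIX = ["arcgis", "rest", "services"]  # assumes a web adaptor named "arcgis"


def parse_service(url):
    """Return (folder, service) for a service URL, or None for anything else."""
    path = unquote(urlsplit(url).path)  # decode first so %-escapes cannot hide a folder
    parts = [p for p in path.split("/") if p]
    if parts[:3] != PREFIX or ".." in parts or "." in parts:
        return None
    rest = parts[3:]
    # Position of the service-type segment tells root services from foldered ones.
    hits = [i for i, seg in enumerate(rest[:3]) if seg in SERVICE_TYPES]
    if hits == [1]:
        return ("", rest[0])        # service in the root folder
    if hits == [2]:
        return (rest[0], rest[1])   # service inside a folder
    return None                     # ambiguous or not a service URL


def authorize(user, groups, url):
    """Decide at the proxy, before the service account is used upstream."""
    target = parse_service(url)
    if target is None:
        allowed, reason = False, "unrecognized path"   # fail closed
    else:
        needed = RESTRICTED.get(target[0].lower())
        if needed is None:
            allowed, reason = True, "public folder"
        elif user and needed & set(groups):
            allowed, reason = True, "group match"
        else:
            allowed, reason = False, "not in an allowed group"
    # Audit line names the authenticated user, which the upstream log cannot.
    audit = json.dumps({"user": user or "anonymous", "url": url,
                        "allowed": allowed, "reason": reason})
    return allowed, audit
```

Because the decision is made before the request is forwarded, the service account's upstream permissions can be limited to the folders the proxy is meant to expose.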