This content has been marked as final. Show 4 replies
1) if you need windows authentication and sql/custom authentication you need create 2 instance ags ( see http://help.arcgis.com/en/arcgisserver/10.0/help/arcgis_server_dotnet_help/0093/0093000000pt000000.htm )
2) with sql/custom you have three special roles
"...These special roles can be added to your roles when you store them either in Microsoft SQL Server or in a custom provider. The Anonymous role enables you to designate one or more GIS Web services to be open to users who do not supply credentials (via a token). The Authenticated users role allows any user who provides correct credentials (via a token) to access the service. The Everyone role allows any user, whether authenticated or not, to access the service. When these special roles exist, no users are actually added to the roles..." so if you want have default free service you can use one of these roles in root services.
with windows users you can use windows authetication or sql server/custom for store roles. For Windows authentication you need disable anonymous while with sql server/custom store roles, you have available special roles if you use the method token.
Remember that security is given using roles.
3) Remember that ags implements security on service so your application must impersonate user or use login pass-thought (however to do) for use service (token or window authentication) so you can decide in base your need.
4) see http://resourcesbeta.arcgis.com/en/help/main/10.1/0154/0154000005m5000000.htm
Thanks for your response. I'm still processing your comments, but this seems like some useful information and links.
Just to clarify a little, yes, you can only have one type of security implemented on a particular instance: either Windows Users & Groups or SQL Server. You're right in saying that these models have different applications. I have a strong preference for SQL Security because 1.) it allows the use of tokens (while Windows Users & Groups does not) and 2.) it allows anonymous access to services (while Windows Users & Groups does not).
If you really find you need both security models implemented in your ArcGIS Server setup, you have the option of adding another instance and applying a different security model. This is accomplished by using the c:\program files (x86)\arcgis\server10.0\dotnet\addinstance.exe utility. Once you've added another instance, you can apply a different security model to it, thus allowing you to have SQL on one and Windows on another. 10.1 does get much better in the granularity of configuration, allowing editor, publisher, and administrator levels of access, so that's a definite improvement.
Finally, yes, once you enable security, all your services instantly become subject to the security configuration enabled on that instance. If you neglect to configure security on some services, they will be completely unavailable until you add a valid role to their configuration. Thus, the security model is "opt out" rather than "opt in". In 10.1, the opposite is true. Security is enabled by default, but all users can view the services until you lock them down tightly. If you have only a handful of services that you want to secure, I recommend implementing the SQL security model as it does allow anonymous connections to designated services even after security is enabled.
Hope this helps!
William, thanks for the info. This helps clarify.