12 Replies Latest reply on Jan 13, 2015 3:15 PM by pfoppe

    ArcGIS for Server 10.1 - Mixed Mode Authentication

    jvseagle-co-nz-esridist
      Hi,

      Is it possible to configure mixed-mode authentication in ArcGIS for Server 10.1? If so, can you guys point me in the right direction (a link)?
      Furthermore, I only want to restrict one AGS folder. All others should be available to everyone. I am verifying that this is not possible. In previous versions it was possible to create a new instance of AGS and have a different security model for that one to accomplish this. How does this work now?

      Thanks,
      José
        • Re: ArcGIS for Server 10.1 - Mixed Mode Authentication
          jvseagle-co-nz-esridist
          Libraries required to communicate with an enterprise geodatabase are now part of ArcGIS Desktop and, as has always been the case, SQL Server mixed mode can be used but is not mandatory. It depends on what authentication scheme you are using.

          Question is about ArcGIS for Server not ArcSDE. I believe that it is not possible to support mixed-mode authentication in Server 10.1 Manager. Not sure if this can be achieved by including another adapter into the configuration by editing some files. There isn't enough documentation about this.

          Can Esri Inc. shed some light on this?

          Thanks,
          José
          • Re: ArcGIS for Server 10.1 - Mixed Mode Authentication
            ichivite-esristaff
            Hi,

            if you want to make all services in your server public, except those within a particular folder, do the following:

            -Open ArcGIS Server Manager and log in with administrative privileges
            -Click on the lock icon next to the name of the folder you want to make private
            -Select the roles that you want to have access to that folder (you may need to create the roles first, or configure your identity store)
            -Go into the Services Directory to make sure that the folder no longer shows for 'anonymous' users.
            -Use the login link in the top-right corner of the Services Directory to make sure that users from the role/s you defined actually have access to the services in that particular folder.

            The trick is that ArcGIS 10.1 for Server always has security enabled (as opposed to previous versions). By default we make all services public, meaning that anyone can access them, but you can easily make them private at any time. 

            Ismael
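The steps above are done in Manager, but the same folder-level permissions are exposed by the ArcGIS Server Administrator REST API, which makes it possible to script the lock-down and, more importantly, to verify afterwards that anonymous users really cannot see the folder. The following is an added example written for this thread; it is not code from Esri or from any poster. It assumes the Administrator API endpoints `generateToken`, `services/<folder>/permissions` and `services/<folder>/permissions/add`, the built-in principal `esriEveryone` for anonymous access, and the JSON response shapes shown in the constructed `SAMPLE_*` values; check all of these against the Administrator API reference for your release.

```python
"""Audit and lock down one ArcGIS Server folder through the Administrator REST API.

Added example for this thread, not code from Esri or from any poster.
Assumptions (verify against your release's Administrator API reference):
  - endpoints: <admin>/generateToken, <admin>/services/<folder>/permissions,
    <admin>/services/<folder>/permissions/add
  - the built-in principal "esriEveryone" represents anonymous (public) access
  - the JSON shapes in the constructed SAMPLE_* values match what the API returns
"""
import json
import urllib.parse
import urllib.request

EVERYONE = "esriEveryone"

# Constructed sample responses (not captured from a real server).
SAMPLE_PUBLIC = {"permissions": [{"principal": EVERYONE, "permission": {"isAllowed": True}}]}
SAMPLE_PRIVATE = {"permissions": [
    {"principal": EVERYONE, "permission": {"isAllowed": False}},
    {"principal": "gis_editors", "permission": {"isAllowed": True}},
]}
SAMPLE_CATALOG_BEFORE = {"folders": ["Secured", "Utilities"], "services": []}
SAMPLE_CATALOG_AFTER = {"folders": ["Utilities"], "services": []}


def is_public(permissions_json):
    """True when the folder explicitly allows esriEveryone, i.e. anonymous access."""
    return any(e.get("principal") == EVERYONE and bool(e.get("permission", {}).get("isAllowed"))
               for e in permissions_json.get("permissions", []))


def allowed_roles(permissions_json):
    """Roles (other than the public principal) explicitly allowed on the folder."""
    return sorted(e["principal"] for e in permissions_json.get("permissions", [])
                  if e.get("principal") != EVERYONE and e.get("permission", {}).get("isAllowed"))


def folder_visible_to_anonymous(catalog_json, folder):
    """True when an unauthenticated /rest/services listing still advertises the folder."""
    return folder in catalog_json.get("folders", [])


def audit(permissions_json, catalog_json, folder):
    """Summarise whether the folder is actually private from an anonymous client's view."""
    return {
        "folder": folder,
        "public": is_public(permissions_json),
        "roles": allowed_roles(permissions_json),
        "leaks_in_catalog": folder_visible_to_anonymous(catalog_json, folder),
    }


def _call(url, params=None, token=None, method="GET"):
    """Send f=json (plus token) as form data for POST or as a query string for GET."""
    params = dict(params or {}, f="json")
    if token:
        params["token"] = token
    encoded = urllib.parse.urlencode(params)
    if method == "POST":
        req = urllib.request.Request(url, data=encoded.encode(), method="POST")
    else:
        req = urllib.request.Request(f"{url}?{encoded}")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def get_token(admin_url, username, password):
    """Obtain an admin token; client=requestip ties it to the caller's IP address."""
    return _call(f"{admin_url}/generateToken",
                 {"username": username, "password": password, "client": "requestip"},
                 method="POST")["token"]


def get_permissions(admin_url, folder, token):
    return _call(f"{admin_url}/services/{folder}/permissions", token=token)


def set_permission(admin_url, folder, principal, allowed, token):
    """Grant (allowed=True) or deny a principal on the folder."""
    return _call(f"{admin_url}/services/{folder}/permissions/add",
                 {"principal": principal, "isAllowed": "true" if allowed else "false"},
                 token=token, method="POST")


def get_catalog_anonymously(rest_url):
    """Fetch /rest/services with no token, exactly as an anonymous user would."""
    return _call(rest_url)


if __name__ == "__main__":
    # Offline dry run on the constructed samples.
    print(audit(SAMPLE_PUBLIC, SAMPLE_CATALOG_BEFORE, "Secured"))
    print(audit(SAMPLE_PRIVATE, SAMPLE_CATALOG_AFTER, "Secured"))
    # Live use (placeholder host, role and credentials):
    # admin = "https://gis.example.invalid:6443/arcgis/admin"
    # token = get_token(admin, "siteadmin", "<password>")
    # set_permission(admin, "Secured", EVERYONE, False, token)        # deny anonymous
    # set_permission(admin, "Secured", "gis_editors", True, token)    # allow one role
    # print(audit(get_permissions(admin, "Secured", token),
    #             get_catalog_anonymously("https://gis.example.invalid:6443/arcgis/rest/services"),
    #             "Secured"))
```

The `audit` result is the check the last two Manager steps describe: `public` must be false, `roles` must list only the intended role, and `leaks_in_catalog` must be false, meaning an anonymous catalog request no longer advertises the folder.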
            • Re: ArcGIS for Server 10.1 - Mixed Mode Authentication
              jvseagle-co-nz-esridist
              Hi Ismael,

              Thanks for your attention.
              Yes. I already knew that the services had security enabled by default as you have said that in Dev Summit.

              I have configured AGS to use AD authentication (web tier). At that moment I was expecting all services to remain public. Then I went to a folder named "Secured" and applied a role with permissions to access that folder. When I tried to access the root REST endpoint I noticed it wasn't displaying any services (services inside "Secured" were working, though). I logged in again into Manager and noticed ALL folders and the root were secured, but unlike the "Secured" folder they didn't have any role associated. Not sure whether this was applied at the moment I defined AD authentication or when I applied the role to the "Secured" folder.

              When clicking the lock icon at the root folder I noticed that I cannot change the security to public. That option is blocked for some reason. So it is private and can only be accessed if I define a role. Same for all other folders...

              If I go to each folder and service and try to change the security of each to public, I see it doesn't allow it. It only lets me apply a role from AD to the service/folder.

              This means that ALL services/folders are using AD (not just the ones inside the Secured Folder). Not sure this was intended by you. But it seems odd to me.

              Is there any way of unlocking this manually? Furthermore, can you provide me details on how to support mixed-mode authentication? As you know we could create in previous versions 2 instances one pointing to AD and another one pointing to some other scheme ... what is the new way of implementing this in case that is possible?

              Thanks,
              José Sousa
              Esri NZ
              • Re: ArcGIS for Server 10.1 - Mixed Mode Authentication
                ichivite-esristaff
                Hi Jose,

                On the first issue, where setting Active Directory for your Identity Store with web tier authentication will prevent you from making services public, we will address this in Service Pack 1.

                On the second issue, where you want to set two identity stores (say Windows Active Directory for internal use and Built-in or a custom store for external use, for example), we are still looking into this. At this point, a site can only be configured with one identity store.

                I hope the above clarifies your questions. Do not hesitate to contact me directly if you want further details.

                Ismael
                • Re: ArcGIS for Server 10.1 - Mixed Mode Authentication
                  jvseagle-co-nz-esridist
                  Hi Ismael,

                  Thanks a lot for your clarification. I will change to GIS Server Authentication for the moment.

                  Cheers,
                  José
                  • Re: ArcGIS for Server 10.1 - Mixed Mode Authentication
                    tony.gegneresri-se-esridist
                    Hi Ismael,

                    on the first issue, where setting Active Directory for your Identity Store with web tier authentication will prevent you from making services public, we will address this in Service Pack 1.

                    This is still an issue. Has this been fixed in 10.2?
                    • Re: ArcGIS for Server 10.1 - Mixed Mode Authentication
                      tony.gegneresri-se-esridist
                      on the first issue, where setting Active Directory for your Identity Store with web tier authentication will prevent you from making services public, we will address this in Service Pack 1.

                      It's fixed in 10.2.
                      • Re: ArcGIS for Server 10.1 - Mixed Mode Authentication
                        harley
                        It's fixed in 10.2.

                        Looking at 10.2 now, and it looks like it may have some issues.

                        Directions call for creating 2 web adaptor applications, one for public, the other for private access.

                        The latter is supposed to be web-tier single sign-on configurable, but not much luck here in 10.2.

                        I have 10.1 using LDAP and CAMS, so single sign-on works... but this capability in the web adaptor is broken in 10.2.

                        Specifically, special characters in the user name fail to log in, and a successful login does not make it past the progress bar.

                        In 10.1 this was fixed: ArcGIS-101SP1-S-SSSC-Patch.msp

                        But the issue is more involved than that in 10.2. When configured for single sign-on, I get a "not authorized" page, and services show just the public authorized web services.

                        No joy.
                        • Re: ArcGIS for Server 10.1 - Mixed Mode Authentication
                          pfoppe
                          on the second issue, where you want to set two identity stores (say Windows Active Directory for internal use and Built-in or a custom store for external use for example), we are still looking into this.  At this point, a site can only be configured with one identity store.
                          Ismael

                          Hi Ismael - Do you have an update to this? We have a public-facing AD forest with an explicit one-way trust to our internal AD forest to authenticate external partners. Our ArcGIS Server solutions in the public domain, joined to that external forest, do not seem to have the ability to reach across the trust and authenticate our internal AD accounts, and subsequently authorize them to access GIS resources. We do have the ability to authenticate users across multiple domains within a single forest, but not across multiple forests.

                          Having a dual identity store configuration would be a great alternative. Unfortunately the only way I can see this happening is building a custom identity provider (either ASP.NET or Java) to query both forests. Any advice would be greatly appreciated. Thanks!
                            • Re: ArcGIS for Server 10.1 - Mixed Mode Authentication
                              pfoppe
                              Hi Ismael Chivite,

                              Circling back to this thread, as this is still a problem we face with public deployments: having the ability to set up multiple identity stores or to authenticate users across a forest-trust model. There is an ArcGIS Ideas post submitted for consideration of support for an Active Directory forest trust model.

                              An alternative we have had to implement is to build a proxy protected in one forest that uses an account from the second forest. Users are authenticated to the proxy, then the proxy impersonates a service account that is known to ArcGIS Server. With this, though, we cannot use editor tracking and cannot handle fine-grained control at the service level. I also question the security of that model as we continue to grant that service account access to more and more. Thanks if you have any input or update.