Using Windows Active Directory and PKI to secure access

When using Windows Active Directory to authenticate users, you can use a public key infrastructure (PKI) to secure access to your organization.

To use Integrated Windows Authentication and PKI, you must use ArcGIS Web Adaptor (IIS) deployed to Microsoft's IIS web server. You cannot use ArcGIS Web Adaptor (Java Platform) to perform Integrated Windows Authentication. If you haven't done so already, install and configure ArcGIS Web Adaptor (IIS) with your organization.

Configure your portal with Windows Active Directory

First, configure the portal to use HTTPS for all communication. Then update your portal's identity store to use Windows Active Directory users and groups.

Configure the organization to use HTTPS for all communication

Complete the following steps to configure the organization to use HTTPS:

  1. Sign in to the organization website as an administrator.

    The URL is in the format https://organization.example.com/<context>/home.

  2. Click Organization and click the Settings tab, and then click Security on the left side of the page.
  3. Enable Allow access to the portal through HTTPS only.

Configure your Identity Store using Active Directory users and groups

Next, update your organization's identity store to use Windows Active Directory users and groups.

  1. Sign in to the ArcGIS Enterprise Manager as an administrator of your organization.

    The URL is in the format https://site.example.com/<site context>/manager.

  2. Click Security > Identity Store.

    The option buttons under User store and Group store allow you to select how the users and groups will be managed for your organization.

  3. Select Windows under the User store.

    With Windows users, you can use the Built-in group store or a Windows group store. The input boxes in the User store and group store configuration section will change depending on the type of group store selected.

  4. In the User store and group store configuration, enter the appropriate information in each text box.
    The descriptions of each text box are as follows:

    • Username (Required)
    • Password (Required)
    • Are usernames case sensitive?—Yes or No
    • User first name attribute (Required)—The directory server attribute for a user's first name.
    • User last name attribute (Required)—The directory server attribute for a user's last name.
    • User email attribute (Required)—The directory server attribute for a user's email address.
    • Domain controller (Required)
    • Domain controller mapping

  5. Click Save when you are finished entering the information for configuring your identity store.

Add organization-specific accounts

By default, organization-specific users can access the ArcGIS Enterprise organization. However, they can only view items that have been shared with everyone in the organization. This is because the organization-specific accounts have not been added and granted access privileges.

Add accounts to your organization using one of the following methods:

It's recommended that you designate at least one organization-specific account as an Administrator of your portal. You can do this by choosing the Administrator role when adding the account. When you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.

Once the accounts have been added and you complete the steps below, users will be able to sign in to the organization and access content.

Install and enable Active Directory Client Certificate Mapping Authentication

Active Directory Client Certificate Mapping is not available in the default installation of IIS. You must install and enable the feature.

Install Client Certificate Mapping Authentication

The instructions for installing the feature vary according to your operating system.

Install with Windows Server 2016

Complete the following steps to install Client Certificate Mapping Authentication with Windows Server 2016:

  1. Open Administrative Tools and click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles and click Web Server (IIS).
  3. Expand the Web Server and Security roles.
  4. In the Security role section, select Client Certificate Mapping Authentication and click Next.
  5. Click Next through the Select Features tab and click Install.

Install with Windows Server 2008/R2 and 2012/R2

Complete the following steps to install Client Certificate Mapping Authentication with Windows Server 2008/R2 and 2012/R2:

  1. Open Administrative Tools and click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles and click Web Server (IIS).
  3. Scroll to the Role Services section and click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, select Client Certificate Mapping Authentication and click Next.
  5. Click Install.

Install with Windows 7, 8, and 8.1

Complete the following steps to install Client Certificate Mapping Authentication with Windows 7, 8, and 8.1:

  1. Open Control Panel and click Programs and Features > Turn Windows Features on or off.
  2. Expand Internet Information Services > World Wide Web Services > Security and select Client Certificate Mapping Authentication.
  3. Click OK.

Enable Active Directory Client Certificate Mapping Authentication

After you install Active Directory Client Certificate Mapping, enable the feature by following the steps below.

  1. Start Internet Information Services (IIS) Manager.
  2. In the Connections node, click the name of your web server.
  3. Double-click Authentication in the Features View window.
  4. Verify that Active Directory Client Certificate Authentication is displayed. If the feature is not displayed or unavailable, you may need to restart your web server to complete the installation of the Active Directory Client Certificate Authentication feature.
  5. Double-click Active Directory Client Certificate Authentication and choose Enable in the Actions window.

A message displays indicating that SSL must be enabled to use Active Directory Client Certificate Authentication. You'll address this in the next section.
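The installation and enablement steps above can also be scripted. The following is an added example, not part of the Esri documentation, and it assumes an elevated PowerShell session with the WebAdministration module that ships with IIS. It selects the Windows Server feature name (Web-Cert-Auth) or the client-OS optional feature name (IIS-ClientCertificateMappingAuthentication) based on the operating system type, then enables the feature at the server level, which is what step 5 does in IIS Manager. The final check covers the case in step 4 where the section is not yet registered and IIS must be restarted.

```powershell
#Requires -RunAsAdministrator
# Added example (not Esri's own code): install and enable Active Directory
# Client Certificate Mapping Authentication for IIS.

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -ne 1) {
    # Windows Server: role service "Client Certificate Mapping Authentication"
    Install-WindowsFeature -Name Web-Cert-Auth | Out-Null
} else {
    # Windows 7/8/8.1: the matching optional feature under IIS > Security
    Enable-WindowsOptionalFeature -Online -NoRestart `
        -FeatureName IIS-ClientCertificateMappingAuthentication | Out-Null
}

Import-Module WebAdministration

# The AD client-certificate mapping section. Note that
# iisClientCertificateMappingAuthentication is a different feature (IIS
# one-to-one / many-to-one mapping) and is not what this page configures.
$appHost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'

# Enable at the server level, as in step 5 of the IIS Manager procedure.
Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name enabled -Value $true

# Verify the effective setting. If the section cannot be read, the module is
# installed but not yet registered with IIS and the web server needs a restart.
$state   = Get-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name enabled
$enabled = if ($state -is [bool]) { $state } else { [bool]$state.Value }
if (-not $enabled) {
    throw 'AD Client Certificate Mapping Authentication is not enabled; run iisreset and retry.'
}
"Active Directory Client Certificate Mapping Authentication enabled at server level."
```

Run the script once per web server hosting ArcGIS Web Adaptor (IIS). Enabling the feature here does not by itself require certificates on any site; that is done on the Web Adaptor site in the next section.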

Configure ArcGIS Web Adaptor to require SSL and client certificates

Complete the following steps to configure ArcGIS Web Adaptor to require SSL and client certificates:

  1. Start Internet Information Services (IIS) Manager.
  2. Expand the Connections node and select your ArcGIS Web Adaptor site.
  3. Double-click Authentication in the Features View window.
  4. Disable all forms of authentication.
  5. Select your ArcGIS Web Adaptor from the Connections list again.
  6. Double-click SSL Settings.
  7. Enable the Require SSL option, and choose the Require option under Client certificates.
  8. Click Apply to save your changes.
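The site-level changes in steps 4 and 7 above can be applied with PowerShell as well. The following is an added example, not part of the Esri documentation, and it assumes the Web Adaptor is deployed as the application named arcgis under Default Web Site (both names are assumptions; change `$site` and `$app` to match your deployment). The authentication sections are locked at the server level by default, so the script writes them as a location override in applicationHost.config, which is the same thing IIS Manager does.

```powershell
#Requires -RunAsAdministrator
# Added example (not Esri's own code): require SSL plus a client certificate on
# the ArcGIS Web Adaptor application and disable every other authentication method.
Import-Module WebAdministration

$site     = 'Default Web Site'   # assumed site name
$app      = 'arcgis'             # assumed Web Adaptor application name
$location = "$site/$app"
$appHost  = 'MACHINE/WEBROOT/APPHOST'

# Step 4: disable all forms of authentication on the Web Adaptor application.
# Only sections that exist on this server (installed modules) are touched.
$authSections = @(
    'anonymousAuthentication',
    'basicAuthentication',
    'digestAuthentication',
    'windowsAuthentication',
    'iisClientCertificateMappingAuthentication'
)
foreach ($section in $authSections) {
    $filter = "system.webServer/security/authentication/$section"
    if (Get-WebConfiguration -PSPath $appHost -Location $location -Filter $filter) {
        Set-WebConfigurationProperty -PSPath $appHost -Location $location `
            -Filter $filter -Name enabled -Value $false
    }
}

# Step 7: Require SSL and require (not merely accept) a client certificate.
# A request that presents no certificate is rejected by IIS before it reaches
# the Web Adaptor, so the AD certificate mapping is the only way in.
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslRequireCert'

# Report the effective configuration so the change can be reviewed.
$flags = Get-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/access' -Name sslFlags
"sslFlags on $location : $flags"
foreach ($section in $authSections) {
    $filter = "system.webServer/security/authentication/$section"
    if (Get-WebConfiguration -PSPath $appHost -Location $location -Filter $filter) {
        $v = Get-WebConfigurationProperty -PSPath $appHost -Location $location -Filter $filter -Name enabled
        $on = if ($v -is [bool]) { $v } else { [bool]$v.Value }
        "$section enabled : $on"
    }
}
```

After running it, the verification in the next section should behave as described: the browser prompts for a certificate, and a client that has none receives an HTTP 403 from IIS rather than the portal sign-in page.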

Verify you can access the portal using Windows Active Directory and PKI

Complete the following steps to verify you can access the portal using Windows Active Directory and PKI:

  1. Open the ArcGIS Enterprise portal.

    The URL is in the format: https://organization.example.com/<context>/home.

  2. Verify that you are prompted for your security credentials and can access the website.

Prevent users from creating their own built-in accounts

You can prevent users from creating their own built-in accounts by disabling the ability for users to create new built-in accounts in the organization settings.