Web-tier authentication

Web-tier authentication allows you to integrate your ArcGIS Enterprise log-in experience and user management with your organization's external identity store.

To use web-tier authentication, you'll need to install and configure ArcGIS Enterprise on Kubernetes Web Adaptor. If you plan on configuring a federated server, you also must set the privatePortalURL property and configure federated server sites to recognize the privatePortalURL.

Lightweight Directory Access Protocol directories

ArcGIS Enterprise can use user and role information stored in a Lightweight Directory Access Protocol (LDAP) directory such as Apache Directory Server or OpenLDAP. ArcGIS Enterprise uses the LDAP directory as a read-only source of user and role information, meaning that when an LDAP directory is configured, you cannot use ArcGIS Enterprise to add or delete users and roles or edit their attributes.

To use LDAP, you must deploy ArcGIS Enterprise on Kubernetes Web Adaptor (Java) to a Java application server such as Apache Tomcat.

See Configure web-tier authentication with an LDAP directory for complete instructions.

Windows Active Directory

ArcGIS Enterprise can use user and group information stored in Windows Active Directory. ArcGIS Enterprise uses Windows Active Directory as a read-only source of user and group information, meaning you cannot use ArcGIS Enterprise to add or delete Active Directory users and groups or edit their attributes.

To use Active Directory, you must deploy ArcGIS Enterprise on Kubernetes Web Adaptor (IIS) to an IIS web server. IIS can be configured to use Integrated Windows Authentication (IWA) to handle user authentication.

See Use Integrated Windows Authentication with your organization for complete instructions.

Client certificate authentication

If your organization requires client certificates to authenticate users, you can configure ArcGIS Web Adaptor to handle authentication using the Transport Layer Security (TLS) protocol. This is available for both Active Directory and LDAP users. ArcGIS Web Adaptor must be deployed to either a Java application server, such as Apache Tomcat, or to IIS. The web server must then be configured to require client certificates for user authentication. Users attempting to access ArcGIS Enterprise are not required to be members; however, they must still provide a client certificate to gain access. You cannot enable anonymous access to your site when using client certificates.
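
One way to express the "require client certificates" step on Apache Tomcat, shown as an added example that is not taken from the Esri documentation. The port, file paths, store types and passwords are placeholders; the trust store is assumed to hold only the CA that issues your organization's user certificates.

```xml
<!-- conf/server.xml (Tomcat 8.5 or later): HTTPS connector fronting the web adaptor. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true">

  <!--
    certificateVerification controls whether the client must present a certificate:
      none      : the server never asks for one
      optional  : the server asks, but the handshake succeeds without one
      required  : the handshake fails unless the client presents a certificate
                  that chains to a CA in the trust store below
    Only "required" matches the requirement described above. With "none" or
    "optional", a request with no certificate still reaches the application.
  -->
  <SSLHostConfig certificateVerification="required"
                 protocols="TLSv1.2+TLSv1.3"
                 truststoreFile="conf/client-ca-truststore.p12"
                 truststoreType="PKCS12"
                 truststorePassword="PLACEHOLDER_TRUSTSTORE_PASSWORD">

    <!-- The server's own certificate and private key (placeholder path). -->
    <Certificate certificateKeystoreFile="conf/server-keystore.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="PLACEHOLDER_KEYSTORE_PASSWORD"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

To confirm the setting took effect, request the site from a client that has no certificate installed and check that the connection is refused during the TLS handshake instead of returning a sign-in page.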