You can secure access to your organization using Integrated Windows Authentication (IWA). When you use IWA, logins are managed through Microsoft Windows Active Directory. Users do not sign in and out of the organization; instead, when they open the website, they are signed in using the same accounts they used to sign in to Windows.
To use Integrated Windows Authentication, you must use ArcGIS Web Adaptor (IIS) deployed to Microsoft IIS web server. You cannot use ArcGIS Web Adaptor (Java Platform) to perform Integrated Windows Authentication. If you haven't done so already, install and configure ArcGIS Web Adaptor (IIS) with your organization.
Configure your organization to use Windows Active Directory
By default, ArcGIS Enterprise enforces HTTPS for all communication. If you have previously changed this option to allow both HTTP and HTTPS communication, you will need to reconfigure the portal to use HTTPS-only communication by following the steps below.
Using an Active Directory identity store, ArcGIS Enterprise supports authentication from multiple domains with a single forest, but does not provide cross-forest authentication. To support organization-specific users from multiple forests, a SAML identity provider is required.
Configure the organization to use HTTPS for all communication
Complete the following steps to configure the organization to use HTTPS:
- Sign in to the organization website as an administrator.
The URL is in the format https://organization.example.com/<context>/home.
- Click Organization and click the Settings tab, and then click Security on the left side of the page.
- Enable Allow access to the portal through HTTPS only.
Configure your identity store using Active Directory users and groups
Next, update your organization's identity store to use Windows Active Directory users and groups.
- Sign in to ArcGIS Enterprise Manager as an administrator of your organization.
The URL is in the format https://organization.example.com/<context>/manager.
- Click Security and click Identity Store.
The buttons under User store and Group store allow you to select how the users and groups will be managed for your organization.
- Select Windows under User store.
With Windows users, you can use the built-in group store or a Windows group store. The input boxes in the User store and group store configuration section change depending on the type of group store selected.
- In the User store and group store configuration section, enter the appropriate information in each field.
The descriptions of each text box are as follows:
- Username (Required)
- Password (Required)
- Are usernames case sensitive?—Yes or No.
- User first name attribute (Required)—The directory server attribute for a user's first name.
- User last name attribute (Required)—The directory server attribute for a user's last name.
- User email attribute (Required)—The directory server attribute for a user's email address.
- Domain controller (Required)
- Domain controller mapping
- Click Save when you are finished entering the information for configuring your identity store.
Configure additional identity store parameters
Optionally, you can modify additional identity store configuration parameters using the ArcGIS Enterprise Administration API. These parameters include restricting whether groups are refreshed automatically when an organization-specific user signs in to the organization, setting the membership refresh interval, and defining whether to check for multiple user name formats. See Update Identity Store for details.
Add organization-specific accounts
By default, organization-specific users can access the ArcGIS Enterprise organization. However, they can only view items that have been shared with everyone in the organization. This is because the organization-specific accounts have not been added and granted access privileges.
Add accounts to your organization using one of the following methods:
- Individually or in bulk (one at a time, in bulk from a .csv file, or from existing Active Directory groups)
It's recommended that you designate at least one organization-specific account as an Administrator of your portal. You can do this by choosing the Administrator role when adding the account. When you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.
Once the accounts have been added and you complete the steps below, users will be able to sign in to the organization and access content.
Configure ArcGIS Web Adaptor to use IWA
To configure ArcGIS Web Adaptor to use IWA, complete the following steps:
- Open Internet Information Server (IIS) Manager.
- In the Connections panel, locate and expand the website hosting ArcGIS Web Adaptor.
- Click the name of ArcGIS Web Adaptor.
The default is arcgis.
- In the Home panel, double-click Authentication.
- Select Anonymous Authentication and click Disable.
- Select Windows Authentication and click Enable.
- Close Internet Information Server (IIS) Manager.
Verify portal access using IWA
To verify you can access the portal using IWA, complete the following steps:
- Open the ArcGIS Enterprise portal.
The URL is in the format: https://organization.example.com/<context>/home.
- Verify that you are prompted for your organization-specific account credentials or automatically signed in using your organization-specific account. If you do not see this behavior, confirm that the Windows account you used to sign in to the machine was added to the portal.
Prevent users from creating their own built-in accounts
You can prevent users from creating their own built-in accounts by disabling the ability for users to create new built-in accounts in the organization settings.