Use LDAP and client certificate authentication to secure access

When using Lightweight Directory Access Protocol (LDAP) to authenticate users, you can use public key infrastructure (PKI)-based client certificate authentication to secure access to your ArcGIS Enterprise organization.

To use LDAP and PKI, you must set up client certificate authentication using ArcGIS Web Adaptor (Java Platform) deployed to a Java application server. You cannot use ArcGIS Web Adaptor (IIS) to perform client certificate authentication with LDAP.

Configure your organization with LDAP

By default, the ArcGIS Enterprise organization enforces HTTPS for all communication. If you have previously changed this option to allow both HTTP and HTTPS communication, you must reconfigure the portal to use HTTPS-only communication by following the steps below.

Configure the organization to use HTTPS for all communication

Complete the following steps to configure the organization to use HTTPS:

  1. Sign in to the organization website as an administrator.

    The URL is in the format https://organization.example.com/<context>/home.

  2. Click Organization, click the Settings tab, and then click Security on the left side of the page.
  3. Enable Allow access to the portal through HTTPS only.

Configure your identity store using LDAP users and groups

Next, update your organization's identity store to use LDAP users and groups.

  1. Sign in to ArcGIS Enterprise Manager as an administrator of your organization.

    The URL is in the format https://organization.example.com/<context>/manager.

  2. Click Security and click Identity Store.
  3. Click the buttons under User store and Group store to select how the users and groups will be managed for your organization.
  4. Select LDAP under User store.

    With LDAP users, you can use the built-in group store or an LDAP group store. The input boxes in the User store and group store configuration section change depending on the type of group store selected.

  5. In the User store and group store configuration section, enter the appropriate information in each field.

    The descriptions of each text box are as follows:

    • Type—LDAP or LDAPS.
    • Hostname (Required)—Name of the host machine the LDAP directory is running on.
    • Port (Required)—The port number on the host machine where the LDAP directory is listening for incoming connections.
      Note:
      For secure connections, this is typically 636.

    • User Base DN (Required)—The distinguished name (DN) of the node on the directory server under which user information is maintained, for example, ou=users,dc=example,dc=com.
    • Group base DN (Required)—The distinguished name (DN) of the node on the directory server under which group information is maintained, for example, ou=groups,dc=example,dc=com.
    • Username (Required)—The distinguished name (DN) of an LDAP user account that has access to the node containing user information. This account does not need administrative access.
    • Password (Required)—The password for the LDAP user account used to access the directory server.
    • LDAP URL for users—The LDAP URL for users that will be used to connect to the LDAP directory.
      Note:
      This is automatically generated but can be changed if needed.
    • LDAP URL for groups—The LDAP URL for groups that will be used to connect to the LDAP directory.
      Note:
      This is automatically generated but can be changed if needed.
    • Are usernames case sensitive?—Yes or No.
    • User first name attribute (Required)—The directory server attribute for a user's first name.
    • User last name attribute (Required)—The directory server attribute for a user's last name.
    • User email attribute (Required)—The directory server attribute for a user's email address.
    • Username attribute (Required)—The directory server attribute for a user's username.
    • User search attribute—This is an optional field and is only required when configuring Enterprise to use web-tier authentication on a Java web adaptor. In some scenarios, the Java web adaptor may return the authenticated username in a format that is different from the expected username specified above. An example of this would be when a Java web adaptor is configured to use client certificate authentication and the user's full distinguished name is returned from the web server, rather than just the username. In this example, the user search attribute would need to be set to distinguishedName.
    • Member attribute (Required)—The directory server attribute for the list of users who are members of a certain group.
    • Group name attribute (Required)—The directory server attribute for a group's name.

  6. Click Save when you are finished entering the information for configuring your identity store.
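The User search attribute case from step 5, worked through as an added example (not Esri code or part of the product): when certificate authentication makes the web tier report a full distinguished name, a lookup on the username attribute finds nothing, while a lookup on distinguishedName resolves the account. The sample entries, the sAMAccountName attribute, and all function names are assumptions made for illustration, and the in-memory comparison stands in for the directory server evaluating the filter.

```python
"""Added example: resolving a web-tier identity against the LDAP user store."""
import re

# Constructed sample entries; attribute names follow Active Directory conventions (assumption).
DIRECTORY = [
    {"distinguishedName": "CN=Jane Doe (GIS),OU=users,DC=example,DC=com",
     "sAMAccountName": "jdoe", "mail": "jdoe@example.com"},
    {"distinguishedName": "CN=Sam Lee,OU=users,DC=example,DC=com",
     "sAMAccountName": "slee", "mail": "slee@example.com"},
]

def escape_filter_value(value):
    """Escape RFC 4515 special characters so the value cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_user_filter(search_attribute, web_tier_identity):
    """Build the equality filter used to look up the identity the web tier returned."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", search_attribute):
        raise ValueError("invalid attribute name: %r" % search_attribute)
    return "(%s=%s)" % (search_attribute, escape_filter_value(web_tier_identity))

def normalize(value):
    """Simplified case- and whitespace-insensitive comparison form for DNs and names."""
    return ",".join(p.strip().lower() for p in re.split(r"(?<!\\),", value))

def find_user(search_attribute, web_tier_identity, directory=DIRECTORY):
    """Return the sAMAccountName of the single matching entry, or None."""
    wanted = normalize(web_tier_identity)
    hits = [e for e in directory
            if wanted and normalize(e.get(search_attribute, "")) == wanted]
    # Zero hits means sign-in fails; more than one is ambiguous and must also fail.
    return hits[0]["sAMAccountName"] if len(hits) == 1 else None

if __name__ == "__main__":
    # Identity as the web tier might report it after certificate authentication (constructed).
    cert_identity = "CN=Jane Doe (GIS), OU=users, DC=example, DC=com"
    print(build_user_filter("distinguishedName", cert_identity))
    print(find_user("sAMAccountName", cert_identity))     # username attribute: no match
    print(find_user("distinguishedName", cert_identity))  # user search attribute: match
```
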

Add organization-specific accounts

By default, organization-specific users can access the ArcGIS Enterprise organization. However, they can only view items that have been shared with everyone in the organization. This is because the organization-specific accounts have not been added and granted access privileges.

Add accounts to your organization using one of the following methods:

It's recommended that you designate at least one organization-specific account as an administrator of your portal. You can do this by choosing the Administrator role when adding the account. When you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.

Once the accounts have been added and you complete the steps below, users can sign in to the organization and access content.

Configure ArcGIS Web Adaptor to use client certificate authentication

Once you've installed and configured ArcGIS Web Adaptor (Java Platform) with your organization, configure an LDAP realm on your Java application server and configure PKI-based client certificate authentication for ArcGIS Web Adaptor. For instructions, consult your system administrator or the product documentation for your Java application server.

Note:

For client certificate authentication to work, TLS 1.3 must be disabled in the Java application server.

Verify organization access using LDAP and client certificate authentication

To verify you can access the portal using LDAP and client certificate authentication, complete the following steps:

  1. Open the ArcGIS Enterprise portal.
  2. Verify that you are prompted for your security credentials and can access the website.

Prevent users from creating their own built-in accounts

You can prevent users from creating their own built-in accounts by disabling that ability in the organization settings.