Skip To Content

Using Windows Active Directory and PKI to secure access to your portal

When using Windows Active Directory to authenticate users, you can use a public key infrastructure (PKI) to secure access to your portal.

To use Integrated Windows Authentication and PKI, you must use ArcGIS Web Adaptor (IIS) deployed to Microsoft's IIS web server. You cannot use ArcGIS Web Adaptor (Java Platform) to perform Integrated Windows Authentication. If you haven't done so already, install and configure ArcGIS Web Adaptor (IIS) with your portal.

Note:

If you'll be adding an ArcGIS Server site to your portal and want to use Windows Active Directory and PKI with the server, you'll need to disable PKI-based client certificate authentication on your ArcGIS Server site and enable anonymous access before adding it to the portal. Although it may sound counterintuitive, this is necessary so that your site is free to federate with the portal and read the portal's users and roles. If your ArcGIS Server site is not already using PKI-based client certificate authentication, no action is required on your part. For instructions on how to add a server to your portal, see Federating an ArcGIS Server site with your portal.

Configure your portal with Windows Active Directory

First, configure the portal to use SSL for all communication. Then update your portal's identity store to use Windows Active Directory users and groups.

Configure the portal to use HTTPS for all communication

  1. Sign in to the portal website as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/home.
  2. Click Organization and click the Settings tab, then click Security on the left side of the page.
  3. Check Allow access to the portal through HTTPS only.
  4. Click Save to apply your changes.

Update your portal's identity store

Next, update your portal's identity store to use Active Directory users and groups.

  1. Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
  2. Click Security > Config > Update Identity Store.
  3. In the User store configuration (in JSON format) text box, paste your organization's Windows Active Directory user configuration information (in JSON format). Alternatively, you can update the following sample with user information specific to your organization.

    {
      "type": "WINDOWS",
      "properties": {
        "userPassword": "secret",
        "isPasswordEncrypted": "false",
        "user": "mydomain\\winaccount",
        "userFullnameAttribute": "cn",
        "userEmailAttribute": "mail",
        "caseSensitive": "false"
      }
    }

    In most cases, you'll only need to alter values for the userPassword and user parameters. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below). The account you specify for the user parameter only needs permissions to look up the email address and full name of Windows accounts on the network. If possible, specify an account whose password does not expire.

    In the rare case where your Windows Active Directory is configured to be case sensitive, set the caseSensitive parameter to true.

  4. If you want to create groups in the portal that leverage the existing enterprise groups in your identity store, paste your organization's Windows Active Directory group configuration information (in JSON format) in the Group store configuration (in JSON format) text box as shown below. Alternatively, you can update the following sample with group information specific to your organization. If you only want to use portal's built-in groups, delete any information in the text box and skip this step.

    {
      "type": "WINDOWS",
      "properties": {
        "isPasswordEncrypted": "false",
        "userPassword": "secret",
        "user": "mydomain\\winaccount"
      }
    }

    In most cases, you'll only need to alter values for the userPassword and user parameters. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below). The account you specify for the user parameter only needs permissions to look up the names of Windows groups on the network. If possible, specify an account whose password does not expire.

  5. Click Update Configuration to save your changes.
  6. If you've configured a highly available portal, restart each portal machine. See Stopping and starting the portal for full instructions.

Add enterprise accounts to your portal

By default, enterprise users can access the portal website. However, they can only view items that have been shared with everyone in the organization. This is because the enterprise accounts have not been added to the portal and granted access privileges.

Add accounts to your portal using one of the following methods:

It's recommended you designate at least one enterprise account as an Administrator of your portal. You can do this by choosing the Administrator role when adding the account. When you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.

Once the accounts have been added and you complete the steps below, users will be able to sign in to the organization and access content.

Install and enable Active Directory Client Certificate Mapping Authentication

Active Directory Client Certificate Mapping is not available in the default installation of IIS. You must install and enable the feature.

Install Client Certificate Mapping Authentication

The instructions for installing the feature vary according to your operating system.

Windows Server 2016

  1. Open Administrative Tools and click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles and click Web Server (IIS).
  3. Expand the Web Server and Security roles.
  4. In the Security role section, select Client Certificate Mapping Authentication and click Next.
  5. Click Next through the Select Features tab and click Install.

Windows Server 2008/R2 and 2012/R2

  1. Open Administrative Tools and click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles and click Web Server (IIS).
  3. Scroll to the Role Services section and click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, select Client Certificate Mapping Authentication and click Next.
  5. Click Install.

Windows 7, 8, and 8.1

  1. Open Control Panel and click Programs and Features > Turn Windows Features on or off.
  2. Expand Internet Information Services > World Wide Web Services > Security and select Client Certificate Mapping Authentication.
  3. Click OK.

Enable Active Directory Client Certificate Mapping Authentication

After you install Active Directory Client Certificate Mapping, enable the feature by following the steps below.

  1. Start Internet Information Services (IIS) Manager.
  2. In the Connections node, click the name of your web server.
  3. Double-click Authentication in the Features View window.
  4. Verify that Active Directory Client Certificate Authentication is displayed. If the feature is not displayed or unavailable, you may need to restart your web server to complete the installation of the Active Directory Client Certificate Authentication feature.
  5. Double-click Active Directory Client Certificate Authentication and choose Enable in the Actions window.

A message displays indicating that SSL must be enabled to use Active Directory Client Certificate Authentication. You'll address this in the next section.

Configure ArcGIS Web Adaptor to require SSL and client certificates

  1. Start Internet Information Services (IIS) Manager.
  2. Expand the Connections node and select your Web Adaptor site.
  3. Double-click Authentication in the Features View window.
  4. Disable all forms of authentication.
  5. Select your ArcGIS Web Adaptor from the Connections list again.
  6. Double-click SSL Settings.
  7. Enable the Require SSL option, and choose the Require option under Client certificates.
  8. Click Apply to save your changes.

Verify you can access the portal using Windows Active Directory and PKI

  1. Open the portal website. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/home.
  2. Verify that you are prompted for your security credentials and can access the website.

Prevent users from creating their own built-in accounts

To prevent people from creating their own built-in accounts, disable the Create an account button and sign-up page (signup.html) in the portal website. This means all members sign in to the portal with their enterprise credentials and unnecessary member accounts cannot be created. See Disabling users ability to create built-in portal accounts for full instructions.