You can secure access to your portal using Integrated Windows Authentication (IWA). When you use IWA, logins are managed through Microsoft Windows Active Directory. Users do not sign in and out of the portal website; instead, when they open the website, they are signed in using the same accounts they used to log in to Windows.
To use Integrated Windows Authentication, you must use ArcGIS Web Adaptor (IIS) deployed to Microsoft's IIS web server. You cannot use ArcGIS Web Adaptor (Java Platform) to perform Integrated Windows Authentication. If you haven't done so already, install and configure ArcGIS Web Adaptor (IIS) with your portal.
Note:
To use web-tier authentication with a federated ArcGIS Server site, you must disable web-tier authentication (including client-certificate authentication) and enable anonymous access on the ArcGIS Web Adaptor configured with your ArcGIS Server site before federating it with the portal. Although it may sound counterintuitive, this is necessary so that your site is free to federate with the portal and read the portal's users and roles. If your ArcGIS Server site is not already using web-tier authentication, no action is required. For instructions on how to add a server to your portal, see Federate an ArcGIS Server site with your portal.
Follow these steps to configure IWA with your portal:
Configure your portal to use Windows Active Directory
By default, Portal for ArcGIS enforces HTTPS for all communication. If you have previously changed this option to allow both HTTP and HTTPS communication, you will need to reconfigure the portal to use HTTPS-only communication by following the steps below.
Note:
Using an Active Directory identity store, ArcGIS Enterprise supports authentication from multiple domains within a single forest, but does not provide cross-forest authentication. To support enterprise users from multiple forests, a SAML identity provider would be required.
Configure the portal to use HTTPS for all communication
- Sign in to the portal website as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/home.
- Click Organization and click the Settings tab, then click Security on the left side of the page.
- Enable Allow access to the portal through HTTPS only.
Update your portal's identity store
Next, update your portal's identity store to use Active Directory users and groups.
- Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
- Click Security > Config > Update Identity Store.
- In the User store configuration (in JSON format) text box, paste your organization's Windows Active Directory user configuration information (in JSON format). Alternatively, you can update the following sample with user information specific to your organization.
{
  "type": "WINDOWS",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "mydomain\\winaccount",
    "userFullnameAttribute": "cn",
    "userEmailAttribute": "mail",
    "userGivenNameAttribute": "givenName",
    "userSurnameAttribute": "sn",
    "caseSensitive": "false"
  }
}
In most cases, you'll only need to alter values for the userPassword and user parameters. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below). The account you specify for the user parameter only needs permissions to look up the email address and full name of Windows accounts on the network. If possible, specify an account whose password does not expire.
In the rare case where your Windows Active Directory is configured to be case sensitive, set the caseSensitive parameter to true.
- If you want to create groups in the portal that leverage the existing enterprise groups in your identity store, paste your organization's Windows Active Directory group configuration information (in JSON format) in the Group store configuration (in JSON format) text box as shown below. Alternatively, you can update the following sample with group information specific to your organization. If you only want to use the portal's built-in groups, delete any information in the text box and skip this step.
{
  "type": "WINDOWS",
  "properties": {
    "isPasswordEncrypted": "false",
    "userPassword": "secret",
    "user": "mydomain\\winaccount"
  }
}
In most cases, you'll only need to alter values for the userPassword and user parameters. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below). The account you specify for the user parameter only needs permissions to look up the names of Windows groups on the network. If possible, specify an account whose password does not expire.
- Click Update Configuration to save your changes.
- If you've configured a highly available portal, restart each portal machine. See Stopping and starting the portal for full instructions.
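The identity store update above can also be scripted, which avoids pasting a clear-text password into a browser and lets you validate the configuration before it is applied. The following PowerShell is an added example, not Esri's code: it builds the same user and group store JSON as the samples above, prompts for the lookup account's password rather than embedding it, and submits the result to the Portal Administrator API. The host in the URL is a placeholder, and the endpoint and parameter names used for the token request and the update call (generateToken, security/config/updateIdentityStore, userStoreConfig, groupStoreConfig) are the author's assumptions; confirm them against the ArcGIS Portal Administrator API reference for your version before running it.

```powershell
# Added example (not Esri's code). Builds the WINDOWS identity store JSON from the
# page's samples and submits it to the Portal Administrator API.
# ASSUMPTIONS: endpoint paths and form parameter names below; the host is a placeholder.
param(
    [string]$PortalAdmin   = 'https://webadaptorhost.domain.com/webadaptorname/portaladmin',
    [string]$LookupAccount = 'mydomain\winaccount',   # low-privilege, read-only AD lookup account
    [string]$AdminUser     = 'portaladmin'            # portal administrator used for the API call
)

function ConvertFrom-SecureToPlain([securestring]$s) {
    # Decrypt a SecureString only for the moment it is placed in the request body.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# The user parameter must be DOMAIN\account; reject anything else before touching the portal.
if ($LookupAccount -notmatch '^[^\\]+\\[^\\]+$') {
    throw "user must be in the form DOMAIN\account, got '$LookupAccount'"
}

$lookupSecret = Read-Host -Prompt "Password for lookup account $LookupAccount" -AsSecureString
$adminSecret  = Read-Host -Prompt "Password for portal administrator $AdminUser" -AsSecureString
$lookupPlain  = ConvertFrom-SecureToPlain $lookupSecret

# Same shape as the samples on the page: the password is sent in clear text over HTTPS and the
# portal encrypts it on save, which is why isPasswordEncrypted is "false" here.
$userStore = [ordered]@{
    type = 'WINDOWS'
    properties = [ordered]@{
        userPassword           = $lookupPlain
        isPasswordEncrypted    = 'false'
        user                   = $LookupAccount
        userFullnameAttribute  = 'cn'
        userEmailAttribute     = 'mail'
        userGivenNameAttribute = 'givenName'
        userSurnameAttribute   = 'sn'
        caseSensitive          = 'false'      # set to 'true' only for a case-sensitive AD
    }
}
$groupStore = [ordered]@{
    type = 'WINDOWS'
    properties = [ordered]@{
        isPasswordEncrypted = 'false'
        userPassword        = $lookupPlain
        user                = $LookupAccount
    }
}

# Obtain an administrator token (assumed endpoint: <portaladmin>/generateToken).
$tokenResp = Invoke-RestMethod -Method Post -Uri "$PortalAdmin/generateToken" -Body @{
    username = $AdminUser
    password = (ConvertFrom-SecureToPlain $adminSecret)
    client   = 'referer'
    referer  = $PortalAdmin
    f        = 'json'
}
if (-not $tokenResp.token) { throw "token request failed: $($tokenResp | ConvertTo-Json -Compress)" }

# Apply both stores in one call (assumed endpoint and parameter names).
$resp = Invoke-RestMethod -Method Post -Uri "$PortalAdmin/security/config/updateIdentityStore" -Body @{
    userStoreConfig  = ($userStore  | ConvertTo-Json -Compress)
    groupStoreConfig = ($groupStore | ConvertTo-Json -Compress)
    token            = $tokenResp.token
    f                = 'json'
}
if ($resp.error) { throw "updateIdentityStore failed: $($resp.error | ConvertTo-Json -Compress)" }
$resp
```

Run it from a machine that trusts the portal's HTTPS certificate; because the password crosses the wire once in clear text inside the TLS session, the script will not work against an HTTP-only portal, which is consistent with the HTTPS-only requirement earlier on this page. As the page notes, the lookup account only needs read access to user and group attributes, so use a dedicated low-privilege account rather than an administrator.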
Optionally configure additional identity store parameters
There are additional identity store configuration parameters that can be modified using the ArcGIS Portal Directory administration API. These parameters include options such as restricting whether groups are refreshed automatically when an enterprise user signs into the portal, setting the membership refresh interval, and defining whether to check for multiple user name formats. See Update Identity Store for details.
Add enterprise accounts to your portal
By default, enterprise users can access the portal website. However, they can only view items that have been shared with everyone in the organization. This is because the enterprise accounts have not been added to the portal and granted access privileges.
Add accounts to your portal using one of the following methods:
- Portal for ArcGIS website (one at a time, in bulk from a CSV file, or from existing enterprise groups)
- Python script
- Command line utility
- Automatically
It's recommended you designate at least one enterprise account as an Administrator of your portal. You can do this by choosing the Administrator role when adding the account. When you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.
Once the accounts have been added and you complete the steps below, users will be able to sign in to the organization and access content.
Configure ArcGIS Web Adaptor to use IWA
- Open Internet Information Server (IIS) Manager.
- In the Connections panel, locate and expand the website hosting ArcGIS Web Adaptor.
- Click the name of ArcGIS Web Adaptor. The default is arcgis.
- In the Home panel, double-click Authentication.
- Select Anonymous Authentication and click Disable.
- Select Windows Authentication and click Enable.
- Close Internet Information Server (IIS) Manager.
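The same IIS change can be made from PowerShell with the WebAdministration module that ships with IIS, which is useful for repeatable deployments and for confirming that the settings actually took effect. This is an added example, not part of the original page or the product: it assumes the web adaptor is the application named arcgis under Default Web Site (adjust $site and $app otherwise), and that the Windows Authentication role service (Web-Windows-Auth) is already installed.

```powershell
# Added example (not Esri's code): the IIS Manager steps above as a script.
# Assumption: the web adaptor is the 'arcgis' application under 'Default Web Site'.
Import-Module WebAdministration

$site     = 'Default Web Site'
$app      = 'arcgis'
$location = "$site/$app"
$authBase = '/system.webServer/security/authentication'

# Write the settings as a <location> entry in applicationHost.config (-PSPath 'IIS:\' with
# -Location) so the change applies even though the authentication sections are locked
# at the server level by default. Scope is the web adaptor application only, not the site.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# Read the effective values back and fail loudly if the application is not IWA-only.
$anon = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
            -Filter "$authBase/anonymousAuthentication" -Name enabled).Value
$win  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
            -Filter "$authBase/windowsAuthentication" -Name enabled).Value
if ($anon -or -not $win) {
    throw "Authentication on '$location' is not IWA-only (anonymous=$anon, windows=$win)"
}
"IWA configured on '$location': anonymous=$anon, windows=$win"
```

If Web-Windows-Auth is missing, the windowsAuthentication section does not exist and the second Set-WebConfigurationProperty fails; install it first with Install-WindowsFeature Web-Windows-Auth on Windows Server. The read-back check at the end is the part worth keeping in any deployment script: an application that still accepts anonymous requests will silently serve the portal to unauthenticated clients.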
Verify you can access the portal using IWA
- Open the portal website. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/home.
- Verify that you are prompted for your enterprise account credentials or automatically signed in using your enterprise account. If you do not see this behavior, verify the Windows account you used to log in to the machine was added to the portal.
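Beyond opening the site in a browser, it helps to check both halves of the expected behaviour from the command line: an anonymous request must be refused, and a request carrying the logged-in Windows account's credentials must succeed and return that account. The script below is an added example and not part of the page; the host is the placeholder from the URL above, and the use of the sharing/rest/portals/self endpoint and its user field to identify the signed-in account is the author's assumption. It is written for Windows PowerShell 5.1 on the domain-joined machine you are verifying from.

```powershell
# Added example (not Esri's code): confirm IWA on the web adaptor from the command line.
# Assumptions: placeholder host; portals/self returns a 'user' object for an authenticated caller.
$portal = 'https://webadaptorhost.domain.com/webadaptorname'
$self   = "$portal/sharing/rest/portals/self?f=json"

# 1. Anonymous request: must be challenged with HTTP 401. A 200 here means anonymous
#    authentication is still enabled on the web adaptor application in IIS.
try {
    Invoke-WebRequest -Uri $self -UseBasicParsing | Out-Null
    throw "Anonymous request succeeded: anonymous authentication is still enabled"
} catch {
    if (-not $_.Exception.Response) { throw }          # not an HTTP error response: rethrow
    $status = [int]$_.Exception.Response.StatusCode
    if ($status -ne 401) { throw "Expected HTTP 401 for the anonymous request, got $status" }
    "Anonymous request correctly rejected with 401"
}

# 2. Same request with the current Windows logon (Kerberos/NTLM via -UseDefaultCredentials):
#    must succeed, and the portal must recognise the account.
$resp = Invoke-RestMethod -Uri $self -UseDefaultCredentials
if (-not $resp.user) {
    throw "IIS accepted the Windows logon but the portal returned no user; check that " +
          "$env:USERDOMAIN\$env:USERNAME has been added to the portal"
}
"Signed in to the portal as $($resp.user.username)"
```

The second check distinguishes the two failure modes the step above describes: a 401 on the credentialed request points at IIS or the domain trust, while a successful response with no user means IWA worked but the Windows account has not yet been added to the portal.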
Prevent users from creating their own built-in accounts
You can prevent users from creating their own built-in accounts by disabling the ability for users to create new built-in accounts in the organization settings.