Configuring the Token Service
The Token Service is a new service available with ArcGIS Server 9.3. The token service enables users to be authenticated in order to use secured GIS Web services. Tokens provide security for services by ensuring that only users who provide appropriate credentials can access secured services. The token is a string of encrypted information sent between client and server. The token contains the user's name, expiration time and other information.
Tokens provide a level of security for your Web GIS services, but are not as secure as certain other methods, such as Integrated Windows authentication. The security of your system with tokens depends on controlling access to the tokens. Requests for tokens require a secure connection (https) by default, but you may also want to require https for all requests that use the token. This would mean requiring https for the folder that contains the secured GIS services. You can require https for a services folder by opening the properties of the folder in Manager or in ArcCatalog and checking the box to "Require Encrypted Web Access".
The Token Service is a Web service that is installed with the ArcGIS Web applications component during the installation of ArcGIS Server. At the current version of the software, the Token Service is automatically enabled when needed. The Token Service is enabled when you specify that users will be stored in either Microsoft SQL Server or a custom membership provider (see Overview of setting up users and roles). The Token Service is not enabled or utilized when you specify that Windows user accounts are used to authenticate users of your GIS services, unless you use SQL Server or a custom provider for roles, and you enable tokens for user authentication.
When the Token Service is enabled, you can set the maximum allowable time-out for tokens. This setting is described in Time-out of tokens. You can also set the encryption key to a unique value for your installation; see Shared key for Token Service. These are the only configuration steps available for the Token Service at the current version.
When tokens are required for a GIS service, client software uses the GIS service by this approach:
What if you want to allow users to access services without having to supply a token or login? You can allow anonymous access to services or folders by using the Everyone role (see Setting permissions for a service or folder).
When the Token Service is enabled and required for accessing GIS services, the client software must be able to obtain and use the token, as in the process outlined above. As of 9.3, ESRI clients have been updated to automatically obtain and use tokens. When connecting to an ArcGIS Server Internet service that requires a login, the client behavior is as follows:
Note that in Web applications, the end user of the application in the browser does not enter credentials for the GIS service. The login information for the service must be specified in advance in Manager or in the development environment. The same credentials are used for all users of the Web application. The Web application itself may be secured to require a login, but this login is validated separately, based on the configuration of security for the Web application in Manager or other means. Using custom programming, it is possible to pass through credentials from the end user to the GIS service. See the Developer Help for more information.
Manager allows you to set several parameters for the Token Service: expiration window for tokens (both short lived and long lived) and the shared key for encryption. Each of these settings is explained below.
When the Token Service is enabled, you can set the time-out of the token in Manager, through Security-Settings. The time-out determines the time period that the token will be valid. The end user might see a time-out or other error message if an expired token is used.
Shorter token time-outs provide better security but may cause legitimate users to encounter time-outs during their use of services if the application does not detect it and obtain a new token (Desktop and ADF clients are able to obtain new tokens). Tokens are given a time-out setting to limit their unauthorized use. If a hacker manages to monitor the communication between the authorized user and the server, the token could be captured by the hacker. If the token is intercepted, the time-out will limit its period of use. For increased security, therefore, you may wish to set the time-out of tokens to a shorter period. The disadvantage of a short token timeout is that if the application does not renew the token, the user be unable to continue with their session once the token times out, and may need to restart their application or connection with the server.
If you are writing a custom application, you may want to detect token time-out and supply an appropriate message or obtain a new token. See the Developer Help for more information.
Two token expiration windows are defined on the Security-Settings page:
A good way to prevent the capture and unauthorized use of tokens is to require the use of HTTPS (SSL) for all communication with GIS services. To do this, you would require secure communication (SSL) for the ArcGIS/Services Web application. For instructions on requiring HTTPS (SSL) for an application in IIS, see Setting up SSL.
The shared key for the Token Service is used to encrypt the token. The token is encrypted with the user name and other information and sent to the client. When the client sends a request for a GIS service, it includes the token. The server then uses the shared key to decrypt the token. The server verifies the identity of the client before permitting access to the GIS service. The shared key ensures that the server has created the token.
Since the shared key is critical to ensuring the identity and authorization of the client, the key must be set to a unique value of proper length. Manager will set the shared key to a random value when the token service is enabled. You can set the key yourself if desired. To set the shared key, go to Security-Settings in Manager, and under the Token Service heading, click the Settings button. On the Settings dialog box that appears, set the Shared key value. The key should be set to 16 characters (any characters beyond 16 are not used). It is recommended that you use a set of random characters for the key. Any characters can be used, including nonalphanumeric characters. The key should be set to a value that cannot easily be guessed by anyone who might intercept the token. Since users will not need to use or remember the key, complexity is not an issue as might be true with passwords.
The token is encrypted with the key using the Advanced Encryption Standard (AES) encryption method, also known as Rijndael. The 16 characters in the key represent the 128 bits used for encryption. For more information on encryption and the AES standard, consult security references or someone in your organization with expertise in security and cryptography.
To use the GetToken page, enter the following information:
If you are concerned about possible misuse of the GetToken page, you can remove it or limit access to it using IIS Manager or file system permissions. Note that even if the GetToken page is not available, token requests can still be made to the token service with the gettoken request to the folder, using the request format as described in the next section.
The token request to the server is made with a URL (GET) request. The clients that work with tokens, such as ArcGIS Desktop and the Web ADF, use this approach, as does the GetToken page described in the previous section. The query string of the URL contains the user login and other information. For example, the following URL might be used to get a token from a server:
https://myserver.example.com/arcgis/tokens?request=gettoken&username=myuser&password=secret1&clientid=ref.http://myserver.example.com&expiration=1440This request would get a token for user myuser for a web application running at the same server (myserver.example.com), with a validity period of one day (1440 minutes).
The following parameters may be specified in the query string:
A secure connection using HTTPS (Secure Sockets Layer or SSL) is required by default when requesting a token from the Token Service. HTTPS encrypts the user name and password during transmission. The client must use HTTPS when requesting a token, either by the standard method where the user name and password are included in the query string (used by ArcGIS Desktop, the Web ADF controls, and other clients), or the GetToken.html Web page.
For internal testing purposes only, the requirement for HTTPS can be disabled, so that tokens can be obtained using nonsecure HTTP. Be aware that passwords sent using HTTP can be intercepted by anyone connected to the network. Using HTTP for tokens should only be necessary on a development server where your organization's policies prohibit the installation of the IIS Web server on the development machine. In these circumstances, development is typically done using the file-based Web server in Visual Studio ("Cassini"), which does not support the use of SSL/HTTPS. When IIS is available, SSL should always be used to protect against the capture and unauthorized use of user names and passwords. For information on setting up SSL, see Setting up SSL.
To set the Token Service to allow nonsecure HTTP requests for tokens, follow these steps:
<appSettings> <add key="RequireSSL" value="True" />
<add key="TokenServiceURL" value="https://myserver/ArcGIS/tokens/" /> ...
Remember to restore the SSL requirement when appropriate. To re-enable the requirement for SSL in the Token Service, restore the RequireSSL setting to True, set the TokenServiceURL to use https, then save the file. Do this for each web.config file in the Tokens, rest, and Services folders.