Multiple ArcGIS Server Web instances for security
An ArcGIS Server Web instance supports only one combination of user location, role location and authentication method (for more information on users and roles, see the Overview of setting up users and roles). If you need to support more than one type of authentication or user/role store, then you can set up multiple ArcGIS Server Web instances.
Normally each ArcGIS Server system has one Web instance, which is tied to a single Server Object Manager (SOM). This section describes the configuration where multiple Web instances are tied to a single SOM.
For example, you may have users on your internal network and want to allow them to log in with their Windows accounts. But for external users on the Internet, you want to set up accounts in a SQL Server database. Since an ArcGIS Server Web instance only supports a single user location, you would set up separate instances for each user type.
You need to think about two issues when managing multiple Web instances:
If you decide later to remove a Web instance, you can use the same utility. To remove the instance, start the AddInstance.exe utility, click the Modify button, and in the list of Web instances, select the one to remove, click Remove Instance, and click OK. Wait until the buttons on the utility become enabled, then click Exit. Note also that when you uninstall ArcGIS Server, all instances added with the utility will also be uninstalled.
The new Web instance has its own Manager. To access it, go to Start - (All) Programs - ArcGIS - ArcGIS Server for the Microsoft .NET Framework - ArcGIS Server Manager <instance name>. Use the new Manager to configure the user and role store for the new instance. You will notice that the Services panel lists the same services as the original Manager, and that the permissions for services are also the same. See the next section for important information on managing permissions across multiple Web instances.
The new Web instance will not list the Web applications created with a different instance. Each instance maintains its own list of applications created with that instance.
Each Web instance is located in the IIS Web server directory where you created the instance. For example, if you created a new instance named ArcGIS2 in the Default Web Site on port 80, and the IIS server uses the default location, the location for the instance will be at C:\Inetpub\wwwroot\ArcGIS2. The ArcGIS Web instance will contain the same set of folders as the original instance, including Rest, Services, and Security.
Since permissions are stored in the SOM, multiple Web instances sharing the SOM will also share the same set of permissions for services. When you click the Permissions button for a service or folder, you will see the permissions for roles that have been added with either Web instance's Manager.
You must manage the permissions for folders and services so that users in both instances can access services appropriately. Since permissions are based on roles, rather than users, you must ensure that the roles for each instance are allowed for services as needed. Since administrators using either Manager see the same list of permitted roles, it would be possible to mistakenly remove a role that had been allowed in the other Manager.
One of the following two strategies is recommended for managing roles and permissions: