Multiple ArcGIS Server Web instances for security

An ArcGIS Server Web instance supports only one combination of user location, role location and authentication method (for more information on users and roles, see the Overview of setting up users and roles). If you need to support more than one type of authentication or user/role store, then you can set up multiple ArcGIS Server Web instances.

Normally each ArcGIS Server system has one Web instance, which is tied to a single Server Object Manager (SOM). This section describes the configuration where multiple Web instances are tied to a single SOM.

For example, you may have users on your internal network and want to allow them to log in with their Windows accounts. But for external users on the Internet, you want to set up accounts in a SQL Server database. Since an ArcGIS Server Web instance only supports a single user location, you would set up separate instances for each user type.

You need to think about two issues when managing multiple Web instances:

• Permissions for Internet connections to services are stored in the SOM. If multiple Web instances work with the SOM, the instances will share the same set of permissions. Since permissions are based on roles, you need to manage permissions carefully so that roles, and hence users, in each instance work correctly. See the section below, Managing permissions with multiple Web instances, for more information.
• If you enable the Web Mapping Service (WMS) capability for a service, the capabilities information for the service is shared by all Web instances. The OnlineResource URL for the service will be set to one of the Web instances. For further information, see Knowledge Base article 35672, Why does the OnlineResource URL in the WMS capabilities use a different ArcGIS Web instance?.

To add an ArcGIS Server Web instance

1. On the Web server where you want to add the Web instance, open Windows Explorer and navigate to <ArcGIS Install directory>\DotNet. Typically the ArcGIS install directory is C:\Program Files\ArcGIS.
2. Double-click the file AddInstance.exe. The ArcGIS Server Instance program will open.
3. In the Add ArcGIS Server Instance panel, enter a name for the new Web instance. This will be the URL that users will use to access the instance. For example, if you enter ArcGIS2, then the services URL might be http://myserver/ArcGIS2/services.
4. If necessary, adjust the port number for the IIS Web Site where the instance will be added, and also the SOM machine name to which the instance will be tied. Then enter the username and password for the account you used when you configured the original ArcGIS Web instance.
5. Click Add to add the instance. Adding the instance can take several minutes.
6. When the buttons on the utility become re-enabled, click Exit to close the utility.

If you decide later to remove a Web instance, you can use the same utility. To remove the instance, start the AddInstance.exe utility, click the Modify button, and in the list of Web instances, select the one to remove, click Remove Instance, and click OK. Wait until the buttons on the utility become enabled, then click Exit. Note also that when you uninstall ArcGIS Server, all instances added with the utility will also be uninstalled.

Using the new Web instance

The new Web instance has its own Manager. To access it, go to Start - (All) Programs - ArcGIS - ArcGIS Server for the Microsoft .NET Framework - ArcGIS Server Manager <instance name>. Use the new Manager to configure the user and role store for the new instance. You will notice that the Services panel lists the same services as the original Manager, and that the permissions for services are also the same. See the next section for important information on managing permissions across multiple Web instances.

The new Web instance will not list the Web applications created with a different instance. Each instance maintains its own list of applications created with that instance.

Each Web instance is located in the IIS Web server directory where you created the instance. For example, if you created a new instance named ArcGIS2 in the Default Web Site on port 80, and the IIS server uses the default location, the location for the instance will be at C:\Inetpub\wwwroot\ArcGIS2. The ArcGIS Web instance will contain the same set of folders as the original instance, including Rest, Services, and Security.

Managing permissions with multiple Web instances

Since permissions are stored in the SOM, multiple Web instances sharing the SOM will also share the same set of permissions for services. When you click the Permissions button for a service or folder, you will see the permissions for roles that have been added with either Web instance's Manager.

You must manage the permissions for folders and services so that users in both instances can access services appropriately. Since permissions are based on roles, rather than users, you must ensure that the roles for each instance are allowed for services as needed. Since administrators using either Manager see the same list of permitted roles, it would be possible to mistakenly remove a role that had been allowed in the other Manager.

One of the following two strategies is recommended for managing roles and permissions:

• Use the same names for roles in both instances, and add users in each instance to these shared roles. This is appropriate if you want to allow users in both instances to access services with the same permissions rules. For example, you might add a group named Planners to the Windows groups on your server, and add Windows users to the group. Then in the Manager that uses SQL Server for roles, you also add a Planners role, and add SQL Server users to the role. Then when you permit the Planners role to access a service, users from both instances can use the service through the one permission rule for Planners.
• Use recognizably different names for the roles in the two instances. This is appropriate if you want different rules for users in each instance. For example, you might create a Windows group named InternalEditors for internal users, and in the Manager set to use SQL Server for roles, add a role named ExternalViewers. The Internal and External prefixes indicate the different location of each role, so that someone using Manager in one Web instance would not mistakenly remove a role added for the benefit of users in the other instance.