Setting up users and roles in the Windows operating system

Release 9.3 E-mail This Topic Printable Version Give Us Feedback

You may want to use standard Windows accounts to authenticate users. This is most often used when your services and applications run on an intranet. Users must have Windows accounts on the local network in order to access secured services and applications.

To specify Windows users for setting permissions, follow these steps:

  1. Expand the Security panel in Manager and click Settings.
  2. Under Security Stores, click the Change link.
  3. On the dialog that opens for Location for Users, choose Windows users. Click Next.
  4. On the next dialog, choose whether to use Windows groups as your role location or to use SQL Server (or a custom provider if you configured one previously). Click Next.
  5. If you chose SQL Server in the previous step, follow these steps:
    • a. Type the database server name.
    • b. If you connect to the database with a Windows user account, leave the option to Use Trusted Connection enabled. This will always be true for SQL Server Express. If using the full SQL Server, use SQL logins, uncheck Use Trusted Connection, then type a SQL user name and password. This login will be used by the Web services and applications to connect to the database.
    • c. Click Connect to display a list of available databases and options (if the connection fails, check to ensure your database server is running and available on the network).
    • d. If you have not yet set up a database to store roles, click the option to create a new database, and type a name (such as "aspnetdb"). If you already have a database set up for ASP.NET membership and roles, you can choose it from the drop-down list.
    • e. The Add anonymous role to database option adds three generic roles to the database: Everyone, Authenticated Users, and Anonymous. These roles are only relevant if you choose Token-based authentication in the next panel. In that case, you can use these roles to enable anyone or, alternatively, only users with a valid login to access one or more services. Adding these roles does not automatically allow anonymous users but makes the generic roles available should you choose to permit them. For more details on using these roles, see Securing Internet connections to services. These roles are used only with Web services and not with Web applications.
    • f. Click Next.
  6. On the final panel, choose the authentication method for users. Users or server-based applications must supply valid user names and passwords to access restricted services. This choice determines the method that is used to obtain credentials from users.
    • Windows authentication: The Internet Information Services (IIS) Web server obtains the user credentials by responding to service requests with an authentication challenge. This approach is most commonly used on an intranet when users are connecting to a server within the local network. When the client is an end user, such as when opening the REST Services Directory in a browser, the user can either be automatically authenticated based on the operating system login, or the user may see a pop-up login dialog. If you choose Windows authentication, you must disable anonymous access to the Services application in order to authenticate users. See the section below for instructions.
    • Token-based authentication: This approach is commonly used when the client of the service is connecting over the Internet. The client application includes a token with requests to the service. The token is an encrypted string that allows the user to be authenticated. Most clients will obtain the token automatically on startup, based on the user's operating system login. For some applications, the developer may need to obtain the token in advance and embed it in the application. If you choose Token-based authentication, you should configure the token service after completing the user/role setup wizard. See Configuring the token service for instructions and details.

Tip: be sure that users include the machine name (for local accounts) or domain name when logging in to the server. For example, with an account called planner1 on a server called CityWeb, use CityWeb\planner1 as the username. If the machine name is omitted, the connection might be made but no services may be listed.

Disabling anonymous access to ArcGIS Web services in Internet Information Services

If you chose Windows authentication as the method to authenticate users, you must perform the steps in this section to disable anonymous access to your ArcGIS Web services. If you do not disable anonymous access, then client applications will not be able to access your services.

Before you enable security for Web services, you must perform this step in IIS Manager. However, you may want to wait to perform this step until you have assigned permissions to services. Note that if you do not disable anonymous access, users will be unable to access secured services.

To disable anonymous access to GIS services, follow these steps:

  1. Open IIS Manager from Control Panel > Administrative Tools > Internet Information Services.
  2. Navigate in the local computer's Web Sites to the Web site containing your ArcGIS instance (typically in the Default Web Site). Find the ArcGIS folder and expand it.
  3. The method to disable anonymous access depends on your system.
    • In Windows Server 2003 or XP:
      1. Right-click the Services Web application and click Properties. The Service Properties dialog box opens.
      2. Click the Directory Security tab. Under Anonymous access and authentication control, click Edit. This opens the Authentication Methods dialog box.
      3. Uncheck Anonymous access. Check at least one of the methods under Authenticated access. See below for more information on authentication methods. Then click OK twice to return to the IIS Manager console.
    • In Windows Server 2008 or Vista:
      1. Left-click on the Services application to display its property links on the right side of IIS Manager.
      2. Double-click on the Authentication item under the IIS group. This displays the authentication methods list for the application.
      3. In the list of authentication methods, right-click on Anonymous Authentication, and in the context menu, click Disable.
      4. Enable at least one of the other authentication methods. See below for more information on authentication methods.
  4. Repeat the previous step, but set the properties for the Rest Web application within the ArcGIS folder. You may then close IIS Manager.

For more information on authentication methods, see IIS documentation and other resources such as the MSDN page Authentication Methods Supported in IIS 6.0.