You may want to use standard Windows accounts to authenticate
users. This is most often used when your services and applications
run on an intranet. Users must have Windows accounts on the local
network in order to access secured services and applications.
To specify Windows users for setting permissions, follow these steps:
- Expand the Security panel in Manager and click Settings.
- Under Security Stores, click the Change
- On the dialog that opens for Location for Users, choose
Windows users. Click Next.
- On the next dialog, choose whether to use Windows
groups as your role location or to use SQL
Server (or a custom provider if you configured one
previously). Click Next.
- If you chose SQL Server in the previous step, follow these steps:
- a. Type the database server name.
- b. If you connect to the database with a Windows user account,
leave the option to Use Trusted Connection
enabled. This will always be true for SQL Server Express. If using
the full SQL Server, use SQL logins, uncheck Use Trusted Connection, then type a SQL user name and password. This login will be used by
the Web services and applications to connect to the database.
- c. Click Connect to display a list of
available databases and options (if the connection fails, check to
ensure your database server is running and available on the
- d. If you have not yet set up a database to store roles, click
the option to create a new database, and type a name (such as
"aspnetdb"). If you already have a database set up for ASP.NET
membership and roles, you can choose it from the drop-down
- e. The Add anonymous role to database option
adds three generic roles to the database: Everyone, Authenticated Users, and Anonymous. These roles are only relevant if you choose Token-based authentication in the next panel. In that case, you can use these roles to enable anyone or, alternatively, only users with a valid login to
access one or more services. Adding these roles does not
automatically allow anonymous users but makes the generic roles available should
you choose to permit them. For more details on using these roles, see Securing Internet connections to services. These roles are used only with Web services and not with Web applications.
- f. Click Next.
- On the final panel, choose the authentication method for users. Users or server-based applications must supply valid user names and passwords to access restricted services. This choice determines the method that is used to obtain credentials from users.
Windows authentication: The Internet Information Services (IIS) Web server obtains the user credentials by responding to service requests with an authentication challenge. This approach is most commonly used on an intranet when users are connecting to a server within the local network. When the client is an end user, such as when opening the REST Services Directory in a browser, the user can either be automatically authenticated based on the operating system login, or the user may see a pop-up login dialog. If you choose Windows authentication, you must disable
anonymous access to the Services application in order to authenticate users. See the section below for instructions.
Token-based authentication: This approach is commonly used when the client of the service is connecting over the Internet. The client application includes a token with requests to the service. The token is an encrypted string that allows the user to be authenticated. Most clients will obtain the token automatically on startup, based on the user's operating system login. For some applications, the developer may need to obtain the token in advance and embed it in the application. If you choose Token-based authentication, you should configure the token service after completing the user/role setup wizard. See Configuring the token service for instructions and details.
Tip: be sure that users include the machine name (for local accounts) or domain name when logging in to the server. For example, with an account called planner1 on a server called CityWeb, use CityWeb\planner1 as the username. If the machine name is omitted, the connection might be made but no services may be listed.
Disabling anonymous access to ArcGIS Web services in Internet Information Services
If you chose Windows authentication as the method to authenticate users, you must perform the steps in this section to disable anonymous access to your ArcGIS Web services. If you do not disable anonymous access, then client applications will not be able to access your services.
Before you enable security for Web services,
you must perform this step in IIS Manager. However, you may want to
wait to perform this step until you have assigned permissions to services.
Note that if you do not disable anonymous access, users will be
unable to access secured services.
To disable anonymous access to
GIS services, follow these steps:
- Open IIS Manager from Control Panel >
Administrative Tools > Internet Information
- Navigate in the local computer's Web Sites to the Web site
containing your ArcGIS instance (typically in the
Default Web Site). Find the ArcGIS folder and
- The method to disable anonymous access depends on your system.
- In Windows Server 2003 or XP:
- Right-click the Services Web application
and click Properties. The Service Properties
dialog box opens.
- Click the Directory Security tab. Under
Anonymous access and authentication control, click
Edit. This opens the Authentication Methods
- Uncheck Anonymous access. Check at least
one of the methods under Authenticated access. See below for more information on authentication methods. Then click OK twice to return to the IIS Manager console.
- In Windows Server 2008 or Vista:
- Left-click on the Services application to display its property links on the right side of IIS Manager.
- Double-click on the Authentication item under the IIS group. This displays the authentication methods list for the application.
- In the list of authentication methods, right-click on Anonymous Authentication, and in the context menu, click Disable.
- Enable at least one of the other authentication methods. See below for more information on authentication methods.
- Repeat the previous step, but set the properties for the Rest Web application within the ArcGIS folder. You may then close IIS Manager.
For more information
on authentication methods, see IIS documentation and other
resources such as the MSDN page Authentication Methods Supported in IIS