Setting up users and roles in a custom provider

Release 9.3

You can use a custom provider to store users and roles. Custom providers are created as standard ASP.NET membership and role providers. Providers may be available from software vendors or other sources for particular storage types. For example, an Oracle provider is available for using Oracle databases. Another example is an XML-file-based provider, available from a number of sources.

The provider must be created and configured outside Manager, and you must also configure the user and role stores before using the provider with Manager. The custom provider must implement the requirements for an ASP.NET provider. If the provider meets these prerequisites, it can be used as the user and role store. For example, this page at Microsoft discusses providers and shows how to use the Active Directory provider built into ASP.NET: How To: Use Membership in ASP.NET 2.0.

Once you've obtained the custom provider, you must add it to Manager's configuration file so that the provider appears in Manager's Security dialog box. Add the provider configuration information to the web.config file of the /ArcGIS/Security web application (by default this is at C:\Inetpub\wwwroot\ArcGIS\Security). The entries in this web.config file should be standard provider entries, as would be used when configuring any ASP.NET application to use the provider. Specifically, add the <membership> element if it is not already present, with a <providers> subelement, and insert the provider with an <add> element inside <providers>. Any connection strings or other required information must also be added. The content of these elements varies depending on how the provider works.

For example, the following settings would be added to the web.config file for the Active Directory provider, as discussed in the topic How To: Use Membership in ASP.NET 2.0 linked above:

<connectionStrings>
  <add name="ADConnectionString"
       connectionString="LDAP://domain.testing.com/CN=Users,DC=domain,DC=testing,DC=com" />
</connectionStrings>

<system.web>
  ...
  <membership defaultProvider="MembershipADProvider">
    <providers>
      <!-- The type attribute must be the assembly-qualified .NET type name.
           connectionStringName must match the name in <connectionStrings>.
           <domainName> and "password" are placeholders; bind with a dedicated
           directory account that has only the rights the provider needs. -->
      <add name="MembershipADProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="ADConnectionString"
           connectionUsername="<domainName>\administrator"
           connectionPassword="password" />
    </providers>
  </membership>
  ...
</system.web>
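Because Manager only lists providers whose web.config entries are internally consistent, it helps to check the file before opening the Security dialog. The following script is an added example, not part of the ArcGIS documentation or the product: it parses a web.config, checks that the default provider is actually declared, that each provider's type is assembly-qualified, that connectionStringName points at an existing connection string, and reports a connectionPassword stored in clear text. The embedded XML is a constructed sample modelled on the Active Directory entries above; the path C:\Inetpub\wwwroot\ArcGIS\Security\web.config is the default named on this page.

```python
"""Sanity-check the membership provider entries in an ArcGIS Security web.config.

Added example, not code from the ArcGIS documentation. The sample XML below is
constructed to mirror the Active Directory example on the page.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment (credentials are placeholders).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="ADConnectionString"
         connectionString="LDAP://domain.testing.com/CN=Users,DC=domain,DC=testing,DC=com" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="MembershipADProvider">
      <providers>
        <add name="MembershipADProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="DOMAIN\\administrator"
             connectionPassword="password" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""


def check_provider_config(xml_text):
    """Return a list of findings; an empty list means the <membership>
    section is consistent and stores no clear-text bind password."""
    findings = []
    root = ET.fromstring(xml_text)

    # Names declared under <connectionStrings>, for cross-checking providers.
    conn_names = {e.get("name") for e in root.findall("./connectionStrings/add")}

    membership = root.find("./system.web/membership")
    if membership is None:
        return ["no <membership> element under <system.web>"]

    default = membership.get("defaultProvider")
    providers = membership.findall("./providers/add")
    names = {p.get("name") for p in providers}

    if not providers:
        findings.append("<membership> has no <providers>/<add> entries")
    if default and default not in names:
        findings.append(f"defaultProvider '{default}' has no matching <add name=...>")

    for p in providers:
        name = p.get("name", "<unnamed>")
        ptype = p.get("type", "")
        if not ptype:
            findings.append(f"provider '{name}' has no type attribute")
        elif "," not in ptype:
            # ASP.NET needs "Namespace.Type, Assembly" to load the provider.
            findings.append(f"provider '{name}' type is not assembly-qualified: {ptype}")
        csn = p.get("connectionStringName")
        if csn and csn not in conn_names:
            findings.append(f"provider '{name}' references missing connection string '{csn}'")
        if p.get("connectionPassword"):
            # A clear-text bind password is readable by anyone who can read the file.
            findings.append(f"provider '{name}' stores connectionPassword in clear text; "
                            "encrypt the section with aspnet_regiis -pe")
    return findings


if __name__ == "__main__":
    # Usage: python check_provider_config.py [path\to\web.config]
    # Default path is the one named on this page.
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\Inetpub\wwwroot\ArcGIS\Security\web.config"
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_WEB_CONFIG  # fall back to the constructed sample
    for line in check_provider_config(text) or ["no problems found"]:
        print(line)
```

Run it against the real file after editing web.config and before choosing the provider in Manager; a finding about a missing connection string or an undeclared default provider is the usual reason the provider does not appear in the list. The clear-text password finding points at aspnet_regiis -pe, the .NET protected-configuration tool, which encrypts a configuration section in place so the bind password no longer sits readable in the file.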

ArcGIS Server can allow users to recover lost passwords. If your provider supports recovering lost passwords, and you want to enable users to recover passwords, you must also add a mail settings section with SMTP mail server information into the web.config file. For details and examples, see this Microsoft page: http://msdn2.microsoft.com/en-us/library/ms164240.aspx.

When you choose to use a custom provider in Manager, Manager copies these entries from this web.config file into the web.config files for the Web services application and for each Web application registered in Manager's application list.

Any custom provider should be thoroughly tested before being used with Manager. If the custom provider does not work properly, or is not configured correctly in Manager/Security/web.config, then security features will not work with services or Web applications.

Once you've tested the custom provider and added it to Manager's configuration file, perform the following steps to use it as the user and role store:

  1. Expand the Security panel in Manager and click Settings.
  2. Click the Change link.
  3. Choose your custom provider from the list. (If the provider does not appear or an error occurs, recheck the provider settings in /ArcGIS/Security/web.config.)
  4. Click Next. No further configuration is necessary within Manager.
  5. Click Finish.
  6. Configure the token service for your ArcGIS Server. Users provide login credentials to your ArcGIS Web services with tokens obtained from the Token service. You should set the server key, which encrypts tokens, and optionally the token time-out. For details and instructions, see Configuring the token service.

Whether Manager may be used to add, edit, or delete users or roles depends on the custom provider. If the provider implements the methods in the .NET API to manage users and roles, then Manager will enable editing operations for users or roles. If editing tools are not available, then you must use tools compatible with the provider to manage users and roles. Refer to the provider vendor for management tools.

User names and roles in a custom provider must not contain commas (,) or semicolons (;). Your custom provider may have other characters that are not permitted in user names or roles.