Configure stand-alone security

The security model of a stand-alone ArcGIS Server site is determined by the server administrator.

ArcGIS Server offers robust and effective built-in authentication and identity stores that are enforced by default. Stand-alone ArcGIS Server sites also support web-tier authentication and external identity providers. When such a provider is configured, user authentication is done through its identity store.

  • Best practices. This topic explains how to restrict file permissions and provides options for disabling the primary site administrator account.

  • Firewall settings. This topic explains methods for using a firewall or series of firewalls to restrict communication to ArcGIS Server.

  • Port settings. This topic explains exactly which ports need to be opened and between which machines the ports need to be opened.

  • Data permissions. This topic explains the file-based data and database permissions that are minimally needed for ArcGIS Server to access data.

Stand-alone ArcGIS Server sites

ArcGIS Server uses a role-based access model. Users are assigned one or more roles, to which certain permissions have been granted.

To manage these users and roles, ArcGIS Server sites in a stand-alone configuration can use the built-in identity store, as well as several types of third-party identity providers. You can change these settings using the Security Configuration Wizard in ArcGIS Server Manager.

Authentication to a stand-alone ArcGIS Server site can be done at the server tier or at the web tier.

The following describes the identity store configurations that are supported for each type of authentication:

Authentication mechanism: ArcGIS Server authentication

Supported identity store configurations:

  • Built-in users and roles

  • Users in Active Directory and roles in either Active Directory or the built-in store

  • Users in LDAP and roles in either LDAP or the built-in store

  • Users in a custom store and roles in the custom or the built-in store

Authentication mechanism: Web-tier authentication

Supported identity store configurations: any user store for which the web server has built-in or extensible support.

For example, if your web server has built-in support for Active Directory, LDAP, and custom identity stores, you may use one of the following configurations:

  • Users in Active Directory and roles in either Active Directory or the built-in store

  • Users in LDAP and roles in either LDAP or the built-in store

  • Users in a custom store and roles in the custom or the built-in store

Server-tier authentication takes place entirely within the server site, while web-tier authentication relies on the external identity store to validate the user's credentials.

The built-in identity store is managed in ArcGIS Server Manager when it is configured. Information about users and roles is kept in the server's configuration store, and only ArcGIS Server has access to that information. Users authenticate to the identity store using tokens—strings of encrypted information that contain the user's name, the token expiration time, and other proprietary information.
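The two mechanisms described above, a token that binds a user name to an expiration time and a role-based check that maps users to roles and roles to permissions, are shown together in the following added example. It is not ArcGIS Server code: the real ArcGIS Server token format is proprietary, so the HMAC-signed token below is a constructed stand-in, and the user, role and permission names (`alice`, `publishers`, `service:publish`, and so on) are assumed sample data, not ArcGIS defaults. The point it illustrates is that an expired or altered token is rejected before any role lookup happens, and that access is denied unless some role explicitly grants the permission.

```python
"""Illustrative token issuance/verification plus a role-based permission check.

Added example, not ArcGIS Server code. ArcGIS Server's token format is
proprietary; this HMAC-signed format is a constructed stand-in that shows the
same moving parts: a user name and an expiry bound together so that a client
cannot alter the name or extend the lifetime.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample data (assumed names, not ArcGIS defaults): a signing secret,
# a mapping of users to roles, and a mapping of roles to granted permissions.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
USER_ROLES = {
    "alice": {"publishers"},
    "bob": {"viewers"},
}
ROLE_PERMISSIONS = {
    "publishers": {"service:read", "service:publish"},
    "viewers": {"service:read"},
}


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token is a plain string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; restores padding before decoding."""
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def issue_token(username: str, lifetime_seconds: int, now: Optional[float] = None) -> str:
    """Bind the user name and an absolute expiry time into one signed token."""
    now = time.time() if now is None else now
    claims = {"user": username, "exp": int(now + lifetime_seconds)}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the signature is intact and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None  # altered payload or wrong key
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims.get("user")


def is_permitted(token: str, permission: str, now: Optional[float] = None) -> bool:
    """Deny by default: a valid token, a known user and a role granting the permission are all required."""
    user = verify_token(token, now)
    if user is None:
        return False
    for role in USER_ROLES.get(user, set()):
        if permission in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    tok = issue_token("alice", 600, now=t0)
    print("alice may publish:", is_permitted(tok, "service:publish", now=t0 + 1))
    print("same token after expiry:", is_permitted(tok, "service:publish", now=t0 + 601))
```

The expiry and signature checks run before any role lookup, so the authorization layer never sees a user name it cannot trust; the role check itself returns False unless a matching grant is found, which is the deny-by-default behaviour you want from any role-based model.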

Many types of web-tier authentication systems can be configured with stand-alone ArcGIS Server sites. These include Lightweight Directory Access Protocol (LDAP) directories, public key infrastructure (PKI)-based client certificate authentication, and Integrated Windows Authentication (IWA).

If your ArcGIS Server site will remain a stand-alone site, and you are not configuring web-tier authentication, see Configure server-tier authentication.

If you are configuring web-tier authentication, as through an LDAP directory, IWA, or client certificate authentication with your stand-alone ArcGIS Server site, see Configure web-tier authentication.