Disable any unencrypted communication with Windows Active Directory
This topic is not relevant for ArcGIS Enterprise on Linux.
By default, ArcGIS Server attempts to encrypt communication with Windows Active Directory when the server is configured with a Windows identity store. If this encrypted communication fails for any reason, ArcGIS Server will then attempt to communicate with Active Directory through an unencrypted channel. If your organization wants to require that all communication with Active Directory be encrypted, you can do so in the ArcGIS Server Administrator Directory. When the useSSLOnly parameter is added to the user store configuration string, and to the role store configuration string if applicable, ArcGIS Server will no longer use any unencrypted channel to communicate with Active Directory.
1. Sign in to the ArcGIS Server Administrator Directory as a user with administrative privileges, using the URL format https://gisserver.example.com:6443/arcgis/admin.
2. Browse to security > config > updateIdentityStore.
3. Add the parameter "useSSLOnly": "true" to the user store configuration string within the properties bracket. If the role store configuration string is also set to "type": "WINDOWS", add the same parameter, for example:

       {
         "type": "WINDOWS",
         "properties": {
           "adminUserPassword": "encrypted_password",
           "adminUser": "sampledomain\\sampleuser",
           "useSSLOnly": "true"
         }
       }

   When you add this parameter, or anytime you update either identity store's configuration JSON on this page, you must reenter the adminUserPassword parameter in the JSON string with the current credentials to your Windows identity store.
4. Click Update. The changes take effect immediately without requiring a restart of the ArcGIS Server site.
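To confirm the setting after the update, the following added example (not Esri code) audits the user store and role store configuration strings copied from the updateIdentityStore page. The function names and sample strings are constructed for illustration, and treating only the documented string form "true" as acceptable is an assumption of this check.

```python
import json

def audit_store(label, config_json):
    """Return findings for one identity store configuration string."""
    try:
        cfg = json.loads(config_json)
    except json.JSONDecodeError as exc:
        return [f"{label}: not valid JSON ({exc.msg})"]
    if not isinstance(cfg, dict):
        return [f"{label}: expected a JSON object"]
    if cfg.get("type") != "WINDOWS":
        return []  # useSSLOnly applies only to stores of type WINDOWS
    props = cfg.get("properties")
    if not isinstance(props, dict):
        props = {}
    findings = []
    if "useSSLOnly" in cfg:
        findings.append(f"{label}: useSSLOnly is outside the properties object")
    value = props.get("useSSLOnly")
    if value is None:
        findings.append(f"{label}: useSSLOnly not set in properties; "
                        "unencrypted fallback is still possible")
    elif value != "true":
        # Assumption: only the documented string form "true" is accepted here
        findings.append(f"{label}: useSSLOnly is {value!r}, not the string \"true\"")
    return findings

def audit_identity_stores(user_store_json, role_store_json=None):
    """Audit the user store and, if supplied, the role store."""
    findings = audit_store("user store", user_store_json)
    if role_store_json is not None:
        findings += audit_store("role store", role_store_json)
    return findings

# Constructed sample inputs (not taken from a real site)
HARDENED = r'''{"type": "WINDOWS", "properties": {
  "adminUserPassword": "encrypted_password",
  "adminUser": "sampledomain\\sampleuser", "useSSLOnly": "true"}}'''
MISPLACED = r'''{"type": "WINDOWS", "useSSLOnly": "true", "properties": {
  "adminUserPassword": "encrypted_password",
  "adminUser": "sampledomain\\sampleuser"}}'''
DISABLED = '{"type": "WINDOWS", "properties": {"useSSLOnly": "false"}}'
NOT_WINDOWS = '{"type": "BUILTIN", "properties": {}}'

if __name__ == "__main__":
    for name, args in [("hardened", (HARDENED, HARDENED)), ("disabled", (DISABLED,))]:
        print(name, audit_identity_stores(*args) or "OK")
```

An empty result means every WINDOWS-type store passed in carries the parameter inside properties; a parameter placed at the top level of the JSON is reported separately because the procedure requires it within the properties bracket.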