When you configure your ArcGIS Server site to enforce security with users and roles managed in Microsoft Active Directory, it uses the Active Directory Global Catalog to obtain user and role information. However, ArcGIS Server cannot enforce security if the site binds to a domain controller that does not also serve as a global catalog. For example, you may see the following error when attempting to view the User and Role tab in the Security module in Manager:
An error occurred while searching for [users\roles]: [IP Address]:3268
If your Active Directory deployment includes multiple domain controllers, but not all domain controllers are configured as global catalog servers, you'll need to manually specify the domain controller or controllers used by ArcGIS Server. The following steps detail how to do this:
1. Open the ArcGIS Server Administrator Directory and sign in as a user with administrative privileges. The URL to the Administrator Directory is formatted as http://gisserver.domain.com:6080/arcgis/admin.
2. Click security > config > updateIdentityStore.
3. Copy and paste the following text into the User Store Configuration dialog box on the Operation - updateIdentityStore page:

    {
      "type": "WINDOWS",
      "properties": {
        "adminUserPassword": "[password]",
        "adminUser": "[domain]\\[user name]",
        "domainControllerAddress": "[IP Address], [alternate IP Address]"
      }
    }

4. Update the adminUserPassword, adminUser, and domainControllerAddress properties with the appropriate values. Optionally, more than one IP address can be listed for the domainControllerAddress property. If multiple IP addresses are listed, they should be ordered based on priority. ArcGIS Server will attempt to communicate with the first one listed and will fall back to subsequent ones only if the first one becomes unavailable.
5. If your Active Directory environment includes multiple domains within a forest, and you want to include IP addresses for the domain controllers assigned to each domain, use the domainControllerMapping parameter on both the User Store Configuration and Group Store Configuration dialog boxes. Multiple IP addresses can be listed for each domain if desired.

    {
      "type": "WINDOWS",
      "properties": {
        "adminUserPassword": "[password]",
        "adminUser": "[domain]\\[user name]",
        "domainControllerAddress": "[IP Address], [alternate IP Address]",
        "domainControllerMapping": "domain_A.example.com=[IP address], [alternate IP address]; domain_B.example.com=[IP address], [alternate IP address]"
      }
    }

6. If you will be using built-in roles, skip to the next step. If you will be using Active Directory roles, copy and paste the text from step 3 into the Role Store Configuration dialog box on the Operation - updateIdentityStore page.
7. Click Update to save your configuration.
8. Open ArcGIS Server Manager and sign in as a user who has administrative permissions to your site.
9. Click Security > Users. Verify that users from your Active Directory are displayed.
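The following script is an added example, not part of the original documentation or Esri's own code. It builds the store configuration text shown in the steps above from structured input, validates each domain controller address, keeps the priority order, and prompts for the password instead of storing it in a file. The function names, the account name EXAMPLE\svc_arcgis, and the 192.0.2.x and 198.51.100.x addresses are constructed for illustration.

```python
import ipaddress
import json

def addr_list(addresses):
    """Validate IP addresses and keep them in the given priority order."""
    seen, out = set(), []
    for raw in addresses:
        ip = str(ipaddress.ip_address(raw.strip()))  # ValueError on bad input
        if ip in seen:
            raise ValueError(f"duplicate domain controller address: {ip}")
        seen.add(ip)
        out.append(ip)
    if not out:
        raise ValueError("at least one domain controller address is required")
    return ", ".join(out)

def build_store_config(admin_user, admin_password, controllers, mapping=None):
    """Return the JSON text for the User/Role Store Configuration box.

    controllers: global catalog server IPs, highest priority first.
    mapping: optional {domain: [ips]} for forests with multiple domains.
    """
    if "\\" not in admin_user:  # assumption: follows the page's [domain]\[user name] template
        raise ValueError("adminUser must be in domain\\username form")
    props = {
        "adminUserPassword": admin_password,
        "adminUser": admin_user,
        "domainControllerAddress": addr_list(controllers),
    }
    if mapping:
        props["domainControllerMapping"] = "; ".join(
            f"{domain}={addr_list(ips)}" for domain, ips in mapping.items())
    # json.dumps escapes the backslash in adminUser as \\ for you.
    return json.dumps({"type": "WINDOWS", "properties": props}, indent=2)

def redacted(config_text):
    """Copy of the configuration that is safe to log: password masked."""
    cfg = json.loads(config_text)
    cfg["properties"]["adminUserPassword"] = "***"
    return json.dumps(cfg, indent=2)

if __name__ == "__main__":
    import getpass
    text = build_store_config(  # constructed sample values below
        "EXAMPLE\\svc_arcgis", getpass.getpass("AD account password: "),
        ["192.0.2.10", "192.0.2.11"],
        {"domain_A.example.com": ["192.0.2.10", "192.0.2.11"],
         "domain_B.example.com": ["198.51.100.10"]})
    print(redacted(text))  # paste the unredacted text into the dialog box
```

Only the redacted form should be written to logs or change tickets, since the real text contains the Active Directory account password in clear text.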