
Use nested groups in a Windows Active Directory identity store

You can configure Windows as the identity store for ArcGIS Server using the security configuration wizard in ArcGIS Server Manager. However, this configuration does not support nested groups. To support nested groups, ArcGIS Server provides a custom ASP.NET provider. To configure this custom provider, follow the steps below.

Note:

If your ArcGIS Server site is already configured with Active Directory, configuring the ASP.NET provider as detailed in this workflow erases the existing role-based security settings on your services.

  1. Verify that the ArcGIS Server .NET Extension Support feature is installed on the machine hosting the server. Do this by launching the ArcGIS Server setup program and checking the list of features selected for installation. To install the feature, do the following:
    1. Install Microsoft .NET Framework 4.5.1 or later on the machine hosting ArcGIS Server.

      The .NET framework is available on the ArcGIS Server setup media.

    2. Re-run the ArcGIS Server setup program and enable the .NET Extension Support feature on the Select Features page.
  2. Open the ArcGIS Server Administrator Directory and sign in with a user who has administrative permissions to your site.

    The Administrator Directory is typically available at https://gisserver.domain.com:6443/arcgis/admin.

  3. Click security > config > updateIdentityStore.
  4. Copy and paste the following text into the User Store Configuration dialog box on the Operation - updateIdentityStore page.
    {
      "type": "ASP_NET",
      "class": "AGSMembershipProvider.AGSADMembershipProvider",
      "properties": {
        "adminUserPassword": "[user password]",
        "adminUser": "[domain]\\[user name]"
      }
    }
  5. Update the adminUserPassword and adminUser property values with the appropriate credentials to your Windows identity store.
  6. Copy and paste the following text into the Role Store Configuration dialog box on the Operation - updateIdentityStore page.
    {
      "type": "ASP_NET",
      "class": "AGSMembershipProvider.AGSADRoleProvider",
      "properties": {
        "adminUserPassword": "[user password]",
        "adminUser": "[domain]\\[user name]"
      }
    }
  7. Update the adminUserPassword and adminUser property values with the appropriate credentials to your Windows identity store.
  8. Click Update to save your configuration.
  9. Open Manager and sign in with a user who has administrative permissions to your site.

    If you need help with this step, see Log in to Manager.

  10. Click Security > Users.
  11. In the Find User dialog box, click the Search button to look for the name of a user who is a member of a nested group.
  12. In the results view, click the Edit button next to the user with nested group membership.
  13. In the Member of section in the Edit User dialog box, verify that the list displays groups the user belongs to and groups inherited through nesting.
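
The following is an added example, not part of the ArcGIS Server product or its documentation: a Python helper that builds the two JSON documents from steps 4 through 7 and checks a document before it is pasted, catching leftover placeholders, a provider class pasted into the wrong dialog box, and an unescaped backslash in adminUser. The function names and the DOMAIN\user pattern are assumptions made for this example; the class names are the ones given in the steps above.

```python
import json
import re

# Provider class names as given in steps 4 and 6 of this page.
USER_STORE_CLASS = "AGSMembershipProvider.AGSADMembershipProvider"
ROLE_STORE_CLASS = "AGSMembershipProvider.AGSADRoleProvider"
# Assumed account format: DOMAIN\user, one backslash once the JSON is decoded,
# and no square brackets left over from the template placeholders.
ADMIN_USER_RE = re.compile(r"^[^\\\[\]\s]+\\[^\\\[\]]+$")


def build_store_config(provider_class, domain, user, password):
    """Return the JSON text for one dialog box; json.dumps escapes the backslash."""
    config = {
        "type": "ASP_NET",
        "class": provider_class,
        "properties": {
            "adminUserPassword": password,
            "adminUser": f"{domain}\\{user}",
        },
    }
    return json.dumps(config, indent=2)


def check_store_config(text, expected_class):
    """Return a list of problems in a config document that is about to be pasted."""
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        # A single backslash in adminUser usually ends up here.
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(config, dict):
        return ["top level must be a JSON object"]
    problems = []
    if config.get("type") != "ASP_NET":
        problems.append("type must be ASP_NET")
    if config.get("class") != expected_class:
        problems.append(f"class must be {expected_class}")
    props = config.get("properties")
    props = props if isinstance(props, dict) else {}
    if not ADMIN_USER_RE.match(str(props.get("adminUser", ""))):
        problems.append("adminUser must be DOMAIN\\user with placeholders replaced")
    if props.get("adminUserPassword") in (None, "", "[user password]"):
        problems.append("adminUserPassword is empty or still the placeholder")
    return problems
```

Run check_store_config once with USER_STORE_CLASS for the User Store Configuration text and once with ROLE_STORE_CLASS for the Role Store Configuration text; an empty list means the document passed these checks.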