
SASL authentication

Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in internet protocols. As of 10.9, ArcGIS Enterprise supports using SASL as a means of authenticating with Windows Active Directory or other LDAP providers using the GSS/Kerberos v5 SASL mechanism.

Use case

SASL GSS authentication is typically used when an organization's domain controllers are configured to require signing for authentication with the LDAP server. This signing requirement only applies when connecting to the LDAP server over port 389 or 3268 without encryption. If LDAPS is fully supported across all domain controllers, the signing requirement does not apply.

Domain controller setting for LDAP server signing requirements

Requirements

To configure SASL authentication with ArcGIS Enterprise, a few requirements must be met.

Kerberos configuration file

A Kerberos configuration file is required to provide Portal for ArcGIS with information about the Kerberos domain controller. This information must be saved in a text file, for example, krb5.conf. A copy of the text file must be stored in a location where the Portal for ArcGIS service account can access it. Examples of this include the portal installation folder or the portal content directory. The default location for the portal content directory is c:\arcgisportal.

This configuration file is standard for Kerberos and should include default configuration settings and information on one or more Kerberos domain controllers for each Kerberos realm. An example configuration file is shown below.

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_ccache_name = KEYRING:persistent:%{uid}
    dns_lookup_kdc = true
    default_realm = EXAMPLE.COM
    default_checksum = rsa-md5

[realms]

EXAMPLE.COM = {
    kdc = domaincontroller.example.com
    admin_server = domaincontroller.example.com
}

[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

New user and group store properties supported with Windows and LDAP identity store types

  • "saslAuthenticationScheme"—Defines the SASL authentication scheme used by Portal for ArcGIS to connect to domain controllers through LDAP. At 10.9, GSSAPI is the only supported SASL authentication scheme. Example: "saslAuthenticationScheme": "GSSAPI"
  • "krb5ConfigFilePath"—Defines the path to the Kerberos configuration text file described above. The file must reside in a location the Portal for ArcGIS service account has read access to. Example: "krb5ConfigFilePath": "c:\\arcgisportal\\krb5.conf"

Portal for ArcGIS identity store configurations

The SASL GSS authentication mechanism can be used with either the Windows or the LDAP identity store type and works with both portal-tier and web-tier authentication. This includes maintaining and refreshing enterprise group membership.

Windows users and groups

When configuring Portal for ArcGIS to use Windows users and groups with SASL authentication, the "saslAuthenticationScheme" and "krb5ConfigFilePath" properties are required. The "user" property must be specified in the format username@realm. The realm is always uppercase in the krb5.conf file but does not need to be uppercase in the JSON string. The "domainControllerAddress" property is also required and must contain the fully qualified domain name (FQDN) of each Kerberos domain controller used; IP addresses are not supported for SASL authentication. If the enterprise users and groups come from more than one domain, use the "domainControllerMapping" property to link each domain name to its domain controller host name. Below are example user and group store configurations for a single domain.

Sample user store configuration

{
  "type": "WINDOWS",
  "properties": {
    "saslAuthenticationScheme": "GSSAPI",
    "krb5ConfigFilePath": "C:\\arcgisportal\\krb5.conf",
    "user": "entuser@example.com",
    "userPassword": "encrypted_password",
    "isPasswordEncrypted": "true",
    "caseSensitive": "false",
    "userGivenNameAttribute": "givenName",
    "userSurnameAttribute": "sn",
    "userEmailAttribute": "mail",
    "domainControllerAddress": "domaincontroller.example.com"
  }
}

Sample group store configuration

{
  "type": "WINDOWS",
  "properties": {
    "saslAuthenticationScheme": "GSSAPI",
    "krb5ConfigFilePath": "C:\\arcgisportal\\krb5.conf",
    "user": "entuser@example.com",
    "userPassword": "encrypted_password",
    "isPasswordEncrypted": "true",
    "domainControllerAddress": "domaincontroller.example.com"
  }
}
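As an added check, not part of this page or of Portal for ArcGIS, the following Python script validates an identity store JSON against the rules stated in this section and in the Kerberos configuration file section: GSSAPI scheme, krb5ConfigFilePath present, "user" in username@realm form with a realm that actually appears under [realms] in krb5.conf (resolved through [domain_realm]), and domain controller entries that are FQDNs with no stray whitespace or IP literals. The sample krb5.conf and store contents are constructed, and treating "domainControllerAddress" as a comma-separated list is an assumption.

```python
import re

# Constructed krb5.conf in the layout shown on this page (not a real file).
KRB5_CONF = """[realms]
EXAMPLE.COM = {
    kdc = domaincontroller.example.com
}
[domain_realm]
    example.com = EXAMPLE.COM
"""

def sample_store(dc):
    # Constructed WINDOWS store carrying the required SASL properties.
    return {"type": "WINDOWS", "properties": {
        "saslAuthenticationScheme": "GSSAPI",
        "krb5ConfigFilePath": "C:\\arcgisportal\\krb5.conf",
        "user": "entuser@example.com", "domainControllerAddress": dc}}

def parse_krb5(text):
    # Minimal krb5.conf reader: {section: {key: value}}, realm blocks nested.
    sections, section, realm = {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("["):
            section, realm = line.strip("[]"), None
            sections[section] = {}
        elif line == "}":
            realm = None
        elif line.endswith("{"):  # e.g. "EXAMPLE.COM = {"
            realm = line.split("=")[0].strip()
            sections[section][realm] = {}
        elif "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            (sections[section][realm] if realm else sections[section])[k] = v
    return sections

def check_store(store, krb5):
    # Return the SASL rules from this page that the store config violates.
    p, problems = store.get("properties", {}), []
    if p.get("saslAuthenticationScheme") != "GSSAPI" or not p.get("krb5ConfigFilePath"):
        problems.append("saslAuthenticationScheme must be GSSAPI and krb5ConfigFilePath is required")
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", p.get("user", ""))
    if not m:
        problems.append("user must be username@realm")
    else:  # realm is uppercase in krb5.conf; resolve the DNS domain via [domain_realm]
        realm = krb5.get("domain_realm", {}).get(m.group(1).lower(), m.group(1).upper())
        if realm not in krb5.get("realms", {}):
            problems.append(f"realm {realm} has no [realms] entry in krb5.conf")
    for host in p.get("domainControllerAddress", "").split(","):  # assumed comma list
        if host != host.strip():
            problems.append(f"domainControllerAddress has stray whitespace: {host!r}")
        host = host.strip()
        if host.replace(".", "").isdigit() or ":" in host or "." not in host:
            problems.append(f"domainControllerAddress must be an FQDN, not an IP or short name: {host!r}")
    return problems
```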

Other considerations

When signing in to portal with portal-tier authentication for LDAP users, the format of the user name must be username@realm, for example, testuser@example.com.

When using portal-tier authentication for Windows users, the format is the same as it is in prior releases: domain\username or username@domain.

Kerberos domain controller setting

The domain controller setting for LDAP server channel binding token requirements cannot be set to Always because of a Java limitation; for details, see JVM Bug 8245527. It must be set to either When supported or Never.

Domain controller setting for LDAP server channel binding