How to set ArcGIS identity



About setting ArcGIS identity

If a Web Application Developer Framework (ADF) application uses ArcGIS Server local data sources, the application must contain an ArcGIS identity. This identity is stored in the web.config file in the Web application and impersonates the user to access the data source.
You do not need to set an ArcGIS identity for ArcGIS Server Internet data sources or for other data sources used in the Web ADF, such as ArcIMS or Web Map Server (WMS).

Requirements for the ArcGIS identity account

The following requirements are necessary for the ArcGIS identity account:
  • The account must be a valid user on the computer where the Web application runs. If it is a domain account, the computer must be a member of the domain or a domain that trusts the domain of the account.
  • The account must be a member of the agsusers or agsadmin group on the computer where ArcGIS Server runs (specifically, the Server Object Manager [SOM]).
  • If the Web application is on a computer other than the ArcGIS Server SOM, the user account must be recognized on both computers using one of the following options:
    • A domain account if both computers are members of the domain
    • A local computer account, where the local account is set up on both computers with the same password. In this case, omit the domain or computer name from the identity as described in the following sections.
  • Only one user can be configured in the ArcGIS identity. Using multiple ArcGIS Server local data sources, when those data sources require different identities, is not supported at this release.

Setting ArcGIS identity using Visual Studio

The easiest way to set the identity is to use a Visual Studio context menu that was added and configured when the Web ADF was installed. To use this approach, perform the following steps:
  1. Using Visual Studio, open the Web site on the Web server.
  2. Right-click the Web application name in Solution Explorer and choose Add ArcGIS Identity.
  3. Type the new user name, password, and machine name or domain.
  4. Ensure that the check box for encrypting the credentials is enabled.
  5. Click OK and save the web.config file.
If you get an error message when saving the web.config file, open the web.config file, delete the <identity>...</identity> section, and save the file. You can then create the identity using the ArcGIS Identity tool.
  6. Verify that the identity tag has been updated in the web.config file.

Setting ArcGIS identity manually

If Visual Studio is not available on the Web server computer, you can manually set or update ArcGIS identity by performing the following steps:
  1. Open the web.config file in a text editor, such as Notepad.
  2. Find the identity Extensible Markup Language (XML) tag. The contents of this tag can vary, depending on whether the identity was encrypted when it was added. An example of encrypted identity appears as follows:
[XML]
<identity configProtectionProvider="DataProtectionConfigurationProvider">
   <EncryptedData>
      <CipherData>
         <CipherValue>AQA…vA==</CipherValue>
      </CipherData>
   </EncryptedData>
</identity>
If the identity tag does not exist, create it as described in step 3. Ensure it is within the <system.web> section of the web.config file.
  3. Set or update the identity to a user in the agsusers group on the geographic information system (GIS) server. The user account requirements are the same as those described in Requirements for the ArcGIS identity account.

    The following is the recommended procedure to set and encrypt the identity:
    1. Modify the identity XML tag to contain the account information you want to use. Use the standard format for an identity tag in ASP.NET, similar to the following:
[XML]
<identity impersonate="true" userName="mydomain\myusername" password="mypassword"/>
If using a local machine account, the domain name (mydomain) can be omitted from the userName value, or the local machine name can be used. If the Web server and GIS server are on separate machines, you must omit the machine name for local accounts.
    2. Save the web.config file.
    3. Test the Web application on this Web server to ensure that the identity is correctly recognized.
    4. Encrypt the identity using the standard aspnet_regiis tool by opening a .NET command prompt from Start>(All) Programs>Microsoft .NET Framework SDK v2.0>SDK Command Prompt.
Typically, the web.config file cannot be viewed by browser users; however, if the Web server is compromised, it might be possible for the credentials to be viewed by unauthorized users.
    5. Type the command to encrypt the identity section in the web.config file. See the following code:
[XML]

aspnet_regiis -pe "system.web/identity" -app "/MyWebMappingApp" -prov "DataProtectionConfigurationProvider"
where "/MyWebMappingApp" is the Uniform Resource Locator (URL) of the Web application on the local IIS server.

If the Web site uses the File System option in Visual Studio, when the built-in Web server is used, the following code encrypts the identity section using a file path. (Note the -pef option and omission of the -app option.)
[XML]

aspnet_regiis -pef "system.web/identity" "C:\MyWebFolder\MyWebMappingApp" -prov "DataProtectionConfigurationProvider"
This scenario uses the .NET DataProtectionConfigurationProvider, which uses a machine-specific key for encryption. If you need to deploy the same application to multiple servers, such as in a Web Farm, use the RsaProtectedConfigurationProvider, which allows export and import of encryption keys. For more information, see How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA on the Microsoft Web site.
The identity is now updated and encrypted in the web.config file. The Web mapping application will use the encrypted identity to access the ArcGIS Server local resource.
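To confirm after the encryption step that the credentials no longer sit in clear text, the following check classifies the identity element of a web.config file. It is an added example, not Esri or Microsoft code; the sample documents, the placeholder cipher value, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples. The first carries the xmlns some ASP.NET 2.0 tools add.
PLAINTEXT = """<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <identity impersonate="true" userName="mydomain\\myusername" password="mypassword"/>
  </system.web>
</configuration>"""

ENCRYPTED = """<configuration><system.web>
  <identity configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData><CipherData>
      <CipherValue>CONSTRUCTED-PLACEHOLDER</CipherValue>
    </CipherData></EncryptedData>
  </identity>
</system.web></configuration>"""

def local(tag):
    """Drop any '{namespace}' prefix so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def child(parent, name):
    """Return the first direct child with the given local name, or None."""
    if parent is None:
        return None
    return next((c for c in parent if local(c.tag) == name), None)

def audit_identity(web_config_xml):
    """Classify system.web/identity without ever returning the password."""
    root = ET.fromstring(web_config_xml)
    identity = child(child(root, "system.web"), "identity")
    if identity is None:
        return {"state": "missing"}
    provider = identity.get("configProtectionProvider")
    cipher = next((e for e in identity.iter() if local(e.tag) == "CipherValue"), None)
    if provider and cipher is not None and (cipher.text or "").strip():
        # The DPAPI provider key is machine-specific, so the file is not portable.
        return {"state": "encrypted", "provider": provider,
                "machine_bound": provider == "DataProtectionConfigurationProvider"}
    if identity.get("password") is not None:
        return {"state": "plaintext", "userName": identity.get("userName")}
    return {"state": "no-credentials"}

if __name__ == "__main__":
    for name, doc in (("plaintext", PLAINTEXT), ("encrypted", ENCRYPTED)):
        print(name, audit_identity(doc))
```

A "plaintext" result means the encryption step has not been applied to that file; "machine_bound" marks a file that cannot be copied to another server in a Web Farm.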

Using the registry for encryption

An alternative option to the encryption with aspnet_regiis is to encrypt the credentials for the identity within the registry. For more information, see How to use the ASP.NET utility to encrypt credentials and session state connection strings on the Microsoft Help and Support Web site.


See Also:

ASP.NET identity and impersonation