An ASP.NET module library that provides an extensible interface for integrating various authentication and authorization providers.
This module was meant to be used within the ArcGIS Web Adaptor (IIS), in order to provide a custom principal to the Web GIS platform (ArcGIS for Server and Portal for ArcGIS) in cases where standard configurations are not possible.
- ArcGIS Web Adaptor (IIS)
- Microsoft .NET Framework 3.5+
- Install and configure the ArcGIS Web Adaptor (IIS)
- Create a folder named bin within the web adaptor folder (typically c:\inetpub\wwwroot\arcgis)
- Build the solution
- Place all of the binaries from the output folder into the bin folder
Modify the web.config file (within the Web Adaptor folder) to resemble the following (add content, do not remove existing configuration items):
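<?xml version="1.0"?>
<configuration>
  <configSections>
    <!-- The attribute is "requirePermission"; the .NET configuration system rejects
         a <section> element that carries an unrecognized attribute name. -->
    <section name="Esri.Services.WebAuthnz"
             type="Esri.Services.WebAuthnz.Config.AuthnzConfigSection, Esri.Services.WebAuthnz,Version=1.0.0.0,Culture=neutral,PublicKeyToken=5357ddc79ef593b5"
             requirePermission="false" />
    <section name="log4net"
             type="log4net.Config.Log4NetConfigurationSectionHandler, log4net,Version=2.0.8.0,Culture=neutral,PublicKeyToken=669e0ddf0bb1aa2a"
             requirePermission="false" />
  </configSections>
  <!-- requireHTTPS should stay "true": the provider below is driven by the client
       certificate, which is only presented on a TLS connection. -->
  <Esri.Services.WebAuthnz requireHTTPS="true"
                           providerType="Esri.Services.WebAuthnz.Providers.Impl.CommonNameIdentityProvider, Esri.Services.WebAuthnz,Version=1.0.0.0,Culture=neutral,PublicKeyToken=5357ddc79ef593b5"
                           setPrincipal="true">
    <!-- setPrincipal should be true for Portal and UNFEDERATED ArcGIS Servers only -->
    <!-- An empty accessControl is a universal pass-through (every authenticated user
         is granted access); see the accessControl documentation below for the
         and / or / prop rules that restrict it. -->
    <accessControl>
      <!--
      see documentation below
      -->
    </accessControl>
    <!-- IP addresses to allow without client certificate. Every entry here bypasses
         the client-certificate check, so keep the list to loopback and known hosts. -->
    <whitelistedIPs>
      <add key="localhost" value="127.0.0.1" />
    </whitelistedIPs>
    <!-- properties are provider-specific -->
    <providerSettings>
      <!--
      <add key="property1" value="value1" />
      <add key="property2" value="value2" />
      <add key="propertyn" value="valuen" />
      -->
    </providerSettings>
  </Esri.Services.WebAuthnz>
  <log4net>
    <!--
    your log4net configuration here
    see https://logging.apache.org/log4net/release/manual/configuration.html for examples
    -->
    <appender name="ConsoleAppender" type="log4net.Appender.ConsoleAppender">
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
      </layout>
    </appender>
    <appender name="RollingLogFileAppender" type="log4net.Appender.RollingFileAppender">
      <file value="d:\logs\web_adaptor" />
      <appendToFile value="true" />
      <rollingStyle value="Composite" />
      <datePattern value="yyyyMMdd" />
      <maxSizeRollBackups value="-1" />
      <countDirection value="1" />
      <maximumFileSize value="1MB" />
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
      </layout>
    </appender>
    <root>
      <level value="INFO" />
      <appender-ref ref="ConsoleAppender" />
      <!-- ref must match the appender name declared above (RollingLogFileAppender);
           a dangling ref leaves the file appender unattached and no file is written. -->
      <appender-ref ref="RollingLogFileAppender" />
    </root>
  </log4net>
  <system.web>
    <httpModules>
      <!-- The other Esri authentication module should come first -->
      <add name="EsriWebAuthnzModule"
           type="Esri.Services.WebAuthnz.Modules.EsriWebAuthnzModule, Esri.Services.WebAuthnz,Version=1.0.0.0,Culture=neutral,PublicKeyToken=5357ddc79ef593b5"/>
    </httpModules>
  </system.web>
  <system.webServer>
    <!-- add this tag if it does not already exist (it should) -->
    <validation validateIntegratedModeConfiguration="false"/>
    <modules>
      <!-- The other Esri authentication module should come first -->
      <add name="EsriWebAuthnzModule-integrated"
           type="Esri.Services.WebAuthnz.Modules.EsriWebAuthnzModule, Esri.Services.WebAuthnz,Version=1.0.0.0,Culture=neutral,PublicKeyToken=5357ddc79ef593b5"/>
    </modules>
  </system.webServer>
</configuration>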
Modify the webadaptor.config file (found in the web adaptor folder, typically c:\inetpub\wwwroot\arcgis).
- Locate the EnableGetRolesForUser property and change the value to false.
<EnableGetRolesForUser>false</EnableGetRolesForUser>
The EsriWebIdentityProvider concrete implementation produces an instance of EsriWebIdentity, which contains a Dictionary<string, string[]> of user attributes that are used to determine whether the user has the authorization required to view the requested resource. At this time, the module can only be configured to act globally on an ASP.NET web application -- custom authorization rules for separate location directives are not supported.
There are three nodes permitted in the <accessControl> element:
- and (Conjunction) -- all child element logic must evaluate to true in order to grant access.
- or (Disjunction) -- any child element logic must evaluate to true in order to grant access.
- prop (Proposition) -- the property must exist and contain the value within the EsriWebIdentity in order to grant access. If the property does not exist, this node will always evaluate to false. Comparison is case-sensitive.
- @name -- The name of the property to evaluate.
- @value -- The value of the property to evaluate. The dictionary of properties may contain multiple values for a given key.
All three nodes have a @negate attribute (default value: false), which will invert the logical output of the node's boolean evaluation.
The accessControl node behaves as a conjunction.
The following example illustrates a universal pass-through for all users.
<accessControl />
In this example, access is granted to users whose attributes include 'ORIOLES' or 'RAVENS' in a property named 'team', excluding any users who have 'NATIONALS' in the same property.
<!-- The accessControl node is a conjunction: both the <or> and the negated prop below
     must evaluate to true for access to be granted. -->
<accessControl>
  <!-- Disjunction: the "team" property holds ORIOLES or RAVENS (case-sensitive match) -->
  <or>
    <prop name="team" value="ORIOLES" />
    <prop name="team" value="RAVENS" />
  </or>
  <!-- negate="true": a user whose "team" property also holds NATIONALS is denied
       even when the <or> above matched -->
  <prop name="team" value="NATIONALS" negate="true" />
</accessControl>
Use the command prompt as an Administrator for the steps listed in this section.
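REM Show the current HTTPS binding; the "netsh http" context is required for sslcert.
REM Note the certificate hash in the output, it is reused in the add step below.
> netsh http show sslcert ipport=0.0.0.0:443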
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : CERTIFICATE_HASH
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Enabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
Make note of the certificate hash in the response above (it will be specific to each implementation).
REM Remove the existing binding on 0.0.0.0:443 so it can be re-added below with
REM client-certificate negotiation enabled (an existing binding cannot be edited in place).
> netsh http delete sslcert ipport=0.0.0.0:443
SSL Certificate successfully deleted
REM Re-create the binding with the same certificate hash and application id,
REM now negotiating a client certificate on every connection. sslctlstorename
REM names the ClientAuthIssuer store, which the certutil step below populates
REM with the CAs whose client certificates should be accepted.
> netsh http add sslcert ipport=0.0.0.0:443 ^
certhash=CERTIFICATE_HASH ^
appid={4dc3e181-e14b-4a21-b022-59fc669b0914} ^
certstorename=My ^
sslctlstorename=ClientAuthIssuer ^
clientcertnegotiation=enable
SSL Certificate successfully added
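REM The SCHANNEL value is named SendTrustedIssuerList; a misspelled name creates an
REM unrelated value that SCHANNEL ignores. 0 = do not send the trusted-issuer list
REM in the TLS client-certificate request.
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL ^
/v SendTrustedIssuerList ^
/t REG_DWORD ^
/d 0 ^
/f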
REM Load every CA certificate (*.cer) in this folder into the machine-wide
REM ClientAuthIssuer store, the store referenced by sslctlstorename above.
REM -F overwrites an existing entry with the same certificate.
cd path\to\directory\containing\CA\certs\
for %f in (*.cer) do certutil -enterprise -addstore -F ClientAuthIssuer %f
NOTE: if using in a .bat file, %f should be replaced with %%f for all occurrences.