
ArcGIS Mission Server administrator operations

The following sections describe the properties available to ArcGIS Mission Server administrators. Each property is described along with its path located in the ArcGIS Mission Server administration site.

Which account should I designate as the ArcGIS Mission Server account?

The ArcGIS Mission Server account defaults to the name arcgis. Accepting this default is sufficient for most nonproduction deployments; however, for production systems, Esri recommends that you create a domain or Active Directory account prior to installing ArcGIS Mission Server.

You are allowed to specify a local account or a domain account. You can export the setup configuration file when you install ArcGIS Mission Server on the first machine in your site and use the configuration file when you install ArcGIS Mission Server on the other machines in your site. That way, you guarantee that the ArcGIS Mission Server account is configured exactly the same on all the machines in your site.

Domain account

A domain account makes it easier to access data on remote systems. A domain account is also preferable for security purposes because the account is centrally managed.

When specifying a domain account, use the format DOMAIN\username. If you do not specify the domain, the ArcGIS Mission Server installation wizard creates a local account with the user name you specified. If you specify a domain account that does not exist, the installation returns an error.

If your logon settings deny login rights to the machine where ArcGIS Mission Server is installed, you will encounter an error during the installation. It is not necessary to grant Log on locally group policy settings to the ArcGIS Mission Server account.

Local account

If you've chosen a local account, the local account and password must exist on each machine in the ArcGIS Mission Server site and be identical. You can create the local account with the same password on each machine before installing ArcGIS Mission Server, or you can let the ArcGIS Mission Server installation wizard create the local account; just be sure to use the same user name and password on every machine in the site.

If you're creating a new local account as part of the installation, the password you specify for the account must adhere to your operating system's local security policy. If the password does not meet the minimum strength requirements of your operating system, the installation returns an error. Consult the Microsoft documentation for the version of Windows you are using to learn how to check the security policy on your machines.

Group managed service account

A group managed service account (gMSA) is a special Active Directory domain account that provides automatic password management. The account cannot be used for interactive logons and is restricted for use on only a pre-defined group of servers.

Using a gMSA is especially advantageous when a service account governs software on multiple machines, such as in a multiple-machine ArcGIS Mission Server site. Because the gMSA works at the domain level, it is able to regularly change the service account password on each machine with no manual steps required.

Starting in 10.8, the ServerConfigurationUtility command line tool, which is described below, can be used to configure the ArcGIS Mission Server service to run under a gMSA. For the user name parameter, the group managed service account can be specified either with or without the $ symbol at the end. The password parameter is not needed. The readconfig and writeconfig parameters both function the same with a group managed service account.

A sample command to configure a gMSA as the ArcGIS Mission Server account:

ServerConfigurationUtility.exe /username mydomain\enterprise-gmsa$ /writeconfig c:\temp\domainaccountconfig.xml
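Before running the command above, it helps to confirm that the gMSA exists and that this machine is allowed to retrieve its managed password. The following PowerShell is an added example, not Esri's code; it assumes the ActiveDirectory (RSAT) module is installed, and the utility location is a placeholder for your own installation path.

```powershell
# Added example: pre-flight checks before assigning a gMSA to ArcGIS Mission Server.
# Assumptions: ActiveDirectory module is installed; run on each machine in the site.
Import-Module ActiveDirectory

$domain  = 'mydomain'                                   # sample values from the command above
$gmsa    = 'enterprise-gmsa'
$config  = 'c:\temp\domainaccountconfig.xml'
$utility = 'C:\path\to\ServerConfigurationUtility.exe'  # placeholder: depends on your install

# 1. The account must exist and be a group managed service account,
#    not an ordinary user or a standalone managed service account.
$account = Get-ADServiceAccount -Identity $gmsa `
    -Properties PrincipalsAllowedToRetrieveManagedPassword
if ($account.ObjectClass -ne 'msDS-GroupManagedServiceAccount') {
    throw "$gmsa is not a gMSA (object class: $($account.ObjectClass))"
}

# 2. List who may retrieve the managed password. This should be limited to
#    the machines (or a group of machines) in the ArcGIS Mission Server site.
$account.PrincipalsAllowedToRetrieveManagedPassword |
    ForEach-Object { "may retrieve password: $_" }

# 3. Test-ADServiceAccount returns $true only when this computer can
#    actually obtain the gMSA password from the domain.
if (-not (Test-ADServiceAccount -Identity $gmsa)) {
    throw "This machine cannot use $gmsa; check the principals listed above."
}

# 4. Only now hand the account to the utility. No password parameter is needed;
#    the trailing $ is optional according to the text above.
& $utility /username "$domain\$gmsa`$" /writeconfig $config
```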

Import an existing server certificate

To import an existing server certificate, click Home > Machines > MachineName > sslCertificates > importExistingServerCertificate

This operation imports an existing server certificate into the keystore. If the certificate is a Certificate Authority (CA) signed certificate, you must first import the CA root or intermediate certificate using the importRootOrIntermediate operation.

Import a root certificate

To import a root certificate, click Home > Machines > MachineName > sslCertificates > importRootOrIntermediate

This operation imports a CA's root and intermediate certificates into the keystore. To create a production-quality CA-signed certificate, add the CA's certificates to the keystore; this enables the SSL mechanism to trust the CA (and the certificates it has signed). While the certificates of most popular CAs are already available in the keystore, you can use this operation if you have a custom CA or specific intermediate certificates.
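The two import operations above have to be used in order: CA certificates first, server certificate last. The following PowerShell is an added example, not part of the product; it uses the .NET X509Chain class to list the CA certificates a server certificate depends on, root first, and all file paths are placeholders.

```powershell
# Added example: work out which CA certificates to import with
# importRootOrIntermediate before importing the server certificate.
# Assumptions: paths are placeholders; the files hold public certificates only.
$leafPath = 'C:\certs\missionserver.cer'
$caPaths  = 'C:\certs\intermediate.cer', 'C:\certs\root.cer'

$certType = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$leaf  = New-Object $certType $leafPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'    # structure check only

# Offer the CA files as candidates. Windows may also resolve chain
# elements from its own certificate stores.
foreach ($path in $caPaths) {
    [void]$chain.ChainPolicy.ExtraStore.Add((New-Object $certType $path))
}

# The return value is ignored on purpose: a custom root is untrusted by
# Windows, which is expected here. Only the chain structure matters.
[void]$chain.Build($leaf)
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })

# A complete chain ends in a self-issued certificate (the root).
$top = $elements[-1]
if ($top.Subject -ne $top.Issuer) {
    throw "Chain is incomplete: no certificate found for issuer '$($top.Issuer)'"
}

# Everything above the leaf is a CA certificate; reverse to get root first.
$cas = @($elements | Select-Object -Skip 1)
[array]::Reverse($cas)

'Import with importRootOrIntermediate, in this order:'
$cas | ForEach-Object {
    '  {0}  (thumbprint {1}, expires {2:yyyy-MM-dd})' -f `
        $_.Subject, $_.Thumbprint, $_.NotAfter
}
'Then import with importExistingServerCertificate:'
'  {0}  (expires {1:yyyy-MM-dd})' -f $leaf.Subject, $leaf.NotAfter
```

If the script reports an incomplete chain, obtain the missing issuer certificate from your CA before attempting either import.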

Update the security configuration

To update the security configuration, click Home > Security > SecurityConfig > UpdateSecurityConfig

This operation updates the security configuration, including TLS protocols and cipher suites, for your ArcGIS Mission Server site. This operation causes the SOAP and REST service endpoints to be redeployed on every server machine in the site. If the authentication tier is GIS_SERVER, the ArcGIS token service is started on all server machines. When the authentication occurs at the Web Adaptor, the server does not participate in authenticating the user. If you updated the communication protocol as part of this operation, it takes ArcGIS Web Adaptor one minute to recognize changes to the communication protocol of your site.

Delete a site

To delete a site, click Home > Delete Site

This operation deletes the site configuration and releases all server resources. It is suited for development or test servers that need to be cleaned up regularly and can also be performed before uninstallation. Use caution with this option because it deletes all services, settings, and other configurations and is an unrecoverable operation.

This operation performs the following tasks:

  • All server machines participating in the site are stopped. This in turn stops all GIS services hosted on the server machines.
  • All services and cluster configurations are deleted.
  • All server machines are unregistered from the site.
  • The configuration store is deleted.

Define the length of time a JWT is valid

To define the length of time a JSON Web Token (JWT) is valid, click Home > System > Properties > AuthTokenTimeInSeconds

This integer defines the length of time in seconds that a JWT is valid for a client to establish a Web Socket session with ArcGIS Web Adaptor. If this is not set, the default is 180.

Define a web socket URL

To define a web socket URL, click Home > System > Properties > WebSocketContextURL

This string defines a URL to be used when ArcGIS Web Adaptor provides a web socket URL to a potential web socket client. If this is not set, the system default URL is used, such as https://<host.domain.com>:<portnumber>/<webadaptor>

Configure ArcGIS Web Adaptor

To configure ArcGIS Web Adaptor, click Home > System > Web Adaptors > WebAdaptorConfig

The Web Adaptor configuration is a resource for all the configuration parameters shared across the Web Adaptors in the site. This resource identifies the shared key used by all the Web Adaptors to encrypt key data bits in the incoming requests to the server.

Edit the log settings

To edit the log settings, click Home > Logs > LogSettings > EditLogSettings

This operation updates the log settings for the entire server site, such as log output location, level, and format, as well as log file age.