Kerberos constrained delegation

Kerberos delegation enables users to access remote data sources through Windows authentication. Kerberos is the recommended solution to manage user access among different servers. With Kerberos, PI Integrator for Esri ArcGIS accepts and relays login credentials to Portal for ArcGIS when a user accesses a layer.

It is recommended that you enable and configure Kerberos constrained delegation for the service account that runs PI Integrator for Esri ArcGIS so that only the appropriate data in time-enabled feature layers is available to the end user. If Kerberos is not enabled, users in the PI Geo Admins and PI Geo Users Windows groups are granted access to the data in all time-enabled feature layers. See Authorization using Windows groups.

Note: PI Integrator for Esri ArcGIS supports constrained delegation only. Unconstrained delegation is not supported.

Before you can enable and configure Kerberos constrained delegation, you must have the following:

• The PI Integrator for Esri ArcGIS running under a managed service account.

  A managed service account provides applications such as SQL Server or Exchange with automatic password management and support for simplified service provider names.

  For detailed information about managed service accounts, see Introducing Managed Service Accounts on the Microsoft web site.

• The machine name where the PI Integrator for Esri ArcGIS is installed.

• The name of the managed service account that runs the PI Integrator for Esri ArcGIS.

• Access to the domain controller and domain admin rights.

Complete the following tasks to configure Kerberos constrained delegation:

Task 1: Configure service principal names (SPN)

Task 2: Enable service account for Kerberos constrained delegation

Task 3: Add Portal for ArcGIS server with the HTTP service type