Disable Windows Active Directory groups lookup in ArcGIS Web Adaptor (IIS)—ArcGIS Server | Documentation for ArcGIS Enterprise
Skip To Content

Disable Windows Active Directory groups lookup in ArcGIS Web Adaptor (IIS)

When performing web-tier authentication with ArcGIS Web Adaptor (IIS), the Web Adaptor will look up Windows Active Directory groups for the signed-in user every time a request is sent to your ArcGIS Server site. In organizations with a small number of groups, this lookup will have no impact on performance. However, if your organization has hundreds or thousands of groups, you may see a decrease in performance because of the time it takes to complete the lookup.

If you notice a performance decrease, you can disable Active Directory groups lookup in ArcGIS Web Adaptor (IIS). Disabling this functionality is only applicable if the following criteria are met:

  • You've configured web-tier authentication (Integrated Windows Authentication or PKI-based client certificate authentication) in ArcGIS Web Adaptor (IIS).
  • You're using the ArcGIS Server built-in groups as the group store for your site. If you're using groups from Windows Active Directory, the lookup must occur to obtain groups.

To disable Active Directory groups lookup in ArcGIS Web Adaptor (IIS), do the following:

  1. On the machine hosting ArcGIS Web Adaptor (IIS), browse to and open the WebAdaptor.config file. By default, this file is located in the IIS inetpub folder, for example, C:\inetpub\wwwroot\<web adaptor name>\WebAdaptor.config.
  2. Locate the EnableGetRolesForUser property and change the value to false, for example:
    <EnableGetRolesForUser>false</EnableGetRolesForUser>
  3. Save and close the file.
  4. Restart IIS.
  5. Repeat these steps on the remaining Web Adaptors configured with your site.

You can enable lookups at any time by changing the EnableGetRolesForUser property to true.