Configuring accounts and permissions in a distributed installation

Sterling Quinn of the ArcGIS Server team contributed the following post.  This information will ultimately end up in the ArcGIS Server Help site in a few weeks. 


ArcGIS Server for the Microsoft® .NET Framework has a scalable architecture that allows you to distribute its components among multiple machines. When you set up a distributed installation, there are a number of post installs, accounts, and operating system groups that you’ll need to configure. These requirements have changed at 9.2, so even if you have configured a distributed installation in the past, you may not be familiar with the latest requirements.

Below is a guide that shows what you’ll need to do on each machine. Each machine in the diagram contains some green text denoting which post install you must run on that machine. Items in blue are accomplished by the post install. Items in red are things that you must do. Note especially that you must manually add the ArcGIS Web services account on each dedicated SOC machine.






  1. jlacombe says:

    I’ve got a question for ya… We have set up an SOM/SOC on a server and created map server objects. We then want to make an internet map source connection through code from a web app on a development machine using a local “gis” user we created on that SOM (which is assigned to the agsadmin and agsusers groups). I can create an internet map connection through the map resources manager as well as in ArcCatalog, however when trying in code, i.e. creating an identity and supplying that to an AGSServerConnection, we get “could not authenticate supplied identity”. Thoughts?

  2. minliny2k says:

    I’ve got a similar question. My ArcGIS Server Web App worked fine until the upgrade to 9.2 final last week…

    I am connecting to Local ArcGIS Svr from my box web server using ESRI.ArcGIS.ADF.Identity in code. The Identity user is a domain user that is under agsadmin group on SOM box. Prior to final release (PR, RC…), this works fine. But upon final release, no map, toc or overview content got loaded.

    Then noticed that if using “Impersonate the same Identity domain user in Web.config”, everything loads fine. Why does IIS have to impersonate the domain user in order to have permission to load the map? The Web app already provides the same Identity. Or did I miss something?

    But then when deployed to the production IIS Svr, same as the SOM machine, it wouldn’t work again.