Friday, October 27, 2006
Posted on Friday, October 27, 2006 10:41:41 AM (Mountain Daylight Time, UTC-06:00)
Categories: ArcSDE | ArcMap | ArcCatalog | Security
I'm doing some testing with ArcSDE direct connections and Windows Authentication, and needed a quick way to check how the settings were working for different users. Of course I could go to another PC and log in as one of the test users, or set up a bunch of virtual machines, log into each of them as different users, and test the connections that way, but it seemed like a lot of work when there is the "run as" command in Windows XP.

Basically "Run As" allows you to start up an application or process as a different Windows login. Here's the syntax (showing how to start ArcMap):

runas /user:your-domain\testuser /profile /savecred "C:\Program Files\ArcGIS\Bin\ArcMap.exe"

So, I happily created some test users on our domain, and whipped up a quick batch file, and ran it, expecting ArcMap to fire up as the specified user. Not quite. I got an error when ArcMap was spinning up - a totally generic "ArcMap has encountered a Problem and needs to close" error. Usually this is a really bad type of error, but before I got too wound up, I thought about things a little: when ArcMap starts up for the first time, it writes a bunch of stuff into the user's profile. But this user does not yet have a profile on my machine since they have never logged in!

So I logged myself out, and logged in as the test user - which created the profile. I then promptly logged out and back in as myself again. Now when I run the batch file - ArcMap happily starts up as the specified user. Nice.

If you are using Windows Authentication with ArcSDE, this can be a useful tool - it can allow you to run in a more restricted mode most of the time, but when you need to, you can switch over to a login which has rights to make schema modifications - without having to log out of your Windows session.
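
As an added example (not part of the original post), here is a PowerShell sketch of the same launch that checks for the missing-profile failure described above and prompts for the password on each run instead of using /savecred, which stores the credential so that any program in the session can start processes as that login without a prompt. The function names are hypothetical; the account and path are the ones from the post's command.

```powershell
# Added example, not from the original post. Account and path are the ones in
# the post's runas command; the function names are hypothetical.
param(
    [string]$Account = 'your-domain\testuser',
    [string]$Exe     = 'C:\Program Files\ArcGIS\Bin\ArcMap.exe'
)

function Test-LocalProfile {
    # True when $Account already has a profile on this machine.
    param([string]$Account)
    try {
        $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        throw "Cannot resolve account '$Account': $($_.Exception.Message)"
    }
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    if (-not (Test-Path $key)) { return $false }
    $path = (Get-ItemProperty $key).ProfileImagePath
    return [bool]($path -and (Test-Path $path))
}

function Get-SavedCredentialLine {
    # cmdkey /list lines naming $Account, e.g. left by an earlier runas /savecred.
    param([string]$Account)
    cmdkey /list | Select-String -SimpleMatch $Account
}

if (-not (Test-LocalProfile $Account)) {
    Write-Warning "$Account has no profile here; log on once as that user first."
    return
}

$saved = Get-SavedCredentialLine $Account
if ($saved) {
    Write-Warning "Stored credentials for $Account can be reused without a prompt:"
    $saved | ForEach-Object { Write-Warning $_.Line.Trim() }
}

# Prompt on every launch instead of storing the password.
$cred = Get-Credential -UserName $Account -Message "Password for $Account"
# Start in the program's folder: the caller's current directory may not be
# readable by the other account, which makes Start-Process fail.
Start-Process -FilePath $Exe -Credential $cred -LoadUserProfile `
    -WorkingDirectory (Split-Path $Exe)
```
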
Monday, October 30, 2006 2:47:50 PM (Mountain Daylight Time, UTC-06:00)
Dave,

You had mentioned that you would be testing Direct Connect and Windows authentication on 9.2. Although on the beta program, I didn't have the opportunity to test either of those items out. Both, I've read and heard in a 9.2 webcast, were supposed to have been improved? What has been your experience thus far, especially with DC?

Thanks,

Ron
Ron Bruder
Thursday, November 02, 2006 11:33:23 AM (Mountain Daylight Time, UTC-06:00)
Dave,

We use ArcSDE with Windows authentication. I've got a couple of VB6 helper apps that I use to launch ArcCatalog as the "sde" user and as our "data owner" user. They use the CreateProcessWithLogonW winapi function.

They work fine but I sometimes have problems which I think arise because AppROT doesn't know about those instances of ArcCatalog. I haven't looked into that any further because it's not a major issue.

By the way, I just found your site because I'm searching for ways to let users outside our domain impersonate a domain login inside our domain so they can connect to ArcSDE. I don't think that's such a hot idea - I'm pushing for ArcGIS Server - but my boss wants me to look into it. Any ideas?

Thanks,

Mike
Mike Juniper
Thursday, November 09, 2006 8:05:26 AM (Mountain Standard Time, UTC-07:00)
I did not get these comments via email, so I apologize for the delay.

@Ron: Re: Direct Connect
Since I do not yet have the "final release", I can not comment w/o breaking the beta gag order. Once I get final bits, this is one of the things I'm going to test. Of course, the ESRI license agreement precludes me actually posting performance details, but I'm sure I can post "relative" information, and if I automate the tests, I'll post the code.

@Mike: Re Impersonation
You can do actual "impersonation" in .NET, but I'm not sure if you can switch the principal for the current thread (ArcMap) - and if they are not on the domain, I'm not sure you could switch their process to run as a domain user. My suggestion would be to use mixed authentication - SQL logins for the non-domain users, and Windows Auth for those on the domain. Depending on what your use case is, allowing ArcMap users to connect to an ArcIMS that is pulling data from your ArcSDE may be the simplest and cheapest option.

Cheers,

Dave
Dave