What is the difference between Web-tier vs. GIS-tier functionality in ArcGIS Server?

Answer

When Configuring ArcGIS Server security, the Security Configuration wizard prompts to select GIS-tier or Web-tier authentication.

They are very similar in that:

• Both GIS-tier and Web-tier authentication check the selected identity store to authenticate users.
• Both GIS-tier and Web-tier authentication utilize the GIS server for authorization of users based on roles.

They are different in that:

• GIS-tier authentication is handled by the ArcGIS server itself, making a connection to the identity store.
• Web-tier authentication offloads authentication of users to the web adaptor using the settings of its host web server; either IIS or TomCat, respectively.

Note:
In the following distinctions it is assumed that an IIS Web Adaptor is used when using Web-tier authentication. 

What are the functional differences?

GIS-tier authentication

• Is the default authentication mechanism for ArcGIS for Server.
• Allows for embedding ArcGIS tokens to pass credentials.
• Allows for connections to be made to all services, secured and public, from both inside the local domain, and from the internet.
• Does not support single sign-on. All users are prompted for a log-in unless passing an ArcGIS token.

Web-tier authentication

• Requires the installation and configuration of a web adaptor.

Note:
See the Related Information links below for web adaptor installation and configuration help.

• All Services are set to secured when Web-tier authentication is turned on.
• For Web-tier to function, it is required to turn on Windows Authentication and disable anonymous authentication in IIS.
• As a result of disabling anonymous connections in IIS, there are no unsecured services. All services require a Windows Domain Account to be accessible whether accessing the services from inside the domain, or from the internet.
• Using Web-tier authentication allows for the use of single sign-on when used inside the local domain.
• When Web-tier authentication is turned on, attempting to access the REST and SOAP end points of the ArcGIS server on Port 6080 or 6443 results in an HTTP 403 Unauthorized error. This is by design as accessing the server directly on port 6080 circumvents the Web-tier authentication, and is rejected as a result, as seen in this image.

• To access the ArcGIS end points, the web adaptor must be used.
• Does not allow ArcGIS tokens to be used to pass credentials since IIS is doing the authentication on behalf of the ArcGIS server.