If you plan to federate your ArcGIS Server site with the ArcGIS Enterprise portal, be aware that the way you administer your ArcGIS Server site will change after you federate. The key differences to administering a federated server are noted below.
Security differences
When you federate an ArcGIS Server site with a portal, the portal's security store controls all access to the server. This impacts how you access and administer the federated server.
Users, roles, and permissions
When you federate, any users, roles, and permissions that you previously configured on ArcGIS Server services are no longer valid. Access to services is instead determined by portal members, roles, and sharing permissions.
Similar to ArcGIS Server, the portal offers user, publisher, and administrator levels of privilege. The portal also provides a viewer role, which has a limited set of privileges. The portal additionally includes a custom role that is considered a user role by the federated server. You should set up and check these permissions in your portal before you expose your federated server to end users.
At the time of federation, items are automatically created in the portal for all existing ArcGIS Server web services. These items are owned by the administrator who performs federation. After federation, ownership can be reassigned to existing portal members as desired. Any items or services added to the portal after federation are explicitly owned by the member who created them.
When federated, the ability to isolate access to the server is eliminated. For example, anyone with publisher privileges can publish to any federated server. However, you can update a federated server's security configuration to restrict administrative and publisher access. See Fine-grained access control of federated servers below for details.
Viewer role
Members who are assigned this role can connect to and use ArcGIS Server services. When connected to a federated server as a viewer, any services shared with the viewer or a group the viewer is a member of can be viewed and consumed. Viewers see a customized view of the portal website, can use the organization's maps, apps, layers, and tools, and join groups owned by the organization. Viewers do not have privileges to create, share, or own items.
User role
Members who are assigned this role can connect to and use ArcGIS Server services. When connected to a federated server as a user, any services shared with the user or a group the user is a member of can be viewed and consumed. Users see a customized view of the portal website, can use the organization's maps, apps, layers, and tools, and join groups owned by the organization. Users can also create maps and apps, add items, share content, and create groups.
Publisher role
Publishers can only work with services that they have created in the portal. They cannot modify or delete other publishers' services. For example, when connected to the federated server in ArcMap, only services published by the publisher will display. Publishers have user privileges and can also perform analysis on layers in maps.
Anyone with publisher privileges can publish to any federated server. Services published to a federated server are automatically added as items in the portal. Hosted services published directly to the portal appear as items in the portal and as services on the hosting server.
Administrator role
Administrators have user and publisher privileges, and they have permissions to all services hosted by the federated server. Administrators also have privileges to manage the portal and all of its members. A portal must have at least one administrator. However, there are no limits on how many can administer an organization. For example, if a portal has five members, all five members can be administrators.
Custom role
Custom roles include a specific set of privileges defined by the administrator. For example, members with the custom role might be able to create content, but cannot create groups; they might be able to publish features, but not tiles. In release 10.5.1 and earlier, a custom role with any publishing privilege (for features, tiles, or scenes) was able to create other types of ArcGIS Server services. Beginning at 10.6, there is a Publish server-based layers privilege that's needed to publish any service directly to ArcGIS Server.
If a custom role is created with any administrative privileges, ArcGIS Server will grant members within that role full administrative access. This includes rights to publish any service type directly to ArcGIS Server and the ability to view and access all services. Consider the security risks before creating a custom role for any member that includes administrative privileges.
Fine-grained access control of federated servers
You can update a federated server to restrict publishing and administrative access. Once updated, all portal administrators will still have administrative privileges on the server. Portal members with publisher privileges will not be granted publishing access to the server by default. Instead, publisher access to the server is controlled by a group named [federated server name]_Publishers or the item [federated server name]_Publishers. To gain publisher privileges to the server, the portal member must be either a member of the [federated server name]_Publishers group or a member of a group that the [federated server name]_Publishers item has been shared with. Likewise, additional administrative access to the server is controlled by a group named [federated server name]_Administrators or the item [federated server name]_Administrators. A portal member must be either a member of this group or a member of the group that the item has been shared with to gain administrative access to the server.
Fine-grained access control is configured in the ArcGIS Portal Directory. Once you have federated a server with your portal, follow the steps below to update the server to enable this control.
- Log in to the ArcGIS Portal Directory as a portal member with administrative privileges. The URL to the Portal Directory is in the format https://portal.domain.com/arcgis/portaladmin.
- Go to Federation > Servers and click the server you want to edit.
- Click Update.
- From the Server role drop-down menu, choose Federated Server With Restricted Publishing.
- Click Update Server.
You will now see the [federated server name]_Administrators and [federated server name]_Publishers groups as well as the corresponding items on the My Content page. These will be owned by the portal member who updated the server.
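The access rules above (the custom-role caveat and the [federated server name]_Publishers / _Administrators group and item rules) are easy to get wrong when auditing who can publish to or administer a restricted server. The following added example, not part of the Esri documentation, models them as an audit function over constructed portal data; the privilege name prefix `portal:admin:` and the member records are assumptions for illustration.

```python
"""Audit effective access on a federated server with restricted publishing.

Constructed model of the rules described on this page; not an Esri API.
"""
from dataclasses import dataclass, field


@dataclass
class Member:
    username: str
    role: str                                   # viewer, user, publisher, administrator, custom
    privileges: set = field(default_factory=set)  # only consulted for custom roles
    groups: set = field(default_factory=set)      # group names the member belongs to


def effective_server_access(member, server_name, item_shares):
    """Return 'administrator', 'publisher' or 'user' for one member on one server.

    item_shares maps an item title (e.g. 'gis01_Publishers') to the set of
    groups that item has been shared with.
    """
    admins = f"{server_name}_Administrators"
    publishers = f"{server_name}_Publishers"
    # Portal administrators always keep administrative access after the update.
    if member.role == "administrator":
        return "administrator"
    # A custom role with ANY administrative privilege is treated by ArcGIS Server
    # as a full administrator. The 'portal:admin:' prefix is an assumed convention.
    if member.role == "custom" and any(p.startswith("portal:admin:") for p in member.privileges):
        return "administrator"
    # Group membership, or membership of a group the item is shared with.
    if admins in member.groups or member.groups & item_shares.get(admins, set()):
        return "administrator"
    if publishers in member.groups or member.groups & item_shares.get(publishers, set()):
        return "publisher"
    # Portal publisher privileges alone grant nothing on a restricted server.
    return "user"


def audit(members, server_name, item_shares):
    """Map every member to their effective access on server_name."""
    return {m.username: effective_server_access(m, server_name, item_shares) for m in members}


# Constructed sample portal: server 'gis01' after the restricted-publishing update.
ITEM_SHARES = {"gis01_Publishers": {"GIS Editors"}, "gis01_Administrators": set()}
MEMBERS = [
    Member("alice", "administrator"),
    Member("bob", "publisher"),                             # publisher role only
    Member("carol", "publisher", groups={"GIS Editors"}),  # item shared with her group
    Member("dave", "user", groups={"gis01_Administrators"}),
    Member("erin", "custom", privileges={"portal:admin:viewUsers"}),
]
```

Running `audit(MEMBERS, "gis01", ITEM_SHARES)` shows that bob, despite the publisher role, has no publishing access, while erin's single administrative privilege makes her a full server administrator.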
Connect to Manager
You can connect to ArcGIS Server Manager only if your portal account is assigned to the administrator or publisher role. You cannot log in to Manager using an account assigned to the viewer or user role. You also cannot log in using the site's primary site administrator account. When you connect, you should use a URL that uses HTTPS and includes the fully qualified domain name of the server:
- If you are connecting directly to ArcGIS Server, the URL is formatted https://gisserver.domain.com:6443/arcgis/manager. If the site includes multiple GIS servers, this will be the URL of the machine you specified for the Administration URL when federating your site.
- If you are connecting through ArcGIS Web Adaptor, you'll need to ensure administrative access is enabled on ArcGIS Web Adaptor. The URL you'll use to connect is formatted https://webadaptorhost.domain.com/webadaptorname/manager.
If your portal is configured with a built-in identity store or Lightweight Directory Access Protocol (LDAP), you'll need to enter the user name and password of your portal account.
Modify desktop shortcut for Manager
ArcGIS Server supplies a desktop shortcut for ArcGIS Server Manager. The default shortcut URL is formatted http://localhost:6080/arcgis/manager, which is a valid path as long as the server has not been federated to an ArcGIS Enterprise portal. As noted in the section above, a federated server is accessed using the URL format https://gisserver.domain.com:6443/arcgis/manager, meaning the default shortcut URL results in an error message of Invalid redirect_uri. Follow these steps to update the shortcut path for a federated server:
- Locate the shortcut file in the <ArcGIS Server installation directory>/Support/Shortcuts folder.
- Open the ArcGIS Server Manager shortcut file in your preferred editing program. It should read as follows, though your specified internet browser may differ:
[Desktop Entry]
Comment=ArcGIS Server Manager
Encoding=UTF-8
Exec=firefox localhost:6080/arcgis/manager
Icon=web-browser
Name=ArcGIS Server Manager
Terminal=false
Type=Application
Keywords=arcgis;esri;
- Modify the URL in the Exec line to the format https://gisserver.domain.com:6443/arcgis/manager.
- Save your changes and exit the program.
The shortcut item will now open ArcGIS Server Manager with the updated URL.
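The shortcut edit above is a one-line change, but an unattended rewrite should also confirm that the new target meets the page's requirement (HTTPS, fully qualified domain name, port 6443). This added example, not from the Esri documentation, rewrites the Exec line of a desktop entry and validates the result; the sample desktop entry is constructed from the text above and the host name is an assumption.

```python
"""Rewrite the ArcGIS Server Manager desktop shortcut for a federated server."""
from urllib.parse import urlsplit

MANAGER_PATH = "/arcgis/manager"


def federated_manager_url(fqdn, port=6443):
    """Build the Manager URL in the form the page requires for a federated server."""
    return f"https://{fqdn}:{port}{MANAGER_PATH}"


def is_valid_federated_manager_url(url):
    """True only for https://<fqdn>:<port>/arcgis/manager (no http, no localhost)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return (parts.scheme == "https"
            and host != "localhost" and "." in host
            and parts.path.rstrip("/") == MANAGER_PATH)


def rewrite_shortcut(desktop_text, fqdn):
    """Return the desktop entry with the Exec line pointing at the federated URL.

    The configured browser (the first token after Exec=) is preserved; only the
    URL argument is replaced.
    """
    new_url = federated_manager_url(fqdn)
    if not is_valid_federated_manager_url(new_url):
        raise ValueError(f"refusing to write non-compliant URL {new_url}")
    out = []
    for line in desktop_text.splitlines():
        if line.startswith("Exec="):
            browser, _, _old_url = line[len("Exec="):].partition(" ")
            line = f"Exec={browser} {new_url}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample matching the default shortcut shown on this page.
SAMPLE_SHORTCUT = """[Desktop Entry]
Comment=ArcGIS Server Manager
Encoding=UTF-8
Exec=firefox localhost:6080/arcgis/manager
Icon=web-browser
Name=ArcGIS Server Manager
Terminal=false
Type=Application
Keywords=arcgis;esri;
"""
```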
Connect to the server in ArcGIS Desktop
You can connect to the server in ArcGIS Desktop with any portal account, for example, accounts assigned to the viewer, user, publisher, or administrator role. You can also connect to the server using the primary site administrator account from your ArcGIS Server site.
Note:
You can only make user connections to an ArcGIS Server site from ArcGIS Pro; therefore, even if you provide a publisher or administrator account, you cannot publish to or administer the ArcGIS Server site in ArcGIS Pro. To make a publisher or administrator connection from an ArcGIS Desktop client, use ArcMap.
When you supply the Server URL when connecting to your server using the Add ArcGIS Server wizard, you should specify a URL that uses HTTPS and includes the fully qualified domain name of the server:
- If you are connecting directly to ArcGIS Server, the URL is formatted https://gisserver.domain.com:6443/arcgis.
- If you are connecting through ArcGIS Web Adaptor as a publisher or administrator, you'll need to ensure administrative access is enabled on the Web Adaptor. The URL you'll use to connect is formatted https://webadaptorhost.domain.com/webadaptorname/manager.
If your portal is configured with a built-in identity store or Lightweight Directory Access Protocol (LDAP), you'll need to enter the user name and password of your portal account. If you want to connect to an ArcGIS Server site using the primary site administrator account, enter the credentials for the account.
Connect to the ArcGIS Server Administrator Directory and Services Directory
When connecting to the ArcGIS Server Administrator Directory, you may need to supply a portal token. The login page provides instructions on how to obtain this token. For more information, see Accessing the Administrator Directory on a federated server. Alternatively, you can log in using the server's primary site administrator account if you connect directly through port 6080 or 6443.
When connecting to the ArcGIS Server Services Directory, you do not need to provide a token. You'll log in using your portal credentials. You cannot log in using the primary site administrator account.
Behavior of a portal's hosting server
When you designate your federated server to also act as the portal's hosting server, you provide the portal with a powerful back end. You allow portal users with at least publisher privileges to publish cached maps, feature services, and scene services (tile layers, feature layers, and scene layers). These users may not have any ArcGIS products on their computers; they may just publish the services by uploading a shapefile or a CSV file through the portal website; however, publishing through ArcMap is still an option.
All services published by portal users directly to the portal are hosted services and are placed in an ArcGIS Server folder called Hosted. This way, you can keep track of which services are hosted services and which are not.
If you delete a service in the portal, it's also deleted from the server. This is true both for services published to the federated server and hosted services published directly to the portal.
Note:
Prior to 10.6.1, deleting a non-hosted service from the portal did not automatically delete the service from the federated server. Hosted services were automatically deleted from the server when deleted in the portal.
Service types listed in the Hosted folder differ from those in other server folders. This is to match the item types that are displayed in the ArcGIS Enterprise portal. The following table lists all supported hosted services and their updated item types:
| ArcGIS Server service type | Hosted folder/portal item type |
|---|---|
| Cached map service | Tile layer |
| Cached map service with feature service | Tile and Feature Layer |
| Feature service | Feature Layer |
| Image service* | Imagery Layer |
| Scene service | Scene Layer |
| WFS service | WFS layer |
*The image service that underlies a hosted imagery layer runs on the portal's raster analysis server, not the portal's hosting server.
When viewing and editing hosted service properties in Manager or ArcMap, there will only be a subset of the expected ArcGIS Server capabilities or operations available. For example, some services will not display instance information in the service gallery or on the service Pooling tab in Manager.
When using the Catalog window in ArcMap to administer your hosted services, perform your work through the My Hosted Services node instead of the GIS Servers connection node. This will help ensure that you only view capabilities available through the portal.
A hosting server should have sufficient storage space, CPU, and memory to accommodate the services that it will host. You should train your publishers carefully, and monitor your server metrics to avoid exceeding capacity.
Considerations for tile layers and caching jobs
Tile layers present special challenges because of the processing power that can be taken by a single large caching job or many concurrent jobs. By publishing a tile layer at large scale over an indiscriminately broad area, a single untrained portal publisher could send a very large caching job to the server that would consume portal resources for a long time.
You can potentially mitigate the effect of caching jobs by running your CachingTools service in a separate ArcGIS Server cluster from the other services. If this is not possible, you can lower the number of instances of the CachingTools service that are allowed to run at one time, thereby leaving CPU cycles available for other services.
You can also limit the number of caching jobs that can run at one time by lowering the maximum number of instances allowed for the CachingControllers service. By default, three jobs can run simultaneously.
See Allocation of server resources to caching for additional details on how server resources are apportioned for caching jobs.
Unfederate a server from the portal
You can unfederate a server from the portal, allowing each to continue independent of the other.
Caution:
Unfederating a server site has several significant consequences and should not be done as part of routine troubleshooting. It is not easily undone and may have irreversible consequences. Removing a hosting server from the ArcGIS Enterprise portal renders existing hosted web layers unusable. Adding the hosting server back does not return the hosted services to a usable state. Only unfederate a site if you have a clear understanding of the impact.
Unfederation requires the following steps:
- If the federated server you want to remove is not the hosting server and the services that were published to this federated server are no longer needed, you can log in to ArcGIS Server Manager and delete the services. If the services will still be used, skip this step.
- If this federated server is the hosting server, sign in to the portal website and delete the hosted web layers that were published to the portal.
- If this federated server is also the hosting server and you no longer need any of the services running on the hosting server, disable the hosting server so that portal users can no longer publish to it.
- Remove the ArcGIS Server site from your portal, which restores your ArcGIS Server security store to its default settings and removes any portal items that came from the server while it was federated.
- Configure ArcGIS Server security to use your desired user and role stores.