If you plan to federate your ArcGIS Server site with the ArcGIS Enterprise portal, be aware that the way you administer your ArcGIS Server site will change after you federate. The key differences to administering a federated server are noted below.
Security differences
When you federate an ArcGIS Server site with a portal, the portal's security store controls all access to the server. This impacts how you access and administer the federated server.
Users, roles, and permissions
When you federate, any users, roles, and permissions that you previously configured on ArcGIS Server services are no longer valid. Access to services is instead determined by portal members, roles, and sharing permissions.
Similar to ArcGIS Server, the portal offers user, publisher, and administrator levels of privilege. The portal also provides a viewer role, which has a limited set of privileges. The portal additionally includes a custom role that is considered a user role by the federated server. You should set up and check these permissions in your portal before you expose your federated server to end users.
At the time of federation, items are automatically created in the portal for all existing ArcGIS Server web services. These items are owned by the administrator who performs federation. After federation, ownership can be reassigned to existing portal members as desired. Any items or services added to the portal after federation are explicitly owned by the member who created them.
When federated, the ability to isolate access to the server is eliminated. For example, anyone who is a member of the built-in publisher role can publish to any federated server. However, you can update a federated server's security configuration to restrict administrative and publisher access. See Fine-grained access control of federated servers below for details.
Viewer role
Members who are assigned this role can connect to and use ArcGIS Server services. When connected to a federated server as a viewer, any services shared with the viewer or a group the viewer is a member of can be viewed and consumed. Viewers see a customized view of the portal website; can use the organization's maps, apps, layers, and tools; and join groups owned by the organization. Viewers do not have privileges to create, share, or own items.
User role
Members who are assigned this role can connect to and use ArcGIS Server services. When connected to a federated server as a user, any services shared with the user or a group the user is a member of can be viewed and consumed. Users see a customized view of the portal website; can use the organization's maps, apps, layers, and tools; and join groups owned by the organization. Users can also create maps and apps, add items, share content, and create groups.
Publisher role
Publishers can only delete or modify services that they have created in the portal. They cannot modify or delete other publishers' services. Publishers have user privileges, though, and they can use any layers that other publishers share with them.
Anyone with publisher privileges can publish to any federated server. Services published to a federated server are automatically added as items in the portal. Hosted services published directly to the portal appear as items in the portal and as services on the hosting server.
Administrator role
Administrators have user and publisher privileges, and they have permissions to all services hosted by the federated server. Administrators also have privileges to manage the portal and all of its members. A portal must have at least one administrator. However, there are no limits on how many can administer an organization. For example, if a portal has five members, all five members can be administrators.
Custom role
Custom roles include a specific set of privileges defined by the administrator. For example, members with the custom role may be able to create content but cannot create groups; they may be able to publish features but not tiles. To allow members to publish services to a federated ArcGIS Server site, the role must be assigned the general content Publish server-based layers privilege.
If a custom role is created with any administrative privileges, ArcGIS Server grants limited administrative access to members with that role. This includes rights to publish any service type directly to ArcGIS Server and the ability to view and access all services. Consider the security risks before creating a custom role for any member that includes administrative privileges.
Fine-grained access control of federated servers
You can update a federated server to restrict publishing and administrative access. Once updated, all portal administrators will still have administrative privileges on the server. Portal members with publisher privileges will not be granted publishing access to the server by default. Instead, publisher access to the server is controlled by a group named [federated server name]_Publishers or the item [federated server name]_Publishers.
Note:
The default group and item names must not be changed.
To gain publisher privileges to the server, the portal member must be either a member of the [federated server name]_Publishers group or a member of a group that the [federated server name]_Publishers item has been shared with. Likewise, additional administrative access to the server is controlled by a group named [federated server name]_Administrators or the item [federated server name]_Administrators. A portal member must be either a member of this group or a member of the group that the item has been shared with to gain administrative access to the server.
Fine-grained access control is configured in the ArcGIS Portal Directory. Once you have federated a server with your portal, follow the steps below to update the server to enable this control.
- Sign in to the ArcGIS Portal Directory as a portal member with administrative privileges.
The URL to the Portal Directory is in the format https://portal.domain.com/arcgis/portaladmin.
- Go to Federation > Servers and click the server you want to edit.
- Click Update.
- From the Server role drop-down menu, choose Federated Server With Restricted Publishing.
- Click Update Server.
You will now see the [federated server name]_Administrators and [federated server name]_Publishers groups as well as the corresponding items on the My Content page. These will be owned by the portal member who updated the server.
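To check the access model described above against a portal's actual membership, here is an added Python example (not Esri's code) that applies the page's rules offline to constructed data shaped like the Portal REST responses for federated servers and members. The serverRole string, the org_admin/org_publisher role identifiers, the portal:admin: and portal:publisher: privilege prefixes, and the assumption that the group names derive from the server's name field are all assumptions, not taken from the page.

```python
"""Offline audit of who can publish to or administer each federated server.

Added example, not Esri's code. Inputs mirror assumed Portal REST shapes:
  /portaladmin/federation/servers   -> {"servers": [{"name", "serverRole"}]}
  /sharing/rest/community/users/<u> -> {"username", "role", "privileges", "groups": [{"title"}]}
  sharing of the <server>_Publishers / _Administrators items -> group titles
All data below is constructed."""

RESTRICTED = "FEDERATED_SERVER_WITH_RESTRICTED_PUBLISHING"  # assumed serverRole value

def effective_access(server, member, item_shares):
    """Return 'admin', 'publisher' or None for one member on one server."""
    groups = {g["title"] for g in member.get("groups", [])}
    privs = set(member.get("privileges", []))
    if member["role"] == "org_admin":            # portal admins keep admin rights on every server
        return "admin"
    if any(p.startswith("portal:admin:") for p in privs):
        return "admin"                          # custom role with admin privileges: limited admin access
    if server["serverRole"] == RESTRICTED:
        # Access comes only from the control group or a group the control item is shared with.
        for level, suffix in (("admin", "_Administrators"), ("publisher", "_Publishers")):
            ctrl = server["name"] + suffix
            if ctrl in groups or groups & item_shares.get(ctrl, set()):
                return level
        return None
    if member["role"] == "org_publisher" or "portal:publisher:publishServerServices" in privs:
        return "publisher"                      # unrestricted server: any publisher can publish
    return None

def audit(servers, members, item_shares):
    """Map server name -> {username: access level} for every member with some access."""
    return {s["name"]: {m["username"]: lvl for m in members
                        if (lvl := effective_access(s, m, item_shares))} for s in servers}

# Constructed sample data (hypothetical servers, members and group titles)
SERVERS = [{"name": "gis1", "serverRole": "FEDERATED_SERVER"},
           {"name": "gis2", "serverRole": RESTRICTED}]
MEMBERS = [
    {"username": "admin", "role": "org_admin", "groups": []},
    {"username": "pub1", "role": "org_publisher", "groups": []},
    {"username": "pub2", "role": "org_publisher", "groups": [{"title": "gis2_Publishers"}]},
    {"username": "gisops", "role": "org_user", "privileges": ["portal:user:createItem"],
     "groups": [{"title": "GIS Ops"}]},
    {"username": "helpdesk", "role": "custom_role_id", "privileges": ["portal:admin:viewUsers"],
     "groups": []},
]
ITEM_SHARES = {"gis2_Administrators": {"GIS Ops"}}  # _Administrators item shared with GIS Ops

if __name__ == "__main__":
    for server, access in audit(SERVERS, MEMBERS, ITEM_SHARES).items():
        print(server, access)
```

The output makes two of the page's points visible: pub1 keeps publishing rights on the unrestricted gis1 but none on the restricted gis2, and helpdesk, whose custom role carries an administrative privilege, is reported as an administrator on both.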
Connect to Server Manager
You can connect to ArcGIS Server Manager only if your portal account is assigned to the administrator or publisher role. You cannot sign in to Server Manager using an account assigned to the viewer or user role or a custom role. You also cannot sign in using the site's primary site administrator account. When you connect, use a URL that uses HTTPS and includes the fully qualified domain name of the server:
- If you connect directly to ArcGIS Server, the URL is formatted https://gisserver.domain.com:6443/arcgis/manager. If the site includes multiple machines, this will be the URL of the machine you specified for the Administration URL when federating your site.
- If you connect through ArcGIS Web Adaptor, you must ensure that administrative access is enabled on ArcGIS Web Adaptor. The URL you use to connect is formatted https://webadaptorhost.domain.com/webadaptorname/manager.
If the portal is configured with a built-in identity store or Lightweight Directory Access Protocol (LDAP), you must provide the user name and password of your portal account. If the portal is configured with Windows Active Directory, you may be prompted to enter your Windows credentials or be logged into Server Manager automatically.
Modify desktop shortcut for Server Manager
ArcGIS Server supplies a desktop shortcut for ArcGIS Server Manager. The default shortcut URL is formatted http://localhost:6080/arcgis/manager, which is a valid path as long as the server has not been federated to an ArcGIS Enterprise portal. As noted in the section above, a federated server is accessed using the URL format https://gisserver.domain.com:6443/arcgis/manager, meaning the default shortcut URL results in an error message of Invalid redirect_uri. Follow these steps to update the shortcut path for a federated server:
- In the Windows Start menu on the federated server, right-click the ArcGIS Server Manager shortcut, click More, and click Open file location.
- In the File Explorer window that opens, right-click the ArcGIS Server Manager shortcut item and again select Open file location.
This opens the shortcut link in the folder C:\Program Files\Common Files\ArcGIS\Support\Shortcuts.
- Cut the Manager shortcut item and paste it to your desktop.
The Manager shortcut item is now deleted from its original location.
- Right-click the pasted item, open Properties, and modify the URL property so that the URL uses HTTPS and the 6443 port to connect.
For example, the URL should look similar to the following: https://gisserver.domain.com:6443/arcgis/manager, where gisserver.domain.com is the fully qualified domain name of one of the machines in the ArcGIS Server site.
- Click OK to apply the change and close the properties window.
- Cut the modified shortcut item and paste it back to the C:\Program Files\Common Files\ArcGIS\Support\Shortcuts folder.
The shortcut item will now open ArcGIS Server Manager from the Windows Start menu.
Connect to the server in ArcGIS Pro
When you connect to the portal in ArcGIS Pro, you can choose the federated server when you publish. See Manage portal connections from ArcGIS Pro and Introduction to sharing web layers in the ArcGIS Pro help.
Connect to the ArcGIS Server Administrator Directory and Services Directory
When connecting to the ArcGIS Server Administrator Directory, you may need to supply a portal token. The login page provides instructions on how to obtain this token. For more information, see Accessing the Administrator Directory on a federated server. Alternatively, you can sign in using the server's primary site administrator account if you connect directly through port 6080 or 6443.
When connecting to the ArcGIS Server Services Directory, you do not need to provide a token. Sign in using credentials for a portal administrator. You cannot sign in using the primary site administrator account.
Behavior of a portal's hosting server
When you designate a federated ArcGIS GIS Server site to act as the portal's hosting server, you provide publishers the ability to create cached map tiles, feature services, and scene services (tile layers, feature layers, and scene layers). These publishers do not need any ArcGIS products on their computers: they can publish the services simply by uploading a shapefile or a .csv file through the portal website, although publishing through ArcGIS Pro remains an option.
Services published directly to the portal are hosted services, and the services are placed in an ArcGIS Server folder called Hosted on the hosting server. This way, you can keep track of which services are hosted services and which are not.
If you delete a hosted layer item in the portal, the service is also deleted from the hosting server. Similarly, if you delete an item that references a service on a federated server, deleting the item from the portal deletes the service. This is true both for services published to the federated server and hosted services published directly to the portal.
The following table lists supported hosted services and their item types:
| ArcGIS Server service type | Portal item type |
|---|---|
| Cached map service | |
| Cached map service with feature service | |
| Feature service | |
| Image service* | |
| Scene service | |
| WFS service | |
| Vector tile service | |
| Knowledge graph service** | Knowledge Graph |
*The image service that a hosted imagery layer references runs on the portal's raster analysis server or image hosting server, not the portal's hosting server.
**The knowledge graph service that a hosted knowledge graph references runs on the portal's knowledge server, not the portal's hosting server.
When viewing and editing hosted service properties in Server Manager, only a subset of ArcGIS Server capabilities or operations are available. For example, some services will not display instance information in the service gallery or on the service Pooling tab in Server Manager.
A hosting server needs sufficient storage space, CPU, and memory to accommodate the services that it will host. Train your publishers to understand how services impact resources on the hosting server, and monitor the metrics on the hosting server machines to avoid exceeding capacity.
Considerations for tile layers and caching jobs
Tile layers present special challenges because of the processing power that can be taken by a single large caching job or many concurrent jobs. By publishing a tile layer at large scale over an indiscriminately broad area, a single untrained portal publisher could send a very large caching job to the server that would consume portal resources for a long time.
You can potentially mitigate the effect of caching jobs by running your CachingTools service in a separate ArcGIS Server cluster from the other services. If this is not possible, you can lower the number of instances of the CachingTools service that are allowed to run at one time, thereby leaving CPU cycles available for other services.
You can also limit the number of caching jobs that can run at one time by lowering the maximum number of instances allowed for the CachingControllers service. By default, three jobs can run simultaneously.
See Allocation of server resources to caching for additional details on how server resources are apportioned for caching jobs.
Unfederate a server from the portal
Caution:
You can unfederate an ArcGIS Server site from the portal, allowing each to continue independent of the other. However, unfederating an ArcGIS Server site has several significant consequences and should not be done as part of routine troubleshooting. It is not easily undone and may have irreversible consequences. Removing a hosting server from the ArcGIS Enterprise portal renders existing hosted web layers unusable. Adding the hosting server back does not return the hosted services to a usable state. Only unfederate a site if you have a clear understanding of the impact.
Only sites that fill a limited number of roles can run as stand-alone ArcGIS Server sites. For example, ArcGIS GeoAnalytics Server sites and ArcGIS Knowledge Server sites cannot function as stand-alone sites, and unfederating them makes them unusable.
Unfederation requires the following steps:
- Delete services.
If the services are on a hosting server, you must delete them. If the services are on a federated server that can act as a stand-alone ArcGIS Server site, you can skip this step.
- If the federated server you want to remove is not the hosting server and the services that were published to this federated server are no longer needed, you can sign in to ArcGIS Server Manager as an administrator and delete the services.
- If this federated server is the hosting server, sign in to the portal website and delete the hosted web layers that were published to the portal.
- Remove the ArcGIS Server site from your portal, which restores your ArcGIS Server security store to its default settings and removes any portal items that came from the server while it was federated.
- Configure ArcGIS Server security to use your desired user and role stores.