Administering a federated server

When you've registered your ArcGIS Server site with Portal for ArcGIS to take advantage of the portal's identity store and optionally host services, it is said that you are working with a federated server. Administering a federated server is similar to administering a typical ArcGIS Server site, except for a few key differences.

Security differences

Once you federate your server with the portal, the portal's security store controls all access to ArcGIS Server. The users and roles you previously used with ArcGIS Server are no longer valid for accessing the server; instead, you perform all connections to the server using a portal account that has Publisher or Administrator access.

The only exception is ArcGIS Server's primary site administrator account. You can always log in to the ArcGIS Server Administrator Directory using this account if you connect directly through port 6080 or 6443.

When you federate the server with a portal, any permissions that you previously configured on ArcGIS Server services are no longer valid. Access to services is instead determined by portal groups and sharing permissions. You should set up and check these permissions before you expose your federated server to end users.

Similar to ArcGIS Server, the portal offers User, Publisher, and Administrator levels of privilege. However, the portal's Publisher privilege is more restrictive than ArcGIS Server's Publisher privilege. Publishers can only work with services that they have created in the portal; they cannot modify or delete other publishers' services.

Connecting to Manager

You can connect to Manager only if your portal account has been granted administrator or publisher privileges. You cannot log in to Manager using the primary site administrator account from your ArcGIS Server site or a portal account that only has user privileges. When you connect, you should use a URL that uses HTTPS and includes the fully qualified domain name of the server:

  • If you are connecting directly to ArcGIS Server, the URL is formatted https://gisserver.domain.com:6443/arcgis/manager.
  • If you are connecting through the ArcGIS Web Adaptor, you'll need to ensure administrative access is enabled on the Web Adaptor. The URL you'll use to connect is formatted https://webadaptor.domain.com/arcgis/manager.

If your portal is configured with a built-in identity store or Lightweight Directory Access Protocol (LDAP), you'll need to enter the user name and password of your portal account. If your portal is configured with Windows Active Directory, you may be prompted to enter your Windows credentials or be logged into Manager automatically.

Connecting to the server in ArcGIS for Desktop

You can connect to the server in ArcGIS for Desktop with any portal account, for example, accounts that have been granted user, publisher, or administrator privileges. You can also connect to the server using the primary site administrator account from your ArcGIS Server site.

When you supply the Server URL when connecting to your server using the Add ArcGIS Server wizard, you should specify a URL that uses HTTPS and includes the fully qualified domain name of the server:

  • If you are connecting directly to ArcGIS Server, the URL is formatted https://gisserver.domain.com:6443/arcgis.
  • If you are connecting through the ArcGIS Web Adaptor as a publisher or administrator, you'll need to ensure administrative access is enabled on the Web Adaptor. The URL you'll use to connect is formatted https://webadaptor.domain.com/arcgis/manager.

If your portal is configured with a built-in identity store or Lightweight Directory Access Protocol (LDAP), you'll need to enter the user name and password of your portal account. If your portal is configured with Windows Active Directory, do not enter your Windows credentials in the wizard; click Finish and you'll be connected to the server automatically. If you want to connect to ArcGIS Server using the primary site administrator account, enter the credentials for the account.

Connecting to the ArcGIS Server Administrator Directory or Services Directory

When connecting to the ArcGIS Server Administrator Directory or Services Directory, you may need to supply a portal token. The login page provides instructions on how to obtain this token. For more information, see Accessing REST resources from a federated server.

Behavior of a portal's hosting server

When you designate your federated server to also act as the portal's hosting server, you provide the portal with a powerful back end. You allow any portal users with at least Publisher privileges to publish tiled map services and feature services. These users might not have any ArcGIS products on their computers; they may just publish the services by uploading a shapefile or a CSV file through the portal website; however, publishing through ArcMap is still an option.

All services published by portal users directly to the portal are hosted services, and are placed in an ArcGIS Server folder called Hosted. This way, you can keep track of which services are hosted services and which are not. If you delete a hosted service through the portal, it's also deleted from the server. This is not true for services published to the federated server; if you delete a service from the portal that was published to the federated server, the service is not deleted from the server.

Hosted services cannot be given additional capabilities or operations from ArcGIS Server. For example, once a user has published a tiled map service using the portal website, you should not attempt to use Manager or ArcGIS for Desktop to give the service the WMS capability or allow the Query operation. When using the Catalog window in ArcGIS for Desktop to administer your hosted services, perform your work through the My Hosted Services node instead of your GIS server connection node. This will help ensure that you only view capabilities available through the portal.

A hosting server should have sufficient storage space, CPU, and memory to accommodate the services that it will host. You should train your publishers carefully and monitor your server metrics to avoid exceeding capacity.

Considerations for tiled map services and map caching jobs

Tiled map services present special challenges because of the processing power that can be taken by a single large caching job or many concurrent jobs. By publishing a tiled map service at large scales over an indiscriminately broad area, a single untrained portal publisher could send a very large caching job to the server that would consume portal resources for a long time.

You can potentially mitigate the effect of caching jobs by running your CachingTools service in a separate ArcGIS Server cluster from the other services. If this is not possible, you can lower the number of instances of the CachingTools service that are allowed to run at one time, thereby leaving CPU cycles available for other services.

You can also limit the number of caching jobs that can run at one time by lowering the maximum number of instances allowed for the CachingControllers service. By default, three jobs can run simultaneously.

See Allocation of server resources to caching for additional detail on how server resources are apportioned for caching jobs.

Unfederating the server from the portal

You can decide to unfederate the server from the portal, allowing each to continue independent of the other. This process of separation requires several steps.

  1. Remove any service items that you imported at the time you federated.
  2. If the hosted services that were published by members of the portal are no longer needed, you can log in to ArcGIS Server Manager and delete them. Hosted services are in the Hosted folder on your server. If the services will still be used, skip this step.
  3. Disable the hosting server so that portal users can no longer publish to it.
  4. Remove the ArcGIS Server site from your portal, which restores your ArcGIS Server security store to its default settings and removes any portal items that came from the server while it was federated.
  5. Configure ArcGIS Server security to use your desired user and role stores.
12/13/2013