SharePoint 2016/2013: Plan for SharePoint Services Farm

Presentation transcript:

SharePoint 2016/2013: Plan for SharePoint Services Farm
POC - SharePoint 2016 Search Publishing Consuming Scenario
Rishabh Y Mathur

Objective
POC – Granular details on the publishing consuming services farm scenario.
POC Environment Setup Supported scenarios Federated Search Implementation Demo

Environment setup
3 SharePoint farms for this POC (all on-prem):
- SharePoint 2016 Services Farm – SP2016
- SharePoint 2013 Content Farm #1 – SP
- SharePoint 2013 Content Farm #2 – SP2
Note: the consumer could be a 2010 farm as well.
Office 365 tenant (if setting up hybrid)

Supported service applications and scenarios
You can publish the following service applications in a SharePoint 2013 farm:
- Business Data Connectivity
- Machine Translation
- Managed Metadata
- User Profile
- Search
- Secure Store
If the server farms are located in different domains, the User Profile service application requires both domains to trust one another.

Cont’d
- The User Profile service must reside in the same datacenter as the content it supports: the performance of social features requires the User Profile service application to be located in the same datacenter as My Sites, team sites, and community sites.
- For the Business Data Connectivity service and Secure Store service application administration features to work from the consuming farm, the domain of the publishing farm must trust the domain of the consuming farm.
- Other cross-farm service applications work without a trust requirement between domains.

Big picture view – steps involved
Step 1: Exchange trust certificates between the farms.
Step 2: On the publishing farm, publish the service application.
Step 3: On the consuming farm, set the permission to the appropriate service applications.
Step 4: On the consuming farm, connect to the remote service application.
Step 5: Add the shared service application to a Web application proxy group on the consuming farm.
Step 6: Configure server-to-server authentication between the publishing and consuming farms.

Step 1: Exchange trust certificates between farms
A two-part process:
- Exporting and copying certificates
- Managing trust certificates

Step 1.1: Exporting and copying certificates
To export the root certificate from the consuming farm:
    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    $rootCert.Export("Cert") | Set-Content C:\ConsumingFarmRoot.cer -Encoding byte

Cont’d – Step 1.1
To export the STS certificate from the consuming farm:
    $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    $stsCert.Export("Cert") | Set-Content C:\ConsumingFarmSTS.cer -Encoding byte
To export the root certificate from the publishing farm:
    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    $rootCert.Export("Cert") | Set-Content C:\PublishingFarmRoot.cer -Encoding byte

Step 1.1 - Copy the certificates
- Copy the root certificate and the STS certificate from the server in the consuming farm to the server in the publishing farm.
- Copy the root certificate from the server in the publishing farm to a server in the consuming farm.

Step 1.2: Managing trust certificates
Establishing trust on the consuming farm
To import the root certificate and create a trusted root authority on the consuming farm:
    $trustCert = Get-PfxCertificate C:\PublishingFarmRoot.cer
    New-SPTrustedRootAuthority ServicesPublishingFarm -Certificate $trustCert

Cont’d Step 1.2
Establishing trust on the publishing farm
To import the root certificate and create a trusted root authority on the publishing farm:
    $trustCert = Get-PfxCertificate "C:\sp certs\ConsumingFarmRoot.cer"
    New-SPTrustedRootAuthority ServicesConsumingFarmSP -Certificate $trustCert
    $trustCert = Get-PfxCertificate "C:\sp2 certs\ConsumingFarmRoot.cer"
    New-SPTrustedRootAuthority ServicesConsumingFarmSP2 -Certificate $trustCert

Cont’d Step 1.2
To import the STS certificate and create a trusted service token issuer on the publishing farm:
    $stsCert = Get-PfxCertificate "c:\sp certs\ConsumingFarmSTS.cer"
    New-SPTrustedServiceTokenIssuer ServicesConsumingFarmSP -Certificate $stsCert
    $stsCert = Get-PfxCertificate "c:\sp2 certs\ConsumingFarmSTS.cer"
    New-SPTrustedServiceTokenIssuer ServicesConsumingFarmSP2 -Certificate $stsCert
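
Step 1 copies .cer files between servers and then trusts whatever file arrives, so the import is only as safe as the copy. The following added example (not part of the original slides) checks a copied certificate against a fingerprint recorded on the source farm before it is imported; the function names Get-CertSha256 and Test-FarmCertificate and the 30-day validity margin are assumptions made for illustration.

```powershell
# Added example, not from the original slides. Function names are hypothetical.

function Get-CertSha256 {
    param([Parameter(Mandatory=$true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        # Hash the DER encoding, which is what Export("Cert") writes to disk.
        $hash = $sha.ComputeHash($Certificate.RawData)
    } finally { $sha.Dispose() }
    return ([System.BitConverter]::ToString($hash) -replace '-', '')
}

function Test-FarmCertificate {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $ExpectedSha256,
        [int] $MinDaysValid = 30   # assumed safety margin, adjust to local policy
    )
    $cert = Get-PfxCertificate -FilePath $Path
    # Accept fingerprints typed with spaces, colons or lower-case hex.
    $expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $actual   = Get-CertSha256 -Certificate $cert
    if ($actual -ne $expected) {
        throw "Fingerprint mismatch for $Path (got $actual). Do not import."
    }
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now.AddDays($MinDaysValid)) {
        throw "Certificate $Path is not yet valid or expires within $MinDaysValid days."
    }
    return $cert
}

# On the consuming farm, record the fingerprint and give it to the publishing-farm
# administrator over a separate channel, not alongside the .cer file:
#   Get-CertSha256 -Certificate (Get-SPCertificateAuthority).RootCertificate
#
# On the publishing farm, import only after the check passes:
#   $trustCert = Test-FarmCertificate -Path "C:\sp certs\ConsumingFarmRoot.cer" `
#                    -ExpectedSha256 "<fingerprint recorded on the consuming farm>"
#   New-SPTrustedRootAuthority ServicesConsumingFarmSP -Certificate $trustCert
```

The same check applies to the STS certificate before New-SPTrustedServiceTokenIssuer and to the publishing farm's root certificate before it is imported on the consuming farm.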

Step 2: Publish service applications
- On the SharePoint Central Administration website, click Application Management, and then click Manage service applications.
- On the ribbon, click Publish.
- In the Publish Service Application dialog box:
  - Select the Connection Type that you want from the drop-down list.
  - If you want the service application to be available to remote farms, select the check box for Publish this Service Application to other farms.
  - Copy the Published URL into Notepad.

Step 3: Set permissions to published service applications
Set permission to the Application Discovery and Load Balancing Service Application and any other service application for a consuming farm.
Get the farm ID of the consuming farms:
    Get-SPFarm | Select Id

Cont’d Step 3
- On the SharePoint Central Administration (publishing), click Application Management, and then click Manage service applications.
- Click the row that contains Application Discovery and Load Balancing Service Application.
- On the ribbon, click Permissions.

Cont’d Step 3
In the Connection Permissions dialog box, do the following:
- Manually paste the ID of the consuming farm.
- Click Add.
- Select the consuming farm ID, and then select Full Control.
Repeat the above steps for any published service applications for which you want to enable access from the consuming farm, and assign the necessary permission.

Step 4: Connect to service applications on remote farms
- On a server in the consuming farm, on Central Administration, click Application Management, and then click Manage service applications.
- On the ribbon, click Connect.
- On the Connect drop-down menu, click the kind of service application to which you want to connect.

Cont’d - Step 4
- On the Connect to a Remote Service Application page, paste the appropriate URL from step 2 in the Farm or Service Application address text box, and then click OK.
- Click the row that contains the name of the service application, and then select the check box to add the service application connection to the farm’s default list of service application connections (that is, the default proxy group).
- Click OK.

Step 5: Add service application connections from a web application
Nothing needs to be done here; just verify that the default proxy connection is associated with the web application.

Step 6: Configure server-to-server authentication between publishing and consuming farms
To configure the publishing farm for the common realm name, type the following command at the Windows PowerShell command prompt on a server in the publishing farm:
    Set-SPAuthenticationRealm -realm <RealmName>
Note: RealmName is common to both the publishing and the consuming farm.
To configure the Name ID for the SharePoint Security Token Service (STS) on the publishing farm to include the common realm name, type the following commands at the Windows PowerShell command prompt on a server in the publishing farm:

Cont’d Step 6
    $sts=Get-SPSecurityTokenServiceConfig
    $Realm=Get-SpAuthenticationRealm
    $nameId = "00000003-0000-0ff1-ce00-000000000000@$Realm"
    Write-Host "Setting STS NameId to $nameId"
    $sts.NameIdentifier = $nameId
    $sts.Update()
To configure the consuming farm for the common realm name, type the following command at the Windows PowerShell command prompt on a server in the consuming farm:
    Set-SPAuthenticationRealm -realm <RealmName>

Cont’d Step 6
To configure the Name ID for the SharePoint STS on the consuming farm to include the common realm name, type the following commands at the Windows PowerShell command prompt on a server in the consuming farm:
    $sts=Get-SPSecurityTokenServiceConfig
    $Realm=Get-SpAuthenticationRealm
    $nameId = "00000003-0000-0ff1-ce00-000000000000@$Realm"
    Write-Host "Setting STS NameId to $nameId"
    $sts.NameIdentifier = $nameId
    $sts.Update()

Cont’d Step 6
To configure the publishing farm for server-to-server authentication with the consuming farm, type the following command at the Windows PowerShell command prompt on a server in the publishing farm:
    New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://<ConsumeHostName>/_layouts/15/metadata/json/1" -Name "<ConsumeFriendlyName>"
Where:
- ConsumeHostName is the name and port of any SSL-enabled web application of the consuming farm.
- ConsumeFriendlyName is a friendly name for the consuming farm.
This creates the server-to-server authentication trust with the consuming farm.

Cont’d Step 6
To configure the consuming farm for server-to-server authentication with the publishing farm, type the following command at the Windows PowerShell command prompt on a server in the consuming farm:
    New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://<PublishHostName>/_layouts/15/metadata/json/1" -Name "<PublishFriendlyName>"
Where:
- PublishHostName is the name and port of any SSL-enabled web application of the publishing farm.
- PublishFriendlyName is a friendly name for the publishing farm.
This creates the server-to-server authentication trust with the publishing farm.
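
Once Step 6 is complete, each farm holds several standing trusts that are easy to lose track of. The following added example (not part of the original slides) inventories them on one farm and checks that the STS Name ID matches the realm as set in Step 6; run it on both farms and compare the Realm values. Get-FarmTrustReport is a hypothetical name, and the script assumes it runs in a session where the SharePoint snap-in can be loaded.

```powershell
# Added example, not from the original slides. Get-FarmTrustReport is a hypothetical name.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-FarmTrustReport {
    $realm = Get-SPAuthenticationRealm
    $sts   = Get-SPSecurityTokenServiceConfig
    # Name ID value that Step 6 assigns to the STS on each farm.
    $expectedNameId = "00000003-0000-0ff1-ce00-000000000000@$realm"
    $now = Get-Date

    # Collect every certificate-based trust this farm currently holds.
    $trusts = @(
        Get-SPTrustedRootAuthority |
            Select-Object @{n='Kind';e={'RootAuthority'}}, Name, @{n='Cert';e={$_.Certificate}}
        Get-SPTrustedServiceTokenIssuer |
            Select-Object @{n='Kind';e={'ServiceTokenIssuer'}}, Name, @{n='Cert';e={$_.Certificate}}
        Get-SPTrustedSecurityTokenIssuer |
            Select-Object @{n='Kind';e={'SecurityTokenIssuer'}}, Name, @{n='Cert';e={$_.SigningCertificate}}
    )

    $rows = foreach ($t in $trusts) {
        [pscustomobject][ordered]@{
            Kind       = $t.Kind
            Name       = $t.Name
            Thumbprint = $t.Cert.Thumbprint
            NotAfter   = $t.Cert.NotAfter
            # Flag only entries that actually carry a certificate.
            Expired    = ($null -ne $t.Cert) -and ($t.Cert.NotAfter -lt $now)
        }
    }

    [pscustomobject][ordered]@{
        Realm              = $realm
        StsNameId          = $sts.NameIdentifier
        NameIdMatchesRealm = ($sts.NameIdentifier -eq $expectedNameId)
        Trusts             = @($rows)
    }
}

$report = Get-FarmTrustReport
$report | Format-List Realm, StsNameId, NameIdMatchesRealm
$report.Trusts | Sort-Object Kind, Name | Format-Table -AutoSize
```

Any trust entry whose name or thumbprint does not correspond to a farm you deliberately paired with is worth investigating, as is a NameIdMatchesRealm value of False on either farm.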

Recap

Resources
- Share service applications across farms in SharePoint 2013: https://technet.microsoft.com/en-us/library/ff621100.aspx
- Exchange trust certificates between farms in SharePoint Server 2016: https://technet.microsoft.com/en-us/library/ee704552(v=office.16).aspx
- Publish service applications: https://technet.microsoft.com/en-us/library/ee704545(v=office.16).aspx
- Connect to service applications on remote farms: https://technet.microsoft.com/en-us/library/ee704558(v=office.16).aspx
- Add or remove service application connections from a web application: https://technet.microsoft.com/en-us/library/ee704550(v=office.16).aspx
- Configure server-to-server authentication between publishing and consuming farms: https://technet.microsoft.com/en-us/library/jj992595.aspx