Establishing Trust Relationships between SharePoint Farms

Step 1: Export certificates from the consumer farm

1. Log on to the Consumer Farm CA Server.

2. On the Start screen, type SharePoint 2013 Management Shell, and then press Enter.

3. At the command prompt, type the following command, and then press Enter:

$rootcert = (Get-SPCertificateAuthority).RootCertificate 

4. At the command prompt, type the following command, and then press Enter:

$rootcert.Export("Cert") | Set-Content "C:\Certs\ConsumerFarmRoot.cer" -Encoding byte 

5. At the command prompt, type the following command, and then press Enter:

$stscert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate

6. At the command prompt, type the following command, and then press Enter:

$stscert.Export("Cert") | Set-Content "C:\Certs\ConsumerFarmSTS.cer" -Encoding byte 

7. Close the SharePoint 2013 Management Shell.

8. On the Windows taskbar, click File Explorer.

9. In the File Explorer window, expand Computer, and then double-click C Drive.

10. Select the ConsumerFarmRoot and ConsumerFarmSTS files, right-click the files, and then click Copy.

11. In the File Explorer address bar, type \\ProviderFarmServer\c$\Certs, and then press Enter.

12. Right-click the content area, and then click Paste.

13. Close the File Explorer window.

Step 2: Export the root certificate from the provider farm

1. Switch to the Provider Farm virtual machine.

2. On the Start screen, type SharePoint 2013 Management Shell, and then press Enter.

3. At the command prompt, type the following command, and then press Enter:

$rootcert = (Get-SPCertificateAuthority).RootCertificate 

4. At the command prompt, type the following command, and then press Enter:

$rootcert.Export("Cert") | Set-Content "C:\Certs\ProviderFarmRoot.cer" -Encoding byte 

5. Close the SharePoint 2013 Management Shell.

6. On the Windows taskbar, click File Explorer.

7. In the File Explorer window, double-click C Drive.

8. Right-click the ProviderFarmRoot.cer, and then click Copy.

9. In the File Explorer address bar, type \\ConsumerFarmServer\c$\Certs, and then press Enter.

10. Right-click the content area, and then click Paste.

11. Close the File Explorer window.

Step 3: Create a trusted root authority on the consumer farm

1. Switch to the Consumer Farm virtual machine.

2. On the Start screen, type SharePoint 2013 Management Shell, and then press Enter.

3. At the command prompt, type the following command, and then press Enter:

$trustcert = Get-PfxCertificate "C:\Certs\ProviderFarmRoot.cer" 

4. At the command prompt, type the following command, and then press Enter:

New-SPTrustedRootAuthority "Contoso Provider Farm" -Certificate $trustcert 

5. Close the SharePoint 2013 Management Shell.

Step 4: Create a trusted root authority on the provider farm

1. Switch to the Provider Farm virtual machine.

2. On the Start screen, type SharePoint 2013 Management Shell, and then press Enter.

3. At the command prompt, type the following command, and then press Enter:

$trustcert = Get-PfxCertificate "C:\Certs\ConsumerFarmRoot.cer" 

4. At the command prompt, type the following command, and then press Enter:

New-SPTrustedRootAuthority "Contoso Consumer Farm" -Certificate $trustcert

Step 5: Create a trusted token issuer on the provider farm

1. At the command prompt, type the following command, and then press Enter:

$stscert = Get-PfxCertificate "C:\Certs\ConsumerFarmSTS.cer" 

2. At the command prompt, type the following command, and then press Enter:

New-SPTrustedServiceTokenIssuer "Contoso Consumer Farm" -Certificate $stscert 

3. Close the SharePoint 2013 Management Shell.

4. On the Start screen, type SharePoint 2013 Central Administration, and then press Enter.

5. On the Quick Launch navigation menu, click Security.

6. Under General Security, click Manage trust.

7. Verify that Contoso Consumer Farm is listed with a type of Trusted Service Provider.

Note: The term Trusted Service Provider on this page can be confusing, because in this case you want Contoso Consumer Farm to consume services. In this context, Trusted Service Provider means that the local farm has a trust relationship that enables it to provide services to Contoso Consumer Farm.
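The copied .cer files become trust anchors on the provider farm, so it is worth confirming they are the files the consumer farm exported before creating the trust. The script below is an added example, not part of the original walkthrough; the two thumbprint values are placeholders to be replaced with values read on the consumer farm, and Test-CopiedCertificate is a hypothetical helper name.

```powershell
# Added example (not from the original post). Save as a .ps1 and run it on the
# provider farm in the SharePoint 2013 Management Shell, in place of the
# Get-PfxCertificate / New-SP* commands in Steps 4 and 5.
# Placeholders: thumbprints read on the consumer farm in Step 1
# ($rootcert.Thumbprint and $stscert.Thumbprint), passed over a separate channel.
$expectedRoot = "<ROOT-THUMBPRINT-FROM-CONSUMER-FARM>"
$expectedSts  = "<STS-THUMBPRINT-FROM-CONSUMER-FARM>"

function Test-CopiedCertificate {
    param([string]$Path, [string]$ExpectedThumbprint)

    $cert = Get-PfxCertificate $Path
    # Thumbprints pasted from a certificate dialog often contain spaces.
    $want = $ExpectedThumbprint -replace '\s', ''
    if ($cert.Thumbprint -ne $want) {          # -ne is case-insensitive
        throw "Thumbprint mismatch for ${Path}: file has $($cert.Thumbprint)"
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate in $Path is outside its validity period"
    }
    if ($cert.HasPrivateKey) {
        throw "$Path carries a private key; only the public certificate should leave the farm"
    }
    return $cert
}

# A failed check throws and stops the script before any trust is created.
$trustcert = Test-CopiedCertificate "C:\Certs\ConsumerFarmRoot.cer" $expectedRoot
$stscert   = Test-CopiedCertificate "C:\Certs\ConsumerFarmSTS.cer"  $expectedSts

New-SPTrustedRootAuthority "Contoso Consumer Farm" -Certificate $trustcert
New-SPTrustedServiceTokenIssuer "Contoso Consumer Farm" -Certificate $stscert

# Review what the provider farm now trusts.
Get-SPTrustedRootAuthority |
    Select-Object Name, @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } }
Get-SPTrustedServiceTokenIssuer "Contoso Consumer Farm" | Format-List
```

The same check applies on the consumer farm for ProviderFarmRoot.cer before Step 3.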

Publishing and Consuming Service Applications

Step 1: Get the ID of the consumer farm

1. Switch to the Consumer Farm virtual machine.

2. On the Start screen, type SharePoint 2013 Management Shell, and then press Enter.

3. At the command prompt, type the following command, and then press Enter:

Get-SPFarm | Select Id | Set-Content "C:\Certs\ConsumerFarmID.txt" 

4. Close the SharePoint 2013 Management Shell.

5. On the Windows taskbar, click File Explorer.

6. In the File Explorer window, double-click C:\

7. Right-click the ConsumerFarmID.txt file, and then click Copy.

8. In the File Explorer address bar, type \\ProviderServer\c$\Certs, and then press Enter.

9. Right-click the content area, and then click Paste.

10. Close the File Explorer window.

Step 2: Grant the consumer farm permissions on the provider farm Application Discovery and Load Balancing Service Application

1. Switch to the Provider VM virtual machine.

2. On the Windows taskbar, click File Explorer.

3. In the File Explorer window, browse to C:\Certs, and then open the ConsumerFarmID.txt file.

4. In the ConsumerFarmID.txt file, select the GUID, and then on the Edit menu, click Copy.

Note: Only copy the GUID. Do not include the curly brackets {} or the preceding text.

5. Close the Notepad window and the File Explorer window.

6. On the Start screen, type SharePoint 2013 Management Shell, and then press Enter.

7. At the command prompt, type the following command, and then press Enter:

$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity

8. At the command prompt, type the following command, and then press Enter:

$claimprovider = (Get-SPClaimProvider System).ClaimProvider

9. At the command prompt, type the following command, and then press Enter (replace <ConsumerFarmID> with the value you copied from the text file):

$principal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimprovider -ClaimValue <ConsumerFarmID> 

10. At the command prompt, type the following command, and then press Enter:

Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"

11. At the command prompt, type the following command, and then press Enter:

Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security

12. Close the SharePoint 2013 Management Shell.
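Copying the GUID by hand is the error-prone part of this step. The script below is an added example, not part of the original walkthrough: it reads the farm ID from the file written in Step 1, rejects anything that is not exactly one well-formed GUID, applies the same grant, and then reads the resulting ACL back for review.

```powershell
# Added example (not from the original post). Run on the provider farm in the
# SharePoint 2013 Management Shell, in place of the commands in Step 2.
# Assumes C:\Certs\ConsumerFarmID.txt is the file written in Step 1.
$raw     = Get-Content "C:\Certs\ConsumerFarmID.txt" -Raw
$pattern = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
$found   = [regex]::Matches($raw, $pattern)
if ($found.Count -ne 1) {
    throw "Expected exactly one GUID in ConsumerFarmID.txt, found $($found.Count)"
}
$farmId = [guid]$found[0].Value      # throws if the text is not a valid GUID

$claimType     = "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid"
$security      = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$claimprovider = (Get-SPClaimProvider System).ClaimProvider
$principal     = New-SPClaimsPrincipal -ClaimType $claimType `
                     -ClaimProvider $claimprovider -ClaimValue $farmId.ToString()

Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Get-SPTopologyServiceApplication |
    Set-SPServiceApplicationSecurity -ObjectSecurity $security

# Read the ACL back from the farm and confirm that the only new entry is the
# farm ID claim for the consumer farm.
(Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity).AccessRules |
    Format-List
```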

Step 3: Grant the consumer farm permissions on the provider farm Search Service application

1. On Provider Farm – On the Start screen, type SharePoint 2013 Central Administration, and then press Enter.

2. Under Application Management, click Manage service applications.

3. On the list of service applications, click the uppermost Contoso Search Service.

4. On the ribbon, click Permissions.

5. In the Connection Permissions for Contoso Search Service dialog box, in the text box, paste the GUID that you copied from the text file, and then click Add.

6. In the list of permissions, select the Full Access to Term Store check box, and then click OK.

Step 4: Publish the Search Service application on the provider farm

1. In the list of service applications, ensure that Contoso Search Service is still selected.

2. On the ribbon, click Publish.

3. In the Publish Service Application dialog box, in the Connection Type list, ensure http is selected.

4. Select the Publish this Service Application to other farms check box.

5. Under Published URL, select the URL, right-click the selected text, and then click Copy.

6. In the Description text box, type Search Service application from the Contoso provider farm, and then click OK.

7. Close Internet Explorer.

8. On the Windows taskbar, click File Explorer.

9. In the File Explorer address bar, type \\ConsumerFarm\c$\Certs, and then press Enter.

10. Right-click in the content area, point to New, and then click Text Document.

11. Type ContosoServiceServiceApplicationURL, and then press Enter.

12. Open the ContosoServiceServiceApplicationURL.txt file, paste the URL you copied, and then save and close the file.

Step 5: Connect to the Search Service application from the consumer farm

1. Switch to the ConsumerFarm virtual machine.

2. On the Windows taskbar, click File Explorer.

3. Browse to C:\Certs, and then double-click ContosoServiceServiceApplicationURL.txt.

4. Select and copy the URL, and then close the file.

5. Close the File Explorer window.

6. On the Start screen, type SharePoint 2013 Central Administration, and then press Enter.

7. Under Application Management, click Manage service applications.

8. On the ribbon, on the Connect menu, click Search Service Connection.

9. In the Connect to a Remote Service Application dialog box, in the text box, paste the URL you copied from the text file, and then click OK.

10. When the dialog box displays the Contoso Search Service application, click Contoso Search Service, and then click OK.

11. When you are prompted to name the connection, accept the default name and click OK.

12. When the dialog box displays a success message, click OK.

13. On the list of service applications, click Connection to: Contoso Search Service.

14. On the ribbon, click Manage.

15. On the Term Store Management Tool page, verify that the Organization term set is displayed from the remote farm.


Click the Search Service Application link, and then click OK. Rename the connection if you like.


Click OK and OK.


The connection will appear right below.


Setting Published Service Application as Default

You can use only a single web application as the default search proxy, so the next step is to make this service application proxy the default. To do that, follow these steps.

Open SharePoint 2013 Central Administration

Click on Application Management > Manage Service Application Association

Click on Default or the service application proxy group of your choice.


Click on Set as Default next to the service application you just published.

Now open a Search Center and perform a search. You should see the search results.
