
Configure trust for search between two SharePoint Server 2013 farms

SharePoint 2013

Updated: May 7, 2013

Summary: Configure a SharePoint Server 2013 content farm that receives search queries to trust the SharePoint Server 2013 farm that sends the queries.

Applies to:  SharePoint Server 2013 

To configure an on-premises SharePoint Server 2013 content farm to return results from its search index to a separate on-premises SharePoint Server 2013 farm, you must perform the following two main procedures:

  1. In the farm that will receive the search queries, configure trust of the farm that will send the queries by doing the following:

    • Configure a server-to-server trust relationship by using the Open Authorization 2.0 (OAuth 2.0) web authorization protocol.

    • Enable the farm that receives the queries to return search results from all of its web applications that host content.

  2. In the farm that will send the search queries, create a result source that does each of the following:

    • Specifies Remote SharePoint as the protocol.

    • Specifies the address of any root site collection in the SharePoint farm that will receive the search queries.

    For more information, see Configure result sources for search in SharePoint Server 2013.

    Note:

    After you create the result source, you expose the search results that it provides by using it in a Web Part or a query-rule action. In this way, users of the farm that is sending search queries can see results from the farm that is receiving the queries. For more information, see Understanding result sources for search in SharePoint Server 2013.

This article describes how to perform the first procedure in the list above: how to configure the farm that receives search queries to trust the farm that sends the queries.

For brevity in this article, the following terms are used:

SendingFarm

An on-premises SharePoint Server 2013 farm that has a search service that sends search queries to ReceivingFarm.

ReceivingFarm

An on-premises SharePoint Server 2013 content farm that has a search index that receives search queries from SendingFarm. In this article, it is assumed that ReceivingFarm has at least one web application that hosts content.

In order for SendingFarm to be able to get search results from the search index in ReceivingFarm, the farms must have the following characteristics:


To configure ReceivingFarm to trust SendingFarm

  1. Verify that the account that performs this procedure is a member of the following groups:

    • Farm Administrators group in ReceivingFarm.

    • Administrators group on the server on which you are running Windows PowerShell cmdlets.

      An administrator of that server can use the Add-SPShellAdmin cmdlet to grant someone permission to use SharePoint 2013 cmdlets. When you run the Add-SPShellAdmin cmdlet, you must have membership in the securityadmin fixed server role on the SQL Server instances, and you must have membership in the db_owner fixed database role on all databases that are to be updated. For more information, see Add-SPShellAdmin. Contact your system administrator or SQL Server administrator to request these memberships if you do not have them.

  2. On a server in ReceivingFarm, start the SharePoint 2013 Management Shell.

    • For Windows Server 2008 R2:

      In the SharePoint 2013 environment, on the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.

    • For Windows Server 2012:

      • In the SharePoint 2013 environment, on the Start page, click SharePoint 2013 Management Shell.

      • If SharePoint 2013 Management Shell is not on the Start page, right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.

      For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. On a server in ReceivingFarm, run the following commands at a Windows PowerShell command prompt. The commands use the OAuth 2.0 web authorization protocol to configure a server-to-server trust, so that ReceivingFarm will trust SendingFarm.

    # Create a trusted security token issuer for SendingFarm. The issuer is
    # not a trust broker; its metadata is read from SendingFarm's endpoint.
    $i = New-SPTrustedSecurityTokenIssuer -Name "SendingFarm" -IsTrustBroker:$false -MetadataEndpoint "https://<SendingFarm_web_application>/_layouts/15/metadata/json/1"
    # Configure trust of the token-signing certificate by adding the
    # certificate that SendingFarm uses to sign OAuth tokens to the list
    # of trusted root authorities in ReceivingFarm
    New-SPTrustedRootAuthority -Name "SendingFarm" -MetadataEndPoint "https://<SendingFarm_web_application>/_layouts/15/metadata/json/1/rootcertificate"
    

    Where:

    https://<SendingFarm_web_application> is any SSL-enabled web application in SendingFarm.

    Important:

    Web applications that include server-to-server authentication endpoints for incoming server-to-server requests, or that make outgoing server-to-server requests, should be configured to use Secure Sockets Layer (SSL). For information about how to configure a web application to use SSL, see Create claims-based web applications in SharePoint 2013. For information about how to configure HTTP support for server-to-server requests, see Configure an STS for HTTP in Configure server-to-server authentication in SharePoint 2013.

  4. On a server in ReceivingFarm, at a Windows PowerShell command prompt, run the following command:

    # Split $i.NameId on the "@" character. $realm[0] is the client id and
    # $realm[1] is the realm (the string after "@"), which step 5 uses.
    $realm = $i.NameId.Split("@")
    
  5. On a server in ReceivingFarm, at a Windows PowerShell command prompt, run the following commands to enable all web applications in ReceivingFarm to return search results to SendingFarm:

    $s1 = Get-SPSite -Identity https://<ReceivingFarm_web_application>
    $sc1 = Get-SPServiceContext -Site $s1
    # Set up an authentication realm for a web application
    # that hosts content in ReceivingFarm
    Set-SPAuthenticationRealm -ServiceContext $sc1 -Realm $realm[1]
    # Get a reference to the application principal
    # for that web application in ReceivingFarm
    $p = Get-SPAppPrincipal -Site https://<ReceivingFarm_web_application> -NameIdentifier $i.NameId
    # Grant rights to the application principal that SendingFarm
    # will use when it sends queries to ReceivingFarm
    Set-SPAppPrincipalPermission -Site https://<ReceivingFarm_web_application> -AppPrincipal $p -Scope SiteCollection -Right FullControl
    

    Where:

    https://<ReceivingFarm_web_application> is an SSL-enabled web application in ReceivingFarm.

  6. Repeat the previous step (step 5) for each web application in ReceivingFarm that hosts content that you want to search.
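Steps 5 and 6 as a single loop over every content web application in ReceivingFarm, with a read-back check of the realm, as an added example that is not part of the original article. It assumes $i still holds the issuer object returned in step 3, that each web application has a root site collection, and that non-SSL web applications should be skipped rather than configured (see the Important note in step 3).

```powershell
# Added example (not from the original article). Run in the SharePoint 2013
# Management Shell on a server in ReceivingFarm after step 3 has created $i.
$realm = $i.NameId.Split("@")[1]

# Warn if SendingFarm's token-signing certificate is close to expiry; when it
# rolls, the trust created in step 3 must be refreshed from the metadata endpoint.
$daysLeft = ($i.SigningCertificate.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) {
    Write-Warning "SendingFarm signing certificate expires in $daysLeft days."
}

# Get-SPWebApplication without -IncludeCentralAdministration returns only
# content web applications, which is what steps 5 and 6 cover.
foreach ($wa in Get-SPWebApplication) {
    $url = $wa.Url
    if (-not $url.StartsWith("https://", [System.StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning "$url is not SSL-enabled; skipping."
        continue
    }

    $site = Get-SPSite -Identity $url
    try {
        $sc = Get-SPServiceContext -Site $site

        # Step 5: realm, app principal and permission for this web application
        Set-SPAuthenticationRealm -ServiceContext $sc -Realm $realm
        $p = Get-SPAppPrincipal -Site $url -NameIdentifier $i.NameId
        Set-SPAppPrincipalPermission -Site $url -AppPrincipal $p -Scope SiteCollection -Right FullControl

        # Read the realm back so a silent failure does not go unnoticed
        $applied = Get-SPAuthenticationRealm -ServiceContext $sc
        if ($applied -ne $realm) {
            Write-Error "Realm mismatch on $url: expected $realm, got $applied"
        } else {
            Write-Output "Configured $url to trust $($i.NameId) (realm $realm)"
        }
    }
    finally {
        $site.Dispose()
    }
}
```

Because the permission granted is FullControl at site-collection scope, review the list of configured web applications afterwards and remove the principal from any that should not be searchable from SendingFarm.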

Change History

Date Description

May 07, 2013

Corrected the file path of the metadata endpoint in two of the cmdlets in the Windows PowerShell code.

April 23, 2013

Initial publication

© 2014 Microsoft. All rights reserved.