
Exchange trust certificates between farms in SharePoint 2013

 

Applies to: SharePoint Server 2013, SharePoint Foundation 2013

Topic Last Modified: 2014-03-17

Summary: Learn how to exchange trust certificates between the publishing farm and the consuming farm in SharePoint 2013.

In SharePoint 2013, a SharePoint farm can connect to and consume a service application that is published on another SharePoint 2013 farm. For this to occur, the farms must exchange trust certificates.

Both farms must participate in this exchange for service application sharing to work.

For more information about how to share service applications across farms see Share service applications across farms in SharePoint 2013.

You must use Windows PowerShell 3.0 commands to export and copy the certificates between farms. After the certificates are exported and copied, you can use either Windows PowerShell 3.0 commands or Central Administration to manage the trusts within the farm.

The instructions here assume the following criteria:

  • That the servers that are used for these procedures are running Windows PowerShell 3.0.

  • That the administrator will select and use the same server in each farm for all steps in the process.

  • If User Account Control (UAC) is turned on, you must run the Windows PowerShell 3.0 commands with elevated privileges.


Note:
Because SharePoint 2013 runs as websites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide. SharePoint 2013 supports the accessibility features of supported browsers. For more information, see the following resources:

Before you begin this operation, review the following information about prerequisites:

An administrator of the consuming farm must provide two trust certificates to the publishing farm: a root certificate and a security token service (STS) certificate. An administrator of the publishing farm must provide a root certificate to the consuming farm.

You can only export and copy certificates by using Windows PowerShell 3.0.

To export the root certificate from the consuming farm
  1. On a server that is running SharePoint 2013 on the consuming farm, verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the Windows PowerShell cmdlets.

    • Add memberships that are required beyond the minimums above.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2013 Products.

  4. Click SharePoint 2013 Management Shell.

  5. At the Windows PowerShell command prompt, type the following command:

    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    
    $rootCert.Export("Cert") | Set-Content <C:\ConsumingFarmRoot.cer> -Encoding byte
    

    Where:

    • <C:\ConsumingFarmRoot.cer> is the path of the root certificate.

To export the STS certificate from the consuming farm
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the Windows PowerShell cmdlets.

    • Add memberships that are required beyond the minimums above.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2013 Products.

  4. Click SharePoint 2013 Management Shell.

  5. At the Windows PowerShell command prompt, type the following command:

    $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    
    $stsCert.Export("Cert") | Set-Content <C:\ConsumingFarmSTS.cer> -Encoding byte
    

    Where:

    • <C:\ConsumingFarmSTS.cer> is the path of the STS certificate.

To export the root certificate from the publishing farm
  1. On a server that is running SharePoint 2013 on the publishing farm, verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the Windows PowerShell cmdlets.

    • Add memberships that are required beyond the minimums above.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2013 Products.

  4. Click SharePoint 2013 Management Shell.

  5. At the Windows PowerShell command prompt, type the following command:

    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    
    $rootCert.Export("Cert") | Set-Content <C:\PublishingFarmRoot.cer> -Encoding byte
    

    Where:

    • <C:\PublishingFarmRoot.cer> is the path of the root certificate.

To copy the certificates
  1. Copy the root certificate and the STS certificate from the server in the consuming farm to the server in the publishing farm.

  2. Copy the root certificate from the server in the publishing farm to a server in the consuming farm.
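The three export procedures above differ only in which certificate is read and which farm runs them. The following script is an added example, not part of the original article or of the linked Microsoft automation script: it exports the certificates a farm must hand over (root certificate for either farm, STS signing certificate for the consuming farm only) and writes their thumbprints to a separate text file, so that the administrator of the other farm can check the copied .cer files against thumbprints received through a second channel before importing them. The -Role parameter, the output folder and the manifest file name are this script's own conventions, not part of SharePoint.

```powershell
# Added example (not from the original article): export the local farm's trust
# certificates and record their thumbprints for out-of-band verification.
# Assumptions: run in the SharePoint 2013 Management Shell (elevated if UAC is on);
# -Role, the output folder and the manifest file are this script's own conventions.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet("Consuming", "Publishing")]
    [string]$Role,

    [string]$OutputFolder = "C:\FarmTrust"
)

# The Management Shell already loads the snap-in; this makes the script work from a plain
# elevated PowerShell window too.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

if (-not (Test-Path $OutputFolder)) {
    New-Item -ItemType Directory -Path $OutputFolder | Out-Null
}

function Export-PublicCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Path
    )
    # "Cert" exports the DER-encoded public certificate only: no private key leaves the farm.
    $Certificate.Export("Cert") | Set-Content -Path $Path -Encoding Byte
    Write-Host ("{0}`n  Subject:    {1}`n  Thumbprint: {2}`n  Expires:    {3}" -f `
        $Path, $Certificate.Subject, $Certificate.Thumbprint, $Certificate.NotAfter)
    return $Certificate.Thumbprint
}

$manifest = @()

# Both farms hand their root certificate to the other farm.
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootPath = Join-Path $OutputFolder ("{0}FarmRoot.cer" -f $Role)
$manifest += "Root  " + (Export-PublicCert -Certificate $rootCert -Path $rootPath)

# Only the consuming farm hands over its STS signing certificate: the publishing farm
# uses it to validate tokens issued by the consumer, so it never sends its own.
if ($Role -eq "Consuming") {
    $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    $stsPath = Join-Path $OutputFolder "ConsumingFarmSTS.cer"
    $manifest += "STS   " + (Export-PublicCert -Certificate $stsCert -Path $stsPath)
}

# Keep the thumbprints apart from the .cer files and send them through a different channel,
# so the importing administrator can tell whether a copied file was altered in transit.
$manifest | Set-Content -Path (Join-Path $OutputFolder ("{0}Thumbprints.txt" -f $Role))
```

Run it once on the chosen server in each farm (.\Export-FarmTrustCerts.ps1 -Role Consuming on the consuming farm, -Role Publishing on the publishing farm), then copy the .cer files as described in the procedure above and pass the thumbprints to the other farm's administrator separately.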

Managing trust certificates in a farm means establishing trust with the other farm. This section describes how to establish trust on both the consuming and publishing farms by using Windows PowerShell 3.0 commands.

To establish trust on the consuming farm, you must import the root certificate that was copied from the publisher farm and create a trusted root authority.

To import the root certificate and create a trusted root authority on the consuming farm
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the Windows PowerShell cmdlets.

    • Add memberships that are required beyond the minimums above.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2013 Products.

  4. Click SharePoint 2013 Management Shell.

  5. At the Windows PowerShell command prompt, type the following command:

    $trustCert = Get-PfxCertificate <C:\PublishingFarmRoot.cer>
    
    New-SPTrustedRootAuthority <PublishingFarm> -Certificate $trustCert
    

    Where:

    • <C:\PublishingFarmRoot.cer> is the path of the root certificate that you copied to the consuming farm from the publishing farm.

    • <PublishingFarm> is a unique name that identifies the publishing farm. Each trusted root authority must have a unique name.

To establish trust on the publishing farm, you must import the root certificate that was copied from the consuming farm and create a trusted root authority. You must then import the STS certificate that was copied from the consuming farm and create a trusted service token issuer.

To import the root certificate and create a trusted root authority on the publishing farm
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the Windows PowerShell cmdlets.

    • Add memberships that are required beyond the minimums above.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2013 Products.

  4. Click SharePoint 2013 Management Shell.

  5. At the Windows PowerShell command prompt, type the following command:

    $trustCert = Get-PfxCertificate <C:\ConsumingFarmRoot.cer>
    
    New-SPTrustedRootAuthority <ConsumingFarm> -Certificate $trustCert
    

    Where:

    • <C:\ConsumingFarmRoot.cer> is the name and location of the root certificate that you copied to the publishing farm from the consuming farm.

    • <ConsumingFarm> is a unique name that identifies the consuming farm. Each trusted root authority must have a unique name.

To import the STS certificate and create a trusted service token issuer on the publishing farm
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the Windows PowerShell cmdlets.

    • Add memberships that are required beyond the minimums above.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2013 Products.

  4. Click SharePoint 2013 Management Shell.

  5. At the Windows PowerShell command prompt, type the following command:

    $stsCert = Get-PfxCertificate <C:\ConsumingFarmSTS.cer>
    
    New-SPTrustedServiceTokenIssuer <ConsumingFarm> -Certificate $stsCert
    

    Where:

    • <C:\ConsumingFarmSTS.cer> is the path of the STS certificate that you copied to the publishing farm from the consuming farm.

    • <ConsumingFarm> is a unique name that identifies the consuming farm. Each trusted service token issuer must have a unique name.
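The three import procedures above (trusted root authority on the consuming farm, trusted root authority and trusted service token issuer on the publishing farm) share one pattern: read a copied .cer file with Get-PfxCertificate and create the trust with a unique name. The following script is an added example, not part of the original article or of the linked Microsoft automation script. It adds the checks a practitioner would want before a farm starts trusting a certificate: the file's thumbprint must match the value the other farm's administrator supplied out of band, the certificate must not be expired, the trust name must not already exist, and the trust is read back afterwards to confirm the farm stored the certificate that was verified. The parameter names are this script's own; the read-back relies on the Certificate property of a trusted root authority and the SigningCertificate property of a trusted service token issuer, which is an assumption about those objects rather than something the article states.

```powershell
# Added example (not from the original article): create one trust on the local farm
# only after the copied certificate's thumbprint matches an out-of-band value.
# Assumptions: run in the SharePoint 2013 Management Shell on the farm being configured;
# parameter names, the thumbprint check and the read-back properties (.Certificate on a
# trusted root authority, .SigningCertificate on a token issuer) are this script's own.
param(
    [Parameter(Mandatory = $true)][string]$CertPath,            # e.g. C:\ConsumingFarmRoot.cer
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint,  # received from the other farm's admin
    [Parameter(Mandatory = $true)][string]$TrustName,           # e.g. ConsumingFarm (must be unique)
    [Parameter(Mandatory = $true)]
    [ValidateSet("RootAuthority", "TokenIssuer")]
    [string]$TrustType
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$cert = Get-PfxCertificate -FilePath $CertPath

# Normalise both thumbprints: strip spaces/colons that copy-paste often introduces.
$actual   = $cert.Thumbprint.ToUpperInvariant()
$expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()

if ($actual -ne $expected) {
    throw "Thumbprint mismatch for $CertPath (expected $expected, file has $actual). Trust NOT created."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $CertPath expired on $($cert.NotAfter). Trust NOT created."
}

switch ($TrustType) {
    "RootAuthority" {
        # Consuming farm: the publisher's root. Publishing farm: the consumer's root.
        if (Get-SPTrustedRootAuthority -Identity $TrustName -ErrorAction SilentlyContinue) {
            throw "A trusted root authority named '$TrustName' already exists."
        }
        New-SPTrustedRootAuthority -Name $TrustName -Certificate $cert | Out-Null
        $stored = (Get-SPTrustedRootAuthority -Identity $TrustName).Certificate
    }
    "TokenIssuer" {
        # Publishing farm only: the consumer's STS signing certificate.
        if (Get-SPTrustedServiceTokenIssuer -Identity $TrustName -ErrorAction SilentlyContinue) {
            throw "A trusted service token issuer named '$TrustName' already exists."
        }
        New-SPTrustedServiceTokenIssuer -Name $TrustName -Certificate $cert | Out-Null
        $stored = (Get-SPTrustedServiceTokenIssuer -Identity $TrustName).SigningCertificate
    }
}

# Read-back check: what the farm now trusts is exactly the certificate that was verified.
if ($stored.Thumbprint.ToUpperInvariant() -ne $expected) {
    throw "Stored certificate for '$TrustName' does not match the verified file."
}
Write-Host "Trust '$TrustName' ($TrustType) created with thumbprint $expected, valid until $($stored.NotAfter)."
```

On the publishing farm this script is run twice, once with -TrustType RootAuthority for ConsumingFarmRoot.cer and once with -TrustType TokenIssuer for ConsumingFarmSTS.cer; on the consuming farm it is run once with -TrustType RootAuthority for PublishingFarmRoot.cer. Failing closed on a thumbprint mismatch is the point: a trusted root authority or token issuer that was created from the wrong file is far harder to notice afterwards than a script that refuses to run.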


For more information about these Windows PowerShell 3.0 cmdlets, see the following articles:

For information about how to use a script to automate part of this process, see Exchange trust certificates between farms (http://go.microsoft.com/fwlink/?LinkId=230666).

You can manage trusts on a farm only after the relevant certificates have already been exported and copied to the farm.

To establish trust by using Central Administration
  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.

  2. On the SharePoint Central Administration website, click Security.

  3. On the Security page, in the General Security section, click Manage trust.

  4. On the Trust Relationship page, on the ribbon, click New.

  5. On the Establish Trust Relationship page:

    1. Supply a name that describes the purpose of the trust relationship.

    2. Browse to and select the Root Authority Certificate for the trust relationship. This must be the Root Authority Certificate that was exported from the other farm by using Windows PowerShell, as described in Exporting and copying certificates.

    3. If you are performing this task on the publishing farm, select the check box for Provide Trust Relationship. Type in a descriptive name for the token issuer and browse to and select the STS certificate that was copied from the consuming farm, as described in Exporting and copying certificates.

    4. Click OK.

    After a trust relationship is established, you can modify the Token Issuer description or the certificates that are used by clicking the trust, and then clicking Edit. You can delete a trust by clicking it, and then clicking Delete.

© 2014 Microsoft. All rights reserved.