
Configure server-to-server authentication between SharePoint 2013 farms

SharePoint 2013
 

Applies to: SharePoint Server 2013 Standard, SharePoint Server 2013 Enterprise, SharePoint Foundation 2013

Topic Last Modified: 2013-12-18

Summary: Learn how to configure server-to-server authentication between SharePoint 2013 farms.

The configuration details in this article describe how to configure server-to-server authentication between SharePoint 2013 farms. For background information about server-to-server authentication, see Plan for server-to-server authentication in SharePoint 2013.

Important:
Web applications that include server-to-server authentication endpoints for incoming server-to-server requests, or that make outgoing server-to-server requests should be configured to use Secure Sockets Layer (SSL). For information about how to create a web application to use SSL, see Create claims-based web applications in SharePoint 2013. For information about configuring HTTP support for server-to-server requests, see Configure an STS for HTTP.
Note:
Because SharePoint 2013 runs as websites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide. SharePoint 2013 supports the accessibility features of supported browsers. For more information, see the following resources:

To service incoming server-to-server requests from another SharePoint 2013 farm, you must configure the SharePoint 2013 farm to trust the sending farm. Use the Windows PowerShell New-SPTrustedSecurityTokenIssuer cmdlet in SharePoint 2013 to configure the trust relationship by specifying the JavaScript Object Notation (JSON) metadata endpoint of the sending farm.

To configure a SharePoint 2013 trust relationship with another farm
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running Windows PowerShell cmdlets.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. In the SharePoint 2013 environment on the farm that is receiving server-to-server requests, start the SharePoint 2013 Management Shell.

    • For Windows Server 2008 R2:

      • In the SharePoint 2013 environment, on the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.

    • For Windows Server 2012:

      • In the SharePoint 2013 environment, on the Start screen, click SharePoint 2013 Management Shell.

        If SharePoint 2013 Management Shell is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. At the Windows PowerShell command prompt, type the following command:

    New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://<HostName>/_layouts/15/metadata/json/1" -Name "<FriendlyName>"
    

    Where:

    • <HostName> is the name and port of any SSL-enabled web application of the farm that will be sending server-to-server requests.

    • <FriendlyName> is a friendly name for the sending SharePoint 2013 farm.

  4. Repeat step 3 for all SharePoint 2013 farms that will be sending server-to-server requests.

    Note:
    For more information, see New-SPTrustedSecurityTokenIssuer.
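
The following script is an added example, not part of the original article: it performs step 3 for one sending farm, but only after confirming that the farm's JSON metadata endpoint answers over HTTPS with a certificate this server already trusts, and it refuses to create a duplicate issuer name. $SendingHost and $FriendlyName are placeholders; Invoke-WebRequest and ConvertFrom-Json require PowerShell 3.0 or later.

```powershell
# Added example (not from the original article). Placeholders: $SendingHost, $FriendlyName.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SendingHost  = "sp-farm-a.contoso.local"   # placeholder: host[:port] of an SSL web application on the sending farm
$FriendlyName = "Farm A"                    # placeholder: friendly name for the sending farm

$endpoint = "https://$SendingHost/_layouts/15/metadata/json/1"

# 1. Fetch the metadata. Certificate validation is deliberately left enabled:
#    an endpoint whose certificate does not chain to a trusted root is exactly
#    what this check is meant to surface before any trust is created.
try {
    $response = Invoke-WebRequest -Uri $endpoint -UseBasicParsing -ErrorAction Stop
} catch {
    throw "Metadata endpoint $endpoint is not reachable over HTTPS: $($_.Exception.Message)"
}
if ($response.StatusCode -ne 200) {
    throw "Unexpected status $($response.StatusCode) from $endpoint"
}
# The endpoint must return JSON; an HTML sign-in page here means the request was redirected.
$null = $response.Content | ConvertFrom-Json

# 2. Do not silently register a second issuer under the same name.
if (Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $FriendlyName }) {
    throw "A trusted issuer named '$FriendlyName' already exists; remove it first or choose another name"
}

# 3. Create the trust from the metadata endpoint, the same cmdlet as step 3 of the procedure.
$issuer = New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $endpoint -Name $FriendlyName

# 4. Show what was registered: the issuer name and signing certificate that
#    incoming tokens from the sending farm will be checked against.
$issuer | Select-Object Name, RegisteredIssuerName, IsTrustBroker,
    @{ n = "SigningCertThumbprint"; e = { $_.SigningCertificate.Thumbprint } },
    @{ n = "SigningCertExpires";    e = { $_.SigningCertificate.NotAfter } }
```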

If you have a services-only farm or other type of farm that has no web applications, follow these steps to configure a trust relationship with that farm.

To configure a trust relationship with a farm that has no web applications
  1. On a server of the farm that has no web applications, export the SharePoint Security Token Service certificate in the Computer Certificate store to a .CER file (without the private key).

  2. Copy the .CER file to a location that can be accessed from the SharePoint farm that trusts the farm with no web applications.

  3. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running Windows PowerShell cmdlets.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  4. In the SharePoint 2013 environment of the farm that has no web applications, start the SharePoint 2013 Management Shell.

    • For Windows Server 2008 R2:

      • In the SharePoint 2013 environment, on the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.

    • For Windows Server 2012:

      • In the SharePoint 2013 environment, on the Start screen, click SharePoint 2013 Management Shell.

        If SharePoint 2013 Management Shell is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  5. At the Windows PowerShell command prompt, type the following command:

    Get-SPSecurityTokenServiceConfig
    
  6. In the display of the Get-SPSecurityTokenServiceConfig command, note the string in the NameIdentifier field after the "@" symbol. This is the NameID of the STS of this SharePoint farm.

  7. On a server of the SharePoint farm that trusts the farm that has no web applications, start the SharePoint 2013 Management Shell.

  8. To add the SharePoint STS of the SharePoint farm that has no web applications as a trusted security token issuer, use the following Windows PowerShell command:

    New-SPTrustedSecurityTokenIssuer -Name "<HostName>" -Certificate "<CERLocation>" -RegisteredIssuerName "00000003-0000-0ff1-ce00-000000000000@<NameID>" -Description "<FriendlyName>" -IsTrustBroker:$false
    

    Where:

    • <HostName> is the name of the farm that has no web applications.

    • <CERLocation> is the location of the exported .CER file from step 2.

    • <NameID> is the NameID string for the STS of the farm that has no web applications from step 6.

    • <FriendlyName> is a friendly name for the farm that has no web applications.
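
The two functions below are an added example, not code from the original article. Export-StsPublicCertificate runs on the farm that has no web applications and covers steps 1, 5 and 6 (it writes the .CER without the private key and returns the NameID); Add-StsIssuerFromCer runs on the trusting farm and covers step 8, checking the file before registering it. It assumes the STS signing certificate is the one exposed as (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate; all path and name values in the usage lines are placeholders.

```powershell
# Added example (not from the original article). Run each function on the farm named in its comment.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SharePointAppId = "00000003-0000-0ff1-ce00-000000000000"   # the fixed prefix shown in step 8

# Farm with no web applications: write a DER .CER of the STS certificate (public part only)
# and return the NameID, the part of NameIdentifier after "@".
function Export-StsPublicCertificate([string]$CerPath) {
    $sts  = Get-SPSecurityTokenServiceConfig
    $cert = $sts.LocalLoginProvider.SigningCertificate   # assumption: STS signing certificate lives here
    # X509ContentType::Cert serialises the certificate only; the private key never leaves this server.
    $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($CerPath, $der)
    $nameId = $sts.NameIdentifier.Split("@")[1]
    Write-Host "Exported $($cert.Thumbprint) to $CerPath; NameID = $nameId"
    return $nameId
}

# Trusting farm: validate the copied .CER and the NameID, then register the issuer as in step 8.
function Add-StsIssuerFromCer([string]$FarmName, [string]$CerPath, [string]$NameId, [string]$FriendlyName) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    if ($cert.HasPrivateKey) { throw "$CerPath carries a private key; re-export the public certificate only" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }
    if ([string]::IsNullOrWhiteSpace($NameId) -or $NameId -match '[\s@]') {
        throw "NameID '$NameId' is not the bare realm string that follows '@' in NameIdentifier"
    }

    $issuerName = "$SharePointAppId@$NameId"
    # Same cmdlet and switches as step 8; -IsTrustBroker:$false because this issuer speaks only for itself.
    New-SPTrustedSecurityTokenIssuer -Name $FarmName -Certificate $cert -RegisteredIssuerName $issuerName `
        -Description $FriendlyName -IsTrustBroker:$false
}

# Usage (placeholder values):
# On the farm with no web apps:  $nameId = Export-StsPublicCertificate -CerPath "C:\temp\servicesfarm-sts.cer"
# On the trusting farm:          Add-StsIssuerFromCer -FarmName "servicesfarm" -CerPath "\\fileshare\servicesfarm-sts.cer" `
#                                    -NameId $nameId -FriendlyName "Services farm"
```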

The recommended best practice for server-to-server authentication is to use SSL and an https-based URL to send and receive requests. If you cannot host your web applications over SSL, the following procedure describes how to configure the STS of a SharePoint farm to use HTTP.

To configure the STS to use HTTP
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running Windows PowerShell cmdlets.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. In the SharePoint 2013 environment on one of the servers in the farm, start the SharePoint 2013 Management Shell.

    • For Windows Server 2008 R2:

      • In the SharePoint 2013 environment, on the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.

    • For Windows Server 2012:

      • In the SharePoint 2013 environment, on the Start screen, click SharePoint 2013 Management Shell.

        If SharePoint 2013 Management Shell is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. At the Windows PowerShell command prompt, type the following commands:

    $c = Get-SPSecurityTokenServiceConfig
    $c.AllowMetadataOverHttp = $true
    $c.AllowOAuthOverHttp = $true
    $c.Update()
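
As an added example that is not part of the original article, the read-only audit below reports the state of the settings this article changes: whether the STS accepts metadata or OAuth over HTTP (the two switches just set), and, for every trusted issuer created by the earlier procedures, the signing certificate's expiry, the scheme of the metadata endpoint it was registered from, and whether it is a trust broker. It assumes the issuer objects returned by Get-SPTrustedSecurityTokenIssuer expose SigningCertificate, MetadataEndPoint and IsTrustBroker.

```powershell
# Added example (not from the original article): audit of server-to-server trust settings.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-S2SAuditReport([int]$WarnDays = 60) {
    $sts = Get-SPSecurityTokenServiceConfig
    $findings = @()

    # Either switch being $true means metadata or tokens may cross the network unencrypted.
    if ($sts.AllowMetadataOverHttp) { $findings += "AllowMetadataOverHttp is enabled on this farm's STS" }
    if ($sts.AllowOAuthOverHttp)    { $findings += "AllowOAuthOverHttp is enabled on this farm's STS" }

    foreach ($issuer in Get-SPTrustedSecurityTokenIssuer) {
        $cert = $issuer.SigningCertificate
        if ($cert -eq $null) {
            $findings += "Issuer '$($issuer.Name)' has no signing certificate"
            continue
        }
        # Tokens signed with an expired certificate stop validating; warn before that day arrives.
        $daysLeft = ($cert.NotAfter - (Get-Date)).Days
        if ($daysLeft -lt 0) {
            $findings += "Issuer '$($issuer.Name)' certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
        } elseif ($daysLeft -lt $WarnDays) {
            $findings += "Issuer '$($issuer.Name)' certificate $($cert.Thumbprint) expires in $daysLeft days"
        }
        # Assumption: MetadataEndPoint holds the URI given to -MetadataEndpoint (null for .CER-based issuers).
        if ($issuer.MetadataEndPoint -and $issuer.MetadataEndPoint.Scheme -ne "https") {
            $findings += "Issuer '$($issuer.Name)' was registered from a non-HTTPS metadata endpoint: $($issuer.MetadataEndPoint)"
        }
        if ($issuer.IsTrustBroker) {
            $findings += "Issuer '$($issuer.Name)' is registered with IsTrustBroker=`$true; confirm this is intended"
        }
    }
    return $findings
}

$report = Get-S2SAuditReport
if ($report.Count -eq 0) { Write-Host "No findings" } else { $report | ForEach-Object { Write-Warning $_ } }
```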
    

The recommended best practice for server-to-server authentication is that each server-to-server application that establishes trust with a SharePoint farm must use a different certificate. In a cross-farm SharePoint topology, if you have to use the same certificate across the farms, you have to also set the name identifier of the SharePoint Security Token Service (STS) to be the same across those farms. The following procedure describes how to synchronize the STS name identifier across two SharePoint farms.

To synchronize the STS name identifier across SharePoint farms
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running Windows PowerShell cmdlets.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. In the SharePoint 2013 environment on one of the farms, start the SharePoint 2013 Management Shell.

    • For Windows Server 2008 R2:

      • In the SharePoint 2013 environment, on the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.

    • For Windows Server 2012:

      • In the SharePoint 2013 environment, on the Start screen, click SharePoint 2013 Management Shell.

        If SharePoint 2013 Management Shell is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. At the Windows PowerShell command prompt, type the following command:

    Get-SPSecurityTokenServiceConfig
    
  4. In the display of the Get-SPSecurityTokenServiceConfig command, note the value of the NameIdentifier field, which starts with “00000003-0000-0ff1-ce00-000000000000@”. This is the name identifier of the SharePoint STS.

  5. To set the name identifier of the SharePoint STS in the other SharePoint farm, use the following Windows PowerShell commands on a server in that farm:

    $config = Get-SPSecurityTokenServiceConfig
    $config.NameIdentifier = "<CommonNameIdentifier>"
    $config.Update()
    

    Where <CommonNameIdentifier> is the value of the NameIdentifier field from step 4.
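
The function below is an added example, not code from the original article, for step 5 on the farm whose identifier is being changed. Because the article only calls for synchronising the identifier when the farms share one STS certificate, it first compares the local STS certificate thumbprint with the other farm's before writing the value, and it re-reads the setting afterwards. It assumes the local STS certificate is exposed as (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate; the values in the usage lines are placeholders.

```powershell
# Added example (not from the original article): guarded version of step 5.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Sync-StsNameIdentifier([string]$CommonNameIdentifier, [string]$OtherFarmStsThumbprint) {
    $prefix = "00000003-0000-0ff1-ce00-000000000000@"
    if (-not $CommonNameIdentifier.StartsWith($prefix)) {
        throw "'$CommonNameIdentifier' does not start with $prefix; copy the whole NameIdentifier value from step 4"
    }

    $config    = Get-SPSecurityTokenServiceConfig
    $localCert = $config.LocalLoginProvider.SigningCertificate   # assumption: STS signing certificate lives here
    # Identifiers are only synchronised when both farms sign with the same certificate.
    if ($localCert.Thumbprint -ne $OtherFarmStsThumbprint) {
        throw "Local STS certificate $($localCert.Thumbprint) differs from the other farm's $OtherFarmStsThumbprint; farms with different certificates keep different identifiers"
    }

    if ($config.NameIdentifier -eq $CommonNameIdentifier) {
        Write-Host "NameIdentifier is already $CommonNameIdentifier; nothing to do"
        return $config.NameIdentifier
    }

    Write-Host "Changing NameIdentifier from $($config.NameIdentifier) to $CommonNameIdentifier"
    $config.NameIdentifier = $CommonNameIdentifier
    $config.Update()
    # Re-read from the configuration database rather than trusting the in-memory object.
    return (Get-SPSecurityTokenServiceConfig).NameIdentifier
}

# Usage (placeholder values):
# Sync-StsNameIdentifier -CommonNameIdentifier "00000003-0000-0ff1-ce00-000000000000@<realm from step 4>" `
#     -OtherFarmStsThumbprint "<thumbprint of the shared STS certificate>"
```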

© 2014 Microsoft