
Configure server-to-server authentication between publishing and consuming farms

SharePoint 2013
 

Applies to: SharePoint Server 2013, SharePoint Foundation 2013

Topic Last Modified: 2013-12-18

Summary: Learn how to configure server-to-server authentication when you share service applications across SharePoint 2013 publishing and consuming farms.

To enable a web application or an application service to request a resource from a web application on another farm on behalf of a user, you must configure server-to-server authentication between the farms. A few examples of SharePoint 2013 processes that use server-to-server authentication are as follows:

  • Follow a document on a Team Sites web application when a user’s personal site is located on a My Sites web application. The Team Sites web application makes a request of the My Sites web application on behalf of the user.

  • Create or reply to a site feed post for a site that is located on a Team Sites web application but performed through the user’s My Site Newsfeed on the My Sites web application. The My Sites web application will make a request of the Team Sites web application on behalf of the user to write the post or the reply.

  • A User Profile Service application task to repopulate the feed cache has to read from the personal site or team site. If the User Profile Service application is running in a different farm, the User Profile Service application sends a request to the My Sites web application or Team Sites web application to read the user or site feed data into the cache.

Note:
Web applications or application services that request resources from an application service on another farm do not require server-to-server authentication.

To understand the procedures in this article, you should be familiar with the basic concepts in the following articles:

Authentication overview for SharePoint 2013

Plan for server-to-server authentication in SharePoint 2013

Note:
Because SharePoint 2013 runs as websites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide. SharePoint 2013 supports the accessibility features of supported browsers. For more information, see the following resources:

The following procedure describes how to configure server-to-server authentication between the publishing and consuming farms.

To configure server-to-server authentication between publishing and consuming farms
  1. Choose a realm name that will be common to both farms.

  2. Verify that you have the following memberships:

    • Administrators group on the server on which you are running Windows PowerShell cmdlets.

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  3. In the SharePoint 2013 environment on both the publishing and consuming farms, start the SharePoint 2013 Management Shell.

    • For Windows Server 2008 R2:

      • In the SharePoint 2013 environment, on the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.

    • For Windows Server 2012:

      • In the SharePoint 2013 environment, on the Start screen, click SharePoint 2013 Management Shell.

        If SharePoint 2013 Management Shell is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  4. To configure the publishing farm for the common realm name, type the following command at the Windows PowerShell command prompt on a server in the publishing farm:

    Set-SPAuthenticationRealm -realm <RealmName>
    

    Where:

    RealmName is the name that you chose in step 1.

  5. To configure the Name ID for the SharePoint Security Token Service (STS) on the publishing farm to include the common realm name, type the following commands at the Windows PowerShell command prompt on a server in the publishing farm:

    # Read the STS configuration and the realm set in step 4
    $sts=Get-SPSecurityTokenServiceConfig
    $Realm=Get-SPAuthenticationRealm
    # The Name ID is the fixed SharePoint principal ID followed by "@" and the common realm
    $nameId = "00000003-0000-0ff1-ce00-000000000000@$Realm"
    Write-Host "Setting STS NameId to $nameId"
    $sts.NameIdentifier = $nameId
    $sts.Update()
    
  6. To configure the consuming farm for the common realm name, type the following command at the Windows PowerShell command prompt on a server in the consuming farm:

    Set-SPAuthenticationRealm -realm <RealmName>
    

    Where:

    RealmName is the name that you chose in step 1.

  7. To configure the Name ID for the SharePoint STS on the consuming farm to include the common realm name, type the following commands at the Windows PowerShell command prompt on a server in the consuming farm:

    # Read the STS configuration and the realm set in step 6
    $sts=Get-SPSecurityTokenServiceConfig
    $Realm=Get-SPAuthenticationRealm
    # The Name ID must match the publishing farm's: same principal ID, same realm
    $nameId = "00000003-0000-0ff1-ce00-000000000000@$Realm"
    Write-Host "Setting STS NameId to $nameId"
    $sts.NameIdentifier = $nameId
    $sts.Update()

  8. To configure the publishing farm for server-to-server authentication with the consuming farm, type the following command at the Windows PowerShell command prompt on a server in the publishing farm:

    New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://<ConsumeHostName>/_layouts/15/metadata/json/1" -Name "<ConsumeFriendlyName>"
    

    Where:

    • ConsumeHostName is the name and port of any SSL-enabled web application of the consuming farm.

    • ConsumeFriendlyName is a friendly name for the consuming farm.

    This creates the server-to-server authentication trust with the consuming farm.

  9. To configure the consuming farm for server-to-server authentication with the publishing farm, type the following command at the Windows PowerShell command prompt on a server in the consuming farm:

    New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://<PublishHostName>/_layouts/15/metadata/json/1" -Name "<PublishFriendlyName>"
    

    Where:

    • PublishHostName is the name and port of any SSL-enabled web application of the publishing farm.

    • PublishFriendlyName is a friendly name for the publishing farm.

    This creates the server-to-server authentication trust with the publishing farm.
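    The following verification script is an added example, not part of the original article or the SharePoint product. Run it in the SharePoint 2013 Management Shell on each farm after steps 4 to 9; it assumes the common realm from step 1 is passed as -ExpectedRealm and the friendly name you gave the other farm in step 8 or 9 as -PeerName, and it reads the MetadataEndPoint and RegisteredIssuerName properties that New-SPTrustedSecurityTokenIssuer reports.

```powershell
# Added verification script (not from the original article). Run on either
# farm after completing steps 4-9. Assumptions: -ExpectedRealm is the realm
# chosen in step 1; -PeerName is the friendly name given to the other farm.
param(
    [Parameter(Mandatory = $true)] [string] $ExpectedRealm,
    [Parameter(Mandatory = $true)] [string] $PeerName
)

$problems = @()

# 1. The realm must be identical on both farms (steps 4 and 6).
$realm = Get-SPAuthenticationRealm
if ($realm -ne $ExpectedRealm) {
    $problems += "Realm is '$realm', expected '$ExpectedRealm'."
}

# 2. The STS NameIdentifier must be the fixed SharePoint principal ID
#    followed by '@' and the common realm (steps 5 and 7).
$sts = Get-SPSecurityTokenServiceConfig
$expectedNameId = "00000003-0000-0ff1-ce00-000000000000@$realm"
if ($sts.NameIdentifier -ne $expectedNameId) {
    $problems += "STS NameIdentifier is '$($sts.NameIdentifier)', expected '$expectedNameId'."
}

# 3. A trusted token issuer for the peer farm must exist, its metadata
#    endpoint must be HTTPS (steps 8 and 9 require an SSL-enabled web
#    application), and the issuer name it registered must carry the same
#    realm, or tokens it signs will not be accepted by the local STS.
$issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $PeerName }
if (-not $issuer) {
    $problems += "No trusted security token issuer named '$PeerName'."
} else {
    $endpoint = [uri] $issuer.MetadataEndPoint
    if ($endpoint.Scheme -ne "https") {
        $problems += "Issuer '$PeerName' metadata endpoint is not HTTPS: $endpoint"
    }
    if ($issuer.RegisteredIssuerName -ne $expectedNameId) {
        $problems += "Issuer '$PeerName' registered name is '$($issuer.RegisteredIssuerName)', expected '$expectedNameId'."
    }
}

if ($problems.Count -eq 0) {
    Write-Host "Server-to-server trust checks passed for realm '$realm'."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it on both farms; a mismatch in the realm or Name ID on either side is the usual cause of the cross-farm request being rejected even though the trust object exists.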
