One of the prerequisites to succeed is to establish STS trust between the farms. This is what this post is all about. In one of my next posts I'll write about the service publishing and consuming itself in more detail.
So, imagine how it looks (assume we have only 2 farms; it could be n farms):
The steps needed to implement this topology are:
1. Export the root certificate on the Services Farm
We will first need to export our Root certificate from the Services Farm. We will use the Get-SPCertificateAuthority cmdlet to export the certificate for our farm.
On the Services Farm, run the following in the SharePoint 2013 Management Shell:
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content "C:\Cert\ServicesFarmRootCert.cer" -Encoding byte
2. Create a Certificate on the Consuming Farm
On the Consumer Farm, we not only need to export the Root certificate, but also a Secure Token Service (STS) certificate. The latter can be exported by using the Get-SPSecurityTokenServiceConfig cmdlet. To ease this process, we will also get the Farm ID of the Consuming Farm and write it to a text file. The Farm ID will need to be added to the Publishing permissions on the Services Farm so that we can access our services later on.
Here's the PowerShell script you need to run to achieve that; in the first two variables you need to replace the values with your server hostnames:
$publisher = "ServicesFarmCAServer"
$consumer = "ConsumingFarmCAServer"
$path = "C:\Cert"
If ((Test-Path $path) -eq $false)
{
    [IO.Directory]::CreateDirectory("$path")
}
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content "C:\Cert\ConsumingFarmRootCert.cer" -Encoding byte
$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$stsCert.Export("Cert") | Set-Content "C:\Cert\ConsumingFarmSTSCert.cer" -Encoding byte
$farmID = (Get-SPFarm).Id
New-Item C:\Cert\ConsumingFarmID.txt -type file -force -value "$farmID"
Copy-Item \\$consumer\c$\Cert\ConsumingFarmID.txt \\$publisher\c$\Cert
3. Exchange the certificates between the Consuming and Services farms
Now we have all the certificates that we need from the 2 farms. Remember, if you have more than one consuming farm, you need to repeat Step 2 for each farm. That's an easy copy-paste operation; however, if you have more farms, it makes sense to script it.
$publisher = "ServicesFarmCAServer"
$consumer = "ConsumingFarmCAServer"
Copy-Item \\$publisher\c$\Cert\ServicesFarmRootCert.cer \\$consumer\c$\Cert
Copy-Item \\$consumer\c$\Cert\ConsumingFarmRootCert.cer \\$publisher\c$\Cert
Copy-Item \\$consumer\c$\Cert\ConsumingFarmSTSCert.cer \\$publisher\c$\Cert
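If there are several consuming farms, the exchange above is worth scripting. The following is an added example and not part of the original post. It assumes every consuming farm already ran Step 2 and holds the fixed file names used above in C:\Cert; on the Services Farm side it renames each consumer's files with the consumer hostname so that one farm's certificate does not overwrite another's (Step 4 then has to use those per-farm names). The hostnames in $publisher and $consumers are placeholders.

```powershell
# Added example: exchange certificates between one Services Farm and n consuming farms.
# Assumption: each consuming farm already ran Step 2 and has its files in C:\Cert.
$publisher = "ServicesFarmCAServer"                                  # placeholder hostname
$consumers = @("ConsumingFarm1CAServer", "ConsumingFarm2CAServer")   # placeholder hostnames

$publisherShare = "\\$publisher\c$\Cert"

foreach ($consumer in $consumers) {
    $consumerShare = "\\$consumer\c$\Cert"

    # The Services Farm root certificate is the same for every consumer.
    Copy-Item "$publisherShare\ServicesFarmRootCert.cer" $consumerShare

    # Consumer files are renamed with the hostname (assumed naming scheme) so they
    # do not overwrite each other on the Services Farm.
    Copy-Item "$consumerShare\ConsumingFarmRootCert.cer" "$publisherShare\${consumer}-RootCert.cer"
    Copy-Item "$consumerShare\ConsumingFarmSTSCert.cer"  "$publisherShare\${consumer}-STSCert.cer"
    Copy-Item "$consumerShare\ConsumingFarmID.txt"       "$publisherShare\${consumer}-FarmID.txt"

    # Record the thumbprints of what actually arrived, so they can be compared with the
    # values read directly on the consumer before the certificate is trusted in Step 4.
    $root = Get-PfxCertificate "$publisherShare\${consumer}-RootCert.cer"
    $sts  = Get-PfxCertificate "$publisherShare\${consumer}-STSCert.cer"
    Write-Host ("{0}: root {1}  sts {2}" -f $consumer, $root.Thumbprint, $sts.Thumbprint)
}
```

The thumbprint line is the one check worth keeping even for a single consumer: the files travel over admin shares, and a root or STS certificate that is trusted under the wrong name, or that is not the one the consumer actually signs tokens with, is hard to spot once New-SPTrustedRootAuthority has run.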
4. Certificate Import on the Services Farm
We now want to import all the Consuming Farm certificates on the Services Farm and establish a trust. We are required to use the Farm ID to set up our permissions later on. We will rely on the text files we created a few steps back.
Replace ConsumingFarmName with the name you want to use for the trusted provider/consumer; that name is what will be visible later in the Trust section under Central Administration -> Security.
$trustCert = Get-PfxCertificate "C:\Cert\ConsumingFarmRootCert.cer"
New-SPTrustedRootAuthority ConsumingFarmName -Certificate $trustCert
$stsCert = Get-PfxCertificate "C:\Cert\ConsumingFarmSTSCert.cer"
New-SPTrustedServiceTokenIssuer ConsumingFarmName -Certificate $stsCert
$farmID = Get-Content C:\Cert\ConsumingFarmID.txt
$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" `
    -ClaimProvider $claimProvider -ClaimValue $farmID
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
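Once Step 4 has run, the trust objects and the topology-service ACL can be checked on the Services Farm. The script below is an added example, not from the original post. It assumes the name ConsumingFarmName and the file paths used above; $expectedRootThumbprint and $expectedStsThumbprint are placeholders to be filled with the values read directly on the consuming farm (for example (Get-SPCertificateAuthority).RootCertificate.Thumbprint and (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate.Thumbprint), not from the copied files. The access-rule check assumes that the rule's Name field carries the encoded claim including the farm ID.

```powershell
# Added example: verify the cross-farm trust created in Step 4 on the Services Farm.
$name = "ConsumingFarmName"
$expectedRootThumbprint = "<thumbprint read on the consuming farm>"   # placeholder
$expectedStsThumbprint  = "<thumbprint read on the consuming farm>"   # placeholder
$farmID = (Get-Content "C:\Cert\ConsumingFarmID.txt").Trim()

$ok = $true

# 1. The trusted root authority exists and holds the expected certificate.
$root = Get-SPTrustedRootAuthority -Identity $name -ErrorAction SilentlyContinue
if ($null -eq $root) {
    Write-Warning "No trusted root authority named $name"; $ok = $false
} elseif ($root.Certificate.Thumbprint -ne $expectedRootThumbprint) {
    Write-Warning ("Root thumbprint mismatch: {0}" -f $root.Certificate.Thumbprint); $ok = $false
}

# 2. The trusted token issuer exists and holds the consumer's STS signing certificate.
$issuer = Get-SPTrustedServiceTokenIssuer -Identity $name -ErrorAction SilentlyContinue
if ($null -eq $issuer) {
    Write-Warning "No trusted token issuer named $name"; $ok = $false
} elseif ($issuer.SigningCertificate.Thumbprint -ne $expectedStsThumbprint) {
    Write-Warning ("STS thumbprint mismatch: {0}" -f $issuer.SigningCertificate.Thumbprint); $ok = $false
}

# 3. The topology service ACL grants rights to this farm ID, and every rule is listed
#    so that unexpected principals are visible. Assumption: the encoded claim in
#    Name contains the farm GUID.
$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
foreach ($rule in $security.AccessRules) {
    Write-Host ("access rule: {0} -> {1}" -f $rule.Name, $rule.AllowedRights)
}
$match = $security.AccessRules | Where-Object { $_.Name -like "*$farmID*" }
if (-not $match) {
    Write-Warning "Farm ID $farmID has no access rule on the topology service"; $ok = $false
}

if ($ok) { Write-Host "Trust for $name is consistent" } else { Write-Warning "Trust for $name needs attention" }
```

Listing every access rule rather than only the expected one is deliberate: the topology service ACL is what decides which farms may discover and consume published applications, so a stale farm ID from a decommissioned consumer should be removed rather than left in place.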
5. Certificate Import on the Consuming Farm
We have one final step to wrap up concerning our certificates. On the Consuming Farm(s), we will need to execute the following script to import the Services Farm Root Certificate only.
Replace ServicesFarmName with the name you want to use for the trusted provider/consumer; that name is what will be visible later in the Trust section under Central Administration -> Security.
$trustCert = Get-PfxCertificate "C:\Cert\ServicesFarmRootCert.cer"
New-SPTrustedRootAuthority ServicesFarmName -Certificate $trustCert
That should be it. Assuming you've got your user profiles in sync, and you've done everything in this article properly, you are now ready to publish some of your service applications and consume them remotely. This works over WAN as well. As mentioned earlier, one of my next blog posts will focus on the publishing/consuming setup.