From cfb6eff4dab35d9f83cbe8987a64712f9ecc974a Mon Sep 17 00:00:00 2001 From: Yvan Duhamel Date: Mon, 8 Oct 2018 11:07:10 +0200 Subject: [PATCH 1/4] Updated article --- ...-to-server-authentication-in-sharepoint.md | 54 +++++++------------ 1 file changed, 20 insertions(+), 34 deletions(-) diff --git a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md index 357f881783..830f978f4b 100644 --- a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md +++ b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md @@ -3,7 +3,7 @@ title: "Configure server-to-server authentication between publishing and consumi ms.author: stevhord author: bentoncity manager: pamgreen -ms.date: 9/6/2017 +ms.date: 8/10/2018 ms.audience: ITPro ms.topic: article ms.prod: sharepoint-server-itpro 
@@ -15,31 +15,29 @@ description: "Summary: Learn how to configure server-to-server authentication wh # Configure Server-to-Server authentication between publishing and consuming farms - **Summary:** Learn how to configure Server-to-Server authentication when you share the User Profile service application across SharePoint Server 2016 and SharePoint 2013 publishing and consuming farms. + **Summary:** Learn how to configure Server-to-Server authentication when you share the User Profile service application across SharePoint Server 2016 and SharePoint 2013 publishing and consuming farms. When a farm consumes the User Profile service application of a publishing farm, SharePoint issues requests using Server-to-Server authentication on behalf of the user for some features: - Follow a document on a content web application when a user's personal site is located on a web application in an external farm. The content web application makes a OAuth request to the My Sites web application on behalf of the user. -- Create or reply to a site feed post for a site that is located on a content web application but performed through the user's My Site Newsfeed on the My Sites web application. The My Sites web application will make a request of the Team Sites web application on behalf of the user to write the post or the reply. +- Create or reply to a site feed post for a site that is located on a content web application but performed through the user's My Site Newsfeed on the My Sites web application. The My Sites web application will make a request of the content web application on behalf of the user to write the post or the reply. -- A User Profile Service application task to repopulate the feed cache has to read from the personal site or team site. If the User Profile Service application is running in a different farm, the User Profile Service application sends a request to the My Sites web application or Team Sites web application to read the user or site feed data into the cache. 
+- A User Profile service application task to repopulate the feed cache has to read from the personal site or content site. If the User Profile Service application is running in a different farm, it sends a OAuth request to the My Sites web application or content web application to read the user or site feed data into the cache. ## Before you begin -This article requires that you already shared the User Profile service application between a consuming and a publishing farm. If you haven't done so, see [Share service applications across farms in SharePoint Server](/share-service-applications-across-farms) first to share the User Profile service application. +The procedure in this article requires that you already configured the following: -To understand the procedures in this article, you should be familiar with the basic concepts in the following articles: +- Shared the User Profile service application between a consuming and a publishing farm as documented in [Share service applications across farms in SharePoint Server](share-service-applications-across-farms.md). +- Configured the Subscription Settings and App Management service applications on both publishing and consuming farms as documented in [section "Configure the Subscription Settings and App Management service applications" of this article](https://docs.microsoft.com/en-us/sharepoint/administration/configure-an-environment-for-apps-for-sharepoint#configure-the-subscription-settings-and-app-management-service-applications) -[Authentication overview for SharePoint Server](../security-for-sharepoint-server/authentication-overview.md) - -[Plan for server-to-server authentication in SharePoint Server](../security-for-sharepoint-server/plan-server-to-server-authentication.md) - -Verify that you are a member of the Administrators group on the servers on which you are running PowerShell cmdlets. +Verify that you have the following memberships: - **Securityadmin** fixed server role on the SQL Server instance. 
- **db_owner** fixed database role on all databases that are to be updated. + - Member of built-in Administrators group on the server on which you are running the PowerShell cmdlets. An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets. > [!NOTE] > If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see [Add-SPShellAdmin](http://technet.microsoft.com/library/2ddfad84-7ca8-409e-878b-d09cb35ed4aa.aspx). 
@@ -47,24 +45,16 @@ Verify that you are a member of the Administrators group on the servers on which ## Configure server-to-server authentication between publishing and consuming farms -The following procedure describes how to configure server-to-server authentication and grant just the necessary permissions to allow social features to work. Each farm keeps its own, unique authentication realm. +The following procedure describes how to configure server-to-server authentication between publishing and consuming farms, and grant just the necessary permissions to allow social features to work. Each farm keeps its own, unique authentication realm. ### Authorize consuming farm to send OAuth requests to the publishing farm -1. In a SharePoint server in the publishing farm, start the SharePoint Management Shell. - -2. Register the consuming farm as a trusted issuer: +In a SharePoint server in the publishing farm, start the SharePoint Management Shell and run this PowerShell script to register the consuming farm as a trusted issuer, get its app principal and grant it the required authorizations: ```powershell -New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/<15or16>/metadata/json/1" -Name "" -``` - - > [!NOTE] - > This assumes that you already added the root certificate of the consuming farm to the trusted root authorities as explained in article [Exchange trust certificates between farms in SharePoint Server](/exchange-trust-certificates-between-farms). +# Register the consuming farm as a trusted issuer using information in its metedata file +$trustedIssuer = New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/<15or16>/metadata/json/1" -Name "" -3. 
Get the app principal and set required authorizations: - -```powershell # Get the app principal and set required authorizations $mySiteHost = Get-SPWeb "http:///_layouts/<15or16>/metadata/json/1" -Name "" -``` - - > [!NOTE] - > This assumes that you already added the root certificate of the consuming farm to the trusted root authorities as explained in article [Exchange trust certificates between farms in SharePoint Server](/exchange-trust-certificates-between-farms). - -3. Get the app principal and set required authorizations: -```powershell # Get the app principal -$centralAdminWeb = Get-SPWeb "http://sp:5000/" +$centralAdminWeb = Get-SPWeb "http:// Date: Mon, 8 Oct 2018 11:26:13 +0200 Subject: [PATCH 2/4] Updated links --- ...igure-server-to-server-authentication-in-sharepoint.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md index 830f978f4b..572103e8e5 100644 --- a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md +++ b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md 
@@ -53,7 +53,7 @@ In a SharePoint server in the publishing farm, start the SharePoint Management S ```powershell # Register the consuming farm as a trusted issuer using information in its metedata file -$trustedIssuer = New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/<15or16>/metadata/json/1" -Name "" +$trustedIssuer = New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/15/metadata/json/1" -Name "" # Get the app principal and set required authorizations $mySiteHost = Get-SPWeb "http:///_layouts/<15or16>/metadata/json/1" -Name "" +$trustedIssuer = New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/15/metadata/json/1" -Name "" # Get the app principal $centralAdminWeb = Get-SPWeb "http:// Date: Mon, 8 Oct 2018 11:31:48 +0200 Subject: [PATCH 3/4] Updated text --- ...nfigure-server-to-server-authentication-in-sharepoint.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md index 572103e8e5..62dcb499b2 100644 --- a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md +++ b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md 
@@ -49,7 +49,7 @@ The following procedure describes how to configure server-to-server authenticati ### Authorize consuming farm to send OAuth requests to the publishing farm -In a SharePoint server in the publishing farm, start the SharePoint Management Shell and run this PowerShell script to register the consuming farm as a trusted issuer, get its app principal and grant it the required authorizations: +In a SharePoint server in the **publishing farm**, start the SharePoint Management Shell and run this PowerShell script to register the consuming farm as a trusted issuer, get its app principal and grant it the required authorizations: ```powershell # Register the consuming farm as a trusted issuer using information in its metedata file @@ -72,14 +72,14 @@ $mgr.AddSiteSubscriptionPermission($appPrincipal, $socialPermissionProviderId, [ ### Authorize publishing farm to send OAuth requests to the consuming farm -In a SharePoint server in the consuming farm, start the SharePoint Management Shell and run this PowerShell script to register the publishing farm as a trusted issuer, get its app principal and grant it the required authorizations: +In a SharePoint server in the **consuming farm**, start the SharePoint Management Shell and run this PowerShell script to register the publishing farm as a trusted issuer, get its app principal and grant it the required authorizations: ```powershell # Register the publishing farm as a trusted issuer using information in its metedata file $trustedIssuer = New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/15/metadata/json/1" -Name "" # Get the app principal -$centralAdminWeb = Get-SPWeb "http:// Date: Mon, 8 Oct 2018 15:41:53 +0200 Subject: [PATCH 4/4] Updated text --- ...-server-to-server-authentication-in-sharepoint.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md index 62dcb499b2..300374436e 100644 --- a/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md +++ b/SharePoint/SharePointServer/administration/configure-server-to-server-authentication-in-sharepoint.md 
@@ -47,13 +47,13 @@ Verify that you have the following memberships: The following procedure describes how to configure server-to-server authentication between publishing and consuming farms, and grant just the necessary permissions to allow social features to work. Each farm keeps its own, unique authentication realm. -### Authorize consuming farm to send OAuth requests to the publishing farm +### Authorize consuming farm to send OAuth requests to the farm hosting the MySites web application -In a SharePoint server in the **publishing farm**, start the SharePoint Management Shell and run this PowerShell script to register the consuming farm as a trusted issuer, get its app principal and grant it the required authorizations: +In a SharePoint server in the **farm running the MySites web application** (which might not be the publishing farm), start the SharePoint Management Shell and run this PowerShell script to register the consuming farm as a trusted issuer, get its app principal and grant it the required authorizations: ```powershell -# Register the consuming farm as a trusted issuer using information in its metedata file -$trustedIssuer = New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/15/metadata/json/1" -Name "" +# Register the consuming farm as a trusted issuer using information in its metadata file +$trustedIssuer = New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/15/metadata/json/1" -Name "" # Get the app principal and set required authorizations $mySiteHost = Get-SPWeb "http:///_layouts/15/metadata/json/1" -Name "" +# Register the publishing farm as a trusted issuer using information in its metadata file +$trustedIssuer = New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https:///_layouts/15/metadata/json/1" -Name "" # Get the app principal $centralAdminWeb = Get-SPWeb "http://
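Review bot: In the front-matter hunk of patch 1/4, `ms.date: 8/10/2018` looks like a day/month swap. The commit is dated 8 Oct 2018, and if the field is read month/day/year, as is usual for `ms.date`, the new value says August 10. Suggest `ms.date: 10/8/2018`.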
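Review bot: In the feature-list hunk of patch 1/4, the rewritten third bullet has two wording slips: "it sends a OAuth request" should be "an OAuth request", and the bullet opens with "User Profile service application" but keeps "User Profile Service application" in its second sentence. Pick one casing (the summary line uses lowercase "service") and apply it to both. The unchanged first bullet has the same "a OAuth request" and could be fixed in the same pass.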
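Review bot: In the "Before you begin" hunk of patch 1/4, the second new prerequisite links to an absolute `https://docs.microsoft.com/en-us/...` URL while the first uses a relative `.md` link, and its link text says "of this article" although the target is a different article. Suggest a relative link without the locale segment, link text that names the target article, and a closing period to match the first bullet. The hunk also drops the pointers to "Authentication overview for SharePoint Server" and "Plan for server-to-server authentication in SharePoint Server"; if that is intentional, consider keeping them in a see-also list, since nothing else in the visible text explains the realm and trusted-issuer concepts the scripts rely on.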
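Review bot: In the trusted-issuer hunks of patch 1/4 (both the publishing-side and consuming-side sections), the note "This assumes that you already added the root certificate of the consuming farm to the trusted root authorities" is deleted, but the `-MetadataEndpoint` value is still an `https://` URL and the new prerequisite list does not mention the certificate exchange. A reader who skips that step will hit a TLS trust failure on the first line of the script with no hint why. Suggest adding it as a third bullet under "The procedure in this article requires that you already configured the following", with the link to "Exchange trust certificates between farms in SharePoint Server" that the removed note carried.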
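Review bot: In patch 2/4, both `-MetadataEndpoint` lines replace the `<15or16>` placeholder with a hard-coded `15`, and the subject "Updated links" does not say why. The article covers both SharePoint Server 2016 and SharePoint 2013, so a reader on 2016 will wonder whether `/_layouts/15/` applies to them. If `15` is correct for both versions, state that in a sentence above the script or in the script comment, and put the reason in the commit message.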
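Review bot: In patch 4/4, the new heading and paragraph write "MySites web application", while the feature bullets earlier in the article write "My Sites web application"; use the existing spelling. The parenthetical "(which might not be the publishing farm)" also introduces a topology the rest of the page does not account for: the parent heading and its intro still say "between publishing and consuming farms", and the second section heading is still "Authorize publishing farm to send OAuth requests to the consuming farm". Suggest one sentence in the section intro that names the farm hosting the My Sites web application as a possible third party, so the two subsections read consistently.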