Merge pull request #686 from MicrosoftDocs/master
Merging master to live
kaarins authored Oct 5, 2018
2 parents 2f0056d + b426c8b commit 46cecc3
Showing 3 changed files with 106 additions and 131 deletions.
11 changes: 9 additions & 2 deletions OneDrive/use-group-policy.md
Expand Up @@ -213,6 +213,9 @@ Enabling this policy sets the following registry key.
<a name="OptInWithWizard"> </a>

This setting displays the "Set up protection of important folders" window that prompts users to move their Documents, Pictures, and Desktop folders to OneDrive.

> [!NOTE]
> This setting is available in the OneDrive sync client build 18.111.0603.0004 or later.
![OneDrive folder protection start panel](media/ebf0a858-d89f-47f0-8f78-4192a95944f0.png)
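Review bot: the image line `![OneDrive folder protection start panel](media/ebf0a858-d89f-47f0-8f78-4192a95944f0.png)` directly follows the new `> [!NOTE]` block with no blank line between them, so Markdown treats it as a lazy continuation of the blockquote and the screenshot renders inside the note callout. Add a blank line after the `> This setting is available in the OneDrive sync client build 18.111.0603.0004 or later.` line.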

Expand All @@ -229,9 +232,10 @@ Enabling this policy sets the following registry key:
### Silently move Windows known folders to OneDrive
<a name="OptInNoWizard"> </a>

In the sync client build 18.171.0823.0001 or later, this setting lets you redirect and move your users' Documents, Pictures, and Desktop folders to OneDrive without user interaction.
Use this policy to redirect your users' Documents, Pictures, and Desktop folders to OneDrive without any user interaction. This setting is available in the OneDrive sync client build 18.111.0603.0004 or later. Before sync client build 18.171.0823.0001, this policy redirected only empty known folders to OneDrive. Now, it redirects known folders that contain content and moves the content to OneDrive.

For previous sync client builds, this setting lets you silently redirect the folders to OneDrive, but not move any folder contents. In these previous builds, the setting works only when all known folders are empty, and on folders redirected to a different OneDrive account. We therefore recommend using this setting together with "Prompt users to move Windows known folders to OneDrive" for previous builds.
> [!NOTE]
> If you're using this setting with a build earlier than 18.171.0823.0001, we recommend also enabling "Prompt users to move Windows known folders to OneDrive."
If you enable this setting and provide your tenant ID, you can choose whether to display a notification to users after their folders have been redirected.
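Review bot: same blockquote problem here: `If you enable this setting and provide your tenant ID, ...` sits directly under the `> If you're using this setting with a build earlier than 18.171.0823.0001, ...` line, so it will be pulled into the NOTE callout; add a blank line after the note. Separately, the replacement sentence `Before sync client build 18.171.0823.0001, this policy redirected only empty known folders to OneDrive.` drops the removed text's statement that on earlier builds the setting also applied to folders redirected to a different OneDrive account; if that behaviour still holds for those builds, keep that sentence rather than removing it silently.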

Expand All @@ -253,6 +257,9 @@ Setting this value to 1 displays a notification after successful redirection.
<a name="OptInNoWizardToast"> </a>

This setting forces users to keep their Documents, Pictures, and Desktop folders directed to OneDrive.

> [!NOTE]
> This setting is available in the OneDrive sync client build 18.111.0603.0004 or later.
If you enable this setting, the "Stop protecting" button in the "Set up protection of important folders" window will be disabled and users will receive an error if they try to stop syncing a known folder.
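Review bot: the paragraph `If you enable this setting, the "Stop protecting" button ...` needs a blank line before it; without one it becomes part of the preceding `> [!NOTE]` callout.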

29 changes: 15 additions & 14 deletions SharePoint/SharePointOnline/what-s-new-in-admin-center.md
Expand Up @@ -3,7 +3,6 @@ title: "What's new in the SharePoint admin center"
ms.author: kaarins
author: kaarins
manager: pamgreen
ms.date: 6/1/2018
ms.audience: Admin
ms.topic: reference
ms.service: sharepoint-online
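Review bot: deleting `ms.date: 6/1/2018` from the front matter removes the page's last-updated date instead of refreshing it. Since this commit changes the page content, set `ms.date` to the current date (or confirm the build tolerates a missing `ms.date`) rather than dropping the key.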
Expand All @@ -14,7 +13,7 @@ search.appverid:
- BSA160
- MET150
ms.assetid: 317eed2b-d266-4c4c-9a37-1aceed9db567
description: "We're continuously adding new features to the new SharePoint admin center (preview) and fixing issues we learn about. Here's a summary of what's included, and what's coming up. You can help us improve the admin center by sending us your suggestions and reporting bugs you encounter. In the lower-right corner of the admin center, click the Feedback button."
description: "Learn about the features currently in the new SharePoint admin center, and those coming soon."
---

# What's new in the SharePoint admin center
Expand All @@ -32,11 +31,11 @@ We're continuously adding new features to the new SharePoint admin center (previ

- Links to the Microsoft 365 admin center for detailed reports, message center posts, and service health info

- Links to the OneDrive admin center and classic SharePoint admin center
- Links to the OneDrive admin center, SharePoint Migration Tool, and classic SharePoint admin center

- A geo location selector for organizations that have set up Multi-Geo in OneDrive and SharePoint

**Site management page**
**Active sites page**

- A list that includes the new types of sites that users create: team sites that belong to Office 365 groups and communication sites

Expand All @@ -45,6 +44,8 @@ We're continuously adding new features to the new SharePoint admin center (previ
- Extensive site info and insights such as site name, template, file and sharing info, and date created and modified

- The ability to sort, filter, and customize columns, as well as search by all text fields

- The ability to view and filter by hub site association

- Built-in views and the ability to create custom views

Expand All @@ -56,15 +57,19 @@ We're continuously adding new features to the new SharePoint admin center (previ

- The ability to select multiple sites and email site admins

**Recycle bin page**
**Deleted sites page**

- A list of deleted sites with time deleted

- The ability to restore sites individually
- The ability to restore sites (except those connected to an Office 365 group) individually

**Settings page**

- Settings for list and library experience, sync (if your organization used the previous sync client), and notifications

**API management page**

- The ability to view pending and approved web API permissions and approve or reject access requests

## Coming soon
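Review bot: the parenthetical in `- The ability to restore sites (except those connected to an Office 365 group) individually` splits the sentence awkwardly; suggest `- The ability to restore sites individually (not available for sites connected to an Office 365 group)`. The new `**API management page**` bullet says admins can approve or reject web API access requests but not what an approved permission grants access to; a link to the article that explains web API permissions would help admins judge an approval.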

Expand All @@ -74,25 +79,21 @@ Here's a short list of some of the larger features we're working on. Use the Fee

- Improved design for mobile

**Site management page**
**Active sites page**

- Grouping

- More batch operations

- The ability to specify the primary admin when creating communication sites and sites that belong to an Office 365 group

- The ability to view and update Office 365 group owners, and delete sites that belong to an Office 365 group

- The ability to delete sites created by another admin

**Recycle bin page**
**Deleted sites page**

- Batch restore

- The ability to delete (purge)
- The ability to permanently delete sites

**Sharing and device access**
**Sharing and Access control**

- New pages for organization-wide settings
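Review bot: three `Coming soon` bullets are removed here (`The ability to specify the primary admin when creating communication sites ...`, `The ability to view and update Office 365 group owners, and delete sites that belong to an Office 365 group`, `The ability to delete sites created by another admin`), but none of them is added to the current-features list earlier in the file. If they shipped, they belong under the `**Active sites page**` list above; if they were dropped from the roadmap, a line in the page or the commit message saying so would keep readers from assuming they are now available.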

Expand Up @@ -10,145 +10,112 @@ ms.prod: sharepoint-server-itpro
localization_priority: Normal
ms.collection: IT_Sharepoint_Server_Top
ms.assetid: c77f5006-d023-463f-8256-e4570d32dd1e
description: "Summary: Learn how to configure server-to-server authentication when you share service applications across SharePoint Server 2016 and SharePoint 2013 publishing and consuming farms."
description: "Summary: Learn how to configure server-to-server authentication when you share User Profile service application across SharePoint Server 2016 and SharePoint 2013 publishing and consuming farms."
---

# Configure server-to-server authentication between publishing and consuming farms
# Configure Server-to-Server authentication between publishing and consuming farms

**Summary:** Learn how to configure server-to-server authentication when you share service applications across SharePoint Server 2016 and SharePoint 2013 publishing and consuming farms.
**Summary:** Learn how to configure Server-to-Server authentication when you share the User Profile service application across SharePoint Server 2016 and SharePoint 2013 publishing and consuming farms.

To enable a web application or an application service to request a resource from a web application on another farm on behalf of a user, you must configure server-to-server authentication between the farms. A few examples of SharePoint Server processes that use server-to-server authentication are as follows:
When a farm consumes the User Profile service application of a publishing farm, SharePoint issues requests using Server-to-Server authentication on behalf of the user for some features:

- Follow a document on a Team Sites web application when a user's personal site is located on a My Sites web application. The Team Sites web application makes a request of the My Sites web application on behalf of the user.
- Create or reply to a site feed post for a site that is located on a Team Sites web application but performed through the user's My Site Newsfeed on the My Sites web application. The My Sites web application will make a request of the Team Sites web application on behalf of the user to write the post or the reply.
- Follow a document on a content web application when a user's personal site is located on a web application in an external farm. The content web application makes a OAuth request to the My Sites web application on behalf of the user.

- Create or reply to a site feed post for a site that is located on a content web application but performed through the user's My Site Newsfeed on the My Sites web application. The My Sites web application will make a request of the Team Sites web application on behalf of the user to write the post or the reply.

- A User Profile Service application task to repopulate the feed cache has to read from the personal site or team site. If the User Profile Service application is running in a different farm, the User Profile Service application sends a request to the My Sites web application or Team Sites web application to read the user or site feed data into the cache.

> [!NOTE]
> Web applications or application services that request resources from an application service on another farm do not require server-to-server authentication.

## Before you begin
<a name="begin"> </a>

This article requires that you already shared the User Profile service application between a consuming and a publishing farm. If you haven't done so, see [Share service applications across farms in SharePoint Server](/share-service-applications-across-farms) first to share the User Profile service application.

To understand the procedures in this article, you should be familiar with the basic concepts in the following articles:

[Authentication overview for SharePoint Server](../security-for-sharepoint-server/authentication-overview.md)

[Plan for server-to-server authentication in SharePoint Server](../security-for-sharepoint-server/plan-server-to-server-authentication.md)

> [!IMPORTANT]
> If your consuming farm has web applications that are configured or registered to a Workflow Manager, when you set a Realm value, you will need to register the Workflow Manager with the SharePoint farm. Use the PowerShell [Register-SPWorkflowService](https://docs.microsoft.com/en-us/powershell/module/sharepoint-server/register-spworkflowservice?view=sharepoint-ps) cmdlet to do this.
Verify that you are a member of the Administrators group on the servers on which you are running PowerShell cmdlets.

- **Securityadmin** fixed server role on the SQL Server instance.
- **db_owner** fixed database role on all databases that are to be updated.
An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets.
> [!NOTE]
> If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see [Add-SPShellAdmin](http://technet.microsoft.com/library/2ddfad84-7ca8-409e-878b-d09cb35ed4aa.aspx).
> For more information about setting a Realm value and registering a Workflow Manager with a SharePoint farm, see [Fix the HTTP 401 error with provider-hosted add-ins and issues with workflow and cross farm trust scenarios in SharePoint](https://support.microsoft.com/en-us/help/4010011/provider-hosted-add-ins-stop-working-and-http-401-error) and [Move Workflow Manager to a new farm in a new domain](https://sharepoint.stackexchange.com/questions/132524/move-workflow-manager-to-new-farm-in-a-new-domain).
## Configure server-to-server authentication between publishing and consuming farms
<a name="begin"> </a>

The following procedure describes how to configure server-to-server authentication between the publishing and consuming farms.

**To configure server-to-server authentication between publishing and consuming farms**

1. Choose a realm name that will be common to both farms.

2. Verify that you are a member of the Administrators group on the server on which you are running PowerShell cmdlets.

- **Securityadmin** fixed server role on the SQL Server instance.

- **db_owner** fixed database role on all databases that are to be updated.

An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets.

The following procedure describes how to configure server-to-server authentication and grant just the necessary permissions to allow social features to work. Each farm keeps its own, unique authentication realm.

### Authorize consuming farm to send OAuth requests to the publishing farm

1. In a SharePoint server in the publishing farm, start the SharePoint Management Shell.

2. Register the consuming farm as a trusted issuer:

```powershell
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://<ConsumingFarmHostName>/_layouts/<15or16>/metadata/json/1" -Name "<ConsumingFarmFriendlyName>"
```

> [!NOTE]
> If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see [Add-SPShellAdmin](http://technet.microsoft.com/library/2ddfad84-7ca8-409e-878b-d09cb35ed4aa.aspx).
3. In the SharePoint Server environment on both the publishing and consuming farms, start the SharePoint Management Shell.

4. To configure the publishing farm for the common realm name, type the following command at the PowerShell command prompt on a server in the publishing farm:

```
Set-SPAuthenticationRealm -realm <RealmName>
```

Where:

_RealmName_ is the name that you chose in step 1.

5. To configure the Name ID for the SharePoint Security Token Service (STS) on the publishing farm to include the common realm name, type the following commands at the PowerShell command prompt on a server in the publishing farm:

```
$sts=Get-SPSecurityTokenServiceConfig
$Realm=Get-SpAuthenticationRealm
$nameId = "00000003-0000-0ff1-ce00-000000000000@$Realm"
Write-Host "Setting STS NameId to $nameId"
$sts.NameIdentifier = $nameId
$sts.Update()
```

6. To configure the consuming farm for the common realm name, type the following command at the PowerShell command prompt on a server in the consuming farm:

```
Set-SPAuthenticationRealm -realm <RealmName>
```

Where:

_RealmName_ is the name that you chose in step 1.

7. To configure the Name ID for the SharePoint STS on the consuming farm to include the common realm name, type the following commands at the PowerShell command prompt on a server in the consuming farm:

```
$sts=Get-SPSecurityTokenServiceConfig
$Realm=Get-SpAuthenticationRealm
$nameId = "00000003-0000-0ff1-ce00-000000000000@$Realm"
Write-Host "Setting STS NameId to $nameId"
$sts.NameIdentifier = $nameId
$sts.Update()
```

8. To configure the publishing farm for server-to-server authentication with the consuming farm, type the following command at the PowerShell command prompt on a server in the publishing farm:

```
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://<ConsumeHostName>/_layouts/<15or16>/metadata/json/1" -Name "<ConsumeFriendlyName>"
```

Where:

- _ConsumeHostName_ is the name and port of any SSL-enabled web application of the consuming farm.

- _15or16_ is the directory for the SharePoint Server version.

- _ConsumeFriendlyName_ is a friendly name for the consuming farm.

This creates the server-to-server authentication trust with the consuming farm.

9. To configure the consuming farm for server-to-server authentication with the publishing farm, type the following command at the PowerShell command prompt on a server in the consuming farm:

```
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://<PublishHostName>/_layouts/<15or16>/metadata/json/1" -Name "<PublishFriendlyName>"
```

Where:

- _PublishHostName_ is the name and port of any SSL-enabled web application of the publishing farm.

- _15or16_ is the directory for the SharePoint Server version.

- _PublishFriendlyName_ is a friendly name for the publishing farm.

This creates the server-to-server authentication trust with the publishing farm.

> This assumes that you already added the root certificate of the consuming farm to the trusted root authorities as explained in article [Exchange trust certificates between farms in SharePoint Server](/exchange-trust-certificates-between-farms).

3. Get the app principal and set required authorizations:

```powershell
# Get the app principal and set required authorizations
$mySiteHost = Get-SPWeb "http://<MySiteHostUrl/"
$appPrincipal = Get-SPAppPrincipal -Site $mySiteHost -NameIdentifier $trustedIssuer.NameId
# Grant permissions AppOnly and Write on the MySite host
Set-SPAppPrincipalPermission -EnableAppOnlyPolicy -Site $mySiteHost -AppPrincipal $appPrincipal -Scope SiteSubscription -Right Write
# Grant permissions Manage on the PrivateAPI and Read on the SocialPermissionProvider
$privateAPITypeId = New-Object -TypeName System.Guid ("a2ccc2e2-1703-4bd9-955f-77b2550d6f0d")
$socialPermissionProviderId = New-Object -TypeName System.Guid ("fcaec196-a98c-4f8f-b60f-e1a82272a6d2")
$mgr = New-Object -TypeName Microsoft.SharePoint.SPAppPrincipalPermissionsManager ($mySiteHost)
$mgr.AddSiteSubscriptionPermission($appPrincipal, $privateAPITypeId, [Microsoft.SharePoint.SPAppPrincipalPermissionKind]::Manage)
$mgr.AddSiteSubscriptionPermission($appPrincipal, $socialPermissionProviderId, [Microsoft.SharePoint.SPAppPrincipalPermissionKind]::Read)
```

### Authorize publishing farm to send OAuth requests to the consuming farm

1. In a SharePoint server in the consuming farm, start the SharePoint Management Shell.

2. Register the farm running User Profile service application as a trusted issuer:

```powershell
$trustedIssuer = New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://<PublishingFarmHostName>/_layouts/<15or16>/metadata/json/1" -Name "<PublishingFarmFriendlyName>"
```

> [!NOTE]
> This assumes that you already added the root certificate of the consuming farm to the trusted root authorities as explained in article [Exchange trust certificates between farms in SharePoint Server](/exchange-trust-certificates-between-farms).

3. Get the app principal and set required authorizations:

```powershell
# Get the app principal
$centralAdminWeb = Get-SPWeb "http://sp:5000/"
$appPrincipal = Get-SPAppPrincipal -Site $centralAdminWeb -NameIdentifier $trustedIssuer.NameId
# Grant app only permission and Read on the SiteSubscription
Set-SPAppPrincipalPermission -EnableAppOnlyPolicy -AppPrincipal $appPrincipal -Site $centralAdminWeb -Scope SiteSubscription -Right Read
# Grant permissions Manage on the PrivateAPI
$privateAPITypeId = New-Object -TypeName System.Guid ("a2ccc2e2-1703-4bd9-955f-77b2550d6f0d")
$mgr = New-Object -TypeName Microsoft.SharePoint.SPAppPrincipalPermissionsManager ($centralAdminWeb)
$mgr.AddSiteSubscriptionPermission($appPrincipal, $privateAPITypeId, [Microsoft.SharePoint.SPAppPrincipalPermissionKind]::Manage)
```

## See also
<a name="begin"> </a>

#### Concepts
### Concepts

[Share service applications across farms in SharePoint Server](share-service-applications-across-farms.md)
#### Other Resources

[Get-SPAuthenticationRealm](http://technet.microsoft.com/library/7ec6c10c-283e-4533-addf-6bdd2d804c28.aspx)

[Set-SPAuthenticationRealm](http://technet.microsoft.com/library/d3d60059-4883-4591-a3a7-d3002c999e68.aspx)
### Other Resources

[New-SPTrustedSecurityTokenIssuer](http://technet.microsoft.com/library/9ab7aac9-4c9a-4cba-8dd6-ffead217c2fa.aspx)
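Review bot: in the `Authorize consuming farm to send OAuth requests to the publishing farm` script, `$appPrincipal = Get-SPAppPrincipal -Site $mySiteHost -NameIdentifier $trustedIssuer.NameId` reads `$trustedIssuer`, but the `New-SPTrustedSecurityTokenIssuer` call in step 2 of that section never assigns its result, so `$trustedIssuer` is `$null` and `Get-SPAppPrincipal` fails; assign it the way the publishing-farm section does (`$trustedIssuer = New-SPTrustedSecurityTokenIssuer ...`). In the same block, `Get-SPWeb "http://<MySiteHostUrl/"` is missing the closing `>` of the placeholder, and in the other section `Get-SPWeb "http://sp:5000/"` hard-codes a Central Administration URL where a `<CentralAdminUrl>` placeholder is expected. Both certificate notes say `root certificate of the consuming farm`, although in the consuming-farm section the certificate being trusted is the publishing farm's; the first of the two is also a bare `>` quote without the `> [!NOTE]` marker the second uses. Smaller points: `Server-to-Server` in the new title and summary is capitalized differently from `server-to-server` in the body headings; the `<a name="begin">` anchor is reused for three headings, so in-page links to `#begin` only ever reach the first; and the paragraph `Verify that you are a member of the Administrators group ...` now runs straight into the `Securityadmin`/`db_owner` bullets without the lead-in sentence that introduced them in the procedure that was removed.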
