Establishing a trust relationship between two farms

To be able to subscribe to another farm's content, a trust relationship has to be set up between the two farms. This is what allows the two server farms to communicate, and it is accomplished through certificates that uniquely identify each farm: every farm exports its root certificate, and the other farm imports it as a trusted root authority.

In this recipe you will see how to set this up.

Getting ready

Because we are showing this with PowerShell, you must be a member of the SharePoint_Shell_Access database role on the configuration database of both the publishing farm and consuming farm. You also must be a member of the WSS_ADMIN_WPG local group on the chosen servers.

Finally, the two servers you will be using (one on the Publishing Farm and one on the Consuming Farm) must be selected ahead of time and the same two servers must be used throughout the process. The suggested servers to use are the ones hosting Central Administration.

How to do it...

Export the certificates: Publishing Farm

  1. On the chosen publishing farm server, select Start | All Programs | Microsoft SharePoint 2010 Products | SharePoint 2010 Management Shell.
  2. In the PowerShell command prompt, type in the following two commands:
    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    $rootCert.Export("Cert") | Set-Content C:\pubfarm.cer -Encoding byte
    

Export the certificates: Consuming Farm

  1. On the consuming farm server, select Start | All Programs | Microsoft SharePoint 2010 Products | SharePoint 2010 Management Shell.
  2. In the PowerShell command prompt, type in the following four commands:
    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    $rootCert.Export("Cert") | Set-Content C:\consumingfarm.cer -Encoding byte
    $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    $stsCert.Export("Cert") | Set-Content C:\consumingfarmsts.cer -Encoding byte
    

Import the certificates: Publishing Farm

  1. Copy the consumingfarm.cer and consumingfarmsts.cer files from the consuming farm and put them in the C:\temp folder on the chosen server in the publishing farm.
  2. In the PowerShell command prompt, type in the following four commands:
    $trustCert = Get-PfxCertificate C:\temp\consumingfarm.cer
    New-SPTrustedRootAuthority ConsumingFarm -Certificate $trustCert
    $stsCert = Get-PfxCertificate C:\temp\consumingfarmsts.cer
    New-SPTrustedServiceTokenIssuer ConsumingFarm -Certificate $stsCert
    

Import the certificates: Consuming Farm

  1. Copy the pubfarm.cer file from the publishing farm and put it in the C:\temp folder on the consuming farm.
  2. In the PowerShell command prompt, type in the following two commands:
    $trustCert = Get-PfxCertificate C:\temp\pubfarm.cer
    New-SPTrustedRootAuthority PublishingFarm -Certificate $trustCert
    
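The four sub-procedures above, collected into two reusable functions as an added example for the SharePoint 2010 Management Shell. This is not code from the book; the C:\temp paths, the trust names, and the thumbprint check are choices made here. The check matters because whoever can swap the .cer file on its way between farms decides what the importing farm trusts, so the importing administrator compares the file's thumbprint against a value the exporting administrator reads out over a separate channel before anything is imported. The property names Certificate (on a trusted root authority) and SigningCertificate (on a trusted token issuer) used in the final listing are assumed.

```powershell
# Added example (not from the original recipe). Run inside the
# SharePoint 2010 Management Shell on each farm as described in the usage
# notes at the bottom. Paths and trust names below are assumptions.

# Run on the farm whose certificates are being handed out.
# Use -IncludeSts on the consuming farm, which must also supply
# its Security Token Service signing certificate.
function Export-FarmCertificates {
    param(
        [Parameter(Mandatory = $true)] [string] $FarmName,   # e.g. "pubfarm"
        [string] $OutputFolder = "C:\temp",                   # assumed path
        [switch] $IncludeSts
    )
    if (-not (Test-Path $OutputFolder)) {
        New-Item -ItemType Directory -Path $OutputFolder | Out-Null
    }

    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    $rootPath = Join-Path $OutputFolder "$FarmName.cer"
    $rootCert.Export("Cert") | Set-Content $rootPath -Encoding byte
    # Print the thumbprint so it can be read to the other farm's admin
    # over a separate channel and checked before import.
    Write-Host ("Root {0}  thumbprint {1}" -f $rootPath, $rootCert.Thumbprint)

    if ($IncludeSts) {
        $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
        $stsPath = Join-Path $OutputFolder "${FarmName}sts.cer"
        $stsCert.Export("Cert") | Set-Content $stsPath -Encoding byte
        Write-Host ("STS  {0}  thumbprint {1}" -f $stsPath, $stsCert.Thumbprint)
    }
}

# Run on the farm that is going to trust the other one. Refuses to import
# a certificate whose thumbprint does not match the value obtained out of band,
# and does not try to re-create a trust that already exists under that name.
function Import-FarmTrust {
    param(
        [Parameter(Mandatory = $true)] [string] $TrustName,               # e.g. "ConsumingFarm"
        [Parameter(Mandatory = $true)] [string] $RootCerPath,
        [Parameter(Mandatory = $true)] [string] $ExpectedRootThumbprint,
        [string] $StsCerPath,              # only on the publishing farm
        [string] $ExpectedStsThumbprint
    )
    $normalize = { param($t) $t.Replace(" ", "").ToUpper() }

    $trustCert = Get-PfxCertificate $RootCerPath
    if ($trustCert.Thumbprint -ne (& $normalize $ExpectedRootThumbprint)) {
        throw "Root certificate thumbprint mismatch for $RootCerPath; not importing."
    }
    if (Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq $TrustName }) {
        Write-Warning "Trusted root authority '$TrustName' already exists; skipping."
    } else {
        New-SPTrustedRootAuthority -Name $TrustName -Certificate $trustCert | Out-Null
    }

    if ($StsCerPath) {
        $stsCert = Get-PfxCertificate $StsCerPath
        if ($stsCert.Thumbprint -ne (& $normalize $ExpectedStsThumbprint)) {
            throw "STS certificate thumbprint mismatch for $StsCerPath; not importing."
        }
        if (Get-SPTrustedServiceTokenIssuer | Where-Object { $_.Name -eq $TrustName }) {
            Write-Warning "Trusted token issuer '$TrustName' already exists; skipping."
        } else {
            New-SPTrustedServiceTokenIssuer -Name $TrustName -Certificate $stsCert | Out-Null
        }
    }

    # List what the farm now trusts; this is the same data shown under
    # Central Administration | Security | Manage trust.
    Get-SPTrustedRootAuthority |
        Select-Object Name, @{ n = "Thumbprint"; e = { $_.Certificate.Thumbprint } }
    Get-SPTrustedServiceTokenIssuer |
        Select-Object Name, @{ n = "Thumbprint"; e = { $_.SigningCertificate.Thumbprint } }
}

# Usage, in this order (thumbprint values come from the other farm's export output):
#   Publishing farm:  Export-FarmCertificates -FarmName pubfarm
#   Consuming farm:   Export-FarmCertificates -FarmName consumingfarm -IncludeSts
#   Copy the .cer files to C:\temp on the other farm's chosen server, then:
#   Publishing farm:  Import-FarmTrust -TrustName ConsumingFarm `
#                       -RootCerPath C:\temp\consumingfarm.cer -ExpectedRootThumbprint <value> `
#                       -StsCerPath C:\temp\consumingfarmsts.cer -ExpectedStsThumbprint <value>
#   Consuming farm:   Import-FarmTrust -TrustName PublishingFarm `
#                       -RootCerPath C:\temp\pubfarm.cer -ExpectedRootThumbprint <value>
```

Get-PfxCertificate returns an X509Certificate2, so the thumbprint compared here is the SHA-1 hash of the DER-encoded file, the same value the exporting side printed; any substitution of the file on the way over changes it.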

How it works...

The second step of Export the certificates: Publishing Farm consists of two parts: setting the $rootCert variable to the farm's RootCertificate, and then exporting that certificate to a physical file, pubfarm.cer.

The second step of Export the certificates: Consuming Farm does the same thing, with one addition: it also exports the farm's Security Token Service (STS) signing certificate, which has to be provided to the publishing farm.

In the two import sections, the parameters ConsumingFarm and PublishingFarm are names that we, as administrators, created ourselves; they become the names of the trust relationships. Here they simply represent the purpose of each farm. It is recommended to choose meaningful names so that the purpose of each trust is clear when you look at it later.

Both the publishing and consuming farms must exchange certificates. In addition, the consuming farm must export a security token service certificate, which the publishing farm imports.

Most of the service applications use web services to access the SharePoint databases. The web services do this on behalf of an authenticated client. In SharePoint 2010, it is the STS that authenticates clients. The clients in this chapter are service applications, which present credentials to the STS. Once authenticated, the STS issues a security token to the service application; that token is its "passport" for obtaining the information it is requesting. This is why the publishing farm must trust the consuming farm's STS signing certificate: it is what lets the publishing farm verify tokens issued on the consuming farm.

There's more...

While exporting must be done with PowerShell, there is a user interface in Central Administration for importing certificates.

  1. Navigate to Central Administration and click Security.
  2. Under the General Security section, click Manage trust.

The ribbon will light up after clicking on the name of the farm. Now you can click New to establish a trust relationship, or you can click Edit to modify the Token issuer description or the certificates that are used.

Finally, there is a Delete option to allow you to remove a trust relationship.