Exchange trust certificates between farms (SharePoint Server 2010)
Si applica a: SharePoint Foundation 2010, SharePoint Server 2010
Ultima modifica dell'argomento: 2016-11-30
In Microsoft SharePoint Server 2010, a SharePoint farm can connect to and consume a service application that is published on another SharePoint Server 2010 farm. For this to occur, the farms must exchange trust certificates.
This article describes how to exchange trust certificates between the publishing farm and the consuming farm. Note that both farms must participate in this exchange for service application sharing to work.
Importante
Before you start to share service applications, we highly recommend that you read the articles Share service applications across farms (SharePoint Server 2010) and Pianificazione dell'architettura dei servizi (SharePoint Server 2010).
You must use Windows PowerShell 2,0 commands to export and copy the certificates between farms. After the certificates are exported and copied, you can use either Windows PowerShell 2,0 commands or Central Administration to manage the trusts within the farm.
The instructions here assume the following criteria:
That the servers that are used for these procedures are running Windows PowerShell 2,0.
That the administrator will select and use the same server in each farm for all steps in the process.
If User Account Control (UAC) is turned on, you must run the Windows PowerShell 2,0 commands with elevated privileges.
In this article:
Exporting and copying certificates
Managing trust certificates by using Windows Powershell
Managing trust certificates by using Central Administration
Exporting and copying certificates
An administrator of the consuming farm must provide two trust certificates to the publishing farm: a root certificate and a security token service (STS) certificate. An administrator of the publishing farm must provide a root certificate to the consuming farm.
You can only export and copy certificates by using Windows PowerShell 2,0.
To export the root certificate from the consuming farm
On a server that is running SharePoint Server 2010 on the consuming farm, verify that you meet the following minimum requirements: vedere Add-SPShellAdmin.
On the Start menu, click Administrative Tools.
Click SharePoint 2010 Management Shell.
At the Windows PowerShell command prompt, type each of the following commands:
$rootCert = (Get-SPCertificateAuthority).RootCertificate $rootCert.Export("Cert") | Set-Content <C:\ConsumingFarmRoot.cer> -Encoding byte
Where <C:\ConsumingFarmRoot.cer> is the path of the root certificate.
To export the STS certificate from the consuming farm
At the Windows PowerShell command prompt, type the following commands:
$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate $stsCert.Export("Cert") | Set-Content <C:\ConsumingFarmSTS.cer> -Encoding byte
Where <C:\ConsumingFarmSTS.cer> is the path of the STS certificate.
To export the root certificate from the publishing farm
On a server that is running SharePoint Server 2010 on the publishing farm, verify that you meet the following minimum requirements: vedere Add-SPShellAdmin.
On the Start menu, click Administrative Tools.
Click SharePoint 2010 Management Shell.
At the Windows PowerShell command prompt, type the following commands:
$rootCert = (Get-SPCertificateAuthority).RootCertificate $rootCert.Export("Cert") | Set-Content <C:\PublishingFarmRoot.cer> -Encoding byte
Where <C:\PublishingFarmRoot.cer> is the path of the root certificate.
To copy the certificates
Copy the root certificate and the STS certificate from the server in the consuming farm to the server in the publishing farm.
Copy the root certificate from the server in the publishing farm to a server in the consuming farm.
Managing trust certificates by using Windows Powershell
Managing trust certificates within a farm involves establishing trust. This section describes how to establish trust on both the consuming and publishing farms, using Windows PowerShell 2,0 commands.
Establishing trust on the consuming farm
To establish trust on the consuming farm, you must import the root certificate that was copied from the publisher farm and create a trusted root authority.
To import the root certificate and create a trusted root authority on the consuming farm
At the Windows PowerShell command prompt on a server in the consuming farm, type the following commands:
$trustCert = Get-PfxCertificate <C:\PublishingFarmRoot.cer> New-SPTrustedRootAuthority <PublishingFarm> -Certificate $trustCert
Where:
<C:\PublishingFarmRoot.cer> is the path of the root certificate that you copied to the consuming farm from the publishing farm.
<PublishingFarm> is a unique name that identifies the publishing farm. Each trusted root authority must have a unique name.
Establishing trust on the publishing farm
To establish trust on the publishing farm, you must import the root certificate that was copied from the consuming farm and create a trusted root authority. You must then import the STS certificate that was copied from the consuming farm and create a trusted service token issuer.
To import the root certificate and create a trusted root authority on the publishing farm
At the Windows PowerShell command prompt on a server in the publishing farm, type the following commands:
$trustCert = Get-PfxCertificate <C:\ConsumingFarmRoot.cer> New-SPTrustedRootAuthority <ConsumingFarm> -Certificate $trustCert
Where:
<C:\ConsumingFarmRoot.cer> is the name and location of the root certificate that you copied to the publishing farm from the consuming farm.
<ConsumingFarm> is a unique name that identifies the consuming farm. Each trusted root authority must have a unique name.
To import the STS certificate and create a trusted service token issuer on the publishing farm
At the Windows PowerShell command prompt on a server in the publishing farm, type the following commands:
$stsCert = Get-PfxCertificate <c:\ConsumingFarmSTS.cer> New-SPTrustedServiceTokenIssuer <ConsumingFarm> -Certificate $stsCert
Where:
<C:\ConsumingFarmSTS.cer> is the path of the STS certificate that you copied to the publishing farm from the consuming farm.
<ConsumingFarm> is a unique name that identifies the consuming farm. Each trusted service token issuer must have a unique name.
For more information about these Windows PowerShell 2,0 cmdlets, see the following articles:
For information about using a script to automate part of this process, see Exchange trust certificates between farms (https://go.microsoft.com/fwlink/p/?LinkId=230666).
Managing trust certificates by using Central Administration
You can manage trusts on a farm only after the relevant certificates have already been exported and copied to the farm.
To establish trust by using Central Administration
Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.
On the SharePoint Central Administration Web site, click Security.
On the Security page, in the General Security section, click Manage trust.
On the Trust Relationship page, on the ribbon, click New.
On the Establish Trust Relationship page:
Supply a name that describes the purpose of the trust relationship.
Browse to and select the Root Authority Certificate for the trust relationship. This must be the Root Authority Certificate that was exported from the other farm by using Windows PowerShell, as described in Exporting and copying certificates.
If you are performing this task on the publishing farm, select the check box for Provide Trust Relationship. Type in a descriptive name for the token issuer and browse to and select the STS certificate that was copied from the consuming farm, as described in Exporting and copying certificates.
Click OK.
After a trust relationship is established, you can modify the Token Issuer description or the certificates that are used by clicking the trust, and then clicking Edit. You can delete a trust by clicking it, and then clicking Delete.
See Also
Concepts
Pianificare i metodi di autenticazione (SharePoint Server 2010)
Configurare l'autenticazione basata sulle attestazioni (SharePoint Server 2010)
Configurare il servizio token di sicurezza (SharePoint Server 2010)
Other Resources
Resource Center: Security and Authentication for SharePoint Server 2010