Friday, December 19, 2014

Procedure, tips, and verification scripts to build a server-to-server trust between SharePoint Server 2013 and SharePoint Online for one-way outbound hybrid search


After replacing the STS certificate in the on-premises SharePoint farm, as described in the previous blog post, you should be ready to set up server-to-server authentication for the hybrid environment. You need to create a trust relationship between your on-premises SharePoint farm and your SharePoint Online tenant, which uses Azure Active Directory as the trusted token signing service. The process described on TechNet is run on one of the on-premises SharePoint WFE servers that has the online service management tools installed. Since the TechNet article contains several errors, we cross-checked it against two other sets of instructions, one published by Microsoft escalation engineer Manas Biswas and one by Bill Baer. Here are the detailed steps, tips, and tricks.


1. First, you need to install the following online service management tools on ONE on-premises SharePoint Server 2013 web server.

There are some tricks and tips.


  • After Microsoft Online Services Sign-In Assistant for IT Professionals is installed, the registry is updated and a server reboot is required. If the installer did not prompt you to restart the server, reinstall it and choose Repair; it will then ask you to reboot the server.


By adding the required Windows PowerShell modules and snap-ins, the following process can occur in a single Windows PowerShell window on the on-premises SharePoint web server. 

2. Second, run the following PowerShell on the on-premises SharePoint WFE to create the trust and the proxy.

# Set environment
Add-PSSnapin Microsoft.SharePoint.PowerShell
Import-Module Microsoft.PowerShell.Utility
Import-Module MSOnline -force -verbose
Import-Module MSOnlineExtended -force -verbose
Import-Module Microsoft.Online.SharePoint.PowerShell -force

# Set the certificate
$stscertpfx="E:\source\O365\O365DEV.pfx"
$stscertcer="E:\source\O365\O365DEV.cer"
$stscertpassword="Qualcomm1"
$spcn="*.qualcomm.com"
$spsite="https://sharepointdev.qualcomm.com/"
$spoappid="00000003-0000-0ff1-ce00-000000000000"


# Update the certificate on the STS - you can skip this if you have already done it
$pfxCertificate=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $stscertpfx, $stscertpassword, 20
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $pfxCertificate

# Type Yes when prompted with the following message.
#You are about to change the signing certificate for the Security Token Service. Changing the certificate to an invalid, inaccessible or non-existent certificate will cause your SharePoint installation to stop functioning. Refer to the following article for instructions on how to change this certificate: http://go.microsoft.com/fwlink/?LinkID=178475. Are you sure, you want to continue?

#Restart IIS so STS Picks up the New Certificate - need to be done on all SharePoint servers
iisreset
net stop SPTimerV4
net start SPTimerV4

#To validate that the above commands ran successfully, run the following cmdlets. The certificates should match
$pfxCertificate
(Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate


#Do Some Conversions With the Certificates to Base64
$pfxCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $stscertpfx,$stscertpassword
$pfxCertificateBin = $pfxCertificate.GetRawCertData()
$cerCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cerCertificate.Import($stscertcer)
$cerCertificateBin = $cerCertificate.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($cerCertificateBin)

# Establish Remote Windows PowerShell Connection with Office 365
enable-psremoting

#When prompted with Are you sure you want to perform this action? type Yes for all of the actions.
new-pssession

# Log on as a Global Administrator for Office 365
Connect-MsolService

#When prompted, provide the Global Admin account for your Office 365 tenant. This would have been sent to your corporate e-mail address when you signed up for the tenant.

# Register the On-Premise STS as Service Principal in Office 365
New-MsolServicePrincipalCredential -AppPrincipalId $spoappid -Type asymmetric -Usage Verify -Value $credValue

# Add an SPN for your public domain name to Azure Active Directory
$SharePoint = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$spns = $SharePoint.ServicePrincipalNames
$spns.Add("$spoappid/$spcn")
Set-MsolServicePrincipal -AppPrincipalId $spoappid -ServicePrincipalNames $spns
$spocontextID = (Get-MsolCompanyInformation).ObjectID
$spoappprincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $spoappid).ObjectID
$sponameidentifier = "$spoappprincipalID@$spocontextID"

# Set the SharePoint authentication realm
$site=Get-Spsite "$spsite"
$appPrincipal = Register-SPAppPrincipal -site $site.rootweb -nameIdentifier $sponameidentifier -displayName "SharePoint Online"
Set-SPAuthenticationRealm -realm $spocontextID



# Configure an on-premises proxy for Azure Active Directory and establish in the On-Premise Farm a Trust with the ACS
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri "https://accounts.accesscontrol.windows.net/metadata/json/1/" -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://accounts.accesscontrol.windows.net/metadata/json/1/" -IsTrustBroker -Name "ACS"

3. Third, verify that the certificate registered in O365 matches the on-premises one, that the proxy is configured, and that the farm is ready for the hybrid search configuration.

A. Verify that the SharePoint server and the STS service have identical certificates. You can use the following PowerShell and compare the thumbprints.

# Verify whether the SharePoint on-premises server certificate matches the STS service certificate
# (the wildcard loads the Microsoft.SharePoint.PowerShell snap-in; -ea 0 silences the error if it is already loaded)
Add-PSSnapin *sh* -ea 0
$stscertpfx="E:\source\O365\O365Sbx.pfx"
$stscertcer="E:\source\O365\O365Sbx.cer"
$stscertpassword="Qualcomm1"
$spcn="*.qualcomm.com"
$spsite="https://sharepointdev.qualcomm.com/"
$spoappid="00000003-0000-0ff1-ce00-000000000000"

# Validate the STS token signing certificate thumbprint
$pfxCertificate=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $stscertpfx, $stscertpassword, 20
$pfxCertificate

# This cert is from the SharePoint STS service; its thumbprint must match the one above
(Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate

B. Verify that the certificate uploaded to O365 has not expired using the following commands.
Connect-MsolService
Get-MsolServicePrincipalCredential -AppPrincipalId "00000003-0000-0ff1-ce00-000000000000"


Press Enter and check the output for the expiration date of the certificate.

C. Validate that the SPNs are set up properly in O365 using the following commands.
$app = Get-MsolServicePrincipal -AppPrincipalId "00000003-0000-0ff1-ce00-000000000000"
$app.ServicePrincipalNames


The public domain of the on-premises SharePoint farm should appear in the list, as in this output:

PS C:\Users\SPdev1> $app = Get-MsolServicePrincipal -AppPrincipalId "00000003-0000-0ff1-ce00-000000000000"
$app.ServicePrincipalNames
00000003-0000-0ff1-ce00-000000000000/*.qualcomm.com
00000003-0000-0ff1-ce00-000000000000/*.sharepoint.com
00000003-0000-0ff1-ce00-000000000000
Microsoft.SharePoint

D. Validate the User Profile Service Application status; it should be "Online".
$upa=Get-SPServiceApplication | where-object {$_.TypeName -match "User Profile Service Application"}
$upa
$upa.status


E. Validate that the on-premises ACS proxy was created; it should have the name you configured in the previous script. In this case, it's "ACS".
Get-SPServiceApplicationProxy | ? {$_.Name -eq "ACS"} | fl


You can also check SharePoint Central Administration -> Manage Service Applications. You should see the new ACS Azure Access Control Service Application Proxy listed.

F. You can also verify the trust from SharePoint Central Administration -> Security -> Manage trust. The ACS trust should be listed as in the following screenshot.
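The checks in A, B, and C above can be combined into one script that compares thumbprints instead of eyeballing them. This is an added verification script, not part of the original post; it assumes Connect-MsolService has already been run, uses the page's app id and domain, and relies on the MSOnline parameter -ReturnKeyValues, without which Get-MsolServicePrincipalCredential returns no key material.

```powershell
# Added verification script (not from the original post). Confirms that the
# certificate the on-premises STS signs with is registered on the SharePoint
# Online service principal, is not expired, and that the on-premises SPN exists.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline

$spoappid = "00000003-0000-0ff1-ce00-000000000000"
$spcn     = "*.qualcomm.com"    # public domain of the on-premises farm (from the page)

# 1. The certificate the on-premises STS actually signs tokens with
$stsCert  = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$stsThumb = $stsCert.Thumbprint

# 2. Asymmetric/Verify credentials registered in Azure AD for the SPO principal.
#    -ReturnKeyValues $true is required, otherwise .Value is empty.
$regs = Get-MsolServicePrincipalCredential -AppPrincipalId $spoappid -ReturnKeyValues $true |
        Where-Object { $_.Type -eq "Asymmetric" -and $_.Usage -eq "Verify" }

# Rebuild each registered public certificate from its base64 value and compare thumbprints
$match = $null
foreach ($r in $regs) {
    $bytes = [Convert]::FromBase64String($r.Value)
    $x509  = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    if ($x509.Thumbprint -eq $stsThumb) { $match = $r }
}

if (-not $match) {
    Write-Error "STS signing cert $stsThumb is NOT registered on $spoappid in Azure AD"
    return
}
Write-Host "STS signing cert $stsThumb is registered (KeyId $($match.KeyId), valid until $($match.EndDate))"

# 3. Expiry of both the Azure AD registration and the certificate itself
$now = (Get-Date).ToUniversalTime()
if ($match.EndDate -lt $now -or $stsCert.NotAfter -lt $now) {
    Write-Error "Registration or certificate has expired; hybrid calls will fail"
} elseif ($match.EndDate -lt $now.AddDays(30) -or $stsCert.NotAfter -lt $now.AddDays(30)) {
    Write-Warning "Registration or certificate expires within 30 days; plan a rollover"
}

# 4. SPN for the on-premises domain must be present on the SPO service principal
$spns = (Get-MsolServicePrincipal -AppPrincipalId $spoappid).ServicePrincipalNames
if ($spns -contains "$spoappid/$spcn") {
    Write-Host "SPN $spoappid/$spcn is present"
} else {
    Write-Error "SPN $spoappid/$spcn is missing; rerun the Set-MsolServicePrincipal step"
}
```

Run it on the same WFE where the trust was created; a thumbprint mismatch usually means the STS certificate was replaced after the credential was registered, so New-MsolServicePrincipalCredential must be run again with the new certificate.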



Next, you are ready to continue with the hybrid search configuration. Please note that there are some errors in the Microsoft TechNet article; the procedure we verified is based on the one from Microsoft escalation engineer Manas Biswas.

One tip: you can suppress the interactive prompts for user input (login name, password, and the confirmations) when you run the above PowerShell commands. You can also store the password encrypted in a file.

Here is the procedure to encrypt the password. Log on to the Windows server as the user account that will run the script and execute the following command; the password will be stored encrypted in the file. Because ConvertFrom-SecureString without a -Key uses DPAPI, the file can only be decrypted by that same user account on that same server.

read-host -AsSecureString | ConvertFrom-SecureString | out-file C:\cred.txt

You can use this file to supply the password automatically. Here are the automated commands, which will not prompt for any input. The -Force and -Credential parameters are the key to the automation.


$o365admin = "userID@domain.company.com"
$password = get-content C:\cred.txt | convertto-securestring
$Creds = New-Object System.Management.Automation.PSCredential($o365admin, $password)

enable-psremoting -Force

#When prompted with Are you sure you want to perform this action? type Yes for all of the actions.
new-pssession

# Log on as a Global Administrator for Office 365
Connect-MsolService -Credential $Creds

See Ultimate procedure to display SharePoint online hybrid search results in SharePoint Server 2013 for other steps to configure hybrid search. 
