Updates from: 10/07/2022 02:20:14
Columns: Service | Microsoft Docs article | Related commit history on GitHub | Change details
SharePoint B2b Sync https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/b2b-sync.md
Title: "B2B Sync" --++ audience: Admin f1.keywords:
description: "Learn how the OneDrive sync app allows users to sync folders share
The OneDrive sync app now lets users sync libraries or folders in Microsoft SharePoint or Microsoft OneDrive that have been shared from other organizations. This scenario is often referred to as Business-to-Business (B2B) Collaboration. We're calling this new feature in the OneDrive sync app "B2B Sync".
-Azure Active Directory (AAD) guest accounts play a key role in making B2B Collaboration possible. A guest account at one organization links to a member account at another organization. Once created, a guest account allows Microsoft 365 services like OneDrive and SharePoint to grant a guest permission to sites and folders the same way a member within the organization is granted permission. Since the accounts at two organizations are linked, the user only needs to remember the username and password for the account at their organization. As a result, a single sign-in to their account enables access to content from their own organization and from any other organizations that have created guest accounts for them.
+Azure Active Directory (Azure AD) guest accounts play a key role in making B2B Collaboration possible. A guest account at one organization links to a member account at another organization. Once created, a guest account allows Microsoft 365 services like OneDrive and SharePoint to grant a guest permission to sites and folders the same way a member within the organization is granted permission. Since the accounts at two organizations are linked, the user only needs to remember the username and password for the account at their organization. As a result, a single sign-in to their account enables access to content from their own organization and from any other organizations that have created guest accounts for them.
> [!IMPORTANT] > We recommend that you enable [SharePoint and OneDrive integration with Azure AD B2B](/sharepoint/sharepoint-azureb2b-integration) to help ensure that the required Azure AD guest account for the share recipient is created in your organization's directory.
For people outside your organization to sync shared libraries and folders:
- External sharing must be enabled for the site or OneDrive. - The content must be shared with people outside the organization at the site or folder level. If a folder is shared, it must be through a link that requires sign-in. - Sharing recipients must have a Microsoft 365 work or school account (in Azure AD).
+- Any Azure AD conditional access policies must be compatible with guests ([more below](#ensure-any-azure-ad-conditional-access-ca-policies-are-compatible-with-external-access)).
- ADAL must not be enabled if using builds before 19.086.*. This article gives an overview of the B2B Sync experience and describes these requirements in more detail.
This article gives an overview of the B2B Sync experience and describes these re
- On the Mac, Files On-Demand thumbnails will not display from external organization's sites. Thumbnails will display correctly for files from the user's own organization. - On the Mac, if the guest account was created with a different email address format than the form they are using with the sync app, the external site's content cannot be synced. For example, first.last@fabrikam.com vs alias@fabrikam.com. - On the Mac, the external content may be placed on the local computer in the user's own organization's folder instead of one with the external organization's name.-- Multifactor authentication from an external organization is not yet supported. Only guest accounts that don't require MFA will sync.
+- Interactive authentication UI for guest accounts from an external organization is not supported by the sync client.
## Overview of the B2B Sync experience
To view or change the sharing setting for any site, use the new SharePoint admin
3. If you need to, [change the external sharing setting for a site](/sharepoint/manage-sites-in-new-admin-center#change-the-external-sharing-setting-for-a-site).
+## Ensure any Azure AD Conditional Access (CA) policies are compatible with external access
+
+The tenant admin can enable several kinds of conditional access policies at their tenant. When a guest is going to access a tenant's content, those policies may need to be adjusted for the guests so they can gain access.
+
+- Currently the sync client does not support interactive authentication UI when syncing external content. Any policy that would require a sign-in UI such as MFA (multi-factor authentication) or TOU (terms of use) prompt, will prevent the syncing of the external content from that tenant. If a tenant admin deploys such a policy before a guest starts syncing from that tenant, the user will be unable to establish the sync relationship. If the policy is deployed after a guest is syncing content from the tenant, that guest will receive an error and be unable to continue to sync from the tenant.
+
+- Tenants may update their Terms of Use (TOU) from time to time. A policy can trigger the user to view and accept the updated TOU via an interactive authentication prompt. Since sync doesn't support external tenant sign-in UI, sync will indicate it is unable to sync the external site's content.
+
+- Device Compliance requires user machines to be managed by the tenant and then to be up to date with requirements. For guests, their machines are likely to be managed by their own organization and thus are incompatible with requiring their machines to be managed by the content sharing tenant.
+
+- Location-based conditional access policies are typically used to enforce additional requirements like MFA when the user is not connecting from a trusted location (such as the tenant's office network). Typically in a guest scenario the client machine won't be located at the trusted locations, and since sync doesn't support MFA, you likely do not want this policy to apply to your guests.
+
+For more information see [Authentication and Conditional Access for External Identities](/azure/active-directory/external-identities/authentication-conditional-access).
+ ## Methods of sharing Sites and folders can be shared in different ways in SharePoint and OneDrive:
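Review bot: The new "Ensure any Azure AD Conditional Access (CA) policies are compatible with external access" section tells admins that MFA, terms-of-use, device-compliance and location-based policies will block guest sync and that "you likely do not want this policy to apply to your guests", but it never says how to carve out that exception, so it can be read as advice to relax the policy tenant-wide. Suggest one sentence stating that any adjustment should be scoped to guest users on the affected policy only, and that the new requirement bullet "Any Azure AD conditional access policies must be compatible with guests" should say, as the new limitation bullet does, that this is because the sync client does not support interactive authentication UI, so the reader sees the trade-off. Also, the removed "Multifactor authentication from an external organization is not yet supported" bullet has been run onto the end of the previous Mac bullet by a stray "--" ("external organization's name.--"); check that the rendered limitations list still shows the Mac bullet cleanly.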
SharePoint Block File Types https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/block-file-types.md
description: "In this article, you'll learn how to prevent users from uploading
You can prevent users from uploading specific file types when they sync their OneDrive files.
+This setting prevents file types from being uploaded but not downloaded. If users already have blocked file types in their OneDrive, the files will sync to their computer, but any changes they make on their computer won't be uploaded.
+ > [!NOTE]
-> This setting prevents file types from being uploaded but not downloaded. If users already have blocked file types in their OneDrive, the files will sync to their computer, but any changes they make on their computer won't be uploaded.
+> The OneDrive sync app doesn't sync .tmp, .ini, and .lnk files.
-
**To block uploading of specific file types** 1. Go to <a href="https://go.microsoft.com/fwlink/?linkid=2185072" target="_blank">Settings in the SharePoint admin center</a>, and sign in with an account that has [admin permissions](/sharepoint/sharepoint-admin-role) for your organization.
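Review bot: Moving the sentence "This setting prevents file types from being uploaded but not downloaded ..." out of the [!NOTE] callout and into the body paragraph (the `-`/`+` pair above) buries the one caveat that matters for anyone treating this setting as a control: blocked types that are already in OneDrive still sync down to every machine, so the setting does not stop existing files of those types from reaching endpoints. Suggest keeping that sentence as a callout. The new note that the sync app doesn't sync .tmp, .ini and .lnk files is useful, but since it sits under a heading about blocking uploads, it should state whether "doesn't sync" means neither upload nor download.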
SharePoint Configure Sync Intune https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/configure-sync-intune.md
Title: "Use administrative templates in Intune" --++ audience: Admin f1.keywords:
SharePoint Create And Manage Terms https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/create-and-manage-terms.md
To take any of the following actions, first select the term that you want to upd
<a name="__copy_the_term"> </a> - Select **Copy term**. This action shows the name of the new term as **\<original term name\> - Copy**. No child terms for the source term are copied. +
+### Copy term with children
+<a name="__Copy_term_with_children"> </a>
+
+Select **Copy term with children**. This action is only available on terms having at least one child term. This action shows the name of the new term as **\<original term name\> - Copy**. Children terms of the source term are also copied. Names of children terms are preserved as they are in the source term.
### Move term <a name="__move_a_term"> </a>
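Review bot: In the new "Copy term with children" subsection, "Children terms of the source term are also copied. Names of children terms are preserved" should read "child terms", matching "child term" earlier in the same sentence and "No child terms for the source term are copied" in the preceding "Copy term" bullet. The trailing "+" on the preceding line ("... are copied. +") is an empty added line that has been run together with that bullet; check that the rendered page separates them.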
SharePoint Deploy And Configure On Macos https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/deploy-and-configure-on-macos.md
Title: "Deploy and configure the OneDrive sync app for Mac" --++ audience: Admin f1.keywords:
SharePoint Deploy On Windows https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/deploy-on-windows.md
Title: "Deploy OneDrive apps using Microsoft Endpoint Configuration Manager" --++ audience: Admin f1.keywords:
SharePoint Enable Conditional Access https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/enable-conditional-access.md
Title: "Enable conditional access support in the OneDrive sync app" --++ audience: Admin f1.keywords:
SharePoint Exclude Or Uninstall Previous Sync Client https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/exclude-or-uninstall-previous-sync-client.md
Title: "Control Groove.exe installation when deploying Office using Click-to-Run" --++ audience: Admin f1.keywords:
SharePoint Files On Demand Mac https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/files-on-demand-mac.md
Title: "Set Files On-Demand states on Mac" --++ audience: Admin f1.keywords:
SharePoint Files On Demand Windows https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/files-on-demand-windows.md
Title: "Set Files On-Demand states in Windows" --++ audience: Admin f1.keywords:
SharePoint Ideal State Configuration https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/ideal-state-configuration.md
Title: "Recommended sync app configuration" --++ audience: ITPro f1.keywords:
SharePoint Intelligent Internet Overview https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/intelligent-internet-overview.md
Keep employees informed and engaged by providing a shared place to securely view
![Intelligent intranet overview](media/intelligent_intranet_overview1.png) ### Build an intelligent intranet
-Learn how to move through the [process of creating an intranet](https://resources.techcommunity.microsoft.com/intelligent-intranet/align/) for your organization. Get familiar with [common intranet planning and creation roles](./intranet-roles-tasks.md), design stages, and the [intranet lifecycle](https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/raw/public/SharePoint/SharePointOnline/spodownloads/Intranet%20lifecycle.pdf). Learn how to align goals into priority scenarios that you can [get started implementing](https://resources.techcommunity.microsoft.com/intelligent-intranet/implement/) quickly. Then, learn how to [engage with viewers](https://resources.techcommunity.microsoft.com/intelligent-intranet/engage/) and maintain your intranet over time as the organization changes and scales.
+Learn how to move through the [process of creating an intranet](https://aka.ms/IntelligentIntranet) for your organization. Get familiar with [common intranet planning and creation roles](./intranet-roles-tasks.md), design stages, and the [intranet lifecycle](https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/raw/public/SharePoint/SharePointOnline/spodownloads/Intranet%20lifecycle.pdf). Learn how to align goals into priority scenarios that you can [get started implementing](https://aka.ms/Implement-Intranet) quickly. Then, learn how to [engage with viewers](https://aka.ms/Engage-Intranet) and maintain your intranet over time as the organization changes and scales.
### Help your organization engage and inform
Use SharePoint to achieve specific business outcomes like narrowing the distance
## Overview of how to set up an intelligent intranet
-Harness the power of the intelligent intranet to communicate effectively across the organization, engage employees, and connect with relevant information and knowledge. Learn more about [intranet planning and implementation phases](https://resources.techcommunity.microsoft.com/intelligent-intranet) and how to get started, and considerations like how to design your home site and use multi-lingual features. Then, use the [intranet roadmap](./intranet-team-overview.md) to prepare business owners, stakeholders, site owners, and content authors.
+Harness the power of the intelligent intranet to communicate effectively across the organization, engage employees, and connect with relevant information and knowledge. Learn more about [intranet planning and implementation phases](https://aka.ms/Implement-Intranet) and how to get started, and considerations like how to design your home site and use multi-lingual features. Then, use the [intranet roadmap](./intranet-team-overview.md) to prepare business owners, stakeholders, site owners, and content authors.
![Intranet set up overview](media/intelligent_intranet_overview2.png) ### 1 - Explore what's possible
-Start by getting inspired by what you can accomplish with SharePoint by viewing [compelling business scenarios](https://resources.techcommunity.microsoft.com/intelligent-intranet/explore/), the [SharePoint look book](https://lookbook.microsoft.com/), and [guided walkthroughs](https://support.microsoft.com/office/guided-walkthroughs-creating-sites-for-your-organization-7cc52ac9-394e-417e-85fe-33070e0cd13c).
+Start by getting inspired by what you can accomplish with SharePoint by viewing [compelling business scenarios](https://aka.ms/Explore-Intranet), the [SharePoint look book](https://lookbook.microsoft.com/), and [guided walkthroughs](https://support.microsoft.com/office/guided-walkthroughs-creating-sites-for-your-organization-7cc52ac9-394e-417e-85fe-33070e0cd13c).
- Identify your key sponsors and stakeholders-- [Organize priorities](https://resources.techcommunity.microsoft.com/intelligent-intranet/align/#goals)
+- [Organize priorities](https://aka.ms/Align-Intranet)
- Align goals with SharePoint capabilities - Document and share the vision with others
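Review bot: Replacing the resources.techcommunity.microsoft.com URLs with aka.ms short links drops the fragment on the "Organize priorities" link: the old target was .../intelligent-intranet/align/#goals, the new one is https://aka.ms/Align-Intranet, which lands at the top of the page unless the redirect itself carries the anchor. Confirm the redirect resolves to the goals section, or restore the fragment. Short links also hide the destination from readers and link checkers, so it is worth recording the resolved targets in the PR description.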
SharePoint Network Utilization Planning https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/network-utilization-planning.md
Title: "Network utilization planning for the OneDrive sync app" --++ audience: ITPro f1.keywords:
SharePoint Per Machine Installation https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/per-machine-installation.md
Title: Install the sync app per-machine (Windows) --++ audience: Admin f1.keywords:
SharePoint Prevent Installation https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/prevent-installation.md
Title: "Prevent users from installing the OneDrive sync app" --++ Last updated 06/21/2018 audience: Admin
SharePoint Redirect Known Folders Macos https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/redirect-known-folders-macos.md
Title: "Redirect and move macOS known folders to OneDrive" --++ audience: Admin f1.keywords:
SharePoint Redirect Known Folders https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/redirect-known-folders.md
Title: "Redirect and move Windows known folders to OneDrive" --++ audience: Admin f1.keywords:
SharePoint Sharepoint Sync https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/sharepoint-sync.md
Title: Sync in SharePoint and OneDrive --++ recommendations: true audience: Admin
SharePoint Sharepoint View In Edge https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/sharepoint-view-in-edge.md
Title: "View SharePoint files with File Explorer in Microsoft Edge" --++ recommendations: true audience: Admin
SharePoint Sync Client Update Process https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/sync-client-update-process.md
Title: "The OneDrive sync app update process" --++ audience: Admin f1.keywords:
SharePoint Sync Health https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/sync-health.md
Title: "OneDrive sync reports in the Apps Admin Center" --++ audience: Admin f1.keywords:
SharePoint Sync Process https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/sync-process.md
Title: "How sync works" --++ audience: Admin f1.keywords:
SharePoint Sync Vdi Support https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/sync-vdi-support.md
Title: "Use the sync app on virtual desktops" --++ audience: Admin f1.keywords:
SharePoint Transition From Previous Sync Client https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/transition-from-previous-sync-client.md
Title: "Transition from the previous OneDrive for Business sync app" --++ audience: Admin f1.keywords:
SharePoint Use Group Policy https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/use-group-policy.md
Title: "Use OneDrive policies to control sync settings" --++ audience: Admin f1.keywords:
Enabling this policy sets the following registry key value to 1:
This setting lets you enter keywords to prevent the OneDrive sync app (OneDrive.exe) from uploading certain files to OneDrive or SharePoint. You can enter complete names, such as "setup.exe" or use the asterisk (*) as a wildcard character to represent a series of characters, such as *.pst. Keywords aren't case-sensitive.
+> [!NOTE]
+> The OneDrive sync app doesn't sync .tmp, .ini, and .lnk files.
+ If you enable this setting, the sync app doesn't upload new files that match the keywords you specified. No errors appear for the skipped files, and the files remain in the local OneDrive folder. > [!NOTE]
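Review bot: The added line "If you enable this setting, the sync app doesn't upload new files that match the keywords ..." ends with a dangling "> [!NOTE]" marker, while the new note about .tmp, .ini and .lnk files was inserted above it. Either that trailing callout is now empty and should be removed, or its body was lost in the move; check the rendered page before merging.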
SharePoint Use Silent Account Configuration https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/use-silent-account-configuration.md
Title: "Silently configure user accounts" --++ audience: ITPro f1.keywords:
SharePoint Exchange Trust Certificates Between Farms https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/administration/exchange-trust-certificates-between-farms.md
Title: "Exchange trust certificates between farms in SharePoint Server"-+
- IT_Sharepoint_Server - IT_Sharepoint_Server_Top - Strat_SP_server-+ ms.assetid: 6d8a9d37-d400-4d7c-b4f1-bf3c5643c98c description: "Learn how to exchange trust certificates between the publishing farm and the consuming farm in SharePoint Server."
description: "Learn how to exchange trust certificates between the publishing fa
# Exchange trust certificates between farms in SharePoint Server [!INCLUDE[appliesto-2013-2016-2019-SUB-xxx-md](../includes/appliesto-2013-2016-2019-SUB-xxx-md.md)]
-
-In SharePoint Server, a farm can connect to and consume a service application that is published on another SharePoint Server farm. For this to occur, the farms must exchange trust certificates.
-
+
+In SharePoint Server, a farm can connect to and consume a service application that is published on another SharePoint Server farm. For this to occur, the farms must exchange trust certificates.
+ Both farms must participate in this exchange for service application sharing to work.
-
+ For more information about how to share service applications across farms see [Share service applications across farms in SharePoint Server](share-service-applications-across-farms.md).
-
+ You must use Microsoft PowerShell commands to export and copy the certificates between farms. After the certificates are exported and copied, you can use either PowerShell commands or Central Administration to manage the trusts within the farm.
-
+ The instructions here assume the following criteria:
-
+ - That the servers that are used for these procedures are running PowerShell.
-
- That the administrator will select and use the same server in each farm for all steps in the process.
-
- If User Account Control (UAC) is turned on, you must run the PowerShell commands with elevated privileges.
-
-
-Before you begin this operation, review [Share service applications across farms in SharePoint Server](share-service-applications-across-farms.md) for information about prerequisites.
-
+
+Before you begin this operation, review [Share service applications across farms in SharePoint Server](share-service-applications-across-farms.md) for information about prerequisites.
+ ## Exporting and copying certificates <a name="Section2"> </a> An administrator of the consuming farm must provide two trust certificates to the publishing farm: a root certificate and a security token service (STS) certificate. An administrator of the publishing farm must provide a root certificate to the consuming farm.
-
+ You can only export and copy certificates by using Windows PowerShell 3.0 or later.
-
+ ### To export the root certificate from the consuming farm 1. On a server that is running SharePoint Server on the consuming farm, verify that you have the following memberships:
-
- - **securityadmin** fixed server role on the SQL Server instance.
-
- - **db_owner** fixed database role on all databases that are to be updated.
-
+
+ - **securityadmin** fixed server role on the SQL Server instance.
+ - **db_owner** fixed database role on all databases that are to be updated.
- Administrators group on the server on which you are running the PowerShell cmdlets.
-
- Add memberships that are required beyond the minimums above.
-
- An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets.
-
+
+ An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets.
+ > [!NOTE]
- > If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see [Add-SPShellAdmin](/powershell/module/sharepoint-server/Add-SPShellAdmin?view=sharepoint-ps&preserve-view=true).
-
-2. Start the SharePoint Management Shell.
-
-3. At the PowerShell command prompt, type the following command:
-
- ```powershell
- $rootCert = (Get-SPCertificateAuthority).RootCertificate
- ```
+ > If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see [Add-SPShellAdmin](/powershell/module/sharepoint-server/Add-SPShellAdmin?view=sharepoint-ps&preserve-view=true).
+
+2. In the SharePoint Management Shell, run the following commands:
```powershell
- $rootCert.Export("Cert") | Set-Content <C:\ConsumingFarmRoot.cer> -Encoding byte
+ $CFrootCert = (Get-SPCertificateAuthority).RootCertificate
+
+ [System.IO.File]::WriteAllBytes('C:\ConsumingFarmRoot.cer', $CFrootCert.Export("Cert"))
```
- Where _\<C:\ConsumingFarmRoot.cer\>_ is the path of the root certificate.
-
+
+ Where `C:\ConsumingFarmRoot.cer` is the path of the root certificate.
+ ### To export the STS certificate from the consuming farm 1. Verify that you have the following memberships:
-
- - **securityadmin** fixed server role on the SQL Server instance.
-
- - **db_owner** fixed database role on all databases that are to be updated.
-
+
+ - **securityadmin** fixed server role on the SQL Server instance.
+ - **db_owner** fixed database role on all databases that are to be updated.
- Administrators group on the server on which you are running the PowerShell cmdlets.
-
- Add memberships that are required beyond the minimums above.
-
- An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets.
-
+
+ An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets.
+ > [!NOTE]
- > If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see [Add-SPShellAdmin](/powershell/module/sharepoint-server/Add-SPShellAdmin?view=sharepoint-ps&preserve-view=true).
-
-2. Start the SharePoint Management Shell.
-
-3. At the PowerShell command prompt, type the following command:
-
+ > If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see [Add-SPShellAdmin](/powershell/module/sharepoint-server/Add-SPShellAdmin?view=sharepoint-ps&preserve-view=true).
+
+2. In the SharePoint Management Shell, run the following commands:
+ ```powershell $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
- ```
- ```powershell
- $stsCert.Export("Cert") | Set-Content <C:\ConsumingFarmSTS.cer> -Encoding byte
+ [System.IO.File]::WriteAllBytes('C:\ConsumingFarmSTS.cer', $stsCert.Export("Cert"))
```
- Where _\<C:\ConsumingFarmSTS.cer\>_ is the path of the STS certificate.
-
+ Where `C:\ConsumingFarmSTS.cer` is the path of the STS certificate.
+ ### To export the root certificate from the publishing farm 1. On a server that is running SharePoint Server on the publishing farm, verify that you have the following memberships:
-
- - **securityadmin** fixed server role on the SQL Server instance.
-
- - **db_owner** fixed database role on all databases that are to be updated.
-
+
+ - **securityadmin** fixed server role on the SQL Server instance.
+ - **db_owner** fixed database role on all databases that are to be updated.
- Administrators group on the server on which you are running the PowerShell cmdlets.
-
- Add memberships that are required beyond the minimums above.
-
- An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets.
-
+
+ An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets.
+ > [!NOTE]
- > If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see [Add-SPShellAdmin](/powershell/module/sharepoint-server/Add-SPShellAdmin?view=sharepoint-ps&preserve-view=true).
-
-2. Start the SharePoint Management Shell.
-
-3. At the PowerShell command prompt, type the following command:
-
- ```powershell
- $rootCert = (Get-SPCertificateAuthority).RootCertificate
- ```
+ > If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see [Add-SPShellAdmin](/powershell/module/sharepoint-server/Add-SPShellAdmin?view=sharepoint-ps&preserve-view=true).
+
+2. In the SharePoint Management Shell, run the following commands:
```powershell
- $rootCert.Export("Cert") | Set-Content <C:\PublishingFarmRoot.cer> -Encoding byte
+ $PFrootCert = (Get-SPCertificateAuthority).RootCertificate
+
+ [System.IO.File]::WriteAllBytes('C:\PublishingFarmRoot.cer', $PFrootCert.Export("Cert"))
```
- Where _\<C:\PublishingFarmRoot.cer\>_ is the path of the root certificate.
-
+ Where `C:\PublishingFarmRoot.cer` is the path of the root certificate.
+ ### To copy the certificates
-1. Copy the root certificate and the STS certificate from the server in the consuming farm to the server in the publishing farm.
-
-2. Copy the root certificate from the server in the publishing farm to a server in the consuming farm.
-
+1. Copy the root certificate and the STS certificate from the server in the consuming farm to the server in the publishing farm.
+2. Copy the root certificate from the server in the publishing farm to a server in the consuming farm.
+ ## Managing trust certificates by using PowerShell <a name="Section2a"> </a> Managing trust certificates in a farm involves establishing trust. This section describes how to establish trust on both the consuming and publishing farms by using PowerShell commands.
-
+ ### Establishing trust on the consuming farm <a name="Section3"> </a> To establish trust on the consuming farm, you must import the root certificate that was copied from the publisher farm and create a trusted root authority.
-
+ #### To import the root certificate and create a trusted root authority on the consuming farm 1. Verify that you have the following memberships:
-
- - **securityadmin** fixed server role on the SQL Server instance.
-
- - **db_owner** fixed database role on all databases that are to be updated.
-
+
+ - **securityadmin** fixed server role on the SQL Server instance.
+ - **db_owner** fixed database role on all databases that are to be updated.
- Administrators group on the server on which you are running the PowerShell cmdlets.
-
- Add memberships that are required beyond the minimums above.
-
- An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets.
-
+
+ An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets.
+ > [!NOTE]
- > If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see [Add-SPShellAdmin](/powershell/module/sharepoint-server/Add-SPShellAdmin?view=sharepoint-ps&preserve-view=true).
-
-2. Start the SharePoint Management Shell.
-
-3. At the PowerShell command prompt, type the following command:
-
- ```powershell
- $trustCert = Get-PfxCertificate <C:\PublishingFarmRoot.cer>
- ```
+ > If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see [Add-SPShellAdmin](/powershell/module/sharepoint-server/Add-SPShellAdmin?view=sharepoint-ps&preserve-view=true).
+
+2. In the SharePoint Management Shell, run the following commands:
```powershell
- New-SPTrustedRootAuthority <PublishingFarm> -Certificate $trustCert
+ $trustCert = Get-PfxCertificate "<C:\PublishingFarmRoot.cer>"
+
+ New-SPTrustedRootAuthority "<PublishingFarm>" -Certificate $trustCert
``` Where:
-
- - _\<C:\PublishingFarmRoot.cer\>_ is the path of the root certificate that you copied to the consuming farm from the publishing farm.
-
- - _\<PublishingFarm\>_ is a unique name that identifies the publishing farm. Each trusted root authority must have a unique name.
-
+
+ - _\<C:\PublishingFarmRoot.cer\>_ is the path of the root certificate that you copied to the consuming farm from the publishing farm.
+ - _\<PublishingFarm\>_ is a unique name that identifies the publishing farm. Each trusted root authority must have a unique name.
+ ### Establishing trust on the publishing farm <a name="Section3"> </a> To establish trust on the publishing farm, you must import the root certificate that was copied from the consuming farm and create a trusted root authority. You must then import the STS certificate that was copied from the consuming farm and create a trusted service token issuer.
-
+ #### To import the root certificate and create a trusted root authority on the publishing farm 1. Verify that you have the following memberships:
-
- - **securityadmin** fixed server role on the SQL Server instance.
-
- - **db_owner** fixed database role on all databases that are to be updated.
-
+
+ - **securityadmin** fixed server role on the SQL Server instance.
+ - **db_owner** fixed database role on all databases that are to be updated.
- Administrators group on the server on which you are running the PowerShell cmdlets.
-
- Add memberships that are required beyond the minimums above.
-
- An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets.
-
+
+ An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets.
+ > [!NOTE]
- > If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see [Add-SPShellAdmin](/powershell/module/sharepoint-server/Add-SPShellAdmin?view=sharepoint-ps&preserve-view=true).
-
-2. Start the SharePoint Management Shell.
-
-3. At the PowerShell command prompt, type the following command:
-
- ```powershell
- $trustCert = Get-PfxCertificate <C:\ConsumingFarmRoot.cer>
- ```
+ > If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see [Add-SPShellAdmin](/powershell/module/sharepoint-server/Add-SPShellAdmin?view=sharepoint-ps&preserve-view=true).
+
+2. In the SharePoint Management Shell, run the following commands:
```powershell
- New-SPTrustedRootAuthority <ConsumingFarm> -Certificate $trustCert
+ $trustCert = Get-PfxCertificate "<C:\ConsumingFarmRoot.cer>"
+
+ New-SPTrustedRootAuthority "<ConsumingFarm>" -Certificate $trustCert
``` Where:
-
- - _\<C:\ConsumingFarmRoot.cer\>_ is the name and location of the root certificate that you copied to the publishing farm from the consuming farm.
-
- - _\<ConsumingFarm\>_ is a unique name that identifies the consuming farm. Each trusted root authority must have a unique name.
-
+
+ - _\<C:\ConsumingFarmRoot.cer\>_ is the name and location of the root certificate that you copied to the publishing farm from the consuming farm.
+ - _\<ConsumingFarm\>_ is a unique name that identifies the consuming farm. Each trusted root authority must have a unique name.
+ ### To import the STS certificate and create a trusted service token issuer on the publishing farm <a name="Section3"> </a> 1. Verify that you have the following memberships:
-
- - **securityadmin** fixed server role on the SQL Server instance.
-
- - **db_owner** fixed database role on all databases that are to be updated.
-
+
+ - **securityadmin** fixed server role on the SQL Server instance.
+ - **db_owner** fixed database role on all databases that are to be updated.
- Administrators group on the server on which you are running the PowerShell cmdlets.
-
- Add memberships that are required beyond the minimums above.
-
- An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets.
-
+
+ An administrator can use the **Add-SPShellAdmin** cmdlet to grant permissions to use SharePoint Server cmdlets.
+ > [!NOTE]
- > If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see [Add-SPShellAdmin](/powershell/module/sharepoint-server/Add-SPShellAdmin?view=sharepoint-ps&preserve-view=true).
-
-2. Start the SharePoint Management Shell.
-
-3. At the PowerShell command prompt, type the following command:
-
- ```powershell
- $stsCert = Get-PfxCertificate
- <c:\ConsumingFarmSTS.cer>
- ```
+ > If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see [Add-SPShellAdmin](/powershell/module/sharepoint-server/Add-SPShellAdmin?view=sharepoint-ps&preserve-view=true).
+
+2. In the SharePoint Management Shell, run the following commands:
```powershell
- New-SPTrustedServiceTokenIssuer <ConsumingFarm> -Certificate $stsCert
+ $stsCert = Get-PfxCertificate "<c:\ConsumingFarmSTS.cer>"
+
+ New-SPTrustedServiceTokenIssuer "<ConsumingFarm>" -Certificate $stsCert
``` Where:
-
- - _\<C:\ConsumingFarmSTS.cer\>_ is the path of the STS certificate that you copied to the publishing farm from the consuming farm.
-
- - _\<ConsumingFarm\>_ is a unique name that identifies the consuming farm. Each trusted service token issuer must have a unique name.
-
+
+ - _\<C:\ConsumingFarmSTS.cer\>_ is the path of the STS certificate that you copied to the publishing farm from the consuming farm.
+ - _\<ConsumingFarm\>_ is a unique name that identifies the consuming farm. Each trusted service token issuer must have a unique name.
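Review bot: `### To import the STS certificate and create a trusted service token issuer on the publishing farm <a name="Section3"> </a>` reuses the `Section3` anchor already declared on `### Establishing trust on the publishing farm <a name="Section3"> </a>`, so a `#Section3` link resolves only to the first heading; give the STS procedure its own anchor or drop the tag. That heading should also be `####`, matching its sibling `#### To import the root certificate and create a trusted root authority on the publishing farm`, since both are procedures under the same section. Minor: `$stsCert = Get-PfxCertificate "<c:\ConsumingFarmSTS.cer>"` uses a lowercase drive letter while the Where list names `<C:\ConsumingFarmSTS.cer>`; make the two identical so readers can match the placeholder to its explanation.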
+ For more information about these PowerShell cmdlets, see the following articles:
-
-
-
-
-
-
+
+- [Get-SPCertificateAuthority](/powershell/module/sharepoint-server/Get-SPCertificateAuthority?view=sharepoint-ps&preserve-view=true)
+- [Get-SPSecurityTokenServiceConfig](/powershell/module/sharepoint-server/Get-SPSecurityTokenServiceConfig?view=sharepoint-ps&preserve-view=true)
+- [New-SPTrustedRootAuthority](/powershell/module/sharepoint-server/New-SPTrustedRootAuthority?view=sharepoint-ps&preserve-view=true)
+- [New-SPTrustedServiceTokenIssuer](/powershell/module/sharepoint-server/New-SPTrustedServiceTokenIssuer?view=sharepoint-ps&preserve-view=true)
+- [Get-PfxCertificate](https://go.microsoft.com/fwlink/?LinkID=717913&amp;clcid=0x409)
+ For information about how to use a script to automate part of this process, see [Exchange trust certificates between farms](/samples/browse/?redirectedfrom=TechNet-Gallery).
-
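Review bot: the sentence `For information about how to use a script to automate part of this process, see [Exchange trust certificates between farms](/samples/browse/?redirectedfrom=TechNet-Gallery)` links to the generic samples browser through a TechNet Gallery redirect, and its link text is this article's own title, so a reader lands on an unrelated listing with no script to find. Either link the specific sample that replaced the retired gallery entry or remove the sentence rather than keep a dead pointer. Nit: the `Get-PfxCertificate` entry uses a `go.microsoft.com` fwlink while the four SharePoint cmdlet entries use `/powershell/module/...` paths; `/powershell/module/microsoft.powershell.security/get-pfxcertificate` would be consistent with them.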
+ ## Managing trust certificates by using Central Administration <a name="Section4"> </a>
-You can manage trusts on a farm only after the relevant certificates have already been exported and copied to the farm.
-
+You can manage trusts on a farm only after the relevant certificates have already been exported and copied to the farm.
+ ### To establish trust by using Central Administration 1. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.
-
+ 2. On the SharePoint Central Administration website, click **Security**.
-
+ 3. On the Security page, in the **General Security** section, click **Manage trust**.
-
+ 4. On the Trust Relationship page, on the ribbon, click **New**.
-
+ 5. On the Establish Trust Relationship page, do the following steps:
-
- - Supply a name that describes the purpose of the trust relationship.
-
- - Browse to and select the Root Authority Certificate for the trust relationship. This must be the Root Authority Certificate that was exported from the other farm by using Microsoft PowerShell, as described in [Exporting and copying certificates](exchange-trust-certificates-between-farms.md#Section2).
-
+
+ - Supply a name that describes the purpose of the trust relationship.
+
+ - Browse to and select the Root Authority Certificate for the trust relationship. This must be the Root Authority Certificate that was exported from the other farm by using Microsoft PowerShell, as described in [Exporting and copying certificates](exchange-trust-certificates-between-farms.md#Section2).
+ - If you are performing this task on the publishing farm, select the check box for **Provide Trust Relationship**. Type in a descriptive name for the token issuer and browse to and select the STS certificate that was copied from the consuming farm, as described in [Exporting and copying certificates](exchange-trust-certificates-between-farms.md#Section2).
-
+ - Click **OK**.
-
+ After a trust relationship is established, you can modify the Token Issuer description or the certificates that are used by clicking the trust, and then clicking **Edit**. You can delete a trust by clicking it, and then clicking **Delete**.
-
+ ## See also <a name="Section4"> </a>
-#### Concepts
+### Concepts
[Plan for user authentication methods in SharePoint Server](../security-for-sharepoint-server/plan-user-authentication.md)
-#### Other Resources
+
+### Other Resources
[Create a web application in SharePoint Server](/previous-versions/office/sharepoint-server-2010/cc261875(v=office.14))
-
-[Configure SAML-based claims authentication with AD FS in SharePoint Server](/previous-versions/office/sharepoint-server-2010/hh305235(v=office.14))
+
+[Configure SAML-based claims authentication with AD FS in SharePoint Server](/previous-versions/office/sharepoint-server-2010/hh305235(v=office.14))
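Review bot: `## See also <a name="Section4"> </a>` reuses the `Section4` anchor already declared on `## Managing trust certificates by using Central Administration <a name="Section4"> </a>`, so a `#Section4` link resolves to the Central Administration heading; give See also its own anchor, or none, since nothing on the page links to it. The change of Concepts and Other Resources from `####` to `###` is correct under a `##` heading. Both Other Resources links point at SharePoint Server 2010 previous-versions pages; worth confirming they are still the intended targets for a page that otherwise references current SharePoint Server cmdlets.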