Thursday, November 20, 2014

Procedure and tips to replace the STS certificate in on-premises environment for SharePoint Server 2013 hybrid solution

When SharePoint Server is installed, the Security Token Service (STS) of the on-premises SharePoint Server farm creates a default certificate to validate incoming tokens. When a trust relationship is needed between two SharePoint Server farms, or, as in this case, when a farm is configured to participate in a hybrid environment, you must use a common STS certificate between the trust members.

Microsoft has published a procedure to replace the STS certificate in an on-premises SharePoint environment. This post adds some tips to that procedure to help you configure the trust between the environments smoothly and successfully.

Before you start the STS certificate replacement, you need a certificate with at least a 2048-bit key. If the certificate is purchased from a CA, that CA must be trusted by Azure AD; the good news is that most public root CAs are trusted by Azure AD. For a non-production SharePoint environment you can also follow the instructions to create a self-signed certificate. Either way, the certificate should have a friendly name for easy maintainability. Please refer to a different blog post for how to add or modify the friendly name of a certificate.

1. The first step is to prepare the certificate used for the STS. If the certificate has already been uploaded to the IIS server, use IIS Manager to export it in both formats: a .pfx file, which contains the private key, and a .cer file, which does not.
  • Export the certificate as a .pfx file
    • On a web server in your SharePoint Server farm, click Start -> Administrative Tools -> Internet Information Services (IIS) Manager. 
    • Click on the name of your server. 
    • In the details pane, double-click Server Certificates under IIS. 
    • In the details pane, right-click the new certificate, and then click Export. In Export Certificate, specify a path and name like "O365" to store the .pfx file for the certificate in Export to, and a password like "MyPassword" for the certificate file in Password and Confirm password. 
    • Click Finish, and then click OK twice. 
    • This creates a .pfx file like "O365.pfx" that contains the private key and is protected by the password "MyPassword".
  • Export the certificate as a .cer file 
    • On the same server, click Start -> Administrative Tools -> Internet Information Services (IIS) Manager. 
    • Click on the name of your server. 
    • In the details pane, double-click Server Certificates (under IIS). 
    • Right-click the new certificate you created in the last step, and then click View. 
    • On the Details tab, click Copy to File. 
    • Click Next on the wizard. 
    • On the Export Private Key page, ensure that No, do not export the private key is selected and then click Next. 
    • On the Export File Format page, choose Base-64 encoded X.509 (.CER), and then click Next. Do not use DER encoded binary X.509 (.CER).
    • On the Export Certificate page, type a path and file name like "O365.cer" for the .cer file, and then click Next. 
    • Click Finish, and then click OK twice. 
    • This creates a .cer file like "O365.cer".

2. The second step is to replace the STS certificate on each server in the SharePoint Server 2013 farm, which involves two processes.
  • Replace the STS certificate in the certificate store.
  • Update the settings of the SharePoint security token service (STS) identity provider.
To replace the STS certificate in the certificate store, follow these steps on each server in the SharePoint Server 2013 farm.
  • Verify that the user account running this procedure is a member of the Farm Administrators group. 
  • Click Start > Run. 
  • Type mmc, and then press ENTER. If a User Account Control dialog box is displayed, click Yes. 
  • Go to File > Add/Remove Snap-in > Certificates > Add > Computer account > Next > Finish, and then click OK. 
  • Click the plus sign to expand Certificates, right-click Trusted Root Certification Authorities > All Tasks > Import. 
  • Click Next. The Welcome to the Certificate Import Wizard dialog box is displayed. 
  • Click Browse. Select the .pfx file you want to import, like "O365.pfx", click Open, and then click Next. You will need to enter the .pfx password.
  • Under Certificate Store, click Place all certificates in the following store, make sure Trusted Root Certification Authorities is chosen and then click Next. 
  • Click Finish. 
  • Repeat the preceding steps on the other front-end web and application servers in the SharePoint Server farm.
To verify that you have successfully replaced the STS certificate in the certificate store, follow the same steps as listed above to browse the Trusted Root Certification Authorities store, as in the screenshot. You should see "O365" in the certificate store.



To update the settings of the SharePoint security token service (STS) identity provider, follow these steps on one server in the SharePoint Server 2013 farm.
  • Start the SharePoint 2013 Management Shell. 
  • At the Windows PowerShell command prompt, paste the following commands:
           # Path and password of the .pfx exported in step 1
           $pfxPath = "<path to replacement certificate (.pfx file)>"
           $pfxPass = "<certificate password>"
           # Path of the .cer (public key only) exported in step 1
           $cerPath = "<path to replacement certificate (.cer file)>"
           # Load the certificate with its private key; 20 = X509KeyStorageFlags Exportable (4) + PersistKeySet (16)
           $stsCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $pfxPath, $pfxPass, 20
           # Configure the STS to sign tokens with the new certificate
           Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCertificate
           # Add the public certificate to the enterprise Trusted Root store (certutil expects a file path, not the PowerShell object)
           certutil -addstore -enterprise -f -v root $cerPath
           # Restart IIS and the SharePoint timer service so they pick up the new certificate
           iisreset
           net stop SPTimerV4
           net start SPTimerV4
  • On each of the other web front-end (WFE) servers, run the following commands:
           iisreset
           net stop SPTimerV4
           net start SPTimerV4
  • To validate this step, at the Windows PowerShell command prompt where you pasted the commands, type: $stsCertificate | fl
  • In the output on the screen, confirm that the certificate has the new friendly name "O365".

As you can see, this verification only works right after you complete the configuration, while the PowerShell session still holds the $stsCertificate variable. If you have closed the PowerShell window and want to verify the certificate configured for the SharePoint security token service (STS) identity provider, you can use the following command. You will find the newly imported certificate in the list.
           Get-ChildItem cert:\LocalMachine\SharePoint | fl

You can find the thumbprint of the certificate by viewing its details, and then use it for verification.


In addition, you can use the following commands to verify that you have the correct certificate.

           # Load the replacement certificate from the .pfx again
           $pfxPath = "<path to replacement certificate (.pfx file)>"
           $pfxPass = "<certificate password>"
           $stsCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $pfxPath, $pfxPass, 20
           # Show the certificate from the .pfx and the one the STS is now configured to sign with
           $stsCertificate
           (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate

Compare the outputs of the two commands above: matching thumbprints confirm that the STS certificate has been replaced successfully.

Alternatively, you can use the following steps.

    # List the service applications and note the Id of the Security Token Service Application
    Get-SPServiceApplication
    # Replace the GUID with the Id of the Security Token Service Application shown in the output above
    $stsSA = Get-SPServiceApplication | ? { $_.Id -eq "5837da73-b393-444f-ae2c-ac057877df08" }
    $stsSA.SigningCertificate
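As an added example (not from the original post or from Microsoft's procedure), the following function bundles the checks described above into one report: the 2048-bit key requirement, presence of the private key, validity period, and thumbprint matches between the .pfx, the STS signing certificate, and the LocalMachine SharePoint and Trusted Root stores. It assumes the SharePoint 2013 Management Shell; the path, password and friendly name are placeholders.

```powershell
# Added example, not part of the original post. Run in the SharePoint 2013 Management Shell.
function Test-StsCertificateReplacement {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,          # placeholder: .pfx exported in step 1
        [Parameter(Mandatory)] [string] $PfxPassword,      # placeholder: its password
        [string] $ExpectedFriendlyName = "O365"            # friendly name used in the post
    )
    $results = @()

    # Load the replacement certificate the same way the procedure does
    # (20 = X509KeyStorageFlags Exportable (4) + PersistKeySet (16)).
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxPath, $PfxPassword, 20

    # Requirement from the post: at least a 2048-bit key.
    $keySize = $pfx.PublicKey.Key.KeySize
    $results += [pscustomobject]@{ Check = "Key size >= 2048"; Passed = ($keySize -ge 2048); Detail = $keySize }

    # The STS needs the private key to sign tokens.
    $results += [pscustomobject]@{ Check = "Has private key"; Passed = $pfx.HasPrivateKey; Detail = $pfx.HasPrivateKey }

    # The certificate must currently be within its validity period.
    $now = Get-Date
    $valid = ($now -ge $pfx.NotBefore) -and ($now -le $pfx.NotAfter)
    $results += [pscustomobject]@{ Check = "Within validity"; Passed = $valid; Detail = $pfx.NotAfter }

    # The STS must now sign with exactly this certificate: compare thumbprints.
    $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    $results += [pscustomobject]@{ Check = "STS signing cert matches .pfx"; Passed = ($stsCert.Thumbprint -eq $pfx.Thumbprint); Detail = $stsCert.Thumbprint }

    # It should also appear in the LocalMachine\SharePoint store with the expected friendly name.
    $storeCert = Get-ChildItem Cert:\LocalMachine\SharePoint | Where-Object { $_.Thumbprint -eq $pfx.Thumbprint }
    $results += [pscustomobject]@{ Check = "Present in SharePoint store"; Passed = ($null -ne $storeCert); Detail = $storeCert.FriendlyName }
    $results += [pscustomobject]@{ Check = "Friendly name"; Passed = ($storeCert.FriendlyName -eq $ExpectedFriendlyName); Detail = $storeCert.FriendlyName }

    # And in Trusted Root, where the certificate was imported in step 2.
    $rootCert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $pfx.Thumbprint }
    $results += [pscustomobject]@{ Check = "Present in Trusted Root"; Passed = ($null -ne $rootCert); Detail = $rootCert.Subject }

    return $results
}

# Placeholder path and password; every row should show Passed = True after the procedure.
Test-StsCertificateReplacement -PfxPath "C:\certs\O365.pfx" -PfxPassword "MyPassword" | Format-Table -AutoSize
```

Run it on each server after the restarts; the store checks are per machine, while the STS signing certificate check reflects the farm-wide configuration.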


Now you have confirmed that the STS certificate was successfully replaced in on-premises SharePoint, establishing server-to-server trust with the Office 365 servers.

See Ultimate procedure to display SharePoint online hybrid search results in SharePoint Server 2013 for other steps to configure hybrid search.
