Before You Start
This document describes the steps needed for installing the various Aspire components of the SharePoint 2013 Publisher Endpoint.
This installation is done through a PowerShell script that will set up and configure the following components:
- Intermediate Repository. Shared folder created to be used as a SharePoint External Source.
- (IIS Service) Aspire Service. Acts as a data source for the Aspire External Content Type (ECT).
- Reads XML files from the Repository using a separate timestamp file to manage updated content.
- Protected using NT LAN Manager (NTLM) authentication mechanism.
- Any user accessing this service must be a member of the AspireUsers Active Directory or local Windows group.
- (SharePoint Solution) Notification Endpoint. Receives requests for crawling the Aspire Content Source.
- Creates the Content Source specific directory in the publisher file share.
- Creates the Search Service Application Content Source.
- Creates the Business Data Connectivity (BDC) Model and External Content Type (ECT) in SharePoint Business Data Connectivity Services.
- Security Trimmer. Used to enhance the search query in SharePoint Search using group expansion from Aspire.
- Error Crawl Logs. Used to get crawled document logs from a content source.
Installation and Prerequisites
- SharePoint 2013 Publisher EndPoint Prerequisites
- SharePoint 2013 Publisher EndPoint Installation
- Removing the SharePoint 2013 Publisher EndPoint
OS and Application information
OS Requirements
- 64-bit edition of Windows Server 2008 R2 Service Pack 1 (SP1) Standard, Enterprise, or Datacenter
- Or 64-bit edition of Windows Server 2012 Standard or Datacenter
Requirements by Component
Notification Service
- SharePoint 2013
Aspire BDC Service
In Windows Server 2008 R2 SP1
- IIS Server role
- Common HTTP Features
- Static Content
- Default Document
- Directory Browsing
- HTTP Errors
- HTTP Redirection
- Application Development
- ASP.Net
- .Net Extensibility
- ISAPI Extensions
- ISAPI Filters
- Security
- Basic Authentication
- Windows Authentication
- Digest Authentication
- Client Certificate Mapping Authentication
- IIS Client Certificate Mapping Authentication
- URL Authorization
- Request Filtering
- IP and Domain Restrictions
- Management Tools
- IIS Management Console
- IIS Management Scripts and Tools
- Management Service
- Common HTTP Features
- Application Server role
- All role features (confirm all dependencies)
- Microsoft .NET Framework version 4.5
In Windows Server 2012
- IIS Server role
- Common HTTP Features
- Static Content
- Default Document
- Directory Browsing
- HTTP Errors
- HTTP Redirection
- Application Development
- ASP.Net 3.5
- ASP.Net 4.5
- .Net Extensibility 3.5
- .Net Extensibility 4.5
- ISAPI Extensions
- ISAPI Filters
- Server Side Includes
- Security
- Basic Authentication
- Windows Authentication
- Digest Authentication
- Client Certificate Mapping Authentication
- IIS Client Certificate Mapping Authentication
- URL Authorization
- Request Filtering
- IP and Domain Restrictions
- Management Tools
- IIS Management Console
- IIS Management Scripts and Tools
- Management Service
- Common HTTP Features
- Application Server role (confirm all dependencies)
- .Net Framework 4.5
- TCP Port Sharing
- Web Server (IIS) support
- Windows Process Activation Service Support
- Named Pipes Activation
- HTTP Activation
- TCP Activation
Info |
---|
These prerequisites can be installed either manually via Server Manager or by running the SharePoint 2013 prerequisite installer. |
User Account Requirements
To run the deploy scripts use an account with the following requirements:
- Domain user.
- Member of the Administrators user group.
The following are the user requirements for each component of the Endpoint:
Intermediate Repository
- Domain user
- Member of AspireUsers user group
Aspire BDC Service
- Domain user
- Member of AspireUsers user group
Notification Service
- Domain user
- Member of AspireUsers user group
- SharePoint Shell Admin (user who has SharePoint_Shell_Access role in farm configuration database, and member of WSS_Admin_WPG group)
- The SharePoint Application Pool Account has to be Search Service Application administrator
- Default content access account
- BDC Service Application administrator
- BDC Metadata Store Permissions:
- Edit
- Execute
- Selectable in Clients
- Set Permissions
- “WSS_Content_Application_Pools” administration content database role.
If the user running the SharePoint Application Pool is different from the user you are using to access the Notification Service, then the Application Pool account should be the one that has the Search Service Application administrator permission, not the account that has access to the service. In that case, after setting the application pool account as a Search Service Application administrator, confirm that the account has the following permissions in the Search Databases. If not, add them manually:
- SPSearchDBAdmin
- SPSearchDBAdmin
- SPSearchDBAdmin
- SPSearchDBAdmin
Manually add user permissions
- To add a user as a SharePoint Shell Admin, execute the “Add-SPShellAdmin” cmdlet (http://technet.microsoft.com/en-us/library/ff607596.aspx):
- Start SharePoint shell as administrator.
- Run “Add-SPShellAdmin -UserName <username>”.
- Make the SharePoint Application Pool account a Search Service Application administrator:
- Central Admin -> Application Management -> Manage Service Applications.
- Select “Search Service Application” row (not the link).
- Click on the “Administrators” button on the ribbon.
- Add the user and give it “Full Control” permissions.
- Make the user the Default content access account:
- Go to Central Admin -> Application Management -> Manage Service Applications -> Search Service Application.
- Click the current access account.
- Enter the new account credentials
- Make the user a Business Data Connectivity Service administrator:
- Central Admin -> Application Management -> Manage Service Applications.
- Select “Business Data Connectivity Service” row (not the link).
- Click on the “Administrators” button on the ribbon.
- Add the user and give it “Full Control” permissions.
- Give the user Metadata Store permissions:
- Central Admin -> Application Management -> Manage Service Applications -> Business Data Connectivity Service.
- On the ribbon, select "Set Metadata Store Permissions".
- Add the user and select all the permissions.
- Click OK.
- Add administration content database role membership:
- Add the Notification Endpoint app pool user to the “WSS_Content_Application_Pools” database role of SharePoint_AdminContent_<GUID>.
- For search databases, confirm that the account has the SPSearchDBAdmin database role. This should already be added to the account you set up as the Search Service Application administrator. If not, add it manually.
- To access the list of database roles on SQLSERVER:
- Open the SQL Server Management Studio.
- Go to Security -> Logins.
- Right click on the user and select Properties.
- Select "User Mappings".
Database Permissions Checklist
After making all the changes described above, this is the complete list of user database roles as they should be.
- SPDataAccess
- SharePoint_Shell_Access
- SPDataAccess
- WSS_Content_Application_Pools
- SharePoint_Shell_Access
- SPDataAccess
- SPSearchDBAdmin
- SPSearchDBAdmin
- SPSearchDBAdmin
- SPSearchDBAdmin
Note |
---|
Since SharePoint setup user and server farm account have these privileges, it is recommended to use one of those accounts for this. Setup user is recommended, since it has machine admin rights as well. |
Security Pre-Trimmer
The Security PreTrimmer requires that the user identity sent to it contains at least one of the following claim types:
- claims/userlogonname: This is for Windows authentication. The pre-trimmer sends this value to the Aspire Group Expansion.
- claims/primarysid: This is for other types of authentication (e.g. ADFS). The pre-trimmer takes the primary SID value and translates it into a valid user ID to send to the Aspire Group Expansion.
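The claim handling described above, sketched as an added example (not the Security Pre-Trimmer's own code). The function name Resolve-TrimmerUserId, the order in which the two claims are checked, and the sample identities are assumptions; claim type URIs are matched by suffix because this page names only the trailing part.

```powershell
# Hypothetical helper: picks the value that would be sent to group expansion.
function Resolve-TrimmerUserId {
    param([Parameter(Mandatory = $true)] [object[]] $Claims)

    # Windows authentication: the logon name is used as-is.
    $logon = $Claims | Where-Object { $_.Type -like '*claims/userlogonname' } |
        Select-Object -First 1
    if ($logon) {
        return [pscustomobject]@{ Source = 'userlogonname'; UserId = $logon.Value }
    }

    # Other providers (e.g. ADFS): translate the primary SID into an account name.
    $sidClaim = $Claims | Where-Object { $_.Type -like '*claims/primarysid' } |
        Select-Object -First 1
    if (-not $sidClaim) {
        throw 'Identity carries neither claim type; the pre-trimmer requirement is not met.'
    }
    try {
        $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidClaim.Value)
        $account = $sid.Translate([System.Security.Principal.NTAccount])
        return [pscustomobject]@{ Source = 'primarysid'; UserId = $account.Value }
    } catch [System.Security.Principal.IdentityNotMappedException] {
        throw "SID $($sidClaim.Value) does not map to an account from this server."
    }
}

# Constructed sample identities (S-1-5-18 is the well-known LocalSystem SID,
# chosen because it translates without a domain controller).
$windowsUser = @([pscustomobject]@{
    Type  = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname'
    Value = 'QA\spadmin'
})
$federatedUser = @([pscustomobject]@{
    Type  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
    Value = 'S-1-5-18'
})

Resolve-TrimmerUserId -Claims $windowsUser
Resolve-TrimmerUserId -Claims $federatedUser
```

Running the SID translation on the SharePoint server itself shows whether a federated user's primarysid claim can be resolved there, which is a precondition for the trimmer to expand that user's groups.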
SharePoint 2013 Aspire Components Installation
This describes the steps needed for installing the various Aspire components of the SharePoint 2013 Publisher Endpoint.
This installation is done through a PowerShell script that will set up and configure the following components:
- Intermediate Repository. Shared folder created to be used as a SharePoint External Source.
- (IIS Service) Aspire Service. Acts as a data source for the Aspire ECT.
- Reads XML files from the Repository using a separate timestamp file to manage updated content.
- Protected using NTLM authentication mechanism.
- Any user accessing this service must be a member of the AspireUsers Active Directory or local Windows group.
- (SharePoint Solution) Notification Endpoint. Receives requests for crawling the Aspire Content Source.
- Creates the Content Source specific directory in the publisher file share.
- Creates the Search Service Application Content Source.
- Creates the BDC Model and External Content Type (ECT) in SharePoint Business Data Connectivity Services.
- Security Trimmer. Used to enhance the search query in SharePoint Search using group expansion from Aspire.
- Error Crawl Logs. Used to get crawled document logs from a content source.
Publisher Installation
Single Server Installation
- Download the latest version of the installation files from our repository
- Log in to a SharePoint 2013 server
- Copy the installation package (Deploy file) to that server
- Extract it to some directory (e.g. C:\Deploy)
- Fill in the configurationParameters.xml
- Start PowerShell as administrator
- cd to the scripts directory (cd "C:\Deploy\scripts")
- Run:

```
.\DeployPublisher.ps1 -configurationFilePath ..\config\configurationParameters.xml
```

- (Optional) Install the Security Trimmer. Run:

```
.\DeployAspireSecurityTrimmer.ps1 -configurationFilePath ..\config\configurationParameters.xml
```

- Reboot the server to ensure security group memberships are updated
- Deploy and configure Aspire component (SharePoint 2013 Publisher Configuration Tutorial)
Multi-Server Installation
- Install the intermediate repository
- Log in to the server where you plan to install the intermediate repository
- Copy the installation package (Deploy file) to that server
- Extract it to some directory (C:\DeployRepository)
- Fill in the configurationParameters.xml
- Start PowerShell as administrator
- cd to the scripts directory (cd "C:\DeployRepository\scripts")
- Run:

```
.\DeployIntermediateRepository.ps1 -configurationFilePath ..\config\configurationParameters.xml
```

- Reboot the server to ensure security group memberships are updated
- Deploy Aspire BDC Service
- Copy the extracted installation folder content (C:\DeployRepository\...), with the updated configuration file, from the Intermediate Repository server
- Log in to the server where you plan to install the Aspire Service, and paste the copied content to some directory (C:\DeployAspireService)
- Make sure the configuration file has been updated by the previous installation and that the piped parameters inside the Aspire BDC Service inputs are filled in.
- Start PowerShell as administrator
- cd to the scripts directory (cd "C:\DeployAspireService\scripts")
- Run:

```
.\DeployAspireBDCService.ps1 -configurationFilePath ..\config\configurationParameters.xml
```

- Reboot the server to ensure security group memberships are updated
- Deploy Notification Service
- Copy the installation package (C:\DeployAspireService), with the updated configuration file, from the Aspire Service server
- Log in to any SharePoint server where you plan to install the Notification Service, and paste the copied content to some directory (C:\DeployEndpoint)
- Make sure the configuration file has been updated by the previous installation and that the piped parameters inside the Notification Service inputs are filled in.
- Start PowerShell as administrator
- cd to the scripts directory (cd "C:\DeployEndpoint\scripts")
- Run:

```
.\DeployNotificationService.ps1 -configurationFilePath ..\config\configurationParameters.xml
```

- Reboot the server to ensure security group memberships are updated
- Deploy and Configure Aspire Component
Security Trimmer Installation
- Fill in the configurationParameters.xml
- Start the SharePoint Management Shell as Administrator.
- cd to the scripts directory (cd "C:\DeployEndpoint\scripts").
- Run:

```
.\DeployAspireSecurityTrimmer.ps1 -configurationFilePath ..\config\configurationParameters.xml
```

- Restart the SharePoint Search Host Controller service
Configuration Parameters Example
The configuration file is located at "..\Deploy\config\configurationParameters.xml".
The following example shows how to fill in the configuration file, using the QA\spadmin account for all the services.
```xml
<?xml version="1.0"?>
<parameters>
  <security>
    <usersGroupName>AspireUsers</usersGroupName>
    <ldapGroupQuery>CN=Users,DC=QA,DC=local</ldapGroupQuery>
  </security>
  <users>
    <AspireBDCServiceAppPool>QA\spadmin</AspireBDCServiceAppPool>
    <contentAccess>QA\spadmin</contentAccess>
    <aspirePropertyRepositoryUser>QA\spadmin</aspirePropertyRepositoryUser>
    <aspirePropertyEndpointUser>QA\spadmin</aspirePropertyEndpointUser>
  </users>
  <repository>
    <inputs>
      <folderPath>C:\Repository</folderPath>
      <shareName>IntermediateRepository</shareName>
    </inputs>
    <outputs>
      <repositorySharePath></repositorySharePath>
    </outputs>
  </repository>
  <aspireService>
    <inputs>
      <folderPath>C:\inetpub\wwwroot\AspireService</folderPath>
      <repositorySharePath piped="true"></repositorySharePath>
    </inputs>
    <outputs>
      <aspireServiceUrl></aspireServiceUrl>
    </outputs>
  </aspireService>
  <notificationEndpoint>
    <outputs>
      <notificationEndpointUrl></notificationEndpointUrl>
    </outputs>
  </notificationEndpoint>
  <securityTrimmer>
    <inputs>
      <groupExpansionService>http://localhost:50505/groupExpansion</groupExpansionService>
      <groupExpansionTimeout>15000</groupExpansionTimeout>
      <useDomain>false</useDomain>
      <claimIssuer>aspire</claimIssuer>
      <searchApplicationName>Search Service Application</searchApplicationName>
      <id>1</id>
      <assemblyVersion>2.2.0.2</assemblyVersion>
    </inputs>
  </securityTrimmer>
</parameters>
```
Section Description
Security
```xml
<security>
  <usersGroupName>AspireUsers</usersGroupName>
  <ldapGroupQuery>CN=Users,DC=QA,DC=local</ldapGroupQuery>
</security>
```
The security section is an initial approach to making the users group name configurable. Currently the name is hardwired to AspireUsers and cannot be changed due to code limitations.
At present, this configuration is used to determine whether the AspireUsers group exists as an Active Directory group; if it does not, the group is created locally.
Users
```xml
<users>
  <aspireServiceAppPool>QA\spadmin</aspireServiceAppPool>
  <contentAccess>QA\spadmin</contentAccess>
  <aspirePropertyRepositoryUser>QA\spadmin</aspirePropertyRepositoryUser>
  <aspirePropertyEndpointUser>QA\spadmin</aspirePropertyEndpointUser>
</users>
```
The users section specifies the users for each component.
Repository
```xml
<repository>
  <inputs>
    <folderPath>C:\Repository</folderPath>
    <shareName>IntermediateRepository</shareName>
  </inputs>
  <outputs>
    <repositorySharePath></repositorySharePath>
  </outputs>
</repository>
```
The Repository section defines the directory where the batches that Aspire generates are stored until SharePoint crawls them, after which they are cleaned up.
Note |
---|
Only the properties under the inputs node must be defined. |
Aspire BDC Service
```xml
<aspireService>
  <inputs>
    <folderPath>C:\inetpub\wwwroot\AspireBDCService</folderPath>
    <repositorySharePath piped="true"></repositorySharePath>
  </inputs>
  <outputs>
    <aspireServiceUrl></aspireServiceUrl>
  </outputs>
</aspireService>
```
The Aspire BDC Service section defines the destination of the service's assemblies and the URL of the intermediate repository.
Note |
---|
Only the properties under the inputs node that don't have the piped attribute as true must be defined. |
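One way to check this rule, together with the multi-server instruction to confirm that piped parameters were carried over before running the next script (added example, not part of the Aspire deployment package). The function name Test-AspireDeployConfig, its -Stage parameter and the sample XML are constructed for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Constructed sample: element names follow this page; shareName is left empty on purpose.
$sampleXml = @'
<?xml version="1.0"?>
<parameters>
  <repository>
    <inputs>
      <folderPath>C:\Repository</folderPath>
      <shareName></shareName>
    </inputs>
    <outputs><repositorySharePath></repositorySharePath></outputs>
  </repository>
  <aspireService>
    <inputs>
      <folderPath>C:\inetpub\wwwroot\AspireBDCService</folderPath>
      <repositorySharePath piped="true"></repositorySharePath>
    </inputs>
    <outputs><aspireServiceUrl></aspireServiceUrl></outputs>
  </aspireService>
  <notificationService>
    <inputs><webAppUrl></webAppUrl></inputs>
  </notificationService>
</parameters>
'@

function Test-AspireDeployConfig {
    param(
        [Parameter(Mandatory = $true)] [xml] $Config,
        # Section about to be deployed: its piped inputs must already be filled.
        [string] $Stage,
        # Inputs this page documents as optional.
        [string[]] $OptionalInputs = @('webAppUrl')
    )
    foreach ($node in $Config.SelectNodes('/parameters/*/inputs/*')) {
        $section = $node.ParentNode.ParentNode.LocalName
        $empty   = $node.InnerText.Trim() -eq ''
        $piped   = $node.GetAttribute('piped') -eq 'true'

        if (-not $empty) {
            $status = 'ok'
        } elseif ($piped -and $section -ne $Stage) {
            $status = 'piped: filled when an earlier script runs'
        } elseif ($piped) {
            $status = 'MISSING: piped value was not carried over'
        } elseif ($OptionalInputs -contains $node.LocalName) {
            $status = 'optional: empty'
        } else {
            $status = 'MISSING'
        }
        [pscustomobject]@{ Section = $section; Input = $node.LocalName; Status = $status }
    }
}

# For a real run: $config = [xml](Get-Content ..\config\configurationParameters.xml)
$report = Test-AspireDeployConfig -Config $sampleXml -Stage 'aspireService'
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Status -like 'MISSING*' }) {
    Write-Warning 'Fix the MISSING inputs before running the deploy script.'
}
```

Pass the section name of the script you are about to run as -Stage, so that an empty piped value for that section is reported instead of being treated as pending.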
Repository Share Path
The repository's URL.
Note |
---|
This value is generated when running the script to set the repository. |
Notification Service
```xml
<notificationService>
  <inputs>
    <webAppUrl></webAppUrl>
  </inputs>
  <outputs>
    <notificationServiceUrl></notificationServiceUrl>
  </outputs>
</notificationService>
```
The Notification Service section defines the SharePoint web application where the Notification Service will be deployed.
Note |
---|
Only the properties under the inputs node can be defined. |
Optional. Defines the SharePoint web application where the notification service will be deployed. If no web app is defined, it will be deployed in all web apps in the farm. It can be deployed in the Central Administration web application as long as a Web Front End service is enabled on that server.
Security Trimmer
```xml
<securityTrimmer>
  <inputs>
    <groupExpansionService>http://localhost:50505/groupExpansion</groupExpansionService>
    <groupExpansionTimeout>15000</groupExpansionTimeout>
    <useDomain>false</useDomain>
    <claimIssuer>aspire</claimIssuer>
    <searchApplicationName>Search Service Application</searchApplicationName>
    <id>1</id>
    <assemblyVersion>2.2.0.2</assemblyVersion>
  </inputs>
</securityTrimmer>
```
The Security Trimmer section defines the properties that the Trimmer component needs to access the group expansion service in order to verify the claims of a user requesting documents.
Installation Verification
Repository
Check on your drive that the folder was created. The location can be found in the output parameter <repositorySharePath>.
Aspire BDC Service
- Go to IIS.
- On the left side (in the Connections panel), expand the "Sites" folder under your server.
- Check that "AspireBDCService" is in there.
- Right click on it -> Manage WebSite -> Browse.
- You should see something like this:
Notification Service
- Go to http://<sp2013_server>/_vti_bin/AspireNotificationService/AspireNotificationService.svc
- Verify that the URL provided by the Notification Service installation is the correct one. In some cases you'll have to use the fully qualified DNS name instead of the hostname only, or change the URL protocol (http/https). It should be the root site of an existing web application or the Central Administration web application site.
- You should see something like:
Security Trimmer
- Open SharePoint 2013 Management Shell
- Run the following command: Get-SPEnterpriseSearchServiceApplication -Identity MySSA | Get-SPEnterpriseSearchSecurityTrimmer
- You should see something like this: