SharePoint 2013 Aspire Components Installation
PowerShell Script Signing
In some cases, depending on the windows script execution policy, running PowerShell scripts will require them to be signed, additional information here. There are several solutions for this:
- Remove the script execution restrictions by running Set-ExecutionPolicy. See details here and usage here. For this you'll need to have administrator rights in the machine.
- Paste the script code (including referred scripts) in the PowerShell command line and execute from there. This however might not be practical if the scripts are long.
- Sign the certificates by following these steps:
- Make sure 'makecert.exe' from the Windows SDK is in the path and can be accessed from PowerShell. You might need to install the SDK relevant to the Windows version here.
- You'll need a Certificate Authority (CA) on which to sign the scripts. Either use one of yours or run the following steps to create and register one:
Create the CA certificate:
makecert -n "CN=<the name of the CA>" -r -sv <the name of the CA>.pvk <the name of the CA>.cer
- Register the CA certificate to your Trusted Root Certification Authorities:
- Open certmgr.msc
- Under CurrentUser>Trusted Root Certification Authorities, right click Certificates
- Select All Tasks > Import
- Find the file you just created, import it
- Create a personal certificate and use the new CA cert to sign the new personal certificate:
Run the following:
makecert -sk <Certificate name> -iv <CA Certificate name>.pvk -n "CN=<Certificate name>" -ic <CA Certificate name>.cer <Certificate name>.cer -sr currentuser -ss CRT
- The certificate should be now under CurrentUser>Personal>Certificates, if not, import it as you did with the CA (but under personal this time).
- Configure Windows to run signed scripts:
- Run the following and confirm (y). You might need to specify a scope (see the command documentation):
set-executionpolicy allsigned
- Run the following and confirm (y). You might need to specify a scope (see the command documentation):
Confirm the certificate is up:
gci cert:\CurrentUser\CRT -codesigning
Sign your script (signtool should be in the same path as makecert):
signtool sign /v /n "<Certificate name>" <your script>.ps1
- Open your script and find the encrypted string in it. You should be able to run your script now.
Publisher Installation
Single Server Installation
- Download the latest version of the installation files from our repository
- Log in to a SharePoint 2013 server
- Copy the installation package (Deploy file) to that server
- Extract it to some directory (i.e.: C:\Deploy)
- Fill up the configurationParameters.xml
- Start PowerShell as administrator
- cd to scripts directory (cd “C:\Deploy\scripts”)
Run
.\DeployPublisher.ps1 -configurationFilePath ..\config\configurationParameters.xml
(Optional) Install the Security Trimmer. Run
.\DeployAspireSecurityTrimmer.ps1 -configurationFilePath ..\config\configurationParameters.xml
- Reboot the server to ensure security group memberships are updated
- Deploy and configure Aspire component (SharePoint 2013 Publisher How to configure)
Multi-Server Installation
- Download the latest version of the installation files from our repository
- Install the intermediate repository
- Log in to the server that you plan to install the intermediate repository
- Copy the installation package Deploy File to that server
- Extract it to some directory (C:\DeployRepository)
- Fill up the configurationParameters.xml
- Start PowerShell as administrator
- cd to scripts directory (cd “C:\ DeployRepository\scripts”)
Run
.\DeployIntermediateRepository.ps1 -configurationFilePath ..\config\configurationParameters.xml
- Reboot the server to ensure security group memberships are updated
- Deploy Aspire BDC Service
- Copy the extracted installation folder content (C:\DeployRepository\...) with updated configuration file, from Intermediate Repository server
- Log in to the server that you planned to install Aspire Service, and paste copied content to some directory (C:\DeployAspireService)
- Make sure the configuration file has been updated from the previous installation and filled piped parameters inside Aspire BDC Service inputs.
- Start PowerShell as administrator
- cd to scripts directory (cd “C:\DeployAspireService\scripts”)
Run
.\DeployAspireBDCService.ps1 -configurationFilePath ..\config\configurationParameters.xml
- Reboot the server to ensure security group memberships are updated
- Deploy Notification Service
- Copy the installation package (C:\DeployAspireService) with updated configuration file, from Aspire Service server
- Log in to any SharePoint server that you planned to install Notification Service, and paste copied content to some directory (C:\DeployEndpoint)
- Make sure the configuration file has been updated from the previous installation and filled piped parameters inside Notification Service inputs.
- Start PowerShell as administrator
- cd to scripts directory (cd “C:\DeployEndpoint\scripts”)
Run
.\DeployNotificationService.ps1 -configurationFilePath ..\config\configurationParameters.xml
- Reboot the server to ensure security group memberships are updated
- Deploy and Configure Aspire Component
Security Trimmer Installation
- Fill up the configurationParameters.xml
- Start the SharePoint Management Shell as Administrator.
- cd to scripts directory (cd “C:\DeployEndpoint\scripts”).
Run
.\DeployAspireSecurityTrimmer.ps1 -configurationFilePath ..\config\configurationParameters.xml
- RESTART The SharePoint Search Host Controller service
Configuration Parameters Example
The configuration file is found here "..\Deploy\config\configurationParameters.xml".
The next is an example on how to fill up the configuration file using the QA\spadmin for all the services.
Section Description
Security
<security> <usersGroupName>AspireUsers</usersGroupName> <ldapGroupQuery>CN=Users,DC=QA,DC=local</ldapGroupQuery> </security>
The security section is an initial approach to have the users group name configurable. Right now it is hardwired to AspireUsers and cannot be changed due to code limitations.
Right now this configuration is used to determine if the AspireUsers group exists as an Active Directory group and if not, it will create it locally.
| Field | Description |
|---|---|
| Users Group Name | User group to which the users must belong to. |
| LDAP Group Query | The LDAP query (minus the group name) that will be used to check for the existence of the group. |
Users
<users> <aspireServiceAppPool>QA\spadmin</aspireServiceAppPool> <contentAccess>QA\spadmin</contentAccess> <aspirePropertyRepositoryUser>QA\spadmin</aspirePropertyRepositoryUser> <aspirePropertyEndpointUser>QA\spadmin</aspirePropertyEndpointUser> </users>
The users section specifies the users for each component.
| Field | Description |
|---|---|
| Aspire Service app pool user | User who runs the app pool of Aspire BDC Service |
| Content access user | SharePoint default content access account |
| Aspire property repository user | Intermediate Repository user, which is specified in Aspire PublishToSP2013 application properties. This can be any domain user |
| Aspire property endpoint user | Endpoint user, which is specified in Aspire PublishToSP2013 application properties. This can be any domain user |
Repository
<repository>
<inputs>
<folderPath>C:\Repository</folderPath>
<shareName>IntermediateRepository</shareName>
</inputs>
<outputs>
<repositorySharePath></repositorySharePath>
</outputs>
</repository>
The Repository section defines the directory where the batches that Aspire generates will be stored until SharePoint crawls them and then get cleaned up.
Only the properties under the inputs node must be defined.
| Field | Description |
|---|---|
| Folder Path | Location used to map the Shared folder |
| Share Name | Name of the Shared folder that will be exposed to the smb protocol |
Aspire BDC Service
<aspireService>
<inputs>
<folderPath>C:\inetpub\wwwroot\AspireBDCService</folderPath>
<repositorySharePath piped="true"></repositorySharePath>
</inputs>
<outputs>
<aspireServiceUrl></aspireServiceUrl>
</outputs>
</aspireService>
The Aspire BDC Service section defines the destination of the service's assemblies and the url to the intermediate repository.
Only the properties under the inputs node that don't have the piped attribute as true must be defined.
| Field | Description |
|---|---|
| Folder Path | Destination of the service's assemblies |
Repository Share Path | The repository's url. This value is generated when running the script to set the repository. |
Notification Service
<notificationService>
<inputs>
<webAppUrl></webAppUrl>
</inputs>
<outputs>
<notificationServiceUrl></notificationServiceUrl>
</outputs>
</notificationService>
The Notification Service section defines the SharePoint web application where the Notification Service will be deployed.
Only the properties under the inputs node can be defined.
| Field | Description |
|---|---|
| Web App Url | Optional. Defines the SharePoint web application where the notification service will be deployed. If no web app is defined it will deploy in all web apps in the farm. It can be deployed in the central admin as long as a Web Front End service is enabled in that server. |
Security Trimmer
<securityTrimmer>
<inputs>
<groupExpansionService>http://localhost:50505/groupExpansion</groupExpansionService>
<groupExpansionTimeout>15000</groupExpansionTimeout>
<useDomain>false</useDomain>
<claimIssuer>aspire</claimIssuer>
<searchApplicationName>Search Service Application</searchApplicationName>
<id>1</id>
<assemblyVersion>2.2.0.2</assemblyVersion>
</inputs>
</securityTrimmer>
The Security Trimmer section defines the properties that the Trimmer component needs to access the group expansion service in order to verify the claims of a user requesting documents.
| Field | Description |
|---|---|
| Group Expansion Service | Url of the Aspire Group Expansion service |
| Group Expansion Timeout | Timeout to wait for Group Expansion response |
| Use Domain | Use domain in security trimmer |
| Claim Issuer | If you are using "Use Aspire" option in the SharePoint2013 Publisher, type "aspire" |
| Search Application Name | Name of the Seach Application |
| Id | The trimmer instance Id in SharePoint. Default is 1. |
| Assembly Version | Version of the trimmer dll registered on the GAC |
Installation Verification
Repository
Check in your drive that the folder was created. The location can be found in the output parameter <repositorySharePath>.
Aspire BDC Service
- Go to IIS.
- On the left side (on the Connections Panel).
- Expand in your server, the "Sites" folder.
- Check that "AspireBDCService" is in there.
- Right click on it -> Manage WebSite -> Browse.
- You should see something like this:
Notification Service
- Go to http://<sp2013_server>/_vti_bin/AspireNotificationService/AspireNotificationService.svc
- Verify that the URL provided by the Notification Service installation is the correct one. In some cases you'll have to use the fully quallified DNS name instead of hostname only or change the URL protocol (http/https). It should be the root site of an existing web application or the Central Administration web application site.
- You should see something like:
Security Trimmer
- Open SharePoint 2013 Management Shell
- Run the following command: Get-SPEnterpriseSearchServiceApplication -Identity MySSA | Get-SPEnterpriseSearchSecurityTrimmer
- You should see something like this:
Overview
Content Tools