In some cases, depending on the Windows script execution policy, running PowerShell scripts will require them to be signed (additional information here). There are several solutions for this:
Create the CA certificate:

```
makecert -n "CN=<the name of the CA>" -r -sv <the name of the CA>.pvk <the name of the CA>.cer
```

Run the following:

```
makecert -sk <Certificate name> -iv <CA Certificate name>.pvk -n "CN=<Certificate name>" -ic <CA Certificate name>.cer <Certificate name>.cer -sr currentuser -ss CRT
set-executionpolicy allsigned
```

Confirm the certificate is present in the store:

```
gci cert:\CurrentUser\CRT -codesigning
```

Sign your script (signtool should be in the same path as makecert):

```
signtool sign /v /n "<Certificate name>" <your script>.ps1
```
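As an added example (not from the original page or the Aspire scripts), the following PowerShell pre-flight check confirms that a deployment script carries a valid signature from the certificate created above before it is run under AllSigned. The script path, the certificate subject and the store name `Cert:\CurrentUser\CRT` are taken from the placeholders above and are assumptions.

```powershell
# Added example, not part of the original page: verify that a deployment
# script is signed by the expected certificate and that the effective
# execution policy would let it run. $ScriptPath and $ExpectedSubject are
# placeholders (assumptions), as is the store Cert:\CurrentUser\CRT.
param(
    [string]$ScriptPath = '.\DeployPublisher.ps1',
    [string]$ExpectedSubject = 'CN=<Certificate name>'
)

# Find the code-signing certificate in the store the makecert step used.
$signingCert = Get-ChildItem Cert:\CurrentUser\CRT -CodeSigningCert |
    Where-Object { $_.Subject -eq $ExpectedSubject } |
    Select-Object -First 1
if (-not $signingCert) {
    throw "No code-signing certificate with subject '$ExpectedSubject' in Cert:\CurrentUser\CRT"
}

$sig = Get-AuthenticodeSignature -FilePath $ScriptPath

# Status must be Valid. HashMismatch means the file was edited after signing,
# NotSigned means signtool was never run, UnknownError usually means the
# certificate chain is not trusted on this machine.
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for $ScriptPath : $($sig.Status) - $($sig.StatusMessage)"
}

# A valid signature from some other certificate is not good enough: compare
# the signer's thumbprint with the certificate we expect.
if ($sig.SignerCertificate.Thumbprint -ne $signingCert.Thumbprint) {
    throw "$ScriptPath is signed by '$($sig.SignerCertificate.Subject)', expected '$ExpectedSubject'"
}

# Report the effective policy for this session next to the signature result.
$policy = Get-ExecutionPolicy
Write-Host ("{0}: signed by {1} ({2}); effective execution policy is {3}" -f
    $ScriptPath, $sig.SignerCertificate.Subject, $sig.Status, $policy)
if ($policy -eq 'Restricted') {
    throw 'Execution policy is Restricted; no script will run regardless of its signature'
}
```

Under AllSigned the signing chain must also be trusted by the machine, so a script signed with the self-signed CA from the steps above still triggers a publisher prompt (and fails in non-interactive runs) until that CA is trusted; running this check before each deployment script surfaces that as a non-Valid status instead of a surprise mid-deployment.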
- Run `.\DeployPublisher.ps1 -configurationFilePath ..\config\configurationParameters.xml`
- (Optional) Install the Security Trimmer. Run `.\DeployAspireSecurityTrimmer.ps1 -configurationFilePath ..\config\configurationParameters.xml`
- Run `.\DeployIntermediateRepository.ps1 -configurationFilePath ..\config\configurationParameters.xml`
- Run `.\DeployAspireBDCService.ps1 -configurationFilePath ..\config\configurationParameters.xml`
- Run `.\DeployNotificationService.ps1 -configurationFilePath ..\config\configurationParameters.xml`
- Run `.\DeployAspireSecurityTrimmer.ps1 -configurationFilePath ..\config\configurationParameters.xml`
The configuration file is found at `..\Deploy\config\configurationParameters.xml`.
The following is an example of how to fill in the configuration file, using QA\spadmin as the account for all the services.
```xml
<?xml version="1.0"?>
<parameters>
  <security>
    <usersGroupName>AspireUsers</usersGroupName>
    <ldapGroupQuery>CN=Users,DC=QA,DC=local</ldapGroupQuery>
  </security>
  <users>
    <AspireBDCServiceAppPool>QA\spadmin</AspireBDCServiceAppPool>
    <contentAccess>QA\spadmin</contentAccess>
    <aspirePropertyRepositoryUser>QA\spadmin</aspirePropertyRepositoryUser>
    <aspirePropertyEndpointUser>QA\spadmin</aspirePropertyEndpointUser>
  </users>
  <repository>
    <inputs>
      <folderPath>C:\Repository</folderPath>
      <shareName>IntermediateRepository</shareName>
    </inputs>
    <outputs>
      <repositorySharePath></repositorySharePath>
    </outputs>
  </repository>
  <aspireService>
    <inputs>
      <folderPath>C:\inetpub\wwwroot\AspireService</folderPath>
      <repositorySharePath piped="true"></repositorySharePath>
    </inputs>
    <outputs>
      <aspireServiceUrl></aspireServiceUrl>
    </outputs>
  </aspireService>
  <notificationEndpoint>
    <outputs>
      <notificationEndpointUrl></notificationEndpointUrl>
    </outputs>
  </notificationEndpoint>
  <securityTrimmer>
    <inputs>
      <groupExpansionService>http://localhost:50505/groupExpansion</groupExpansionService>
      <groupExpansionTimeout>15000</groupExpansionTimeout>
      <useDomain>false</useDomain>
      <claimIssuer>aspire</claimIssuer>
      <searchApplicationName>Search Service Application</searchApplicationName>
      <id>1</id>
      <assemblyVersion>2.2.0.2</assemblyVersion>
    </inputs>
  </securityTrimmer>
</parameters>
```
```xml
<security>
  <usersGroupName>AspireUsers</usersGroupName>
  <ldapGroupQuery>CN=Users,DC=QA,DC=local</ldapGroupQuery>
</security>
```
The security section is an initial approach to making the users group name configurable. Currently it is hard-wired to AspireUsers and cannot be changed due to code limitations.
At present this configuration is only used to determine whether the AspireUsers group exists as an Active Directory group; if it does not, the group is created locally.
Field | Description |
---|---|
Users Group Name | User group to which the users must belong. |
LDAP Group Query | The LDAP query (minus the group name) that will be used to check for the existence of the group. |
```xml
<users>
  <aspireServiceAppPool>QA\spadmin</aspireServiceAppPool>
  <contentAccess>QA\spadmin</contentAccess>
  <aspirePropertyRepositoryUser>QA\spadmin</aspirePropertyRepositoryUser>
  <aspirePropertyEndpointUser>QA\spadmin</aspirePropertyEndpointUser>
</users>
```
The users section specifies the users for each component.
Field | Description |
---|---|
Aspire Service app pool user | User who runs the app pool of Aspire BDC Service |
Content access user | SharePoint default content access account |
Aspire property repository user | Intermediate Repository user, which is specified in Aspire PublishToSP2013 application properties. This can be any domain user |
Aspire property endpoint user | Endpoint user, which is specified in Aspire PublishToSP2013 application properties. This can be any domain user |
```xml
<repository>
  <inputs>
    <folderPath>C:\Repository</folderPath>
    <shareName>IntermediateRepository</shareName>
  </inputs>
  <outputs>
    <repositorySharePath></repositorySharePath>
  </outputs>
</repository>
```
The Repository section defines the directory where the batches that Aspire generates are stored until SharePoint crawls them, after which they are cleaned up.
Only the properties under the inputs node must be defined.
Field | Description |
---|---|
Folder Path | Location used to map the Shared folder |
Share Name | Name of the shared folder that will be exposed over the SMB protocol |
```xml
<aspireService>
  <inputs>
    <folderPath>C:\inetpub\wwwroot\AspireBDCService</folderPath>
    <repositorySharePath piped="true"></repositorySharePath>
  </inputs>
  <outputs>
    <aspireServiceUrl></aspireServiceUrl>
  </outputs>
</aspireService>
```
The Aspire BDC Service section defines the destination of the service's assemblies and the URL of the intermediate repository.
Only the properties under the inputs node that do not have the piped attribute set to true must be defined.
Field | Description |
---|---|
Folder Path | Destination of the service's assemblies |
Repository Share Path | The repository's URL. This value is generated when running the script that sets up the repository. |
```xml
<notificationService>
  <inputs>
    <webAppUrl></webAppUrl>
  </inputs>
  <outputs>
    <notificationServiceUrl></notificationServiceUrl>
  </outputs>
</notificationService>
```
The Notification Service section defines the SharePoint web application where the Notification Service will be deployed.
Only the properties under the inputs node can be defined.
Field | Description |
---|---|
Web App Url | Optional. Defines the SharePoint web application where the notification service will be deployed. If no web app is defined, it will be deployed to all web apps in the farm. It can be deployed to Central Administration as long as a Web Front End service is enabled on that server. |
```xml
<securityTrimmer>
  <inputs>
    <groupExpansionService>http://localhost:50505/groupExpansion</groupExpansionService>
    <groupExpansionTimeout>15000</groupExpansionTimeout>
    <useDomain>false</useDomain>
    <claimIssuer>aspire</claimIssuer>
    <searchApplicationName>Search Service Application</searchApplicationName>
    <id>1</id>
    <assemblyVersion>2.2.0.2</assemblyVersion>
  </inputs>
</securityTrimmer>
```
The Security Trimmer section defines the properties that the Trimmer component needs to access the group expansion service in order to verify the claims of a user requesting documents.
Field | Description |
---|---|
Group Expansion Service | Url of the Aspire Group Expansion service |
Group Expansion Timeout | Timeout to wait for the Group Expansion response |
Use Domain | Use domain in security trimmer |
Claim Issuer | If you are using "Use Aspire" option in the SharePoint2013 Publisher, type "aspire" |
Search Application Name | Name of the Search Application |
Id | The trimmer instance Id in SharePoint. Default is 1. |
Assembly Version | Version of the trimmer dll registered on the GAC |
Check on your drive that the folder was created. Its location can be found in the output parameter <repositorySharePath>.
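The sections above describe which inputs must be filled in (non-piped inputs), which are generated (piped inputs and outputs), and that the repository share should be checked once `<repositorySharePath>` is populated. As an added example, not part of the original page or the Aspire deployment scripts, the following PowerShell script validates a `configurationParameters.xml` against those rules before the Deploy*.ps1 scripts are run, and checks the share afterwards. It assumes the section and element names from the sample configuration above (`users`, `repository`, `aspireService`, `securityTrimmer`) and a default config path, which is a placeholder.

```powershell
# Added example, not from the original page: pre-flight validation of
# configurationParameters.xml plus a post-run check of the repository share.
# $ConfigPath is an assumption; element names follow the sample config above.
param([string]$ConfigPath = '..\config\configurationParameters.xml')

[xml]$cfg = Get-Content -Path $ConfigPath -Raw
$p = $cfg.parameters
$problems = @()

# Every <inputs> child that is not marked piped="true" must be supplied by the
# operator; piped values are produced by an earlier script and may be empty.
foreach ($section in $p.ChildNodes | Where-Object { $_.inputs }) {
    foreach ($field in $section.inputs.ChildNodes) {
        if ($field.piped -ne 'true' -and [string]::IsNullOrWhiteSpace($field.InnerText)) {
            $problems += "$($section.Name)/inputs/$($field.Name) is empty"
        }
    }
}

# Service accounts must be domain accounts (DOMAIN\user). Using one account in
# every role works, but leaves no separation between the app pool, the crawl
# account and the repository user, so warn about it.
$accounts = @($p.users.ChildNodes | ForEach-Object { $_.InnerText.Trim() })
foreach ($a in $accounts) {
    if ($a -notmatch '^[^\\\s]+\\[^\\\s]+$') { $problems += "user '$a' is not in DOMAIN\user form" }
}
if (@($accounts | Select-Object -Unique).Count -eq 1) {
    Write-Warning "all service roles in <users> use the same account ($($accounts[0]))"
}

# Local folders the scripts deploy into must already exist.
foreach ($path in @($p.repository.inputs.folderPath, $p.aspireService.inputs.folderPath)) {
    if (-not (Test-Path -Path $path -PathType Container)) { $problems += "folder '$path' does not exist" }
}

# Security trimmer: the group expansion service must be an absolute URL and
# the timeout a positive integer.
$st = $p.securityTrimmer.inputs
if (-not [Uri]::IsWellFormedUriString($st.groupExpansionService, [UriKind]::Absolute)) {
    $problems += "groupExpansionService '$($st.groupExpansionService)' is not an absolute URL"
}
if (-not ($st.groupExpansionTimeout -as [int]) -or [int]$st.groupExpansionTimeout -le 0) {
    $problems += 'groupExpansionTimeout must be a positive integer'
}

if ($problems) {
    $problems | ForEach-Object { Write-Host "ERROR: $_" }
    throw "$($problems.Count) configuration problem(s) found in $ConfigPath"
}

# After DeployIntermediateRepository.ps1 has run, <repositorySharePath> holds
# the share path; confirm it is reachable and that the SMB share exists locally.
$share = $p.repository.outputs.repositorySharePath
if ([string]::IsNullOrWhiteSpace($share)) {
    Write-Host 'repositorySharePath not set yet (run DeployIntermediateRepository.ps1 first)'
} elseif (Test-Path -Path $share) {
    $smb = Get-SmbShare -Name $p.repository.inputs.shareName -ErrorAction SilentlyContinue
    Write-Host ("share {0} is reachable; local SMB share present: {1}" -f $share, [bool]$smb)
} else {
    throw "repositorySharePath '$share' is not reachable"
}
```

Run it from the `Deploy` folder before the first deployment script and again after `DeployIntermediateRepository.ps1`; the first run reports missing inputs and malformed accounts, the second confirms the share the page asks you to check. The same-account warning is deliberately a warning rather than an error, since the page's example uses QA\spadmin everywhere and that is a valid (if coarse) configuration.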