OS and Application information
OS Requirements
- 64-bit edition of Windows Server 2008 R2 Service Pack 1 (SP1) Standard, Enterprise, or Datacenter
- Or 64-bit edition of Windows Server 2012 Standard or Datacenter
Requirements by Component
Notification Service
- SharePoint 2013
Aspire BDC Service
In Windows Server 2008 R2 SP1
- IIS Server role
- Common HTTP Features
- Static Content
- Default Document
- Directory Browsing
- HTTP Errors
- HTTP Redirection
- Application Development
- ASP.Net
- .Net Extensibility
- ISAPI Extensions
- ISAPI Filters
- Security
- Basic Authentication
- Windows Authentication
- Digest Authentication
- Client Certificate Mapping Authentication
- IIS Client Certificate Mapping Authentication
- URL Authorization
- Request Filtering
- IP and Domain Restrictions
- Management Tools
- IIS Management Console
- IIS Management Scripts and Tools
- Management Service
- Common HTTP Features
- Application Server role
- All role features (confirm all dependencies)
- Microsoft .NET Framework version 4.5
In Windows Server 2012
- IIS Server role
- Common HTTP Features
- Static Content
- Default Document
- Directory Browsing
- HTTP Errors
- HTTP Redirection
- Application Development
- ASP.Net 3.5
- ASP.Net 4.5
- .Net Extensibility 3.5
- .Net Extensibility 4.5
- ISAPI Extensions
- ISAPI Filters
- Server Side Includes
- Security
- Basic Authentication
- Windows Authentication
- Digest Authentication
- Client Certificate Mapping Authentication
- IIS Client Certificate Mapping Authentication
- URL Authorization
- Request Filtering
- IP and Domain Restrictions
- Management Tools
- IIS Management Console
- IIS Management Scripts and Tools
- Management Service
- Common HTTP Features
- Application Server role (confirm all dependencies)
- .Net Framework 4.5
- TCP Port Sharing
- Web Server (IIS) support
- Windows Process Activation Service Support
- Named Pipes Activation
- HTTP Activation
- TCP Activation
These prerequisites can be installed either manually configuring via Server Manager or running SharePoint 2013 prerequisite installer.
User Account Requirements
To run the deploy scripts use an account with the following requirements:
- Domain user.
- Member of the Administrators user group.
The following are the user requirements for each component of the Endpoint:
Intermediate Repository
- Domain user
- Member of AspireUsers user group
Aspire BDC Service
- Domain user
- Member of AspireUsers user group
Notification Service
- Domain user
- Member of AspireUsers user group
- SharePoint Shell Admin (user who has SharePoint_Shell_Access role in farm configuration database, and member of WSS_Admin_WPG group)
- The SharePoint Application Pool Account has to be Search Service Application administrator
- Default content access account
- BDC Service Application administrator
- BDC Metadata Store Permissions:
- Edit
- Execute
- Selectable in Clients
- Set Permissions
- “WSS_Content_Application_Pools” administration content database role.
If the user running the SharePoint Application Pool is different from the user you are using to access the Notification Service, then the Application Pool account should be the one that has the Search Service Application administrator permission and not the account that has access to the service. In that case, after setting the application pool account as a Search Service Application administrator, confirm that you have the following permissions on that account in the Search Databases, if not, add them manually:
Database Name | Role |
---|---|
Search_Service_Application_AnalyticsReportingStoreDB_<GUID> |
|
Search_Service_Application_CrawlStoreDB_<GUID> |
|
Search_Service_Application_DB_<GUID> |
|
Search_Service_Application_LinksStoreDB_<GUID> |
|
Manually add user permissions
- To add a user as a SharePoint Shell Admin execute “Add-SPShellAdmin” cmdlet (http://technet.microsoft.com/en-us/library/ff607596.aspx):
- Start SharePoint shell as administrator.
- Run “Add-SPShellAdmin -UserName <username>".
- Make the SharePoint Application Pool account a Search Service Application administrator:
- Central Admin -> Application Management -> Manage Service Applications.
- Select “Search Service Application” row (not the link).
- Click on the “Administrators” button on the ribbon.
- Add the user and give it “Full Control” permissions.
- Make the user the Default content access account:
- Go to Central Admin -> Application Management -> Manage Service Applications -> Search Service Application.
- Click the current access account.
- Enter the new account credentials
- Make the user a Business Data Connectivity Service administrator:
- Central Admin -> Application Management -> Manage Service Applications.
- Select “Business Data Connectivity Service” row (not the link).
- Click on the “Administrators” button on the ribbon.
- Add the user and give it “Full Control” permissions.
- Give the user Metadata Store permissions:
- Central Admin -> Application Management -> Manage Service Applications -> Business Data Connectivity Service.
- On the ribbon, select "Set Metadata Store Permissions".
- Add the user and select all the permissions.
- Click OK.
- Add administration content database role membership:
- Add database role membership “WSS_Content_Application_Pools” of SharePoint_AdminContent_<GUID> to Notification Endpoint app pool user:
- For search databases, confirm that you have the SPSearchDBAdmin database role. This should be added to the account you set up as the Search Service Application administrator, if not, add them manually.
- To access the list of database roles on SQLSERVER:
- Open the SQL Server Management Studio.
- Go to Security -> Logins.
- Right click on the user and select Properties.
- Select "User Mappings".
- To access the list of database roles on SQLSERVER:
Database Permissions Checklist
After doing all the changes specified previously, this is the complete list of user database roles as they should be.
Database Name | Role |
---|---|
SharePoint_Config |
|
SharePoint_AdminContent_<GUID> |
|
Bdc_Service_DB_<GUID> |
|
Search_Service_Application_AnalyticsReportingStoreDB_<GUID> |
|
Search_Service_Application_CrawlStoreDB_<GUID> |
|
Search_Service_Application_DB_<GUID> |
|
Search_Service_Application_LinksStoreDB_<GUID> |
|
Since SharePoint setup user and server farm account have these privileges, it is recommended to use one of those accounts for this. Setup user is recommended, since it has machine admin rights as well.
Security Pre-Trimmer
The Security PreTrimmer requires that the user identity sent to it contains at least one of the following claim types:
- claims/userlogonname: This is for windows authentication. The pretrimmer will use this value to send it to the Aspire Group Expansion.
- claims/primarysid: This is for other types of authentication (e.g. ADFS). The pretrimmer will take the primary SID value and translate it into a valid user id to send it to the Aspire Group Expansion.
SharePoint 2013 Aspire Components Installation
This describes the steps needed for installing the various Aspire components of the SharePoint 2013 Publisher Endpoint.
This installation is done through a powershell script that will setup and configure the following components:
- Intermediate Repository. Shared folder created to be used as a SharePoint External Source.
- (IIS Service) Aspire Service. Acts as a data source for the Aspire ECT.
- Reads XML files from the Repository using a separate timestamp file to managed updated content.
- Protected using NTLM authentication mechanism.
- Any user accessing this service must be member of the AspireUsers Active Directory or local Windows group.
- (SharePoint Solution) Notification Endpoint. Receives requests for crawling the Aspire Content Source.
- Creates the Content Source specific directory in the publisher file share.
- Creates the Search Service Application Content Source.
- Creates the BDC Model and External Content Type (ECT) in SharePoint Business Data Connectivity Services.
- Security Trimmer. Used to enhance the search query in SharePoint Search using group expansion from Aspire.
- Error Crawl Logs. Used to get crawled document logs from a content source.
Publisher Installation
Single Server Installation
- Download the latest version of the installation files from our repository
- Log in to a SharePoint 2013 server
- Copy the installation package (Deploy file) to that server
- Extract it to some directory (i.e.: C:\Deploy)
- Fill up the configurationParameters.xml
- Start PowerShell as administrator
- cd to scripts directory (cd “C:\Deploy\scripts”)
Run
.\DeployPublisher.ps1 -configurationFilePath ..\config\configurationParameters.xml
(Optional) Install the Security Trimmer. Run
.\DeployAspireSecurityTrimmer.ps1 -configurationFilePath ..\config\configurationParameters.xml
- Reboot the server to ensure security group memberships are updated
- Deploy and configure Aspire component (SharePoint 2013 Publisher Configuration Tutorial)
Multi-Server Installation
- Install the intermediate repository
- Log in to the server that you plan to install the intermediate repository
- Copy the installation package Deploy File to that server
- Extract it to some directory (C:\DeployRepository)
- Fill up the configurationParameters.xml
- Start PowerShell as administrator
- cd to scripts directory (cd “C:\ DeployRepository\scripts”)
Run
.\DeployIntermediateRepository.ps1 -configurationFilePath ..\config\configurationParameters.xml
- Reboot the server to ensure security group memberships are updated
- Deploy Aspire BDC Service
- Copy the extracted installation folder content (C:\DeployRepository\...) with updated configuration file, from Intermediate Repository server
- Log in to the server that you planned to install Aspire Service, and paste copied content to some directory (C:\DeployAspireService)
- Make sure the configuration file has been updated from the previous installation and filled piped parameters inside Aspire BDC Service inputs.
- Start PowerShell as administrator
- cd to scripts directory (cd “C:\DeployAspireService\scripts”)
Run
.\DeployAspireBDCService.ps1 -configurationFilePath ..\config\configurationParameters.xml
- Reboot the server to ensure security group memberships are updated
- Deploy Notification Service
- Copy the installation package (C:\DeployAspireService) with updated configuration file, from Aspire Service server
- Log in to any SharePoint server that you planned to install Notification Service, and paste copied content to some directory (C:\DeployEndpoint)
- Make sure the configuration file has been updated from the previous installation and filled piped parameters inside Notification Service inputs.
- Start PowerShell as administrator
- cd to scripts directory (cd “C:\DeployEndpoint\scripts”)
Run
.\DeployNotificationService.ps1 -configurationFilePath ..\config\configurationParameters.xml
- Reboot the server to ensure security group memberships are updated
- Deploy and Configure Aspire Component
Security Trimmer Installation
- Fill up the configurationParameters.xml
- Start the SharePoint Management Shell as Administrator.
- cd to scripts directory (cd “C:\DeployEndpoint\scripts”).
Run
.\DeployAspireSecurityTrimmer.ps1 -configurationFilePath ..\config\configurationParameters.xml
- RESTART The SharePoint Search Host Controller service
Configuration Parameters Example
The configuration file is found here "..\Deploy\config\configurationParameters.xml".
The next is an example on how to fill up the configuration file using the QA\spadmin for all the services.
Section Description
Security
<security> <usersGroupName>AspireUsers</usersGroupName> <ldapGroupQuery>CN=Users,DC=QA,DC=local</ldapGroupQuery> </security>
The security section is an initial approach to have the users group name configurable. Right now it is hardwired to AspireUsers and cannot be changed due to code limitations.
Right now this configuration is used to determine if the AspireUsers group exists as an Active Directory group and if not, it will create it locally.
Field | Description |
---|---|
Users Group Name | User group to which the users must belong to. |
LDAP Group Query | The LDAP query (minus the group name) that will be used to check for the existence of the group. |
Users
<users> <aspireServiceAppPool>QA\spadmin</aspireServiceAppPool> <contentAccess>QA\spadmin</contentAccess> <aspirePropertyRepositoryUser>QA\spadmin</aspirePropertyRepositoryUser> <aspirePropertyEndpointUser>QA\spadmin</aspirePropertyEndpointUser> </users>
The users section specifies the users for each component.
Field | Description |
---|---|
Aspire Service app pool user | User who runs the app pool of Aspire BDC Service |
Content access user | SharePoint default content access account |
Aspire property repository user | Intermediate Repository user, which is specified in Aspire PublishToSP2013 application properties. This can be any domain user |
Aspire property endpoint user | Endpoint user, which is specified in Aspire PublishToSP2013 application properties. This can be any domain user |
Repository
<repository> <inputs> <folderPath>C:\Repository</folderPath> <shareName>IntermediateRepository</shareName> </inputs> <outputs> <repositorySharePath></repositorySharePath> </outputs> </repository>
The Repository section defines the directory where the batches that Aspire generates will be stored until SharePoint crawls them and then get cleaned up.
Only the properties under the inputs node must be defined.
Field | Description |
---|---|
Folder Path | Location used to map the Shared folder |
Share Name | Name of the Shared folder that will be exposed to the smb protocol |
Aspire BDC Service
<aspireService> <inputs> <folderPath>C:\inetpub\wwwroot\AspireBDCService</folderPath> <repositorySharePath piped="true"></repositorySharePath> </inputs> <outputs> <aspireServiceUrl></aspireServiceUrl> </outputs> </aspireService>
The Aspire BDC Service section defines the destination of the service's assemblies and the url to the intermediate repository.
Only the properties under the inputs node that don't have the piped attribute as true must be defined.
Field | Description |
---|---|
Folder Path | Destination of the service's assemblies |
Repository Share Path | The repository's url. This value is generated when running the script to set the repository. |
Notification Service
<notificationService> <inputs> <webAppUrl></webAppUrl> </inputs> <outputs> <notificationServiceUrl></notificationServiceUrl> </outputs> </notificationService>
The Notification Service section defines the SharePoint web application where the Notification Service will be deployed.
Field | Description |
---|---|
Web App Url | Optional. Defines the SharePoint web application where the notification service will be deployed. If no web app is defined it will deploy in all web apps in the farm. It can be deployed in the central admin as long as a Web Front End service is enabled in that server.
|
Security Trimmer
<securityTrimmer> <inputs> <groupExpansionService>http://localhost:50505/groupExpansion</groupExpansionService> <groupExpansionTimeout>15000</groupExpansionTimeout> <useDomain>false</useDomain> <claimIssuer>aspire</claimIssuer> <searchApplicationName>Search Service Application</searchApplicationName> <id>1</id> <assemblyVersion>2.2.0.2</assemblyVersion> </inputs> </securityTrimmer>
The Security Trimmer section defines the properties that the Trimmer component needs to access the group expansion service in order to verify the claims of a user requesting documents.
Field | Description |
---|---|
Group Expansion Service | Url of the Aspire Group Expansion service |
Group Expansion Timeout | Timeout to wait for Group Expansion response |
Use Domain | Use domain in security trimmer |
Claim Issuer | If you are using "Use Aspire" option in the SharePoint2013 Publisher, type "aspire" |
Search Application Name | Name of the Seach Application |
Id | The trimmer instance Id in SharePoint. Default is 1. |
Assembly Version | Version of the trimmer dll registered on the GAC |