
Explanation/Reference:
Scenario:
A new remote web application named App1 will be hosted in the adatum.com domain. App1 will require access to SharePoint resources in the fabrikam.com domain. SharePoint administrators in the fabrikam.com domain must be able to administer App1 by using Windows PowerShell.
Fabrikam has an AD DS domain named fabrikam.com.
Fabrikam users must be able to directly access internal SharePoint resources in the adatum.com domain.
A. Datum users must not be able to access resources in the fabrikam.com domain.
SharePoint administrators in the fabrikam.com domain must be able to administer App1 by using Windows PowerShell. -> App1 is a service application.
A trust relationship must be established between SharePoint farms that share service application functionality. In this relationship, one SharePoint farm (the "publisher") publishes a service application that can then be consumed by a different SharePoint farm (the "consumer").
This relationship is established in a secure fashion via the use of three distinct certificates:
A root certificate, which is exported from the "consuming" farm
An STS certificate, which is exported from the consuming farm
Another root certificate, which is exported from the "publishing" farm
You have to copy the files between farms, as follows:
Copy the ConsumingFarmRoot.cer and ConsumingFarmSTS.cer files from the consuming farm to the publishing farm.
Copy the PublishingFarmRoot.cer file from the publishing farm to the consuming farm.
Establishing the trust on the consuming farm
The trust is established on the consuming farm when the publishing farm's root certificate is imported (using the New-SPTrustedRootAuthority cmdlet). Follow these steps:
Open the SharePoint 2013 Management Shell (run as administrator) on the consuming farm.
Locate the publishing root certificate on the file system (C:\PublishingFarmRoot.cer).
Run the following Windows PowerShell to create the new Trusted Root Authority and call the farm PublishingFarm.
Establishing the trust on the publishing farm
The trust is established on the Publishing farm when the Consuming farm's root certificate is imported (using the New-SPTrustedRootAuthority cmdlet).
Open the SharePoint 2013 Management Shell (run as Administrator) on the Publishing farm.
Locate the consuming root certificate on the file system (C:\ConsumingFarmRoot.cer).
Run the following Windows PowerShell to create the new Trusted Root Authority. Call the farm ConsumingFarm:
* Add Certificate to the SharePoint Trusted Root Certificate Authority
Step 1: Export the security certificate here, from Fabrikam.
Step 2: Import the security certificate into the SharePoint Trusted Root Certificate Authority here, in adatum.com.
Reference: Add Certificate to the SharePoint Trusted Root Certificate Authority, with regard to configuring the SharePoint farms on both sides to serve App1.
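The complete certificate exchange behind the steps above (export on both farms, copy, import, verify), as an added PowerShell example; it is not code from the original explanation or from the referenced TechNet articles. It assumes the scenario mapping that adatum.com is the consuming farm (it hosts App1) and fabrikam.com the publishing farm, uses the file names from the explanation, and adds two things the explanation leaves out: an out-of-band thumbprint check before each import, and the New-SPTrustedServiceTokenIssuer step for the STS certificate, which the explanation names but never imports. Farm names, paths and the helper function names are placeholders.

```powershell
# Added example, not code from the original page or the referenced TechNet
# articles. Assumed mapping: adatum.com hosts App1 and is the CONSUMING farm;
# fabrikam.com publishes the service application and is the PUBLISHING farm.
# Run each section in the SharePoint 2013 Management Shell (as administrator)
# on the farm named in its heading; load the two helper functions on both
# farms first. Paths and names are placeholders.

function Export-DerCertificate {
    # Writes the public part of a certificate (DER encoded) to a .cer file and
    # returns its thumbprint so the receiving admin can confirm it out of band.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [string]$Path)
    $Certificate.Export("Cert") | Set-Content -Path $Path -Encoding Byte
    return $Certificate.Thumbprint
}

function Import-TrustedCertificate {
    # Loads a .cer received from the other farm and refuses it unless the
    # thumbprint matches the value confirmed with that farm's admin: the file
    # crosses a domain boundary, and trusting an unverified root would let
    # whoever supplied it impersonate the other farm.
    param([string]$Path, [string]$ExpectedThumbprint)
    $cert = Get-PfxCertificate -FilePath $Path
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch for $Path : got $($cert.Thumbprint), expected $ExpectedThumbprint"
    }
    return $cert
}

# ---- On the CONSUMING farm (adatum.com): export root and STS certificates ----
$consumingRoot = (Get-SPCertificateAuthority).RootCertificate
$consumingSts  = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
Export-DerCertificate -Certificate $consumingRoot -Path "C:\ConsumingFarmRoot.cer"
Export-DerCertificate -Certificate $consumingSts  -Path "C:\ConsumingFarmSTS.cer"
# -> copy both files to the publishing farm; give the two thumbprints to its admin

# ---- On the PUBLISHING farm (fabrikam.com): export its root certificate ----
$publishingRoot = (Get-SPCertificateAuthority).RootCertificate
Export-DerCertificate -Certificate $publishingRoot -Path "C:\PublishingFarmRoot.cer"
# -> copy the file to the consuming farm; give the thumbprint to its admin

# ---- On the CONSUMING farm: trust the publishing farm's root ----
$expected = Read-Host "Thumbprint of PublishingFarmRoot.cer confirmed by the fabrikam admin"
$cert = Import-TrustedCertificate -Path "C:\PublishingFarmRoot.cer" -ExpectedThumbprint $expected
New-SPTrustedRootAuthority -Name "PublishingFarm" -Certificate $cert

# ---- On the PUBLISHING farm: trust the consuming farm's root AND its STS ----
# The root goes into the trusted root authorities; the STS signing certificate
# is registered as a trusted token issuer so tokens the consuming farm's STS
# signs are accepted when it calls the published service application.
$expectedRoot = Read-Host "Thumbprint of ConsumingFarmRoot.cer confirmed by the adatum admin"
$expectedSts  = Read-Host "Thumbprint of ConsumingFarmSTS.cer confirmed by the adatum admin"
$root = Import-TrustedCertificate -Path "C:\ConsumingFarmRoot.cer" -ExpectedThumbprint $expectedRoot
$sts  = Import-TrustedCertificate -Path "C:\ConsumingFarmSTS.cer"  -ExpectedThumbprint $expectedSts
New-SPTrustedRootAuthority      -Name "ConsumingFarm" -Certificate $root
New-SPTrustedServiceTokenIssuer -Name "ConsumingFarm" -Certificate $sts

# ---- Verify on either farm: the names and thumbprints should match what was
#      exchanged; anything unexpected here is a trust you did not intend ----
Get-SPTrustedRootAuthority      | Format-List Name, *Certificate*
Get-SPTrustedServiceTokenIssuer | Format-List Name, *Certificate*
```

Note the asymmetry: the consuming farm trusts only the publishing farm's root, while the publishing farm trusts both the consuming farm's root and its STS signing certificate, because it is the publishing farm that must validate tokens presented by the consumer. The trust alone does not make the service reachable: the publishing farm still has to publish the service application and grant the consuming farm's ID access to the topology (application discovery and load balancer) service and to the published service application (Get-SPTopologyServiceApplication, Get-SPServiceApplicationSecurity, Grant-SPObjectSecurity, Set-SPServiceApplicationSecurity), which is the "other required steps" the comment below points out the question omits.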
User (NL, 19.05.13):
It is not evident what answers would be correct.
Reading through http://technet.microsoft.com/en-us/library/ff621100.aspx I noticed the following text:
> Web applications or application services that request resources from an application service on another farm do not require server-to-server authentication.
This is in line with two lines from the scenario:
App1 will require access to SharePoint resources in the fabrikam.com domain.
A. Datum users must not be able to access resources in the fabrikam.com domain.
An identity provider is not required as the user identity should not be part of the communication between App1 and fabrikam.com! Albeit misleading; cross-farm trust is mostly applied to service applications.
Possibly App1 is a service application? So one should only configure Exchange trust certificates between farms in SharePoint 2013, see http://technet.microsoft.com/en-us/library/ee704552.aspx
> An administrator of the consuming farm must provide two trust certificates to the publishing farm: a root certificate and a security token service (STS) certificate. An administrator of the publishing farm must provide a root certificate to the consuming farm.
In my opinion the right answers to give are thus:
From the adatum.com SharePoint environment, export the security token certificate.
From the Fabrikam.com SharePoint environment, create a trusted root authority.
From the adatum.com SharePoint environment, create a trusted root authority.
Strangely, the sequence of these three steps is irrelevant, as they are independent, without mentioning the other required steps involved.