Configuring SharePoint and Exchange as Partner Applications

To enable SharePoint eDiscovery of Lync archive data, SharePoint 2013 must be configured as a partner application to Exchange 2013 rather than to Lync 2013. The reason is that Lync 2013 must first be configured to archive content to Exchange 2013 before SharePoint eDiscovery can be used to search that data. As with the configuration of Lync and Exchange as partner applications, the Exchange 2013 Autodiscover service must be configured and operational before SharePoint and Exchange can be configured as partner applications.

After Autodiscover is configured, SharePoint and Exchange can be configured as partner applications by exchanging the certificates using the authentication metadata documents exposed on each side. On the Exchange 2013 side, a PowerShell script named Configure-EnterprisePartnerApplication.ps1 is provided, and is used to connect to the URL of the SharePoint 2013 metadata document and retrieve the required information from it. The default URL for the SharePoint authentication metadata document is https://<SPfqdn>/_layouts/15/metadata/json/1, where <SPfqdn> is the fully qualified domain name of any SSL-enabled web application on the SharePoint 2013 farm. For example, the following procedure would be used to configure SharePoint as a partner application for the companyabc.com Exchange 2013 deployment:

1. Log on to a system where the Exchange 2013 administrative tools are installed using an account that has administrative rights to Exchange.

2. Open the Exchange Management Shell, and navigate to the Exchange scripts directory, which is by default C:\Program Files\Microsoft\Exchange Server\V15\Scripts.

3. Execute the following command:

.\Configure-EnterprisePartnerApplication.ps1 -AuthMetadataUrl https://abcsite.companyabc.com/_layouts/15/metadata/json/1 -ApplicationType sharepoint

4. If the command is successful, the script creates a disabled user account linked to the partner application, and assigns several Exchange management roles to the account to grant the required permissions.

On the SharePoint 2013 side, the Exchange Web Services Managed API V2.0 must first be installed, and then the New-SPTrustedSecurityTokenIssuer cmdlet is used to configure Exchange 2013 as a partner application for SharePoint. The default URL for the Exchange authentication metadata document is https://autodiscover.<domain>/autodiscover/metadata/json/1, where <domain> is the DNS domain of the Exchange systems. For example, the following procedure would be used to configure Exchange as a partner application for the companyabc.com SharePoint deployment:

1. Log on to a system where the SharePoint administrative tools are installed using an account that has SharePoint administrative rights.

2. Download Exchange Web Services Managed API V2.0 from the Microsoft Download Center, and install the software using the default installation options.

3. Open the SharePoint Management Shell, and execute the following series of commands:

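# Register Exchange as a trusted token issuer from its authentication metadata document
New-SPTrustedSecurityTokenIssuer -Name "Exchange" -MetadataEndPoint https://autodiscover.companyabc.com/autodiscover/metadata/json/1

# Update the security token service: metadata and OAuth are refused over plain HTTP
$sts = Get-SPSecurityTokenServiceConfig
$sts.HybridStsSelectionEnabled = $true
$sts.AllowMetadataOverHttp = $false
$sts.AllowOAuthOverHttp = $false
$sts.Update()

# Look up the app principal that represents Exchange on the site
$exchange = Get-SPTrustedSecurityTokenIssuer "Exchange"
$app = Get-SPAppPrincipal -Site https://abcsite.companyabc.com -NameIdentifier $exchange.NameId
$site = Get-SPSite https://abcsite.companyabc.com

# Grant that principal full control at site subscription scope, with app-only policy
Set-SPAppPrincipalPermission -AppPrincipal $app -Site $site.RootWeb -Scope sitesubscription -Right fullcontrol -EnableAppOnlyPolicy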
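
The following check is an added example, not part of the original text. Run in the SharePoint Management Shell after the procedure above, it confirms that the token service refuses HTTP, that the trusted issuer points at the expected HTTPS metadata document, and that the imported signing certificate is present and not close to expiry. It assumes the issuer object exposes the MetadataEndPoint and SigningCertificate properties shown in the cmdlet's output; the 30-day threshold is an arbitrary choice.

```powershell
# Added verification example (not from the book).
# Issuer name and metadata URL are the companyabc.com values used in the procedure.
$issuerName  = "Exchange"
$expectedUrl = "https://autodiscover.companyabc.com/autodiscover/metadata/json/1"
$findings    = @()

# 1. The security token service must refuse metadata and OAuth tokens over plain HTTP.
$sts = Get-SPSecurityTokenServiceConfig
if ($sts.AllowMetadataOverHttp) { $findings += "AllowMetadataOverHttp is enabled" }
if ($sts.AllowOAuthOverHttp)    { $findings += "AllowOAuthOverHttp is enabled" }

# 2. The trusted issuer must exist and point at the expected HTTPS metadata document.
$issuer = Get-SPTrustedSecurityTokenIssuer $issuerName -ErrorAction SilentlyContinue
if (-not $issuer) {
    $findings += "Trusted security token issuer '$issuerName' not found"
} else {
    # Assumption: MetadataEndPoint and SigningCertificate are properties of the issuer object.
    $endpoint = [Uri]$issuer.MetadataEndPoint
    if ($endpoint.Scheme -ne "https") {
        $findings += "Metadata endpoint is not HTTPS: $endpoint"
    }
    if ($endpoint.AbsoluteUri -ne $expectedUrl) {
        $findings += "Unexpected metadata endpoint: $endpoint"
    }

    # 3. The signing certificate imported from Exchange must be present and not near expiry.
    $cert = $issuer.SigningCertificate
    if (-not $cert) {
        $findings += "No signing certificate on issuer '$issuerName'"
    } elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "Signing certificate $($cert.Thumbprint) expires $($cert.NotAfter)"
    } else {
        # Print the thumbprint so it can be compared with the Exchange auth certificate.
        "Signing certificate: $($cert.Thumbprint), valid until $($cert.NotAfter)"
    }
}

# Report: one warning per finding, or a single pass line.
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    "Partner application trust checks passed."
}
```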
