Applies to: Exchange Server 2013

Topic Last Modified: 2013-01-15

Microsoft Exchange Server 2013 includes features that work with Microsoft SharePoint Server 2013 and Microsoft Lync Server 2013, known as partner applications. To make sure these partner applications can access each other’s resources, you need to configure server-to-server authentication.

This topic shows you how to configure server-to-server authentication between Exchange 2013 and SharePoint 2013 so users can use the eDiscovery Center in SharePoint 2013 to search Exchange Server 2013 mailbox content. To fully enable this functionality, you must complete additional steps in SharePoint 2013. For details, see Configure eDiscovery in SharePoint 2013.

What do you need to know before you begin?

  • Estimated time to complete this task: 30 minutes.

  • Procedures in this topic require specific permissions. See each procedure for its permissions information.

  • Exchange 2013 and SharePoint 2013 must be installed in the same domain or the same forest.

  • The SharePoint 2013 site must be configured to use Secure Sockets Layer (SSL).

  • The Exchange Web Services Managed API must be installed on every server that is running SharePoint 2013. Reset Internet Information Server after installation.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard Shortcuts in the Exchange Admin Center.


How do you do this?

Step 1: Configure server-to-server authentication for Exchange 2013 on a server running SharePoint Server 2013

Run the following command to create Exchange 2013 as a trusted security token issuer in SharePoint 2013.

# Run in the SharePoint 2013 Management Shell. The metadata endpoint is read over HTTPS,
# so SharePoint must trust the certificate presented by the Exchange server at that URL.
New-SPTrustedSecurityTokenIssuer -Name Exchange -MetadataEndPoint https://<Exchange Server Name or FQDN>/autodiscover/metadata/json/1

Run the following commands to grant the Exchange service principal full control permissions to SharePoint site subscription.

# Select the issuer created above by name, so the command still works if other issuers are registered.
$exchange = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq "Exchange" }
# Resolve the Exchange app principal in the site by the issuer's name identifier.
$app = Get-SPAppPrincipal -Site http://<SharePoint ServerName> -NameIdentifier $exchange.NameId
$site = Get-SPSite http://<SharePoint ServerName>
# Full control at site-subscription scope, app-only: Exchange can call SharePoint without a user context.
Set-SPAppPrincipalPermission -AppPrincipal $app -Site $site.RootWeb -Scope sitesubscription -Right fullcontrol -EnableAppOnlyPolicy
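The same Step 1 configuration as a re-runnable function, added here as an example rather than taken from this topic. It is meant for the SharePoint 2013 Management Shell on the SharePoint server, reuses an existing issuer instead of failing on a second run, prints the signing certificate SharePoint now trusts so it can be compared against the Exchange server's auth certificate, and reads the permission back after granting it. The function name, the host names in the usage line and the use of the issuer's SigningCertificate property are assumptions, not part of the documented procedure.

```powershell
function Register-ExchangeAsTrustedIssuer {
    param(
        [Parameter(Mandatory = $true)][string]$ExchangeFqdn,   # FQDN of an Exchange 2013 CAS (placeholder)
        [Parameter(Mandatory = $true)][string]$SiteUrl,        # root site collection URL (placeholder)
        [string]$IssuerName = 'Exchange'
    )

    # Load the SharePoint cmdlets when not already running in the SharePoint Management Shell.
    if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell
    }

    # Metadata is fetched over HTTPS; SharePoint must trust the certificate at this endpoint.
    $metadata = "https://$ExchangeFqdn/autodiscover/metadata/json/1"

    # Re-runnable: reuse the issuer if Step 1 has already been completed on this farm.
    $issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $IssuerName }
    if ($null -eq $issuer) {
        $issuer = New-SPTrustedSecurityTokenIssuer -Name $IssuerName -MetadataEndPoint $metadata
    }

    # Assumed property: the token-signing certificate SharePoint imported from the metadata.
    # Record the thumbprint and expiry; compare them with the Exchange auth certificate.
    $cert = $issuer.SigningCertificate
    $summary = 'Issuer {0}: NameId={1} Thumbprint={2} NotAfter={3}' -f $issuer.Name, $issuer.NameId, $cert.Thumbprint, $cert.NotAfter
    Write-Host $summary

    # Grant the Exchange app principal full control at site-subscription scope, app-only (no user context).
    $site = Get-SPSite $SiteUrl
    $app  = Get-SPAppPrincipal -Site $SiteUrl -NameIdentifier $issuer.NameId
    Set-SPAppPrincipalPermission -AppPrincipal $app -Site $site.RootWeb -Scope sitesubscription -Right fullcontrol -EnableAppOnlyPolicy

    # Read the grant back so the change is visible and can be recorded.
    Get-SPAppPrincipalPermission -AppPrincipal $app -Site $site.RootWeb
}

# Usage (constructed placeholder values):
Register-ExchangeAsTrustedIssuer -ExchangeFqdn 'exchange.contoso.example' -SiteUrl 'https://sharepoint.contoso.example'
```

The thumbprint printed here is the one SharePoint will accept tokens from; if it does not match the certificate the Exchange organization uses for OAuth, SharePoint has trusted the wrong endpoint and the issuer should be removed before continuing.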

Step 2: Configure server-to-server authentication for SharePoint 2013 on a server running Exchange 2013

Perform this step on an Exchange 2013 server. You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Partner applications - configure" entry in the Sharing and Collaboration Permissions topic.

Run this command to configure the SharePoint partner application.

# Run in the Exchange Management Shell on the Exchange 2013 server.
cd "C:\Program Files\Microsoft\Exchange Server\V15\Scripts"
# The SharePoint 2013 auth metadata URL has the form https://<SharePoint FQDN>/_layouts/15/metadata/json/1
.\Configure-EnterprisePartnerApplication.ps1 -AuthMetadataUrl <path to SharePoint AuthMetadataUrl> -ApplicationType SharePoint

Step 3: Add authorized users to the Discovery Management role group

Add users who need to perform an eDiscovery search using SharePoint 2013 to the Discovery Management role group in Exchange 2013. For details, see Add a User to the Discovery Management Role Group.

Caution:
Adding users to the Discovery Management role group allows them to use In-Place eDiscovery to search all Exchange 2013 mailboxes and access potentially sensitive email content in user mailboxes. By default, this permission isn’t assigned to any user, including members of the Organization Management role group. Check with your organization’s legal or HR departments before assigning this permission to any user.
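Steps 2 and 3 together as an added example for the Exchange Management Shell; this is not code from the topic or from the Exchange scripts folder. The first function runs the documented Configure-EnterprisePartnerApplication.ps1 script, shows the partner application Exchange now trusts, and runs Test-OAuthConnectivity against the SharePoint site. The second adds approved reviewers to Discovery Management, lists the resulting membership, and pulls the admin audit log entries for the change so the grant is recorded. The function names, the host names and mailbox in the usage lines, and the choice of the Generic service type for the connectivity test are assumptions.

```powershell
function Register-SharePointPartnerApplication {
    param(
        [Parameter(Mandatory = $true)][string]$SharePointFqdn,  # SharePoint 2013 web application host (placeholder)
        [Parameter(Mandatory = $true)][string]$TestMailbox      # mailbox used for the OAuth connectivity test
    )

    # SharePoint 2013 publishes its auth metadata at this path (the AuthMetadataUrl of Step 2).
    $authMetadataUrl = "https://$SharePointFqdn/_layouts/15/metadata/json/1"

    # $exscripts is defined by the Exchange Management Shell and points to the V15\Scripts folder.
    $script = Join-Path $exscripts 'Configure-EnterprisePartnerApplication.ps1'
    & $script -AuthMetadataUrl $authMetadataUrl -ApplicationType SharePoint

    # Show what Exchange now trusts: the partner application, its identifier and the metadata source.
    Get-PartnerApplication |
        Where-Object { $_.AuthMetadataUrl -eq $authMetadataUrl } |
        Format-List Name, ApplicationIdentifier, Enabled, AuthMetadataUrl

    # End-to-end check: Exchange obtains a token for the SharePoint site and calls it.
    # -Verbose prints each step, which is what you need when the trust is misconfigured.
    Test-OAuthConnectivity -Service Generic -TargetUri "https://$SharePointFqdn" -Mailbox $TestMailbox -Verbose
}

function Grant-DiscoverySearch {
    param(
        [Parameter(Mandatory = $true)][string[]]$Users   # identities (alias or UPN) of approved reviewers
    )

    # Discovery Management is empty by default; membership is what gates organization-wide mailbox search.
    foreach ($user in $Users) {
        Add-RoleGroupMember -Identity 'Discovery Management' -Member $user
    }

    # Review the resulting membership; keep it to the approved reviewers only.
    Get-RoleGroupMember -Identity 'Discovery Management' | Select-Object Name, RecipientType

    # Admin audit logging records role group changes; entries can take a short time to appear.
    Search-AdminAuditLog -Cmdlets Add-RoleGroupMember -StartDate (Get-Date).AddDays(-1) |
        Select-Object RunDate, Caller, ObjectModified, Succeeded
}

# Usage (constructed placeholder values):
Register-SharePointPartnerApplication -SharePointFqdn 'sharepoint.contoso.example' -TestMailbox 'reviewer@contoso.example'
Grant-DiscoverySearch -Users 'reviewer@contoso.example'
```

Keeping the membership listing and the audit log query next to the grant makes the review step part of the procedure rather than an afterthought: anyone added here can search every mailbox in the organization, so the list should match the approval obtained from legal or HR.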