Today I tried to configure search between two SharePoint 2016 farms.

All of the work was relatively easy. I published my search service within one farm, then I connected from the other farm, and all was easy.

Then I added a search result web part and created a result source, but my web parts kept giving me:

1 ¾ System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.SharePoint.Client.SPWebRequestExecutor.Execute()
   at Microsoft.SharePoint.Client.ClientContext.GetFormDigestInfoPrivate()
   at Microsoft.SharePoint.Client.ClientContext.EnsureFormDigest()
   at Microsoft.SharePoint.Client.ClientContext.ExecuteQuery()
   at Microsoft.Office.Server.Search.RemoteSharepoint.RemoteSharepointEvaluator.RemoteSharepointProducer.RetrieveDataFromRemoteServer(Object unused)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at Microsoft.Office.Server.Search.RemoteSharepoint.RemoteSharepointEvaluator.RemoteSharepointProducer.ProcessRecordCore(IRecord record)

A bit of a strange error, starting with 1¾, but this does make it easier to find the error with Google or Bing, as the rest of the message is quite generic.

While searching I came across the following SharePoint 2013 article:

Configure server-to-server authentication between publishing and consuming farms

The important clue: ConsumeHostName is the name and port of any SSL-enabled web application of the consuming farm

So I added self-signed certs to my application and still had no luck as I tried to set up my trust on my farm using the following script:

Add-PSSnapin "Microsoft.SharePoint.PowerShell"

Set-SPAuthenticationRealm -Realm "dev3dev2realmname"
$sts = Get-SPSecurityTokenServiceConfig
$Realm = Get-SPAuthenticationRealm
$nameId = "00000003-0000-0ff1-ce00-000000000000@$Realm"   # SharePoint application principal ID @ realm
Write-Host "Setting STS NameId to $nameId"
$sts.NameIdentifier = $nameId
$sts.Update()   # persist the new NameIdentifier on the STS configuration

New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://myhost.mycomp.co.uk/_layouts/15/metadata/json/1" -Name "sp2016dev3"
Setting STS NameId to 00000003-0000-0ff1-ce00-000000000000@dev3dev2realmname

I kept getting:

New-SPTrustedSecurityTokenIssuer : The underlying connection was closed: An unexpected error occurred on a send.

and

New-SPTrustedSecurityTokenIssuer : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

 

The solution was simple in the end.

Instead of using self-signed certs, I put a proper wildcard certificate in place and everything suddenly started working.
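
A check that can be run on the server before calling New-SPTrustedSecurityTokenIssuer, to see whether that server trusts the certificate presented by the metadata endpoint. This is an added example, not part of the original post: the function name Test-MetadataEndpointCertificate is hypothetical, and the host name is the sample value from the script above.

```powershell
# Added example. Run it on the server that will call New-SPTrustedSecurityTokenIssuer.
function Test-MetadataEndpointCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )

    $state = @{ PolicyErrors = $null; ChainStatus = @() }

    # Let the handshake complete so the certificate can be inspected, but
    # record exactly what normal validation would have rejected.
    $callback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        $state.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        return $true
    }.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback] $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                SelfSigned   = ($cert.Subject -eq $cert.Issuer)
                NotAfter     = $cert.NotAfter
                PolicyErrors = $state.PolicyErrors   # None, or name mismatch / chain errors
                ChainStatus  = $state.ChainStatus -join ', '
                Trusted      = ($state.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

# Host name taken from the MetadataEndpoint URL in the script above.
Test-MetadataEndpointCertificate -HostName 'myhost.mycomp.co.uk'
```

A result with Trusted set to False and a ChainStatus such as UntrustedRoot corresponds to the "Could not establish trust relationship for the SSL/TLS secure channel" error shown above.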
