Cross-certifying Groove Server Manager domains


Applies to: Groove Server 2010

Topic Last Modified: 2010-02-11

The following procedure shows how to set up cross-domain certification between two Groove Server Manager domains. This configuration allows members from another management domain to collaborate with your Groove workspace users. The Groove Server Manager cross certification policy lets you extend trusted collaboration beyond a single management domain, to other management domains that may or may not belong to your organization. The Groove Server Manager and Groove clients rely on a native Public Key Infrastructure (PKI) authentication scheme to support cross certification.

These procedures require that Groove Server Manager is installed as described in Install and configure Groove Server 2010 Manager.

In this article:

  • Exchanging management domain certificates

  • Viewing and deleting cross-certified domains

Exchanging management domain certificates

Typically, cross-domain certification applies to two domains, where each sets up a trust relationship with the other for Microsoft SharePoint Workspace users in Groove workspaces. This process has two parts: you send your domain certificate to the administrator of another domain so that external domain members can establish trust with your domain, and you import a certificate from the external domain. You can also set up cross certification in one direction only, where one certificate is sent from one domain administrator to another.

Once cross certification is in place, SharePoint Workspace contact lists use text color to distinguish SharePoint Workspace user identities from the cross-certified domain. Note that this process does not prevent certified and uncertified SharePoint Workspace users from communicating but simply informs users of the certification status of their contacts. You can strengthen security by setting an identity policy that controls how certified users in your domain interact with uncertified users, as described in Setting SharePoint Workspace user verification policy.


Cross certification is appropriate only when administrators from cooperating domains trust each other to the extent of maintaining secure and correct bindings between each other’s user public keys and contact information.

To exchange cross-certified domain certificates

  1. Log on to the Groove Server Manager administrative Web site and click the management domain in the navigation pane.

  2. Click the Domain Properties tab.

  3. In the Cross Certification section of the page, click the Export Certificate button to export the certificate (that contains the domain public key) for your management domain. A File Download pop-up window appears.

  4. Click the Save option, and then click OK. A Save As pop-up window appears.

  5. Accept the path and default name of the certificate file (such as domain1.cer) or edit the entries, and then click OK. This saves the local domain certificate file in a local directory. This is the file that each administrator sends the other in order to set up cross-domain management.

  6. Open the directory of your local certificate file, copy the file, and send it via e-mail or Groove workspace to the administrator of the remote domain.

  7. Request the remote administrator to send you a Groove Server Manager domain certificate by performing the procedure previously described.

  8. When you receive a certificate from the remote administrator, save it in a directory on your local computer.

  9. Authenticate the remote domain as follows:

    1. Contact the remote administrator by telephone or in person and make sure that you trust the person whom you are contacting.

    2. View the certificate that you received by opening the Windows Certificate Viewer, double-clicking the.cer file, and checking the certificate’s digital fingerprint (the certificate's hash or “thumbprint” as shown in the Windows Certificate Viewer). Ask the remote administrator to do the same and to report the fingerprint. It should match what you see on your screen. Then, reverse the procedure and report your certificate’s fingerprint to the remote administrator.

  10. Return to the Cross Domain Certification section on the Domain Properties page and then click the Add Certificate button. The cross certification pop-up window appears.

  11. In the File location field, browse to the remote administrator’s .cer file on your computer.

  12. Optionally, if the domain is in your organization, select The domain is in the organization. Text color distinguishes SharePoint Workspace user identities from cross-certified domains that are within your organization.

  13. Click OK.

  14. Consider setting a user verification policy, as described in Setting SharePoint Workspace user verification policy.

Viewing and deleting cross-certified domain certificates

You can review and delete cross-certified domain certificates as described in the following procedure.

To view or delete cross-certified domain certificates

  1. Log on to the Groove Server Manager administrative Web site and click management domain in the navigation pane.

  2. Click the Domain Properties tab.

  3. In the Cross Domain Certification section of the page, review your cross-certified domains below the Export and Add buttons. You can click the certificate entry to view certificate details, including the installation path.

  4. To delete a cross-certified domain certificate, click the Delete option after the certificate entry.