Share Service Applications between Two SharePoint 2010 Farms

Written by Denis Stadler on . Posted in IT Pro & PowerShell

My test scenario is quite easy: I have two SharePoint farms in the same domain, sharing the same SQL 2008 R2 server. What I would like to do is to publish some of the service applications deployed on one of the farms and consume them on the other.
As the theory says (in this case the TechNet article :) Share service applications across farms), the following service applications can be shared between farms:

  • Business Data Connectivity
  • Managed Metadata
  • User Profile
  • Search
  • Secure Store
  • Web Analytics

In my example I would like to publish the Managed Metadata service on SPStaging and consume it on SPDev.

Exchange trust certificates between the farms

The primary objective is that two certificates from the consuming farm (SPDev) must be installed on the publishing farm (SPStaging): a root certificate and a security token service (STS) certificate.

In order to achieve it, the first step is to open the SharePoint 2010 Management Shell on the consuming farm and to run the following commands:

$rootCertificate = (Get-SPCertificateAuthority).RootCertificate
#Check the path for the export - C:\SPDevFarmRoot.cer
$rootCertificate.Export("Cert") | Set-Content C:\SPDevFarmRoot.cer -Encoding byte

$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
#Check the path for the export - C:\SPDevFarmSTS.cer
$stsCert.Export("Cert") | Set-Content C:\SPDevFarmSTS.cer -Encoding byte

Then the same operation is repeated on the publishing farm:

$rootCertificate = (Get-SPCertificateAuthority).RootCertificate
#Check the path for the export - C:\SPStagingFarmRoot.cer
$rootCertificate.Export("Cert") | Set-Content C:\SPStagingFarmRoot.cer -Encoding byte

$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
#Check the path for the export - C:\SPStagingFarmSTS.cer
$stsCert.Export("Cert") | Set-Content C:\SPStagingFarmSTS.cer -Encoding byte

It is now time to exchange the certificates: the files exported on the consuming farm are copied to the publishing farm, and the files exported on the publishing farm are copied to the consuming farm.

Establish trust on the consuming farm – SPDev

First, the publishing farm's root certificate is imported into the consuming farm. To do it, the following commands are typed in the SharePoint 2010 Management Shell:

#Check the path for the import - C:\SPStagingFarmRoot.cer
$trustCert = Get-PfxCertificate C:\SPStagingFarmRoot.cer
New-SPTrustedRootAuthority SPStaging -Certificate $trustCert

Establish trust on the publishing farm – SPStaging

Then, on the publishing farm, both the consuming farm's root certificate and its STS certificate must be imported. In the SharePoint 2010 Management Shell the following commands must be run:

#Check the path for the import - C:\SPDevFarmRoot.cer
$trustCert = Get-PfxCertificate C:\SPDevFarmRoot.cer
New-SPTrustedRootAuthority SPDev -Certificate $trustCert

#Check the path for the import - C:\SPDevFarmSTS.cer
$stsCert = Get-PfxCertificate C:\SPDevFarmSTS.cer
New-SPTrustedServiceTokenIssuer SPDev -Certificate $stsCert

If everything worked fine, in Central Administration – Security – Manage trust (under General Security) the other farm should be listed as trusted (consumer or provider).
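Checking the trust in Central Administration only shows that an entry with the right name exists. The script below is an added example (not code from the original post) that goes one step further and verifies that the certificate SharePoint stored under each trust name has the same thumbprint as the .cer file that was copied over, which catches a swapped or stale file before any token is ever accepted on the strength of it. It assumes the trust names (SPStaging, SPDev) and file paths used in the post.

```powershell
# Added example, not part of the original post: after the imports above, confirm that the
# trust objects SharePoint stored really carry the certificates exported on the other farm.
# Assumes the trust names (SPStaging, SPDev) and .cer paths used in the post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-CerThumbprint {
    # Thumbprint (SHA-1 hash of the DER bytes) of a .cer file on disk.
    param([Parameter(Mandatory = $true)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    return $cert.Thumbprint
}

function Test-FarmTrust {
    param(
        [Parameter(Mandatory = $true)][string]$TrustName,   # name given to New-SPTrustedRootAuthority
        [Parameter(Mandatory = $true)][string]$RootCerPath, # root .cer copied from the other farm
        [string]$StsCerPath                                  # STS .cer; only imported on the publishing farm
    )
    $ok = $true

    # The root authority must exist and its certificate must match the file we imported.
    $root = Get-SPTrustedRootAuthority -Identity $TrustName -ErrorAction SilentlyContinue
    if ($root -eq $null) {
        Write-Warning "No trusted root authority named '$TrustName'"
        $ok = $false
    }
    else {
        $expected = Get-CerThumbprint -Path $RootCerPath
        $actual   = $root.Certificate.Thumbprint
        if ($actual -ne $expected) {
            Write-Warning "Root authority '$TrustName': stored $actual, file $expected"
            $ok = $false
        }
        else {
            Write-Host "Root authority '$TrustName' OK ($actual), valid until $($root.Certificate.NotAfter)"
        }
    }

    # The token issuer is only expected where the consuming farm's STS certificate was imported.
    if ($StsCerPath) {
        $issuer = Get-SPTrustedServiceTokenIssuer -Identity $TrustName -ErrorAction SilentlyContinue
        if ($issuer -eq $null) {
            Write-Warning "No trusted service token issuer named '$TrustName'"
            $ok = $false
        }
        else {
            $expected = Get-CerThumbprint -Path $StsCerPath
            $actual   = $issuer.SigningCertificate.Thumbprint
            if ($actual -ne $expected) {
                Write-Warning "Token issuer '$TrustName': stored $actual, file $expected"
                $ok = $false
            }
            else {
                Write-Host "Token issuer '$TrustName' OK ($actual), valid until $($issuer.SigningCertificate.NotAfter)"
            }
        }
    }
    return $ok
}

# On the consuming farm (SPDev):
#   Test-FarmTrust -TrustName SPStaging -RootCerPath C:\SPStagingFarmRoot.cer
# On the publishing farm (SPStaging):
#   Test-FarmTrust -TrustName SPDev -RootCerPath C:\SPDevFarmRoot.cer -StsCerPath C:\SPDevFarmSTS.cer
```

The function also prints the NotAfter date of each stored certificate; the farm root and STS certificates expire, and a trust that silently lapses is the usual reason a cross-farm connection that "used to work" stops working.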

On the publishing farm – SPStaging, publish the Managed Metadata service application

On the SPStaging server, open the Service Applications page (Central Administration – Application Management – Manage Service Applications). Select the Managed Metadata Service (MMS) and press the Publish button on the ribbon.
Select the wanted Connection Type, tick the check box saying Publish this Service Application to other farms and copy the Published URL into a text editor. This URL must be provided to the remote farm (SPDev) to connect it to the published service application.

Set Application Discovery and Load Balancing Service Application permissions on the publishing farm

On the consumer farm (SPDev), the following PowerShell command must be run in order to find the Id of the farm:

Get-SPFarm | Select Id

Then in the SharePoint 2010 Management Shell of the publishing farm run the following commands:

$security=Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$claimprovider=(Get-SPClaimProvider System).ClaimProvider

#Replace b59fe8b6-fd58-49b3-bac2-97a7159489ae with your ID
#The claim type is the farm-id claim type used in the TechNet article this post follows
$principal=New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimprovider -ClaimValue b59fe8b6-fd58-49b3-bac2-97a7159489ae
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security

Set permissions on the published service application – Managed Metadata Service – for the consuming farm

First of all, Get-SPServiceApplication must be run in the SharePoint 2010 Management Shell in order to find out the Id of the service application that we want to publish (in this case the MMS).
Then the following commands must be run:

#Get the SA ID first (Get-SPServiceApplication, see above)

#Replace 8e90f039-8ed1-4974-b798-9da6b314806a with your Service ID
$security=Get-SPServiceApplication 8e90f039-8ed1-4974-b798-9da6b314806a | Get-SPServiceApplicationSecurity
$claimprovider=(Get-SPClaimProvider System).ClaimProvider

#Replace b59fe8b6-fd58-49b3-bac2-97a7159489ae with your Farm ID
#The claim type is the farm-id claim type used in the TechNet article this post follows
$principal=New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimprovider -ClaimValue b59fe8b6-fd58-49b3-bac2-97a7159489ae
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Access to Term Store"

Set-SPServiceApplicationSecurity 8e90f039-8ed1-4974-b798-9da6b314806a -ObjectSecurity $security

The permissions can always be checked from the Central Administration interface. The consumer farm should appear with full rights.
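The two permission steps above (topology service, then the published service application) are the same operation applied to two objects, so they are easy to wrap in one parameterised function. The block below is an added example (not code from the original post) that does that and adds a listing of the resulting access rules, so the grant can be reviewed from the shell rather than only in Central Administration. It assumes the farm-id claim type from the TechNet article the post follows, the right names "Full Control" and "Full Access to Term Store" from the post, the SharePoint 2010 SPObjectSecurity.AccessRules property for the listing, and uses the farm and service application Ids from the post as sample values.

```powershell
# Added example, not part of the original post: grant a consuming farm access to the topology
# service and to a published service application in one call, then list the access rules.
# Assumes the farm-id claim type from the TechNet article and the right names used in the post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$FarmIdClaimType = "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid"

function New-ConsumerFarmPrincipal {
    # Claims principal that represents the other farm (its Id from Get-SPFarm | Select Id).
    param([Parameter(Mandatory = $true)][Guid]$ConsumerFarmId)
    $claimProvider = (Get-SPClaimProvider System).ClaimProvider
    return New-SPClaimsPrincipal -ClaimType $FarmIdClaimType -ClaimProvider $claimProvider -ClaimValue $ConsumerFarmId.ToString()
}

function Grant-ConsumerFarmAccess {
    param(
        [Parameter(Mandatory = $true)][Guid]$ConsumerFarmId,
        [Parameter(Mandatory = $true)][Guid]$ServiceApplicationId,
        # MMS right names; "Read Access to Term Store" is enough for a consumer that only reads terms.
        [string]$ServiceApplicationRights = "Full Access to Term Store"
    )
    $principal = New-ConsumerFarmPrincipal -ConsumerFarmId $ConsumerFarmId

    # 1. Application Discovery and Load Balancing (topology) service: needed so the consumer
    #    can discover the published service applications at all.
    $topology     = Get-SPTopologyServiceApplication
    $topoSecurity = $topology | Get-SPServiceApplicationSecurity
    Grant-SPObjectSecurity -Identity $topoSecurity -Principal $principal -Rights "Full Control"
    $topology | Set-SPServiceApplicationSecurity -ObjectSecurity $topoSecurity

    # 2. The published service application itself, with only the right the consumer needs.
    $sa         = Get-SPServiceApplication -Identity $ServiceApplicationId
    $saSecurity = $sa | Get-SPServiceApplicationSecurity
    Grant-SPObjectSecurity -Identity $saSecurity -Principal $principal -Rights $ServiceApplicationRights
    $sa | Set-SPServiceApplicationSecurity -ObjectSecurity $saSecurity
}

function Show-ServiceApplicationAccess {
    # Lists who holds which rights on a service application; the consumer farm's claim
    # (farm Id as the claim value) should show up with the rights granted above.
    param([Parameter(Mandatory = $true)]$ServiceApplication)
    ($ServiceApplication | Get-SPServiceApplicationSecurity).AccessRules |
        Select-Object Name, AllowedRights | Format-Table -AutoSize
}

# On the publishing farm (SPStaging), with the Ids from the post as sample values:
#   Grant-ConsumerFarmAccess -ConsumerFarmId b59fe8b6-fd58-49b3-bac2-97a7159489ae -ServiceApplicationId 8e90f039-8ed1-4974-b798-9da6b314806a
#   Show-ServiceApplicationAccess (Get-SPTopologyServiceApplication)
#   Show-ServiceApplicationAccess (Get-SPServiceApplication -Identity 8e90f039-8ed1-4974-b798-9da6b314806a)
```

The default right on the service application is kept as "Full Access to Term Store" to match the post; the parameter is there because a consuming farm that only reads managed terms does not need write access to the publisher's term store, and the listing function makes it easy to see which farms hold which level.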

Connect to the remote service application from the consumer farm

On the SharePoint Central Administration web site, click Application Management, then Manage service applications, and then Connect on the ribbon.
Paste the copied Published URL and click OK. Select the remote service that becomes available and click OK.
The new service should now be available in the Service Applications list.
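Both ribbon actions, Publish on SPStaging and Connect on SPDev, have PowerShell equivalents, which is handy when the same connection has to be rebuilt on several farms. The block below is an added example (not code from the original post) showing them, together with a listing of what the publishing farm offers that doubles as a check that the trust and topology-service permission from the previous steps work. It assumes the service application Id from the post, a hypothetical server name (spstaging) for the topology service URL, and the Uri property of the service application object as the value shown as Published URL.

```powershell
# Added example, not part of the original post: scripted equivalents of the Publish (SPStaging)
# and Connect (SPDev) ribbon actions. Server name "spstaging" is hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Publishing farm (SPStaging) ---
function Publish-ServiceApplicationToFarms {
    param([Parameter(Mandatory = $true)][Guid]$ServiceApplicationId)
    $sa = Get-SPServiceApplication -Identity $ServiceApplicationId
    Publish-SPServiceApplication -Identity $sa
    # The address shown as "Published URL" in the Publish dialog; hand this to the consumer.
    return $sa.Uri.AbsoluteUri
}

# --- Consuming farm (SPDev) ---
function Get-PublishedServiceApplications {
    # Asks the publishing farm's topology service what it offers to this farm. An empty or
    # failing result here points at the trust or the topology-service permission, not at MMS.
    param([Parameter(Mandatory = $true)][string]$TopologyServiceUrl)
    return Receive-SPServiceApplicationConnectionInfo -FarmUrl $TopologyServiceUrl
}

function Connect-RemoteManagedMetadataService {
    param(
        [Parameter(Mandatory = $true)][string]$PublishedUri,   # value returned by the publishing side
        [string]$ProxyName = "Managed Metadata Service (SPStaging)"
    )
    # The proxy is the consumer-side object that Central Administration creates on Connect;
    # -DefaultProxyGroup makes it available to the web applications in the default group.
    return New-SPMetadataServiceApplicationProxy -Name $ProxyName -Uri $PublishedUri -DefaultProxyGroup
}

# On SPStaging:
#   $publishedUri = Publish-ServiceApplicationToFarms -ServiceApplicationId 8e90f039-8ed1-4974-b798-9da6b314806a
# On SPDev (hypothetical host name; 32844 is the default SharePoint web services HTTPS port):
#   Get-PublishedServiceApplications -TopologyServiceUrl "https://spstaging:32844/Topology/topology.svc"
#   Connect-RemoteManagedMetadataService -PublishedUri $publishedUri
```

After the proxy is created it appears in the Service Applications list exactly as it does after the Connect dialog, and the same Set permissions step from the previous section decides what the consuming farm may do with the term store.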


Denis Stadler

I'm a technology enthusiast, with more than 10 years of experience in SharePoint and Dynamics CRM projects. To find more details, please visit the about me page.