To allow a service application to be consumed by remote farms, you must exchange trust
certificates between the two farms, explicitly publish the service
application on the farm where it resides (the publishing farm), and explicitly connect
to it from the farm that uses it (the consuming farm).
You use the
SharePoint Central Administration website to publish a cross-farm
service application. Publishing a cross-farm service application therefore entails
three steps. First,
you exchange trust
certificates with the remote farm; then you explicitly publish the service
application; and finally you explicitly connect the service application on the consuming farm.
1. Step 1: Exchange Trust Certificates with the Remote Farm
In the first step of
publishing service applications to remote farms, you export the root
certificate and the STS certificate from the consuming farm and the root
certificate from the publishing farm, copy those certificates to the other farm,
and then import them to establish trust on each farm. The trusted root authorities
let each farm validate certificates issued by the other farm's SharePoint root
authority; the trusted service token issuer lets the publishing farm accept
security tokens signed by the consuming farm's security token service (STS).
Only the public part of each certificate is exported, so the .cer files contain no private keys.
1.1. Exporting the Root Certificate from the Consuming Farm
To export the root certificate from the consuming farm, complete the following steps.
On
a server in the consuming farm that is running SharePoint 2010, verify
that you meet the following minimum requirements: you are a member of
the SharePoint_Shell_Access role on the configuration database and a
member of the WSS_ADMIN_WPG local group on the computer where SharePoint
2010 Products is installed (see Figure 1).
On the Start menu, click Administrative Tools.
Click SharePoint 2010 Management Shell.
At
the Windows PowerShell command prompt (that is, PS C:\>), type each
of the following commands, pressing Enter after each command. Replace
<C:\ConsumingFarmRoot.cer> with the path of the root certificate, as illustrated in the example in Figure 2.
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content <C:\ConsumingFarmRoot.cer> -Encoding byte
1.2. Exporting the STS Certificate from the Consuming Farm
To export the STS
certificate from the consuming farm, go to the Windows PowerShell
command prompt and type the following commands, pressing Enter after
each command. Replace <C:\ConsumingFarmSTS.cer> with the path of the STS certificate, as illustrated in the example in Figure 3.
$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$stsCert.Export("Cert") | Set-Content <C:\ConsumingFarmSTS.cer> -Encoding byte
1.3. Exporting the Root Certificate from the Publishing Farm
To export the root certificate from the publishing farm, complete the following steps.
On
a server that is running SharePoint 2010 on the publishing farm, verify
that you meet the following minimum requirements: You are a member of
the SharePoint_Shell_Access role on the configuration database and a
member of the WSS_ADMIN_WPG local group on the computer where SharePoint
2010 Products is installed.
On the Start menu, click Administrative Tools.
Click SharePoint 2010 Management Shell.
At the Windows PowerShell command prompt, type the following commands, pressing Enter after each command. Replace <C:\PublishingFarmRoot.cer> with the path of the root certificate, as illustrated in the example shown in Figure 4.
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content <C:\PublishingFarmRoot.cer> -Encoding byte
1.4. Copying the Exported Certificates
Copy the root certificate and the STS certificate from the server in the consuming farm to the server in the publishing farm. Copy the root certificate from the server in the publishing farm to the server in the consuming farm. Use a channel you control for the copy, and compare each certificate's thumbprint on the exporting and importing farms before you import it: a farm that imports a substituted root or STS certificate will trust the services and tokens of whoever holds the matching private key.
1.5. Establishing Trust on the Consuming Farm
To establish trust on the consuming farm, you must import the root certificate that was copied from the publishing farm and create a trusted root authority.
1.6. Importing the Root Certificate and Creating a Trusted Root Authority on the Consuming Farm
To import the root
certificate and create a trusted root authority on the consuming farm,
go to the Windows PowerShell command prompt on a server in the consuming
farm and type the following commands, pressing Enter after each
command. Replace <C:\PublishingFarmRoot.cer> with the path of the root certificate that you copied to the consuming farm from the publishing farm and replace <PublishingFarm> with a unique name that identifies the publishing farm, as illustrated in the example in Figure 5. Each trusted root authority must have a unique name.
$trustCert = Get-PfxCertificate <C:\PublishingFarmRoot.cer>
New-SPTrustedRootAuthority <PublishingFarm> -Certificate $trustCert
1.7. Establishing Trust on the Publishing Farm
To establish trust on the publishing farm, you must import the root certificate that was copied from the consuming farm and create a trusted root
authority. You must then import the STS certificate that was copied
from the consuming farm and create a trusted service token issuer.
1.8. Importing the Root Certificate and Creating a Trusted Root Authority on the Publishing Farm
To import the root
certificate and create a trusted root authority on the publishing farm,
go to the Windows PowerShell command prompt on a server in the
publishing farm and type the following commands, pressing Enter after
each command. Replace <C:\ConsumingFarmRoot.cer>
with the name and location of the root certificate that you copied to
the publishing farm from the consuming farm and replace <ConsumingFarm> with a unique name that identifies the consuming farm, as illustrated in the example in Figure 6. Each trusted root authority must have a unique name.
$trustCert = Get-PfxCertificate <C:\ConsumingFarmRoot.cer>
New-SPTrustedRootAuthority <ConsumingFarm> -Certificate $trustCert
1.9. Importing the STS Certificate and Creating a Trusted Service Token Issuer on the Publishing Farm
To import the STS
certificate and create a trusted service token issuer on the publishing
farm, go to the Windows PowerShell command prompt on a server in the
publishing farm and type the following commands, pressing Enter after
each command. Replace <C:\ConsumingFarmSTS.cer> with the path of the STS certificate that you copied to the publishing farm from the consuming farm and replace <ConsumingFarm> with a unique name that identifies the consuming farm, as illustrated in the example in Figure 7. Each trusted service token issuer must have a unique name.
$stsCert = Get-PfxCertificate <C:\ConsumingFarmSTS.cer>
New-SPTrustedServiceTokenIssuer <ConsumingFarm> -Certificate $stsCert
1.10. Granting the Consuming Farm Access to the Application Discovery and Load Balancer Service Application
After establishing the trusts, you must grant the consuming farm access to the
Application Discovery and Load Balancer Service Application on the publishing farm. This service is
also known as the Topology Service. It tells other farms which service applications are published and
where to reach them, so a consuming farm that has no rights on it cannot discover the cross-farm service applications.
First,
you must get the farm ID of the consuming farm. Use the following
Windows PowerShell command on the consuming farm to obtain it, as shown in Figure 8.
(Get-SPFarm).Id
After obtaining the farm ID of the consuming farm, go to the publishing
farm and grant that farm ID rights on the Topology Service so that the
service is available to the consuming farm. To do this, use the following Windows PowerShell
commands (as shown in Figure 9).
$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimProvider -ClaimValue <farmid from previous command>
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
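The following script is an added example and is not part of the original text. It checks the result of Step 1 on whichever farm it is run: it verifies that each exported .cer file contains a public certificate only (section 1.4), that the trusted root authorities and trusted service token issuer created in sections 1.6 to 1.9 hold exactly the certificates that were copied over, and, on the publishing farm, that the consuming farm's ID has rights on the Topology Service (section 1.10) and that no unexpected principal does. The trust names and file paths are the ones used in this section; the property names Name and AllowedRights on the topology service's access rules are assumed.

```powershell
# Added example, not part of the original text: audit the trusts created in Step 1.
# Run it in the SharePoint 2010 Management Shell on the farm being checked.
# Assumptions: trust names and .cer paths are the ones used in this section; the
# access rules on the Topology Service expose Name and AllowedRights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PublicCertThumbprint {
    param([Parameter(Mandatory = $true)][string]$Path)
    # A file written with Export("Cert") holds the public certificate only, so a
    # private key in the file means the wrong thing was exported or copied.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($cert.HasPrivateKey) {
        throw "$Path contains a private key; only public .cer files should be exchanged between farms."
    }
    Write-Host ("{0}: subject={1} thumbprint={2}" -f $Path, $cert.Subject, $cert.Thumbprint)
    return $cert.Thumbprint
}

function Test-SPCrossFarmTrust {
    param(
        [hashtable]$RootAuthorities = @{},  # trusted root authority name -> imported .cer path
        [hashtable]$TokenIssuers   = @{},   # trusted service token issuer name -> imported .cer path
        [string]$ConsumingFarmId            # set only on the publishing farm
    )
    $ok = $true

    foreach ($name in $RootAuthorities.Keys) {
        $expected  = Get-PublicCertThumbprint $RootAuthorities[$name]
        $authority = Get-SPTrustedRootAuthority -Identity $name -ErrorAction SilentlyContinue
        if ($authority -eq $null) {
            Write-Warning "Trusted root authority '$name' does not exist."; $ok = $false; continue
        }
        if ($authority.Certificate.Thumbprint -ne $expected) {
            Write-Warning "Trusted root authority '$name' holds a different certificate than $($RootAuthorities[$name])."
            $ok = $false
        }
    }

    foreach ($name in $TokenIssuers.Keys) {
        $expected = Get-PublicCertThumbprint $TokenIssuers[$name]
        $issuer   = Get-SPTrustedServiceTokenIssuer -Identity $name -ErrorAction SilentlyContinue
        if ($issuer -eq $null) {
            Write-Warning "Trusted service token issuer '$name' does not exist."; $ok = $false; continue
        }
        if ($issuer.SigningCertificate.Thumbprint -ne $expected) {
            Write-Warning "Token issuer '$name' signs with a different certificate than $($TokenIssuers[$name])."
            $ok = $false
        }
    }

    if ($ConsumingFarmId) {
        # Publishing farm only: the Topology Service ACL should name the consuming farm's
        # ID (the claim value is part of the rule name) and nothing you do not recognize.
        $security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
        $rules    = @($security.AccessRules)
        $granted  = @($rules | Where-Object { $_.Name -like "*$ConsumingFarmId*" })
        if ($granted.Count -eq 0) {
            Write-Warning "Farm ID $ConsumingFarmId has no rights on the Topology Service."; $ok = $false
        }
        foreach ($rule in $rules) {
            if ($rule.Name -notlike "*$ConsumingFarmId*") {
                Write-Warning "Review: Topology Service also grants '$($rule.AllowedRights)' to '$($rule.Name)'."
            }
        }
    }
    return $ok
}

# On the consuming farm:
# Test-SPCrossFarmTrust -RootAuthorities @{ "PublishingFarm" = "C:\PublishingFarmRoot.cer" }
# On the publishing farm:
# Test-SPCrossFarmTrust -RootAuthorities @{ "ConsumingFarm" = "C:\ConsumingFarmRoot.cer" } `
#     -TokenIssuers @{ "ConsumingFarm" = "C:\ConsumingFarmSTS.cer" } -ConsumingFarmId "<farm ID>"
```

The function returns $true only when every named trust exists and matches the file it was imported from; extra principals on the Topology Service are reported for review rather than treated as failures, because the script cannot know which other farms are intended to consume from this one.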
2. Step 2: Explicitly Publish the Service Application
In step 1, you saw how to set up the exchange of trust certificates between the consuming and publishing
farms. Now you must publish the service application that you want to
have the consuming farm connect to in step 3. To publish the service
application, follow these steps.
Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.
Open a browser and go to the SharePoint Central Administration website.
Under Application Management, click Manage Service Applications.
Select
the row that contains the service application that you want to publish.
Notice that after you select a service application, the commands on the
Ribbon become available.
Click Publish on the Ribbon to open the Publish Service Application screen.
The Publish Service Application dialog box allows you to configure the service application as follows.
Select the Connection Type that you want from the drop-down list.
Select
the check box for Publish This Service Application To Other Farms to
allow the service application to be consumed by other farms.
Under Trusted Farms, click the Click Here To Add A Trust Relationship With Another Farm link to edit or add certificates.
Note:
Step 1 in this section added the certificates through Windows PowerShell.
Copy
the published URL into Notepad or another text editor. You must provide
this URL to remote farms to connect the remote farms to the published
service application. The URL will be similar to this: urn:schemas-microsoft-com:sharepoint:service:9c1870b7ee97445888d9e846519cfa27#authority=urn:uuid:02a493b92a5547828e21386e28056cba&authority=https://ua_powershell:32844/Topology/topology.svc.
You can optionally provide descriptive text and a link to a Web page that will be visible to administrators of remote farms.
After you have specified the publication options that you want, click OK to publish the service application.
3. Step 3: Explicitly Connect the Service Application
After you have exchanged trust certificates between the publishing and consuming farms and explicitly
published the service application, you must connect to the service
application from the consuming farm to complete the process of publishing a service application to remote farms.
Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.
Open a browser and go to the SharePoint Central Administration website.
Under Application Management, click Manage Service Applications.
Select the Connect option on the Ribbon and choose the service you want to connect to, as shown in Figure 10.
In
the Connect To A Remote Service Application dialog box, enter the farm or service
address URL and then click OK. This is the URL that was displayed in the Published URL
section when you published the service application, as shown in Figure 11.
As shown in Figure 12, you will see the service application and its availability.
Next,
select the service application and click OK. If you do not want the connection
added to the farm's default proxy list, clear the check box, as shown in Figure 13.
Next, create a unique name for your cross-farm service application and click OK.
A
summary screen appears, telling you that you have successfully
connected to a remote service application. Click OK. The service
application will appear at the end of the list of service applications.
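The following script is an added example and is not part of the original text. It performs Steps 2 and 3 with Windows PowerShell instead of Central Administration, for a Managed Metadata service application named "Managed Metadata Service" (an assumed name). It also includes one step this section does not list: granting the consuming farm's ID rights on the published service application itself, because the Topology Service grant in Step 1 only lets the remote farm discover what is published. The published URL is assumed to be readable from the service application's Uri property; if it is not, copy it from the Published URL section of the Publish dialog instead.

```powershell
# Added example, not part of the original text: Steps 2 and 3 in Windows PowerShell.
# Run the first part in the publishing farm's SharePoint 2010 Management Shell and the
# second part in the consuming farm's. The service application name is assumed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# ----- Publishing farm -----
$consumingFarmId = "<farm ID from (Get-SPFarm).Id on the consuming farm>"
$app = Get-SPServiceApplication | Where-Object { $_.Name -eq "Managed Metadata Service" }
if ($app -eq $null) { throw "Service application not found." }

# Step 2: same effect as selecting the application and clicking Publish on the Ribbon.
Publish-SPServiceApplication -Identity $app

# Authorize the consuming farm on this service application. Each published application
# keeps its own ACL, and right names are specific to the application type: the valid
# names are the ones its Permissions page in Central Administration lists.
$security = Get-SPServiceApplicationSecurity -Identity $app
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" `
    -ClaimProvider $claimProvider -ClaimValue $consumingFarmId
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Access to Term Store"
Set-SPServiceApplicationSecurity -Identity $app -ObjectSecurity $security

# The published URL to hand to the consuming farm (assumed to be the application's Uri,
# the same urn:schemas-microsoft-com:sharepoint:service:... value the Publish dialog shows).
Write-Host "Published URL: $($app.Uri.AbsoluteUri)"

# ----- Consuming farm -----
$publishedUrl = "<published URL copied from the publishing farm>"

# Step 3, first screen: ask the remote Topology Service what it publishes. This call only
# succeeds once the certificate trusts and the Topology Service grant from Step 1 exist.
Receive-SPServiceApplicationConnectionInfo -FarmUrl $publishedUrl

# Step 3, second screen: create the proxy for the remote application and add it to the
# farm's default proxy group (equivalent to leaving the proxy-list check box selected).
New-SPMetadataServiceApplicationProxy -Name "Managed Metadata Service (remote)" `
    -Uri $publishedUrl -DefaultProxyGroup
```

The proxy cmdlet differs per service application type (each type has its own New-SP...ServiceApplicationProxy cmdlet that accepts -Uri); the rest of the sequence is the same for any published application.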