SharePoint 2010 : Publishing Service Applications to Remote Farms

3/13/2011 3:34:39 PM

To allow service applications to be consumed by remote farms, you must exchange trust certificates with the remote farm, explicitly publish the service application on the farm that it resides on, and explicitly connect the service application on the farm that is consuming it.

You use the SharePoint Central Administration website to publish a cross-farm service application. Publishing a cross-farm service entails the same three steps as publishing service applications to remote farms. First, you must exchange trust certificates with the remote farm, then explicitly publish the service applications, and finally, explicitly connect the service applications.

1. Step 1: Exchange Trust Certificates with the Remote Farm

In the first step of publishing service applications to remote farms, you export the root certificate from the consuming farm, export the STS certificate from the consuming farm, and export the root certificate from the publishing farm. Copy those certificates. Establish trust on the consuming farm and then import the certificates.

1.1. Exporting the Root Certificate from the Consuming Farm

To export the root certificate from the consuming farm, complete the following steps.

On a server that is running SharePoint 2010 on the consuming farm, verify that you meet the following minimum requirements of being a member of the SharePoint_Shell_Access role on the configuration database and a member of the WSS_ADMIN_WPG local group on the computer where SharePoint 2010 Products is installed (see Figure 1).
On the Start menu, click Administrative Tools.
Click SharePoint 2010 Management Shell.
At the Windows PowerShell command prompt (that is, PS C:\>), type each of the following commands, pressing Enter after each command. Replace <C:\ConsumingFarmRoot.cer> with the path of the root certificate, as illustrated in the example in Figure 2.
```
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content <C:\ConsumingFarmRoot.cer> -Encoding byte

					  
```

Figure 1. The SQL 2008 SharePoint_Shell_Access Role

Figure 2. Windows PowerShell commands to export the root certificate

1.2. Exporting the STS Certificate from the Consuming Farm

To export the STS certificate from the consuming farm, go to the Windows PowerShell command prompt and type the following commands, pressing Enter after each command. Replace <C:\ConsumingFarmSTS.cer> with the path of the STS certificate, as illustrated in the example in Figure 3.

$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$stsCert.Export("Cert") | Set-Content <C:\ConsumingFarmSTS.cer> -Encoding byte

Figure 3. Windows PowerShell commands to export the STS certificate

1.3. Exporting the Root Certificate from the Publishing Farm

To export the root certificate from the publishing farm, complete the following steps.

On a server that is running SharePoint 2010 on the publishing farm, verify that you meet the following minimum requirements: You are a member of the SharePoint_Shell_Access role on the configuration database and a member of the WSS_ADMIN_WPG local group on the computer where SharePoint 2010 Products is installed.
On the Start menu, click Administrative Tools.
Click SharePoint 2010 Management Shell.
At the Windows PowerShell command prompt, type the following commands, pressing Enter after each command. Replace <C:\PublishingFarmRoot.cer> with the path of the root certificate, as illustrated in the example shown in Figure 4.
```
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content <C:\PublishingFarmRoot.cer> -Encoding byte

					  
```

Figure 4. Windows PowerShell commands to export the publishing root certificate

1.4. Copying the Exported Certificates

Copy the root certificate and the STS certificate from the server in the consuming farm to the server in the publishing farm. Copy the root certificate from the server in the publishing farm to the server in the consuming farm.

1.5. Establishing Trust on the Consuming Farm

To establish trust on the consuming farm, you must import the root certificate that was copied from the publisher farm and create a trusted root authority.

1.6. Importing the Root Certificate and Creating a Trusted Root Authority on the Consuming Farm

To import the root certificate and create a trusted root authority on the consuming farm, go to the Windows PowerShell command prompt on a server in the consuming farm and type the following commands, pressing Enter after each command. Replace <C:\PublishingFarmRoot.cer> with the path of the root certificate that you copied to the consuming farm from the publishing farm and replace <PublishingFarm> with a unique name that identifies the publishing farm, as illustrated in the example in Figure 5. Each trusted root authority must have a unique name.

$trustCert = Get-PfxCertificate <C:\PublishingFarmRoot.cer>
New-SPTrustedRootAuthority <PublishingFarm> -Certificate $trustCert

Figure 5. Creating a root certificate on the consuming farm

1.7. Establishing Trust on the Publishing Farm

To establish trust on the publishing farm, you must import the root certificate that was copied from the consuming farm and create a trusted root authority. You must then import the STS certificate that was copied from the consuming farm and create a trusted service token issuer.

1.8. Importing the Root Certificate and Creating a Trusted Root Authority on the Publishing Farm

To import the root certificate and create a trusted root authority on the publishing farm, go to the Windows PowerShell command prompt on a server in the publishing farm and type the following commands, pressing Enter after each command. Replace <C:\ConsumingFarmRoot.cer> with the name and location of the root certificate that you copied to the publishing farm from the consuming farm and replace <ConsumingFarm> with a unique name that identifies the consuming farm, as illustrated in the example in Figure 6. Each trusted root authority must have a unique name.

$trustCert = Get-PfxCertificate <C:\ConsumingFarmRoot.cer>
New-SPTrustedRootAuthority <ConsumingFarm> -Certificate $trustCert

Figure 6. Creating the root certificate on the publishing farm

1.9. Importing the STS Certificate and Creating a Trusted Service Token Issuer on the Publishing Farm

To import the STS certificate and create a trusted service token issuer on the publishing farm, go to the Windows PowerShell command prompt on a server in the publishing farm and type the following commands, pressing Enter after each command. Replace <C:\ConsumingFarmSTS.cer> with the path of the STS certificate that you copied to the publishing farm from the consuming farm and replace <ConsumingFarm> with a unique name that identifies the consuming farm, as illustrated in the example in Figure 7. Each trusted service token issuer must have a unique name.

$stsCert = Get-PfxCertificate <c:\ConsumingFarmSTS.cer>
New-SPTrustedServiceTokenIssuer <ConsumingFarm> -Certificate $stsCert

Figure 7. Creating a trusted service token issuer

1.10. Setting Up and Enabling the Application Discovery And Load Balance Service Application

After creating the trusts and certificates, you need to activate the Application Discovery And Load Balance service application. This is also known as the Topology Service. This service provides other farms with the information needed so they can consume those cross-farm service applications.

First you must get the farm ID of the consuming farm. Use the following Windows PowerShell command to discover this, as shown in Figure 8.
```
(Get-SPFarm).Id
```
Figure 8. Windows PowerShell command to get the farm ID

After obtaining the farm ID of the consuming farm, go to the publishing farm and tell the service the ID of the farm so it can make it available to that farm. To do this, use the following Windows PowerShell commands (as shown in Figure 9).

$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal = New-SPClaimsPrincipal -ClaimType   "http://schemas.microsoft.com/
sharepoint/2009/08/claims/farmid" -ClaimProvider $claimProvider -ClaimValue
<farmid from previous command>
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full
Control"
Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity
-ObjectSecurity $securit

Figure 9. Enabling a farm to be seen with the Topology Service

2. Step 2: Explicitly Publish the Service Application

In step 1, you saw how to set up the exchange of trust certificates between the consuming and publishing farms. Now you must publish the service application that you want to have the consuming farm connect to in step 3. To publish the service application, follow these steps.

Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.
Open a browser and go to the SharePoint Central Administration website.
Under Application Management, click Manage Service Applications.
Select the row that contains the service application that you want to publish. Notice that after you select a service application, the commands on the Ribbon become available.
Click Publish on the Ribbon to open the Publish Service Application screen.
The Publish Service Application dialog box allows you to configure the service application as follows.
- Select the Connection Type that you want from the drop-down list.
- Select the check box for Publish This Service Application To Other Farms to allow the service application to be consumed by other farms.
- Under Trusted Farms, click the Click Here To Add A Trust Relationship With Another Farm link to edit or add certificates.
  Note:
  
  Step 1 in this section added the certificates through Windows PowerShell.
- Copy the published URL into Notepad or another text editor. You must provide this URL to remote farms to connect the remote farms to the published service application. The URL will be similar to this: urn:schemas-microsoft-com:sharepoint:service:9c1870b7ee97445888d9e846519cfa27#authority=urn:uuid:02a493b92a5547828e21386e28056cba&authority=https://ua_powershell:32844/Topology/topology.svc.
- You can optionally provide descriptive text and a link to a Web page that will be visible to administrators of remote farms.
After you have specified the publication options that you want, click OK to publish the service application.

3. Step 3: Explicitly Connect the Service Application

After you have exchanged trust certificates with a publishing and consuming farm and explicitly published the service application, you must connect to the service application from the consuming farm to complete the process of publishing a service application to remote farms.

Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.
Open a browser and go to the SharePoint Central Administration website.
Under Application Management, click Manage Service Applications.
Select the Connect option on the Ribbon and choose the service you want to connect to, as shown in Figure 10.

Figure 10. Connecting to a published service application
In the Connect To A Remote Service Application, enter the Farm or Service address URL and then click OK. The URL is found in the Published URL section when you publish the service application, as shown in Figure 11.

Figure 11. Adding a published service application URL to the consuming farm
As shown in Figure 12, you will see the service application and its availability.

Figure 12. Connected to a cross-farm service
Next, select the service application and click OK. If you do not want to add the default proxy list, clear the check box, as shown in Figure 13.

Figure 13. Selecting a cross-farm published service application
Next, create a unique name for your cross-farm service application and click OK.
A summary screen appears, telling you that you have successfully connected to a remote service application. Click OK. The service application will appear at the end of the list of service applications.