With SharePoint 2010 we can connect the service applications in one SharePoint 2010 farm to another farm and so run a central Managed Metadata or User Profile service application. More than just these two service applications can be shared; in the example below we will do it with the Managed Metadata service application.
There are a few steps before we can connect a service application to the other farm. We first have to create a trust between the two farms. To do this we use PowerShell to export certificates from each farm and then import them into the other farm.
For this scenario we will call the farms the Publishing Farm (the one that hosts the service application) and the Receiving Farm (the one that consumes it).
Exporting Required Certificates
Open the SharePoint 2010 Management Shell by going to Start, All Programs, Microsoft SharePoint 2010 Products, right-clicking SharePoint 2010 Management Shell and selecting Run as administrator.
We now need to run two PowerShell commands: the first collects the certificate and the second writes it to a folder.
$rootCert = (Get-SPCertificateAuthority).RootCertificate
This collects the farm's root certificate.
$rootCert.Export("Cert") | Set-Content C:\Cert\PublishingFarmRoot.cer -Encoding byte
Note: I have created the folder C:\Cert to store the certificate files in. If you have not created this folder you will receive an error message. Export("Cert") writes only the DER-encoded public certificate; no private key leaves the farm.
The Publishing Farm only needs to pass one certificate to the other farm, whereas the Receiving Farm must pass two. The Receiving Farm passes its root certificate, exported with the same commands as above, but it must also pass its Security Token Service (STS) signing certificate.
On your Receiving Farm open the SharePoint 2010 Management Shell as above and then run
$rootCert = (Get-SPCertificateAuthority).RootCertificate
This collects the root certificate.
$rootCert.Export("Cert") | Set-Content C:\Cert\ReceivingFarmRoot.cer -Encoding byte
We now need to export the Security Token Service signing certificate.
$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
This collects the STS certificate.
$stsCert.Export("Cert") | Set-Content C:\Cert\ReceivingFarmSTS.cer -Encoding byte
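The export steps above, wrapped into one function as an added example (this is not code from the original post). It creates the output folder if it is missing, exports the STS certificate only when asked to (only the Receiving Farm needs that), and prints each file's thumbprint so the other farm can check that the file it received is the one you exported. The function name, the `FarmLabel` parameter and the default folder `C:\Cert` are my own choices; the cmdlets are the standard SharePoint 2010 ones used in the post.

```powershell
# Added example: export a farm's trust certificates with thumbprints for later verification.
# Assumes the SharePoint 2010 Management Shell, run as administrator on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Export-FarmTrustCertificates {
    param(
        [Parameter(Mandatory = $true)][string]$FarmLabel,   # e.g. "PublishingFarm" or "ReceivingFarm" (assumed labels)
        [string]$OutDir = "C:\Cert",                          # assumed path; matches the folder used in the post
        [switch]$IncludeSts                                   # only the Receiving Farm must export its STS certificate
    )

    # Avoid the Set-Content error the post warns about when the folder does not exist.
    if (-not (Test-Path -LiteralPath $OutDir)) {
        New-Item -ItemType Directory -Path $OutDir | Out-Null
    }

    $exports = @{}
    $exports["${FarmLabel}Root.cer"] = (Get-SPCertificateAuthority).RootCertificate
    if ($IncludeSts) {
        $exports["${FarmLabel}STS.cer"] = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    }

    foreach ($fileName in $exports.Keys) {
        $cert = $exports[$fileName]
        $path = Join-Path -Path $OutDir -ChildPath $fileName
        # Export("Cert") writes the DER-encoded public certificate only; the private key stays in the farm.
        $cert.Export("Cert") | Set-Content -Path $path -Encoding Byte
        # Print thumbprint and path; compare the thumbprint on the other farm after copying the file.
        "{0}  {1}" -f $cert.Thumbprint, $path
    }
}

# On the Publishing Farm:
# Export-FarmTrustCertificates -FarmLabel "PublishingFarm"
# On the Receiving Farm (root plus STS):
# Export-FarmTrustCertificates -FarmLabel "ReceivingFarm" -IncludeSts
```

Keep the printed thumbprints with the files; a certificate that was swapped or corrupted in transit would still import without complaint, so the thumbprint check after import is the only thing that tells you the trust is anchored on the certificate you actually exported.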
Copying the Certificates
You are going to need the certificates on the other farm's servers.
Copy the Publishing Farm certificate to a server in the Receiving Farm.
Copy the two Receiving Farm certificates to a server in the Publishing Farm.
Creating the Trust
On the Receiving Farm open the SharePoint 2010 Management Shell as described above and import the Publishing Farm certificate using the commands below.
$trustCert = Get-PfxCertificate C:\Cert\PublishingFarmRoot.cer
We now need to register the certificate in the farm.
In the command below you will see PublishingFarm. This is the name of the trust. You may want to change it if you are going to be publishing to and receiving from many SharePoint 2010 farms.
New-SPTrustedRootAuthority PublishingFarm -Certificate $trustCert
On the Publishing Farm open the SharePoint 2010 Management Shell as described above and import the Receiving Farm certificates using the commands below.
First we will import the root certificate.
$trustCert = Get-PfxCertificate C:\Cert\ReceivingFarmRoot.cer
We now need to register the certificate in the farm.
In the command below you will see ReceivingFarm. This is the name of the trust. You may want to change it if you are going to be publishing to and receiving from many SharePoint 2010 farms.
New-SPTrustedRootAuthority ReceivingFarm -Certificate $trustCert
As we exported the STS certificate, we will now import that into the Publishing Farm as a trusted token issuer.
$stsCert = Get-PfxCertificate C:\Cert\ReceivingFarmSTS.cer
Now register the certificate.
New-SPTrustedServiceTokenIssuer ReceivingFarm -Certificate $stsCert
Checking the Trust
We have imported all the certificates and we want to check that they have been registered in our two SharePoint farms.
We are going to check both farms.
In Central Administration navigate to Security and then Manage trust.
On the Publishing Farm you will see the ReceivingFarm entries, something similar to this
The Receiving Farm will have something similar but with PublishingFarm instead. If you have both of these you have successfully created your trust.
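Seeing the trust names in Manage trust only tells you that something was registered under those names. As an added example (not code from the original post), the function below also confirms that the registered certificate is the one you exported, by comparing the thumbprint of the object SharePoint stored against the thumbprint of the .cer file on disk. The function name and the parameter names are my own; `Get-SPTrustedRootAuthority`, `Get-SPTrustedServiceTokenIssuer` and `Get-PfxCertificate` are the standard cmdlets.

```powershell
# Added example: verify that a registered farm trust matches the exported .cer file.
# Assumes the SharePoint 2010 Management Shell on the farm where the trust was registered.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-FarmTrust {
    param(
        [Parameter(Mandatory = $true)][string]$TrustName,   # name given to New-SPTrustedRootAuthority / New-SPTrustedServiceTokenIssuer
        [Parameter(Mandatory = $true)][string]$CerPath,     # the .cer file that was copied from the other farm
        [switch]$TokenIssuer                                # check the STS token issuer entry instead of the root authority
    )

    # Thumbprint of the file that was actually copied over.
    $expected = (Get-PfxCertificate -FilePath $CerPath).Thumbprint

    # Thumbprint of what SharePoint registered under that trust name.
    if ($TokenIssuer) {
        $issuer = Get-SPTrustedServiceTokenIssuer -Identity $TrustName -ErrorAction Stop
        $actual = $issuer.SigningCertificate.Thumbprint
    } else {
        $authority = Get-SPTrustedRootAuthority -Identity $TrustName -ErrorAction Stop
        $actual = $authority.Certificate.Thumbprint
    }

    if ($actual -ne $expected) {
        Write-Warning ("Trust '{0}' is registered with thumbprint {1} but the file {2} has thumbprint {3}" -f $TrustName, $actual, $CerPath, $expected)
        return $false
    }
    "Trust '{0}' matches {1} (thumbprint {2})" -f $TrustName, $CerPath, $actual
    return $true
}

# On the Receiving Farm:
# Test-FarmTrust -TrustName "PublishingFarm" -CerPath "C:\Cert\PublishingFarmRoot.cer"
# On the Publishing Farm (root authority and STS issuer):
# Test-FarmTrust -TrustName "ReceivingFarm" -CerPath "C:\Cert\ReceivingFarmRoot.cer"
# Test-FarmTrust -TrustName "ReceivingFarm" -CerPath "C:\Cert\ReceivingFarmSTS.cer" -TokenIssuer
```

If you also kept the thumbprints printed at export time on the source farm, compare those against the file's thumbprint too; that closes the gap between "the file I exported" and "the file that arrived".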
Permission of Farm Topology
Even though we have now trusted these two farms with each other, you still need to give the Receiving Farm permission to talk to the Publishing Farm's topology service (the Application Discovery and Load Balancer Service Application, which is what Get-SPTopologyServiceApplication returns).
This is not currently documented on TechNet, but I found this great post by Spence Harbar (SharePoint MVP and MCM) that did this through a PowerShell command. Thanks to Spence for this.
We need the SharePoint farm ID of the Receiving Farm. Log onto the Receiving Farm, open the SharePoint 2010 Management Shell and run the following.
(Get-SPFarm).Id
You will get a GUID back, something like this
Now, on the Publishing Farm, run the following commands, replacing <FarmID> with the GUID above. This grants the Receiving Farm, identified by its farm ID claim, Full Control on the Publishing Farm's topology service.
$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal = New-SPClaimsPrincipal -ClaimType http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid -ClaimProvider $claimProvider -ClaimValue <FarmID>
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
Your farms are now trusted, and the Receiving Farm is permitted to discover service applications published by the Publishing Farm.
In part 2 we will connect service applications to the Receiving Farm.