Publishing Service Applications between SharePoint 2010 Farms – Part 1
May 19, 2010 4 Comments
Foreword: This post has been updated, as while the process did appear to be working successfully, it actually was not. Huge thanks to Todd Klindt for sending me a sneak preview of the chapter from his and Shane Young's new book. Their chapter on Service Applications helped me work through and figure out why this process was not working for me; it is extremely finicky and will fail if these steps are performed in the wrong order.
I have spent some time recently trying to publish service applications between two different SharePoint 2010 farms. There is a fairly detailed guide on how to accomplish this on TechNet at http://technet.microsoft.com/en-us/library/ff621100.aspx, however the articles seem to be incorrect, or at least they did not work as expected for me.
I noticed a few problems immediately, one being that at least one command is no longer available in the RTM version of SharePoint 2010. That aside, it was fairly easy to figure out the replacement commands. The commands are not the only issue, however; the entire process as documented appears to be incomplete.
After spending a lot of time tweaking and investigating how the process is actually meant to work, I found that the problem lay in trust between the farms. In order to consume a service from a remote farm, each farm must have the other farm's root certificate installed as a trusted root authority, and the PROVIDER farm must additionally have the CONSUMER farm's Security Token Service (STS) signing certificate installed as a trusted service token issuer. Without that last piece the provider has no way to validate the tokens the consumer attaches to its requests, so the connection fails even though the certificate exchange looks complete.
Here is my guide on how to publish service applications between farms via PowerShell :
Note: In order to keep things simple, the PROVIDER farm is the green PowerShell window in the screenshots and the CONSUMER farm is the blue PowerShell window.
1. On a server in each farm, make a directory called certificates on C: – this is just to keep the certificates in one place.
2. Export root certificate from CONSUMER
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content c:\certificates\consumer-root.cer -Encoding Byte
(See Screenshot below)
3. Export STS Certificate from CONSUMER
$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$stsCert.Export("Cert") | Set-Content c:\certificates\consumer-sts.cer -Encoding Byte
** Note: You might notice in the screenshots that I check that the $rootCert and $stsCert variables actually contain a certificate before exporting. I've had it not work a few times, so I like to double check rather than export a null variable, which appears to work quite successfully until you go looking for the .cer file.
4. Export root certificate from PROVIDER
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content c:\certificates\provider-root.cer -Encoding Byte
5. Copy certificates between farms
Copy the contents of the c:\certificates directory to the other farm. I don't think I need to tell you how to do this 🙂
6. Import root certificate from PROVIDER to CONSUMER
$trustedRootCert = Get-PFXCertificate c:\certificates\provider-root.cer
New-SPTrustedRootAuthority "PROVIDER <FARM NAME>" -Certificate $trustedRootCert
7. Import root certificate from CONSUMER to PROVIDER
$trustedRootCert = Get-PFXCertificate c:\certificates\consumer-root.cer
New-SPTrustedRootAuthority "CONSUMER <FARM NAME>" -Certificate $trustedRootCert
8. Import STS certificate from CONSUMER to PROVIDER
$stsCert = Get-PFXCertificate c:\certificates\consumer-sts.cer
New-SPTrustedServiceTokenIssuer "CONSUMER <FARM NAME>" -Certificate $stsCert
9. Publish Service Application
The easiest way to do this is through Central Administration, as it lets you select HTTP or HTTPS and copy and paste the appropriate URI for connecting to the topology application. This URI is a very long one; make sure you copy the whole thing!
Browse to Service Applications, select the application you wish to publish and click “Publish” on the ribbon.
Then select the connection type, tick the checkbox "Publish this service application to other farms" and copy out your Published URL.
10. Retrieve Farm ID from Consumer Farm
This will retrieve the GUID of the Consuming Farm. Keep this for the next step.
11. Grant Consumer Farm permissions
Note: This step was sourced from http://harbar.net/archive/2010/05/03/service-application-federation-with-sharepoint-2010.aspx – huge thanks to Spencer, as it helped me get past the exact error listed on his post.
$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal = New-SPClaimsPrincipal -ClaimType http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid -ClaimProvider $claimProvider -ClaimValue <farmid>
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
12. Check Load Balancer Permissions
You can check that the permissions have been granted successfully by opening Central Administration on your provider farm and going to "Manage Service Applications".
Click on "Application Discovery and Load Balancer Service Application" and click "Permissions" on the ribbon.
Your consumer farm's GUID should be listed there with Full Control.
13. Connect to Service Application
Note: I would highly recommend performing this step via Central Administration unless you have done this more than once. Doing this step via PowerShell can produce no error messages even though the connection has not been established correctly. Using Central Administration ensures that an error message will be given on failure. Please see Step 7 of Part 2 of this series for information on how to do this.
New-SPMetadataServiceApplicationProxy -Name "<FARM NAME> Managed Metadata" -Uri "<Insert the Published URL from step 9>"
Note: This last step will vary based on the service application you wish to consume. The command should stay in the format New-SP<ServiceName>ApplicationProxy, though the parameters may vary (some use -Url, some use -Uri).
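As an added example, not code from the original post, the following wraps steps 2 to 8 and 10 to 12 into re-runnable PowerShell functions with the checks a practitioner would want: the export refuses to write an empty .cer file, the import skips thumbprints that are already trusted and compares what it reads back against what it imported, and the permission grant reads the topology ACL back to confirm the consumer's farm GUID is present. It assumes the SharePoint 2010 Management Shell (or the snap-in loaded at the top), the C:\certificates convention from step 1, and that "PROVIDER" and "CONSUMER" are just labels for the two farms; the function names are my own. The one property I have not verified against the object model is noted in the code: the read-back of the ACL assumes SPObjectSecurity.AccessRules entries carry the encoded claim in Name, with the farm GUID as the claim value.

```powershell
# Added example: trust exchange and topology ACL grant for cross-farm service publishing.
# Run the pieces on the farm named in the usage notes at the bottom.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$CertDir         = "C:\certificates"
$FarmIdClaimType = "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid"

# Steps 2-4: export the public certificate (DER), failing instead of writing an empty file.
function Export-FarmCertificate {
    param([Parameter(Mandatory=$true)][ValidateSet("Root","Sts")][string]$Kind,
          [Parameter(Mandatory=$true)][string]$Path)
    $cert = if ($Kind -eq "Root") { (Get-SPCertificateAuthority).RootCertificate }
            else { (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate }
    if ($cert -eq $null) {
        throw "$Kind certificate came back null; run this in the SharePoint 2010 Management Shell on a farm server."
    }
    # "Cert" = X509ContentType.Cert: public certificate only, no private key leaves the farm.
    Set-Content -Path $Path -Value $cert.Export("Cert") -Encoding Byte
    return $cert.Thumbprint
}

# Read the trust stores back and confirm the expected thumbprints are present.
function Test-FarmTrust {
    param([Parameter(Mandatory=$true)][string]$RootThumbprint, [string]$StsThumbprint)
    $rootOk = [bool](Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $RootThumbprint })
    $stsOk  = $true
    if ($StsThumbprint) {
        $stsOk = [bool](Get-SPTrustedServiceTokenIssuer | Where-Object { $_.SigningCertificate.Thumbprint -eq $StsThumbprint })
    }
    return ($rootOk -and $stsOk)
}

# Steps 6-8: trust the other farm's root (both sides) and, on the PROVIDER only, the CONSUMER's
# STS signing certificate. Re-runnable: a thumbprint that is already trusted is skipped.
function Import-FarmTrust {
    param([Parameter(Mandatory=$true)][string]$RemoteFarmName,
          [Parameter(Mandatory=$true)][string]$RootCertPath,
          [string]$StsCertPath)
    $root = Get-PfxCertificate $RootCertPath   # reads a plain .cer as well as a .pfx
    if (-not (Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $root.Thumbprint })) {
        New-SPTrustedRootAuthority -Name "$RemoteFarmName root" -Certificate $root | Out-Null
    }
    $stsThumbprint = $null
    if ($StsCertPath) {
        $sts = Get-PfxCertificate $StsCertPath
        $stsThumbprint = $sts.Thumbprint
        if (-not (Get-SPTrustedServiceTokenIssuer | Where-Object { $_.SigningCertificate.Thumbprint -eq $stsThumbprint })) {
            New-SPTrustedServiceTokenIssuer -Name "$RemoteFarmName STS" -Certificate $sts | Out-Null
        }
    }
    return (Test-FarmTrust -RootThumbprint $root.Thumbprint -StsThumbprint $stsThumbprint)
}

# Steps 10-12, run on the PROVIDER with the CONSUMER's farm GUID ((Get-SPFarm).Id on the CONSUMER).
# Grants only that farm's identity Full Control on the topology service; nothing is opened to everyone.
function Grant-ConsumerFarmTopologyAccess {
    param([Parameter(Mandatory=$true)][Guid]$ConsumerFarmId)
    $topology      = Get-SPTopologyServiceApplication
    $security      = $topology | Get-SPServiceApplicationSecurity
    $claimProvider = (Get-SPClaimProvider -Identity System).ClaimProvider
    $principal     = New-SPClaimsPrincipal -ClaimType $FarmIdClaimType -ClaimProvider $claimProvider `
                                           -ClaimValue $ConsumerFarmId.ToString()
    Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
    $topology | Set-SPServiceApplicationSecurity -ObjectSecurity $security
    # Read the ACL back. Assumption: each AccessRules entry exposes the encoded claim as Name,
    # and the encoded farmid claim ends in the claim value, i.e. the consumer farm GUID.
    $rules = (Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity).AccessRules
    return [bool]($rules | Where-Object { $_.Name -like "*$ConsumerFarmId*" })
}

# Usage, in order:
# CONSUMER: Export-FarmCertificate Root "$CertDir\consumer-root.cer"; Export-FarmCertificate Sts "$CertDir\consumer-sts.cer"
# PROVIDER: Export-FarmCertificate Root "$CertDir\provider-root.cer"; then copy the .cer files across (step 5)
# CONSUMER: Import-FarmTrust -RemoteFarmName PROVIDER -RootCertPath "$CertDir\provider-root.cer"
# PROVIDER: Import-FarmTrust -RemoteFarmName CONSUMER -RootCertPath "$CertDir\consumer-root.cer" -StsCertPath "$CertDir\consumer-sts.cer"
# CONSUMER: (Get-SPFarm).Id
# PROVIDER: Grant-ConsumerFarmTopologyAccess -ConsumerFarmId <that GUID>   # $true when the GUID is in the ACL
```

Both Import-FarmTrust and Grant-ConsumerFarmTopologyAccess return $true only when the read-back matches, so a $false from either is the signal to stop before step 13 rather than discovering the missing trust when the proxy silently fails to connect.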
There we have it! We have successfully published a Service Application from one farm to another.
In Part 2 I will show you how to do this via Central Administration for the folks who prefer a GUI.