Publishing Service Applications between SharePoint 2010 Farms ? Part 2

Foreword : Huge thanks to Todd Klindt for sending me a sneak preview chapter of his and Shane Young’s new book.  Their chapter on Service Applications helped me to work through and figure out why this process was not initially working for me as it is extremely finicky and will fail if the ordering of these items is incorrect.

In Part 1 I discussed how to create a trust between farms, establish permissions, publish a service application and finally consume it from a remote farm all through

PowerShell, well mostly through PowerShell. So there are a few downsides with that, sure its easy and repeatable but to a lot of people it is not terribly friendly.  There is also the fact that while it works, in situations where there are issues PowerShell will smile and let you continue blindly down the path while you might not realise that the end process is going to fail.

So with all of that in mind, how do we publish Service Applications between SharePoint 2010 farms in Central Administration”  Well not all of it can be done easily through Central Administration.

The first few steps “exporting the certificates” still need to be done in PowerShell.

1. Export and copy all certificates between Farms

First off, lets do steps 1-5 from Part 1 (

This should get us to the point where all certificates have been exported and are ready to be imported on their respective servers.

2. Import root certificate from PROVIDER to CONSUMER

On the CONSUMER farm:

Open up Central Administration, and browse to “Security” then click on “Manage Trust”

Click “New” on the ribbon.

A new screen should pop up labelled “Establish Trust Relationship”.  Put in the name.  I generally use “PROVIDER [FARM NAME]” to denote a certificate imported from a PROVIDER farm, and vice versa for CONSUMER.

Next click “Browse” and select the “Provider-root.cer” file that was exported to c:certificates

Do not tick the box for “Provide Trust Relationship” or upload another cert as this is all you need on the consumer farm.

Click “OK” and you should now have a new Consumer trust established.

2. Import Root and STS certificates from CONSUMER to PROVIDER

On the PROVIDER farm:

As per the previous steps open up Central Administration, and browse to “Security” then click on “Manage Trust”, then click “New” on the ribbon.

The “Establish Trust Relationship” screen should appear.  Put in the name, this time lead with “CONSUMER [FARM NAME]”

Next click “Browse” and select the “Consumer-root.cer” file that was exported to c:certificates.

Under “Token Issuer Description” put in a description such as “CONSUMER [FARMNAME] STS”

Tick the box for “Provide Trust Relationship” and click “Browse” to upload the “Consumer-STS.cer” from c:certificates

Click “OK”

You should now have a new trust appearing on your provider.

Note : On a farm providing services, the trust will be labelled as “Trusted Service Provider” and on a farm consuming services, the trust will be labelled as “Trusted Service Consumer”.  Please note that this denotes the trust itself, not the certificates or the farm, hence why the naming may seem confusing.

3.  Establish Consumer Farm permissions on Provider Farm

At this point we really need to return to PowerShell to do steps 10 and 11 from the previous blog post.  It is a bit annoying, but unfortunately I don’t know of any way to establish the permissions, or even retrieve the farm ID from Central Administration.

4. Check that the permissions have been established.

On the provider farm you can check to ensure the permissions have been granted successfully by loading up Central Administration and going to “Manage Service Applications”.

Click on “Application Discovery and Load Balancer Service Application” and click “Permissions” from the ribbon.

Your farm GUID should be listed in here with full permissions.

5. Publish a Service Application

On your Provider Farm :

Browse to Service Applications, select the application you wish to publish and click “Publish” on the ribbon.

Then select the connection type, check the checkbox “Publish this service application to other farms” and be sure to copy out your Published URL to your clipboard.

6. Connect to a Service Application

On your CONSUMER farm:

Open Central Administration and browse to “Manage Service Applications”

Click on “Connect” from the ribbon and select the appropriate Service Application Proxy Type.

Paste in the URL you copied in the last step from the Provider’s Farm and Click “OK”

After a few seconds it should come back with the below screen.  Select the application and click “OK”

Choose an appropriate name and click “OK”

Congratulations, your service application is connected.  Click “OK”

7. Connected Service Application Properties

Now select your new service application and click “Properties” from the ribbon.

You should see a screen that depending on the service application will allow you some degree of customization.   For example,this is for a Managed Metadata Service Connection :

If you can see this screen and edit the properties then you can be fairly confident the connection has worked successfully!

I personally find that the easiest way to do this on a repeatable basis is via PowerShell, however in almost all situations I will use Step 7 from this post to connect as it is just easier, and if for some reason it fails then it will actually tell you.

While none of these steps is especially difficult, putting them together in a cohesive order that works every time took a bit of juggling.  I hope these posts have been helpful.


10 Responses to Publishing Service Applications between SharePoint 2010 Farms ? Part 2

  1. Pingback: Publishing Service Applications between SharePoint 2010 Farms – Part 1 « Mark Rhodes

  2. Mike Wise says:

    Nicely documented Mark.

    This worked fine, up until the last step (configuring the Connected Service Application Properties) when I got an error “The website declined to show this webpage”… “This error (HTTP 403 Forbidden)…. Since both farms are in the same domain and I am logged into both as the domain administrator, I don’t see how it can be a permissions problem. Will post again when I figure it out 🙂

  3. Mike Wise says:

    Found it.

    Turned out I could not configure or use it, it did not show up as a choice when I tried to add a Metadata column.

    Fixed it by going to the publisher farm, going to the published service and highlighting it by clicking to the right of its name, then hitting the “Permissions” button above and adding “All Authenticated Users” (maybe a bit too broad – but hey, its a lab) full permissions.

    That fixed both issues – I could configure it, and use it.

    • Mark Rhodes says:

      Very interesting, I have done this few times now and have never had a problem like that. You did not skip the farm permissions on the load balancing service did you? That’s the only thing I can think of


  4. Vinay says:

    I had to do the same thing that Mike did (give read permissions to all authenticated users). Giving the consumer farm permissions on the provider alone did not help

  5. Chris says:

    I didn’t want to add all authenticated users so I added the consumer farm account to the permissions tab on the published service itself. I was then able to see the configuration page and customize settings.

    One thing to note as well, since the farms were on different SQL instances, the consumer farm tries to access the instance servicing the provider farm. I’m having that port opened by our networking team to see if it fixes some of the issues I’m still seeing.

  6. Corbinator says:

    I successfully published the metadata service, but when I tried to publish the Excel Services Application, I did not get the full screen displayed in “Step 5” of this post. It only showed an option for “Connection type” http or https, and the other sections shown in the post “Publish to other farms”, “Trusted farms”, and most importantly “Published URL” did not show.
    Although I know how to get the URN, when you go to step 6 of this post on the consumer farm, after you have published from the provider farm, you enter the URN and it does not join.
    Anyone have an explanation why Excel Services doesn’t show the same as the other services when you try to publish.

  7. MC says:

    I had to add the farm id copied from the consumer farms (Get-SPFarm).ID PS command, into the permissions and give the appropriate level (in this case read), and then the properties showed up.

  8. BobG says:

    Thank you so much for this – it saved the day. The Technet documentation does not work; yours does!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: