SharePoint Server 2010 Enterprise Service Application Publishing and Consuming Farms

SharePoint | 16 July 2010

As I've been getting to grips with SharePoint Server 2010 I'm really starting to appreciate how modular and WAN-friendly the product is.

Our organisation is a large multinational with major regional sites around the world; unfortunately not every regional site has SharePoint administrators at its disposal.

With that in mind we wanted to cut down on the administrative overhead in the regions and centralise most of the common Service Applications. SharePoint Server lets you publish certain Service Applications to other farms, as outlined in the following TechNet article:

Share service applications across farms (SharePoint Server 2010)
http://technet.microsoft.com/en-us/library/ff621100.aspx

For now we are mainly interested in publishing the User Profile and Search Service Applications; I'll delve into the others in later posts. Since we're embarking on a worldwide My Sites launch, we wanted to centralise the User Profile Service Application on our Enterprise Service Applications farm and have it consumed by our regional Collaboration farms. That gives us a single authoritative copy of the user profile data without having to replicate it with tools such as the User Profile Replication Engine (UPRE).

On top of this we wanted to centralise our Search Service Application to get better relevance in our search results. One caveat is that the crawl components have to reside on the Enterprise farm and crawl all of the regional farms; we took this decision because relevance is calculated on the central farm. If we had opted for the full Federation scenario we would have a disjointed solution in which each farm calculates its own relevance and returns its results to the end user without taking the results of the other farms into account. After all, in the search world relevance is king.

I've been battling away at the steps Microsoft provides and, from what I can see, they only partially get you there, so I'll try to fill in the blanks. There are several steps, so grab yourself a strong caffeinated drink and let's crack on.

Firstly we need to establish a trust between our Publishing (Enterprise) farm and our Consuming (Collaboration) farm. Let's go ahead and exchange trust certificates between the farms. Note that Export("Cert") writes only the DER-encoded public certificate, so no private key ever leaves either farm; the consuming farm's STS signing certificate is needed only on the publishing farm, which has to validate the tokens the consuming farm presents.

- To export the root certificate from the consuming farm
- $rootCert = (Get-SPCertificateAuthority).RootCertificate
- $rootCert.Export("Cert") | Set-Content C:\ConsumingFarmRoot.cer -Encoding byte

- To export the STS certificate from the consuming farm
- $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
- $stsCert.Export("Cert") | Set-Content C:\ConsumingFarmSTS.cer -Encoding byte

- To export the root certificate from the publishing farm
- $rootCert = (Get-SPCertificateAuthority).RootCertificate
- $rootCert.Export("Cert") | Set-Content C:\PublishingFarmRoot.cer -Encoding byte

- Copy the certificates to the other farm (public certificates only), and confirm each file's thumbprint with the administrator of the farm it came from before you import it: whatever you register here is what your farm will accept as a token issuer

- To import the root certificate and create a trusted root authority on the consuming farm
- $trustCert = Get-PfxCertificate C:\PublishingFarmRoot.cer
- New-SPTrustedRootAuthority EnterprisePublishingFarm -Certificate $trustCert

- To import the root certificate and create a trusted root authority on the publishing farm
- $trustCert = Get-PfxCertificate C:\ConsumingFarmRoot.cer
- New-SPTrustedRootAuthority EUConsumingFarm -Certificate $trustCert

- To import the STS certificate and create a trusted service token issuer on the publishing farm
- $stsCert = Get-PfxCertificate C:\ConsumingFarmSTS.cer
- New-SPTrustedServiceTokenIssuer EUConsumingFarm -Certificate $stsCert
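The certificate exchange above wrapped into two reusable functions, as an added example that is not part of the original post. It adds the one check the manual steps lack: the thumbprint of each .cer file is compared with a value obtained out of band from the other farm's administrator before anything is registered as trusted, and the registrations are made idempotent. The output directory C:\FarmTrust, the function names and the farm names EnterprisePublishingFarm and EUConsumingFarm are assumptions; run it in the SharePoint 2010 Management Shell on the farm named in each comment.

```powershell
# Added example, not from the original post. Assumes the SharePoint 2010 Management
# Shell (PowerShell 2.0 syntax) and an output directory of C:\FarmTrust.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Export-FarmTrustCertificates {
    param(
        [Parameter(Mandatory=$true)][string]$Prefix,   # "Consuming" or "Publishing"
        [string]$OutDir = "C:\FarmTrust",
        [switch]$IncludeSts                            # only the consuming farm exports its STS cert
    )
    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

    # Export("Cert") writes the DER-encoded public certificate only; the private key stays in the farm.
    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    $rootPath = Join-Path $OutDir "${Prefix}FarmRoot.cer"
    $rootCert.Export("Cert") | Set-Content $rootPath -Encoding Byte
    "Root: $rootPath  thumbprint $($rootCert.Thumbprint)"   # tell the other farm's admin this value

    if ($IncludeSts) {
        $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
        $stsPath = Join-Path $OutDir "${Prefix}FarmSTS.cer"
        $stsCert.Export("Cert") | Set-Content $stsPath -Encoding Byte
        "STS:  $stsPath  thumbprint $($stsCert.Thumbprint)"
    }
}

function Import-FarmTrust {
    param(
        [Parameter(Mandatory=$true)][string]$Name,                    # remote farm name shown under Security > Manage trust
        [Parameter(Mandatory=$true)][string]$RootCertPath,
        [Parameter(Mandatory=$true)][string]$ExpectedRootThumbprint,  # obtained out of band, not from the .cer itself
        [string]$StsCertPath,                                         # publishing farm only
        [string]$ExpectedStsThumbprint
    )
    $root = Get-PfxCertificate $RootCertPath
    # A swapped .cer at this point would make your farm accept tokens from a stranger's STS,
    # so refuse anything whose thumbprint does not match what the other admin told you.
    if ($root.Thumbprint -ne $ExpectedRootThumbprint.Replace(" ", "").ToUpper()) {
        throw "Root certificate thumbprint mismatch for $Name (got $($root.Thumbprint))"
    }
    if (-not (Get-SPTrustedRootAuthority -Identity $Name -ErrorAction SilentlyContinue)) {
        New-SPTrustedRootAuthority -Name $Name -Certificate $root | Out-Null
    }

    if ($StsCertPath) {
        $sts = Get-PfxCertificate $StsCertPath
        if ($sts.Thumbprint -ne $ExpectedStsThumbprint.Replace(" ", "").ToUpper()) {
            throw "STS certificate thumbprint mismatch for $Name (got $($sts.Thumbprint))"
        }
        if (-not (Get-SPTrustedServiceTokenIssuer -Identity $Name -ErrorAction SilentlyContinue)) {
            New-SPTrustedServiceTokenIssuer -Name $Name -Certificate $sts | Out-Null
        }
    }

    # Show what this farm now trusts, so the result can be eyeballed against the expected list.
    Get-SPTrustedRootAuthority | Select-Object Name, @{n="Thumbprint"; e={$_.Certificate.Thumbprint}}
    Get-SPTrustedServiceTokenIssuer | Select-Object Name, @{n="Thumbprint"; e={$_.Certificate.Thumbprint}}
}

# --- On the consuming farm ---
# Export-FarmTrustCertificates -Prefix Consuming -IncludeSts
# Import-FarmTrust -Name EnterprisePublishingFarm -RootCertPath C:\FarmTrust\PublishingFarmRoot.cer `
#     -ExpectedRootThumbprint "<thumbprint read out by the publishing farm admin>"
#
# --- On the publishing farm ---
# Export-FarmTrustCertificates -Prefix Publishing
# Import-FarmTrust -Name EUConsumingFarm -RootCertPath C:\FarmTrust\ConsumingFarmRoot.cer `
#     -ExpectedRootThumbprint "<thumbprint from consuming admin>" `
#     -StsCertPath C:\FarmTrust\ConsumingFarmSTS.cer -ExpectedStsThumbprint "<thumbprint from consuming admin>"
```

The thumbprint comparison is the whole point of the wrapper: the .cer files travel over whatever file share or e-mail you copy them with, and New-SPTrustedRootAuthority will happily register whatever it is handed.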

On the Publishing farm go to Central Administration > Manage Service Applications.

-          For each Service Application you want to publish, select the service application and click Publish

-          In our case we select the User Profile Service Application and the Search Service Application

-          Select your connection type. Since I want encrypted communication between the farms I select https (the service endpoints then listen on TCP 32844 rather than 32843, so make sure that port is open from the consuming farm)

-          Select the "Publish this Service Application to other farms" check box

-          Now the important part: write down the Published URL of the Service Application, the value beginning urn:…

-          You can add a Description or Information URL. We put in details of who published it, when, and who to contact in case of issues.

Next, grant the consuming farm permission to the published service applications. Access is granted to a farm ID claim, so you first need the consuming farm's ID.

- On the consuming farm, get the farm ID of the Application Discovery and Load Balancing Service Application's future consumer
- Get-SPFarm | Select Id
- Write down the Farm Id for later use; in my example the Consuming Farm Id is 66cc8542-a854-4155-8557-27e47ef363e4.

- On the publishing farm, grant that farm ID permission on the Application Discovery and Load Balancing Service Application (the topology service)

- $security=Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
- $claimprovider=(Get-SPClaimProvider System).ClaimProvider
- $principal=New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimprovider -ClaimValue 66cc8542-a854-4155-8557-27e47ef363e4
- Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
- Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
- Still on the publishing farm, open Permissions on each published Service Application (in our case Search), search for 66cc8542-a854-4155-8557-27e47ef363e4 and add it with Full Control
- Check Permissions on the publishing farm's Application Discovery and Load Balancing Service Application to confirm that the remote farm's claim is listed

On the consuming farm, connect to the remote service applications: go to Central Administration > Manage Service Applications.

-          For each Service Application you want to connect to, select the service application type and click Connect

-          In our case we select User Profile Service Application Proxy and Search Service Application Proxy

-          Paste in the Published URL of the Service Application you want to consume

-          Select the Service Application and click OK.

-          Double-check in Manage Service Applications that you have each of the "Connected to: …" entries listed.
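The permission and connection steps above as PowerShell, added here as an example that is not part of the original post. Grant-FarmAccess runs on the publishing farm and puts the consuming farm's ID claim on the topology service and on every published service application in one go (the post does the latter in Central Administration); Test-FarmAccess returns $true only when that claim is present on all of them, which is the first thing to check when you see the Access is denied error from the update below. Connect-PublishedServiceApplications runs on the consuming farm with the Published URLs copied from the Publish dialog. The function names, the service application display names and the proxy names are assumptions; the farm ID is the one from the post.

```powershell
# Added example, not from the original post. Assumes the SharePoint 2010 Management Shell,
# that the publishing itself was done in Central Administration as described above, and the
# service application display names used below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmIdClaimType = "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid"

function New-FarmIdPrincipal([string]$FarmId) {
    $claimProvider = (Get-SPClaimProvider System).ClaimProvider
    New-SPClaimsPrincipal -ClaimType $farmIdClaimType -ClaimProvider $claimProvider -ClaimValue $FarmId
}

# --- Publishing farm ---
function Grant-FarmAccess {
    param(
        [Parameter(Mandatory=$true)][string]$ConsumingFarmId,
        [Parameter(Mandatory=$true)][string[]]$ServiceApplicationNames,
        [string]$Rights = "Full Control"   # the right the TechNet steps use for cross-farm access
    )
    $principal = New-FarmIdPrincipal $ConsumingFarmId

    # The topology service plus every published service application, same ACL edit for each.
    $targets = @(Get-SPTopologyServiceApplication)
    foreach ($name in $ServiceApplicationNames) {
        $sa = Get-SPServiceApplication -Name $name
        if (-not $sa) { throw "Service application '$name' not found on this farm" }
        $targets += $sa
    }
    foreach ($sa in $targets) {
        $sec = Get-SPServiceApplicationSecurity -Identity $sa
        Grant-SPObjectSecurity -Identity $sec -Principal $principal -Rights $Rights
        Set-SPServiceApplicationSecurity -Identity $sa -ObjectSecurity $sec
    }
}

function Test-FarmAccess {
    param(
        [Parameter(Mandatory=$true)][string]$ConsumingFarmId,
        [Parameter(Mandatory=$true)][string[]]$ServiceApplicationNames
    )
    $ok = $true
    $targets = @(Get-SPTopologyServiceApplication)
    foreach ($name in $ServiceApplicationNames) { $targets += Get-SPServiceApplication -Name $name }
    foreach ($sa in $targets) {
        # The encoded farm-id claim contains the farm GUID, so a substring match on the rule name is enough.
        $rules = (Get-SPServiceApplicationSecurity -Identity $sa).AccessRules | Where-Object { $_.Name -match $ConsumingFarmId }
        if ($rules) {
            "$($sa.DisplayName): $($rules | ForEach-Object { $_.AllowedRights })"
        } else {
            "$($sa.DisplayName): NO entry for farm $ConsumingFarmId"
            $ok = $false
        }
    }
    return $ok
}

# Grant-FarmAccess -ConsumingFarmId 66cc8542-a854-4155-8557-27e47ef363e4 `
#     -ServiceApplicationNames "Search Service Application", "User Profile Service Application"
# Test-FarmAccess  -ConsumingFarmId 66cc8542-a854-4155-8557-27e47ef363e4 `
#     -ServiceApplicationNames "Search Service Application", "User Profile Service Application"

# --- Consuming farm ---
function Connect-PublishedServiceApplications {
    param(
        [Parameter(Mandatory=$true)][string]$UserProfilePublishedUri,   # urn:... value from the Publish dialog
        [Parameter(Mandatory=$true)][string]$SearchPublishedUri
    )
    # Proxies created with -Uri point at the remote farm's published endpoint instead of a local service application.
    $upaProxy = New-SPProfileServiceApplicationProxy -Name "Enterprise User Profile Service Proxy" `
        -Uri $UserProfilePublishedUri -DefaultProxyGroup
    $searchProxy = New-SPEnterpriseSearchServiceApplicationProxy -Name "Enterprise Search Service Proxy" `
        -Uri $SearchPublishedUri

    # Make sure the search proxy is in the default proxy group so web applications actually use it.
    $group = Get-SPServiceApplicationProxyGroup -Default
    if (-not ($group.Proxies | Where-Object { $_.Id -eq $searchProxy.Id })) {
        Add-SPServiceApplicationProxyGroupMember -Identity $group -Member $searchProxy
    }
    Get-SPServiceApplicationProxy | Select-Object DisplayName, TypeName, Status
}
```

Run Test-FarmAccess again after any re-publish: republishing does not remove the ACL entries, but it is the quickest way to confirm that the farm ID you granted matches the one the consuming farm is actually presenting.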

All that is left to do now is test. Create a simple Enterprise Search Centre site and perform a search. Assuming all the steps have been followed correctly we should receive our search results, and the People Picker should be richly populated with the Enterprise farm's profile properties.

Cheers,

Kristof Kowalski // kristof@kowalski.ms

UPDATE 1: If you get errors like the following in the ULS logs, re-connect your Service Applications to the Publishing farm and ensure that the consuming farm's ID claim has been added to both the Application Discovery and Load Balancing Service Application and the Search Service Application.

SearchServiceApplicationProxy::GetLocationConfigurations–Error occured: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.    Server stack trace:      at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)     at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channel…
