One of the feature updated in SharePoint 2010 is the way how to implement and consume shared service (SAA) from other SharePoint farm.

The first thing is to have one SharePoint farm installed and configured, with at least one SAA provisioned.

Be careful, all SAA are not eligible for remote use.

Next, you have to create a second SharePoint farm.

Allow SAA to be consume from other farm

First thing is to configure a trust relationship between the two farms.

This is similar with AD Domains relationships.

To create a trust relationship, go to the Security page and click on the Manage Trust link.

image

image

But, first before continuing you will have to manage SharePoint certificate; indeed, SharePoint trust relationships need certificate exchange.

To perform certificate exchange, open a local session on a SharePoint server and launch the SharePoint PowerShell with administrative elevation.

Export certificates from the consuming farm

  • first certificate to ‘generate’ is the root certificate

$rootCert = (Get-SPCertificateAuthority).RootCertificate

$rootCert.Export("Cert") | Set-Content <replace with the destination path> -Encoding byte

  • second certificate to ‘generate’ is the Security Token Service (STS) certificate

$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate

$stsCert.Export("Cert") | Set-Content <replace with the destination path> -Encoding byte

Export certificates from the publishing farm

  • Export the root certificate

$rootCert = (Get-SPCertificateAuthority).RootCertificate

$rootCert.Export("Cert") | Set-Content <replace with the destination path> -Encoding byte

Copy all certificates generated on network share (this will be simpler when you will have to import them).

Once all required certificates have been exported, you can continue the Trust Relationship creation.

To add a trust with another farm, click on the New button.

image

Name your trust and import the root certificate from the other farm and optionally you add an STS certificate if you want to provide trust to other farm (which is my case here).

image

image

Once the relationship is created, you can continue the SAA publication.

Publish SAA

To publish a SAA (once a least one Trust Relationship has been created), go to the Service Applications management page on your Central Administration and select the SAA you want to publish (don’t click on the name but on the empty space just after) and then click on the Publish button.

image

Select the connection type (HTTP or HTTP) and enable the publication (Publish this Service Application to other farms).

Optionally, provide

Important copy the Published URL shown on the wizard, you will need it when you will connect your consuming farm.

image

Once validated, no information are shown. To check if a SAA is published, you have to redo previous steps and off course the settings ‘Publish this Service Application to other farms’ is enabled.

Next step to be performed is to allow the remote farm to connect to the Application Discovery and Load Balancer Service Application. This step has to be done when you publish for the first time a SAA and each time a new farm has to consume your published SAA.

Set permission to Application Discovery and Load Balancer Service Application

By default, only the local farm is allowed to connect to this service.

image

Connect to a SharePoint server from the consuming farm and open a SharePoint PowerShell command windows, type the following commands:

  • Get-SPFarm | Select Id

Then do the same on a SharePoint server fro the publishing farm and execute the following commands:

  • $security=Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
  • $claimprovider=(Get-SPClaimProvider System).ClaimProvider
  • $principal=New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimprovider -ClaimValue <replace with the ID gained fro
    m the consuming farm>
  • Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control" – be careful with language pack: you may have the error “Grant-SPObjectSecurity : Le pipeline a été arrêté. (…)
  • Grant-SPObjectSecurity : L’argument Rights n’est pas valide. Les valeurs valides sont : Contrôle total”, in this case change Full Control with the value shown in the message

image

  • Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security

To finalize, open the Central Administration for the publishing farm and go to the Service Applications management page.

Select the Application Discovery and Load Balancer Service Application and click on the Permissions button.

image

The ID for your consuming farm should be displayed with the Full Control rights.

image

If not, click on the Address book button, type the ID and add it.

image

Consume the published SAA

Connect to the Central Administration for the consuming farm and go to the Service Applications management page.

Click on the Connect button and select the SAA you want to consume.

image

Copy the URL you copied earlier when you allowed the SAA to be consumed by other farm.

image

Select the service application you want to consume, and when ask provide a name. Only published Service Applications are list here.

image

image

image

If you have the error: Unable to connect to the specified address. Verify the URL you entered and contact the service administrator for more details. Check if you have set the permission on Application Discovery and Load Balancer Service Application.

image