Friday, November 12, 2010

Sharepoint 2010 Shared Services Trusts

First, what is application service sharing? Simply put, it allows you to configure a service application, such as Managed Metadata, in one farm (say a Staging farm or Authoring farm) and use the same database/configuration in a Production environment. This cuts down on maintenance and configuration tasks, and on the daunting work of re-entering mass custom settings, or in this case keywords.

OK, there's very little out there on doing this, and while TechNet does a great job detailing how to create the trust, it leaves out an extremely important part without which the trusts will not work. You will receive this error when trying to consume a published resource:

"Unable to connect to the specified address. Verify the URL you entered and contact the service administrator for more details."

Luckily I ran across this single post ( http://www.harbar.net/archive/2010/05/03/service-application-federation-with-sharepoint-2010.aspx )

So I've compiled the two sets of information to get you where you need to be in setting up the trusts to use shared service applications between farms. FYI: this uses PowerShell and cannot be done via the GUI until you reach the "establish trust" section.


Create Trust between farms

To export the root certificate from the consuming farm
  1. On the Start menu, click Administrative Tools.
  2. Click SharePoint 2010 Management Shell.
  3. At the Windows PowerShell command prompt, type each of the following commands:
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content e:\Prod.cer -Encoding byte
To export the STS certificate from the consuming farm
  1. At the Windows PowerShell command prompt, type the following commands:
$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$stsCert.Export("Cert") | Set-Content E:\ProSTS.cer -Encoding byte
To export the root certificate from the publishing farm
  1. On the Start menu, click Administrative Tools.
  2. Click SharePoint 2010 Management Shell.
  3. At the Windows PowerShell command prompt, type the following commands:
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content E:\Authoring.cer -Encoding byte
To copy the certificates
  1. Copy the root certificate and the STS certificate from the server in the consuming farm to the server in the publishing farm.
  2. Copy the root certificate from the server in the publishing farm to a server in the consuming farm.
To import the root certificate and create a trusted root authority on the consuming farm
  1. At the Windows PowerShell command prompt on a server in the consuming farm, type the following commands:
$trustCert = Get-PfxCertificate <path to the copied Authoring.cer on this server>
New-SPTrustedRootAuthority Authoring -Certificate $trustCert

To establish trust by using Central Administration
  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.
  2. On the SharePoint Central Administration Web site, click Security.
  3. On the Security page, in the General Security section, click Manage trust.
  4. On the Trust Relationship page, on the ribbon, click New.
  5. On the Establish Trust Relationship page:
    1. Supply a name that describes the purpose of the trust relationship.
    2. Browse to and select the Root Authority Certificate for the trust relationship. This must be the Root Authority Certificate that was exported from the other farm by using Windows PowerShell.
    3. If you are performing this task on the publishing farm, select the check box for Provide Trust Relationship. Type in a descriptive name for the token issuer and browse to and select the STS certificate that was copied from the consuming farm.
    4. Click OK.
After a trust relationship is established, you can modify the Token Issuer description or the certificates that are used by clicking the trust, and then clicking Edit. You can delete a trust by clicking it, and then clicking Delete.

At this point TechNet ends. Without the next few commands you will not be able to establish connections to the published resource. Again, a great big thanks to Spencer Harbar for providing this next section.

Add Remote Farm Permissions

To grant the permissions necessary, on the consumer farm, run the following PowerShell:

(Get-SPFarm).Id
Copy the output. On the publishing farm run the following PowerShell, replacing <consuming farm guid> with the GUID from above:

$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal = New-SPClaimsPrincipal -ClaimType http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid -ClaimProvider $claimProvider -ClaimValue <consuming farm guid>
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
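The whole procedure above (export, trust, farm-id grant) collected into one script, with the checks an administrator wants around each step. This is an added example, not code from the post, TechNet or Spencer Harbar: the file names, the "Prod"/"Authoring" trust names, the export directory and the farm-id parameter are placeholders that match the post; New-SPTrustedServiceTokenIssuer is assumed to be the PowerShell equivalent of the "Provide Trust Relationship" check box; and the AccessRules property used for the final check is assumed to expose the granted principals by name.

```powershell
# Added example: the trust and remote-farm-permission steps in one script.
# Assumptions: run in the SharePoint 2010 Management Shell as a Farm Administrator;
# -Role says which farm this is; cert paths and trust names are placeholders.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet("Consuming", "Publishing")] [string] $Role,
    [string] $ExportDir = "E:\",
    # Consuming farm: the publishing farm's root cert after it has been copied here.
    # Publishing farm: the consuming farm's root cert (and its STS cert below).
    [string] $RemoteRootCert,
    [string] $RemoteStsCert,
    # Printed by (Get-SPFarm).Id on the consuming farm.
    [Guid]   $ConsumingFarmId
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Export-LocalFarmCerts {
    # Every farm exports its root certificate; the consuming farm also exports
    # the STS signing certificate the publishing farm has to trust.
    $root = (Get-SPCertificateAuthority).RootCertificate
    $root.Export("Cert") | Set-Content (Join-Path $ExportDir "$Role-Root.cer") -Encoding Byte
    "Root thumbprint : $($root.Thumbprint)"
    if ($Role -eq "Consuming") {
        $sts = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
        $sts.Export("Cert") | Set-Content (Join-Path $ExportDir "$Role-STS.cer") -Encoding Byte
        "STS thumbprint  : $($sts.Thumbprint)"
    }
    # Keep these thumbprints; the other farm's admin compares them against the
    # copied files before importing, so a wrong or swapped file never becomes a
    # trusted root authority.
}

function Import-RemoteTrust {
    # Both farms: trust the other farm's root certificate (idempotent by name).
    $cert = Get-PfxCertificate $RemoteRootCert
    "Importing root with thumbprint $($cert.Thumbprint) from $RemoteRootCert"
    $name = if ($Role -eq "Consuming") { "Authoring" } else { "Prod" }   # placeholder names
    if (-not (Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq $name })) {
        New-SPTrustedRootAuthority -Name $name -Certificate $cert | Out-Null
    }
    # Publishing farm only: trust the consuming farm's STS as a token issuer
    # (assumed PowerShell equivalent of the "Provide Trust Relationship" check box).
    if ($Role -eq "Publishing" -and $RemoteStsCert) {
        $stsCert = Get-PfxCertificate $RemoteStsCert
        New-SPTrustedServiceTokenIssuer -Name "Prod STS" -Certificate $stsCert | Out-Null
    }
}

function Grant-ConsumerFarmAccess {
    # Publishing farm only: the part TechNet leaves out. Grant the consuming
    # farm's id Full Control on the topology service application.
    $security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
    $claimProvider = (Get-SPClaimProvider System).ClaimProvider
    $principal = New-SPClaimsPrincipal `
        -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" `
        -ClaimProvider $claimProvider -ClaimValue $ConsumingFarmId.ToString()
    Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
    Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
}

function Test-ConsumerFarmAccess {
    # Re-read the ACL and confirm the intended farm id (and nothing unexpected)
    # is present. AccessRules is assumed to list principals by name.
    $rules = (Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity).AccessRules
    $rules | Select-Object Name, AllowedRights | Format-Table -AutoSize
    if (-not ($rules | Where-Object { $_.Name -like "*$ConsumingFarmId*" })) {
        Write-Warning "Farm id $ConsumingFarmId not found in the topology service ACL"
    }
}

Export-LocalFarmCerts
if ($RemoteRootCert) { Import-RemoteTrust }
if ($Role -eq "Publishing" -and $PSBoundParameters.ContainsKey("ConsumingFarmId")) {
    Grant-ConsumerFarmAccess
    Test-ConsumerFarmAccess
}
```

Run it once per farm: first with only -Role on each side to export, copy the files across, then again with -RemoteRootCert (plus -RemoteStsCert and -ConsumingFarmId on the publishing farm). The thumbprint lines are the check worth keeping: the certificate you import as a trusted root is the one that will sign tokens the farm accepts, so confirm it matches what the other farm exported before running the import.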


Once all of these have been completed successfully you should be able to connect to published applications. I will try to get a quick note up shortly explaining how to publish and connect.