Friday, 8 August 2014

Cross farm Service Applications Integration between two separate SharePoint farms


Nice Article by Issa Ayyash

Introduction

A very powerful integration capability is available between SharePoint 2013 and SharePoint 2010/2013, where SharePoint 2010 can still consume service applications from SharePoint 2013 , in this post I will walk you through a step by step guide on how to consume managed meta data service applications resides in SharePoint 2013 from a site resides in SharePoint 2010 farm ,
you can still use the same steps to consume any other service application to achieve cross farm service application, and this post is also applicable if you want to perform the integration between two SP2013 farms.
  • In this sample I assume both farms resides on the same domain.
  • The steps below can still work between two SP2013 farms as well.
clip_image001


1 -Exchange Trust Certificates between farms

An administrator of the consuming farm (SP2010) must provide two trust certificates to the administrator of the publishing farm
  • Root Certificate
  • Security token service (STS) Certificate
Administrator of publishing farm (SP2013) must provide one trust certificate to the consuming farm (SP2010)
  • Root Certificate

To export Certificates from Consuming Farm

a-To export the root certificate from the consuming farm
in PowerShell run the following commands:
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content "C:\ConsumingFarmRoot.cer" -Encoding byte

b-To export the STS certificate from the consuming farm
$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$stsCert.Export("Cert") | Set-Content "C:\ConsumingFarmSTS.cer" -Encoding byte
under C: drive:
clip_image001


To export the root certificate from the publishing farm

$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content "C:\PublishingFarmRoot.cer" -Encoding byte
  • Copy the root certificate and the STS certificate from the server in the consuming farm to the server in the publishing farm.
  • Copy the root certificate from the server in the publishing farm to a server in the consuming farm


2-Managing trust certificates by using Central Administration

Certificates must be imported on both consuming farm and publishing farm as the following:

a-Establish trust on Publishing farm (SP2013)

  • open CA -- Security -- manage trusts -- from ribbon click new ,
clip_image001[6]
  • Since this is a publishing farm we need to import the root certificate and STS certificate extracted from the consuming farm SP2010
clip_image002
a new trust will appear
clip_image003


b-Establish trust on Consuming farm SP2010

  • CA - under security -- manage trusts - from ribbon select New
clip_image001[8]
  • since this is a consuming farm you will import only the root certificate of the publishing farm SP2013.
clip_image002[5]
  • a new trust will appear :
clip_image003[5]


3-On the publishing farm, publish the service application

On the publishing farm (SP2013) on which the service application is located, an administrator must explicitly publish the service application. Service applications that are not explicitly published are available to the local farm only
  • From CA -- Manage Service Application -- select the service you wish to publish (Managed metadata service application) then select publish from the ribbon
clip_image001[10]

  • make sure to check publish this service application to other farms
clip_image002[7]

clip_image003[7]
Information URL : this is an optional info where you can for instance create a page within SharePoint 2013 and place its link here, so admins will read more info about this service application
Important: Copy the Published URL , we are going to use it in the consuming farm later on
urn:schemas-microsoft-com:sharepoint:service:63f708f6c0284e4ba8f54ef14c604e4e#authority=urn:uuid:237032cbe6f84d279136cc24a6
360514&authority=https://2013-sp:32844/Topology/topology.svc

4-Set the permission to the appropriate service applications

You must give the consuming farm permission to the Application Discovery and Load Balancing Service Application on the publishing farm
After doing this, give the consuming farm permission to the published service applications that it will be consuming
  • on the consuming farm , you need to get the Farm ID by running the following command:
Get-SPFarm | Select Id
clip_image001[12]
copy the Consuming farm ID : 1ccfc7f5-b62a-4404-962c-359371d2cd60
  • On a server in the publishing farm, open CA - manage service applications - select Application discovery service application then from ribbon select permissions
clip_image002[9]
paste the consuming farm ID you extracted previously, then click check names
clip_image003[9]
add the consuming farm ID and grant it full control then press OK
clip_image004

Tip : Or you can optionally use the PowerShell command to achieve the same to above:
$security=Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$claimprovider=(Get-SPClaimProvider System).ClaimProvider
$principal=New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimprovider -ClaimValue 1ccfc7f5-b62a-4404-962c-359371d2cd60
where 1ccfc7f5-b62a-4404-962c-359371d2cd60 is the <consumingfarmid> i extracted from the previous step.
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security


5-Do the same steps with the service application you wish to publish (managed meta data)

clip_image005
add the consuming farm ID and grant it full the required permissions in my case full access to term store is granted
clip_image006



On the consuming farm, connect to the remote service application

After the publishing farm has published the service application, an administrator of the consuming farm can connect to that service application from the consuming farm if the address of the specific service application is known
now from consuming farm (SP2010) you can connect to a service application that has been shared by the publishing farm (SP2013) by providing the address of the farm's discovery service or the address of the service application.
to do so from the consuming farm open CA - manage service application - from ribbon select connect
clip_image001[14]
Place the connection info for the service application extracted from the publishing farm (managed meta data service application)
urn:schemas-microsoft-com:sharepoint:service:63f708f6c0284e4ba8f54ef14c604e4e#authority=urn:uuid:237032cbe6f84
d279136cc24a6360514&authority=https://2013-sp:32844/Topology/topology.svc
then click Ok
clip_image002[11]
Important: the server time (clock) should be synchronized to be the time on both consuming and publishing farm or else a consuming farm wont be able to reach the publishing farm service due to The security timestamp is invalid between servers.
select the service application , make sure to be added to default proxy group ,then click ok
clip_image003[11]

clip_image004[5]

clip_image005[5]
now it will appear in the list of service application of the consuming farm (SP2010)
clip_image006[5]



6-Add the shared service application to a Web application proxy group on the consuming farm

An administrator must associate the new service application connection with a local Web application on the consuming farm
in the consuming farm (SP2010) open CA - under service Applications click configure service applications association make sure the new proxy is added to the default group and assigned to the desired web application
clip_image001[16]



7-Validate your work

Open a site within SharePoint 2010 , create a custom list , from ribbon create column
clip_image001[18]
make sure managed Metadata is selected:
clip_image002[13]
scroll down , you should see now the term sets from SP2013 :)
clip_image003[13]


Additional Scenarios

Note: in some scenarios you might need to allow server to server authentication , if your case is one of the below you need then to configure server to server authentication otherwise you are done, no need to perform any additional steps
  • Follow a document on a Team Sites web application when a user’s personal site is located on a My Sites web application. The Team Sites web application makes a request of the My Sites web application on behalf of the user.
  • Create or reply to a site feed post for a site that is located on a Team Sites web application but performed through the user’s My Site Newsfeed on the My Sites web application. The My Sites web application will make a request of the Team Sites web application on behalf of the user to write the post or the reply.
  • A User Profile Service application task to repopulate the feed cache has to read from the personal site or team site. If the User Profile Service application is running in a different farm, the User Profile Service application sends a request to the My Sites web application or Team Sites web application to read the user or site feed data into the cache
if you need to extend to achieve one of the above scenarios follow the steps in this post then you will be done :) http://technet.microsoft.com/en-us/library/jj992595.aspx


Reference:

http://blogs.technet.com/b/meamcs/archive/2013/09/03/cross-farm-service-applications-integration-between-two-separate-sharepoint-farms.aspx?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+yahoo%2FZfiM+(Team+blog+of+MCS+%40+Middle+East+and+Africa)

 

No comments:

Post a Comment