182 CHAPTER 7 Understanding the Service Application Architecture

Managing Service Application Groups

After all that very exciting information about how great these groups are, it is time you learned how to use and consume them. After a brief walk through the GUI tools, we’ll take a look at some of the hardcore things you can do with the SharePoint 2010 Management Shell.

Using Your Mouse to Manage Groups

Put that fancy mouse you have on your desk to work and follow these steps:

1. Open Central Administration.
2. Click Application Management.
3. In the Service Application section, click Configure service application associations.

From this screen you will see a list of all of your service applications and the Application Proxy Group with which each one is associated. This is where all that terminology you studied comes in handy. You already know that “application proxy group” means service application group, and that “application proxies” really means service application connections, right?

The nice thing about this screen is you can now click on one of the proxy groups to change its connections if necessary. For example, if you wanted to remove HR Only Metadata from the default group, this is how you would do it:

1. Click on the proxy group Default.
2. Deselect HR Only Metadata.
3. Scroll down the page and click OK.

Now all of the web applications that are associated with the default service application group will no longer have access to the HR Only Metadata connection.

When you first got to the Configure Service Application Associations screen, you may have noticed that because you have multiple Managed Metadata service applications in your farm, one appears as [default] and the other(s) as [set as default], as shown in Figure 7-14.

FIGURE 7-14

This is because you can associate multiple Managed Metadata services with one service application group, so you need to specify which one should be the default. Both are equally accessible; one of them just needs to be presented to the user first. You will see the set as default option with other service applications as applicable.

Service Application Administration 183

This interface for manipulating the service application connections in a service application group is the same whether you are modifying the default, [custom], or even a custom group created with the SharePoint 2010 Management Shell.

Using the Keyboard to Manage Groups with Windows PowerShell

As with just about everything related to SharePoint 2010 administration, anything you can do in a GUI you can do better with Windows PowerShell cmdlets in the SharePoint 2010 Management Shell. Chapter 10 has all of the awesome details about working with Windows PowerShell for administrative tasks. This section covers some of the key cmdlets you can use for service applications, and skips right over all of the details about using the SharePoint 2010 Management Shell. If you are new to Windows PowerShell, you might find it easier to put this section on hold until you have had a chance to dig into Chapter 10.

Depending on which components you have installed, there are approximately 105 different cmdlets related to service applications. Because it would be impossible to cover all of these without doubling this book’s page count, we will instead take a look at a few of the more important ones. To discover most of the cmdlets, run the following command from the shell:

Get-Command *serviceapplication*

Have fun with the list that is returned. You will notice that each service application, such as Excel Services, has its own cmdlets, which you can use to provision a new service application without the need to use Central Administration.

Creating a New Service Application Group

After spending all that time learning about service application groups, you were no doubt dismayed to learn that you cannot create reusable groups in Central Administration.
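The shell workflow this section walks through, collected into one added example (not the book’s code): it creates the group, adds a connection resolved by its DisplayName instead of a hand-typed GUID, binds a web application to the group so it appears on the Configure service application associations page, and then lists what that web application can reach. The group name, connection name, and web application URL are assumed placeholders.

```powershell
# Added example (not the book's code). Assumed placeholders: group "YourCustomGroup",
# connection "Access Services", web application http://intranet.contoso.com.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$groupName = "YourCustomGroup"
$proxyName = "Access Services"
$webAppUrl = "http://intranet.contoso.com"

# Reuse the group if it already exists so the script can be rerun safely.
$group = Get-SPServiceApplicationProxyGroup | Where-Object { $_.Name -eq $groupName }
if (-not $group) {
    $group = New-SPServiceApplicationProxyGroup -Name $groupName
}

# Resolve the connection (proxy) by DisplayName. Insist on exactly one match:
# two connections with the same name would make a blind GUID paste ambiguous.
$proxy = @(Get-SPServiceApplicationProxy | Where-Object { $_.DisplayName -eq $proxyName })
if ($proxy.Count -ne 1) {
    throw "Expected exactly one connection named '$proxyName', found $($proxy.Count)."
}

# -Member accepts the proxy object itself, so the Id GUID never has to be retyped.
Add-SPServiceApplicationProxyGroupMember -Identity $group -Member $proxy[0]

# Associating a web application with the group is what makes the group visible
# on the Configure service application associations page.
Set-SPWebApplication -Identity $webAppUrl -ServiceApplicationProxyGroup $group

# Verify: show exactly which connections sites in this web application can now use.
$bound = (Get-SPWebApplication -Identity $webAppUrl).ServiceApplicationProxyGroup
$bound.Proxies | Select-Object DisplayName, TypeName, Id | Format-Table -AutoSize
```

Run the final two lines on their own against each web application whenever you need to confirm that a restricted connection (HR Only Metadata in the example above) is only reachable from the groups you intend.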
As you might guess, you can create your own group with Windows PowerShell. The cmdlet you need is New-SPServiceApplicationProxyGroup, and you just need to provide the -Name parameter. The command is as follows:

New-SPServiceApplicationProxyGroup -Name YourCustomGroup

Now you have a group called YourCustomGroup. The group is empty, of course, so now you can add a connection to it. To do this, you first need to get the Id of the connection you want to add. To achieve that, run the following cmdlet:

Get-SPServiceApplicationProxy

This will give you the DisplayName, TypeName, and Id (a GUID) of each connection. The Id is the important part. See Figure 7-15 for example output. Keep in mind that your GUIDs will be different, or at least they should be; if they are not, you have bigger problems than this book can solve.

FIGURE 7-15

To add the Access Services connection to the group, you would run the following command:

Add-SPServiceApplicationProxyGroupMember YourCustomGroup -Member 9bc562cc-84ad-4d18-98d9-8c27e472271e

Remember that you need to enter the GUID for your own service application connection. If you are thinking that was a very long way to go to add a service application connection, you’re right.

An Easier Way to Add Connections

Let’s cheat. Now that you have the new group, you can go back to the GUI and do a little click, click, click to add the other connections to it. Navigate back to Central Administration > Application Management > Configure service application associations. Confused? When you get to that page, you will not see YourCustomGroup. You will not be able to see it on this page until you associate it with a web application. To change a web application’s service application group association, follow these steps:

1. From the Application Management page, select Manage web applications.
2. Select the web application for which you want to change associations.
3. From the Ribbon, click Service Connections.
4. From the drop-down, select YourCustomGroup.
5. Scroll down the page and click OK.

Now go back to Configure service application associations. You should see YourCustomGroup. Click YourCustomGroup. A simple web interface will appear for selecting the service application connections you want to include in the group.

Publishing a Service Application Across Farms

Time for some more fun with Windows PowerShell cmdlets. Publishing a service application and consuming it isn’t too terribly difficult and can mostly be done through the UI. The tricky part is setting up the farm trusts and getting the Application Discovery and Load Balancer Service Application secured properly. Once you knock out those two pieces the rest is a breeze.

Setting Up the Farm Trust

Follow these steps to set up the farm trust:

1. On the publishing server, create a folder at C:\PubCerts.
2. From the publishing server, open the SharePoint 2010 Management Shell. To get the certificate, type the following line and press Enter:
   $rootCert = (Get-SPCertificateAuthority).RootCertificate
3. To export the certificate, type the following line and press Enter:
   $rootCert.Export("Cert") | Set-Content C:\PubCerts\PublishingRoot.cer -Encoding byte
4. Copy the C:\PubCerts folder from the publishing server to the consuming server.
5. On the consuming server, create a folder at C:\ConsumerCerts.
6. From the consuming server, open the SharePoint 2010 Management Shell.
7. To get the certificate, type the following line and press Enter:
   $rootCert = (Get-SPCertificateAuthority).RootCertificate
8. To export the certificate, type the following line and press Enter:
   $rootCert.Export("Cert") | Set-Content C:\ConsumerCerts\ConsumingRoot.cer -Encoding byte
9. To get the STS certificate, type the following line and press Enter:
   $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
10. To export the STS certificate, type the following line and press Enter:
   $stsCert.Export("Cert") | Set-Content "C:\ConsumerCerts\ConsumingSTS.cer" -Encoding byte
11. Copy the C:\ConsumerCerts folder to the publishing server.
12. Still on the consuming server, to load the publishing server’s certificate, type the following line and press Enter:
   $trustCert = Get-PfxCertificate "C:\PubCerts\PublishingRoot.cer"
13. To set up the trust using the certificate, type the following line and press Enter:
   New-SPTrustedRootAuthority PublishingFarm -Certificate $trustCert
14. Return to the shell on the publishing server.
15. To load the consuming server’s certificate, type the following line and press Enter:
   $trustCert = Get-PfxCertificate "C:\ConsumerCerts\ConsumingRoot.cer"
16. To set up the trust using the certificate, type the following line and press Enter:
   New-SPTrustedRootAuthority Collaboration -Certificate $trustCert
17. To load the consuming server’s STS certificate, type the following line and press Enter:
   $stsCert = Get-PfxCertificate "C:\ConsumerCerts\ConsumingSTS.cer"
18. To add the STS certificate to the trust, type the following line and press Enter:
   New-SPTrustedServiceTokenIssuer Collaboration -Certificate $stsCert
19. Return to the shell on the consuming server.
20. Type the following line and press Enter:
   Get-SPFarm | Select Id
21. Record that number for use later.
22. Return to the shell on the publishing server.
23. To get the security object for the topology service application, type the following line and press Enter:
   $security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
24. To get the farm’s claim provider object, type the following line and press Enter:
   $claimProvider = (Get-SPClaimProvider System).ClaimProvider
25. To set up the new claim principal for the consuming farm, type the following line and press Enter (substitute the Id from step 21 for the placeholder, without the angle brackets):
   $principal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimProvider -ClaimValue <Id from step 21>
26. To give that principal permissions in your publishing farm to the topology service application, type the following line and press Enter:
   Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
27. To apply the access just granted, type the following line and press Enter:
   Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security

That does it. You have now completed the process of establishing a trust between the two farms so that the publishing farm can serve up service applications to the consuming farm. If you want to look at the trusts or possibly remove one, you can do that through the GUI by navigating to Central Administration > Security > Manage trust.

Publishing a Service Application

For this part, you could dive back into PowerShell, or you could use the GUI in Central Administration. Let’s be “efficient” (aka lazy) and use the GUI. For this example, we will publish a Managed Metadata service application:

1. On the publishing server, open Central Administration.
2. Navigate to Application Management > Manage service applications.
3. Click to the right of the service application you want to make available.
4. In the Ribbon, click Publish.
5. On the Publish Service Application page, check the box for Publish this Service Application to other farms.
6. For the Publish URL, copy all of the string that begins with “urn:” and ends with “.svc”. For example, it will be similar to the following:
   urn:schemas-microsoft-com:sharepoint:service:ac40e8f87daa43d9bec93f9fa99360c7#authority=urn:uuid:de389296913c4f00b7970f50ea298fd4&authority=https://server:32844/Topology/topology.svc
7. Scroll down the page and click OK.
8. Click to the right of the service application.
9. From the Ribbon, click Permissions.
10. Enter the Farm Id of the consuming farm. You found this in step 21 of the previous section, “Setting Up the Farm Trust.”
11. Click Add.
12. Highlight the Remote Farm: <Your Farm Id>.
13. For permissions, check the box to assign the permissions you wish to give to the remote farm. The permissions available will vary based on the service application being published.
14. Open Central Administration on the consuming farm.
15. Navigate to Application Management > Manage service applications.
16. From the Ribbon, click Connect.
17. Enter the URL for the service application you want to access, copied in step 6 of this section.
18. Click OK.
19. Click the service application name so that it is highlighted in yellow.
20. You can choose whether or not to include this service application in the default service application group. When you are done, click OK.
21. Now you can accept the default connection name or enter your own. When you are finished, click OK.
22. At the success screen, click OK.

You can now work with the service application just as if it were part of your farm. The first time you work through this process, take your time; it is very easy to make a small mistake that costs you hours of troubleshooting.

MULTITENANCY IN SHAREPOINT 2010

No conversation about service applications would be complete without digging into the multi-tenant capabilities that have been built into SharePoint 2010. Under normal circumstances, the multi-tenant discussion pertains to hosted environments where a SharePoint farm is providing services to any number of different companies. But as you will see in this section, the concepts of multi-tenancy apply very directly to the enterprise as well.

Segmentation of Data and Processing

In SharePoint 2007, the walls of security and the isolation of data and services fell along the lines of web application to site collections to webs (if you need a refresher, check out the “Terminology” section in Chapter 3). New to SharePoint 2010 is the capability to create a new layer of segregation of data and services between the web application layer and the associated site collections. This segmentation is possible through the use of site subscriptions.

Site subscriptions enable you to group together site collections that are part of the same web application. Site subscriptions are a logical group of site collections that can share settings (in the Subscription Settings database), features, and service data. Site subscriptions are identified with a subscription ID. The subscription ID is used to map services, features, and sites to tenants, and to partition service data by tenant. Note the following characteristics of site subscriptions:

- A site can be a member of only one site subscription at a time. This prevents any conflicts with licensing schemas.
- There is no Central Administration interface for managing site subscriptions. Management must be handled through PowerShell, including creating site subscriptions and adding sites to or removing them from a site subscription.
- Sites can only join a site subscription that belongs to the same web application as the site; sites can’t join site subscriptions associated with other web applications.
- Site subscriptions can span multiple content databases.
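Because site subscriptions have no Central Administration interface, here is an added PowerShell example (not the book’s code) that creates a subscription, checks the two membership rules above before assigning each site collection, and then lists the tenant’s sites by subscription ID. The web application and site URLs are assumed placeholders.

```powershell
# Added example (not the book's code). Assumed placeholders: web application
# http://intranet.contoso.com and two HR site collections beneath it.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://intranet.contoso.com"
$siteUrls  = @("$webAppUrl/sites/hr", "$webAppUrl/sites/hr-archive")

# A site subscription has no friendly name; it is identified only by its Id GUID,
# which is what partitions service data for the tenant.
$subscription = New-SPSiteSubscription
Write-Host "Created site subscription $($subscription.Id)"

foreach ($url in $siteUrls) {
    $site = Get-SPSite -Identity $url -ErrorAction Stop

    # Rule 1: a site belongs to at most one subscription at a time. Refuse to
    # silently move a site that another tenant already owns.
    if ($site.SiteSubscription -and $site.SiteSubscription.Id -ne $subscription.Id) {
        throw "$url already belongs to site subscription $($site.SiteSubscription.Id)"
    }

    # Rule 2: every member must live in the same web application.
    if ($site.WebApplication.Url.TrimEnd('/') -ne $webAppUrl.TrimEnd('/')) {
        throw "$url is not in web application $webAppUrl"
    }

    Set-SPSite -Identity $site -SiteSubscription $subscription
    Write-Host "Added $url"
}

# Verify: Get-SPSite -SiteSubscription is the built-in way to enumerate a tenant's
# site collections, since nothing in Central Administration shows membership.
Get-SPSite -SiteSubscription $subscription -Limit All |
    Select-Object Url, @{ n = 'SubscriptionId'; e = { $_.SiteSubscription.Id } } |
    Format-Table -AutoSize
```

The same Get-SPSite -SiteSubscription listing, run per subscription, is the quickest way to audit that no site collection has ended up in the wrong tenant.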