service application administration ❘ 185
Time for some more fun with Windows PowerShell cmdlets. Publishing a service application and consuming it isn’t too terribly difficult and can mostly be done through the UI. The tricky part is setting up the farm trusts and getting the Application Discovery and Load Balancer Service Application secured properly. Once you knock out those two pieces the rest is a breeze.
Setting Up the Farm Trust
Follow these steps to set up the farm trust:
1. On the publishing server, create a folder at c:\PubCerts.
2. From the publishing server, open the SharePoint 2010 Management Shell. To get the certificate, type the following line and press Enter:
$rootCert = (Get-SPCertificateAuthority).RootCertificate   # the certificate object itself, not a Select-Object wrapper
3. To export the certificate, type the following line and press Enter:
$rootCert.Export("Cert") | Set-Content C:\PubCerts\PublishingRoot.cer -Encoding byte
4. Copy the c:\PubCerts folder from the publishing server to the consuming server.
5. On the consuming server, create a folder at c:\ConsumerCerts.
6. On the consuming server, open the SharePoint 2010 Management Shell.
7. To get the certificate, type the following line and press Enter:
$rootCert = (Get-SPCertificateAuthority).RootCertificate
8. To export the certificate, type the following line and press Enter:
$rootCert.Export("Cert") | Set-Content C:\ConsumerCerts\ConsumingRoot.cer -Encoding byte
9. To get the STS certificate, type the following line and press Enter:
$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
10. To export the STS certificate, type the following line and press Enter:
$stsCert.Export("Cert") | Set-Content "C:\ConsumerCerts\ConsumingSTS.cer" -Encoding byte
11. Copy the c:\ConsumerCerts folder to the publishing server.
12. Still on the consuming server, to load the publishing server’s certificate, type the following line and press Enter:
$trustCert = Get-PfxCertificate "C:\PubCerts\PublishingRoot.cer"
13. To set up the trust using the certificate, type the following line and press Enter:
New-SPTrustedRootAuthority PublishingFarm -Certificate $trustCert
14. Return to the shell on the publishing server.
15. To load the consuming server’s certificate, type the following line and press Enter:
$trustCert = Get-PfxCertificate "c:\ConsumerCerts\ConsumingRoot.cer"
16. To set up the trust using the certificate, type the following line and press Enter:
New-SPTrustedRootAuthority Collaboration -Certificate $trustCert
17. To load the consuming server’s STS certificate, type the following line and press Enter:
$stsCert = Get-PfxCertificate "c:\ConsumerCerts\ConsumingSTS.cer"
18. To add the STS certificate to the trust, type the following line and press Enter:
New-SPTrustedServiceTokenIssuer Collaboration -Certificate $stsCert
19. Return to the shell on the consuming server.
20. Type the following line and press Enter:
Get-SPFarm | Select Id
21. Record that number for use later.
22. Return to the shell on the publishing server.
23. To get the security object for the topology service application, type the following line and press Enter:
$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
24. To get the farm’s claim provider object, type the following line and press Enter:
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
25. To set up the new claim principal for the consuming farm, type the following command and press Enter (it is one command; the backticks continue it across lines):
$principal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" `
    -ClaimProvider $claimProvider `
    -ClaimValue <Type the ID from Step 21, don’t include the <>>
26. To give that principal permissions in your publishing farm to the topology service application, type the following line and press Enter:
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
27. To set the access just given, type the following line and press Enter:
Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
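The 27 steps above as a script, added here and not part of the book: one function per farm role, plus a check that the certificate each farm registered is really the file it was handed. Folder paths, trust names and the "Full Control" right are the book's; the function names are assumed.

```powershell
# Added example, not from the book. Run each function on the farm named in its comment.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Either farm: export its root CA certificate (and, on the consumer, the STS signing cert).
function Export-FarmTrustCerts([string]$Folder, [string]$Prefix, [switch]$IncludeSts) {
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $root = (Get-SPCertificateAuthority).RootCertificate   # the object, not a Select wrapper
    $root.Export("Cert") | Set-Content "$Folder\${Prefix}Root.cer" -Encoding byte
    if ($IncludeSts) {
        $sts = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
        $sts.Export("Cert") | Set-Content "$Folder\${Prefix}STS.cer" -Encoding byte
    }
}

# Consuming farm, after C:\PubCerts has been copied over (steps 12, 13, 20, 21).
function Register-PublisherTrust {
    $cert = Get-PfxCertificate "C:\PubCerts\PublishingRoot.cer"
    New-SPTrustedRootAuthority PublishingFarm -Certificate $cert | Out-Null
    (Get-SPFarm).Id   # hand this GUID to the publishing farm's administrator
}

# Publishing farm, after C:\ConsumerCerts has been copied over (steps 15 to 18, 23 to 27).
function Register-ConsumerTrust([Guid]$ConsumerFarmId) {
    $root = Get-PfxCertificate "C:\ConsumerCerts\ConsumingRoot.cer"
    $sts  = Get-PfxCertificate "C:\ConsumerCerts\ConsumingSTS.cer"
    New-SPTrustedRootAuthority Collaboration -Certificate $root | Out-Null
    New-SPTrustedServiceTokenIssuer Collaboration -Certificate $sts | Out-Null
    # Let the remote farm, identified by its farm id claim, use the topology service.
    $security  = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
    $provider  = (Get-SPClaimProvider System).ClaimProvider
    $principal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" `
        -ClaimProvider $provider -ClaimValue $ConsumerFarmId.ToString()
    Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
    Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
}

# Check on either farm: the thumbprint registered under a trust name must equal the copied file,
# so a stale or wrong .cer is caught here rather than as an opaque failure when connecting.
function Test-TrustMatchesFile([string]$TrustName, [string]$CerPath) {
    $registered = (Get-SPTrustedRootAuthority $TrustName).Certificate.Thumbprint
    $onDisk     = (Get-PfxCertificate $CerPath).Thumbprint
    if ($registered -ne $onDisk) { throw "$TrustName thumbprint $registered differs from file $onDisk" }
    "$TrustName OK: $registered"
}
```

Typical order: Export-FarmTrustCerts on both farms, copy the folders, Register-PublisherTrust on the consumer, Register-ConsumerTrust on the publisher with the GUID it returned, then Test-TrustMatchesFile PublishingFarm and Collaboration on their respective farms.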
That does it. You now have completed the process of establishing a trust between the two farms so that the publishing server can serve up service applications to the consuming farm. If you want to look at the trusts or possibly remove one, you can do that through the GUI by navigating to Central Administration ➪ Security ➪ Manage trust.
Publishing a Service Application
For this part, you could dive back into PowerShell, or you could use the GUI in Central Administration.
Let’s be “efficient” (aka lazy) and use the GUI. For this example, we will publish a managed metadata service application:
1. On the publishing server, open Central Administration.
2. Navigate to Application Management ➪ Manage service applications.
3. Click to the right of the service application you want to make available.
4. In the Ribbon, click Publish.
5. On the Publish Service Application page, check the box for Publish this Service Application to other farms.
6. For the Publish URL, copy all of the string that begins with “urn:” and ends with “.svc”. For example, it will be similar to the following:
urn:schemas-microsoft-com:sharepoint:service:ac40e8f87daa43d9bec93f9fa99360c7#authority=urn:uuid:de389296913c4f00b7970f50ea298fd4&authority=https://server:32844/Topology/topology.svc
7. Scroll down the page and click OK.
8. Click to the right of the service application.
9. From the Ribbon, click Permissions.
10. Enter the Farm Id of the consuming farm. You found this using step 21 in the previous section, “Setting Up the Farm Trust.”
11. Click Add.
12. Highlight the Remote Farm: <Your Farm Id>.
13. For permissions, check the box to assign the permissions you wish to give to the remote farm. The permissions available will vary based on the service application being published.
14. Open Central Administration on the consuming farm.
15. Navigate to Application Management ➪ Manage service applications.
16. From the Ribbon, click Connect.
17. Enter the URL for the service application you want to access from step 6 in this section.
18. Click OK.
19. Click the service application name so that it is highlighted in yellow.
20. You can choose whether or not to include this service application in the default service application group. When you are done, click OK.
21. Now you can accept the default connection name or enter your own. When you are finished, click OK.
22. At the success screen, click OK.
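The same publish, permission and connect steps done from the shell, as an added example that is not part of the book. The service application name, the consuming farm id, the right granted and the proxy name are assumed values; the farm id claim principal is built exactly as in the trust section.

```powershell
# Added example, not from the book. Publishing-farm functions first, then the consumer side.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Publishing farm (steps 1 to 13): publish the service application and grant the consuming
# farm, identified by its farm id claim, one right on it. Right names are per service
# application type; for managed metadata, "Read Access to Term Store" is narrower than
# "Full Access to Term Store", so grant only what the remote farm actually needs.
function Publish-ToRemoteFarm([string]$AppName, [Guid]$ConsumerFarmId, [string]$Right) {
    $app = Get-SPServiceApplication -Name $AppName
    Publish-SPServiceApplication -Identity $app
    $security  = Get-SPServiceApplicationSecurity $app
    $provider  = (Get-SPClaimProvider System).ClaimProvider
    $principal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" `
        -ClaimProvider $provider -ClaimValue $ConsumerFarmId.ToString()
    Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights $Right
    Set-SPServiceApplicationSecurity $app -ObjectSecurity $security
    # The "urn:...#authority=...topology.svc" publish URL the consuming farm needs (step 6).
    $app.Uri.AbsoluteUri
}

# Publishing farm check: list every principal and right currently granted on the application,
# which is the place to spot a remote farm that was given more than it should have.
function Get-ServiceAppGrants([string]$AppName) {
    $app = Get-SPServiceApplication -Name $AppName
    (Get-SPServiceApplicationSecurity $app).AccessRules | Select-Object Name, AllowedRights
}

# Consuming farm (steps 14 to 22): connect a managed metadata proxy to the published URL
# and put it in the default service application group.
function Connect-RemoteMetadata([string]$ProxyName, [string]$PublishUrl) {
    New-SPMetadataServiceApplicationProxy -Name $ProxyName -Uri $PublishUrl -DefaultProxyGroup
}

# Usage, with placeholder values:
#   publishing farm: Publish-ToRemoteFarm "Managed Metadata Service" "<consuming farm id>" "Read Access to Term Store"
#   consuming farm:  Connect-RemoteMetadata "Remote MMS" "<publish URL returned above>"
```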
You can now work with the service application just as if it were part of your farm. The first time you work through this process, take your time; it is very easy to make a small mistake that costs you hours of troubleshooting.