Publish and consume SharePoint Service applications

Publish and consume SharePoint Service applications

SharePoint 2013 some service applications can be shared across the server farms. We can publish the following service applications in a SP 2013 farm,

·         Business Data Connectivity

·         Machine Translation

·         Managed Metadata

·         User Profile

·         Search

·         Secure Store

The farm that contains the service application and publishes the service application so that other farms can consume the service application is known as the Publishing farm. The farm that connects to a remote location to use a service application that the remote location is hosting is known as the Consuming farm.
Following steps are required and must be performed in the order listed to publish and consume the service applications,

1.     Exchange trust certificates between the farms.

2.     Publish the service application on the publishing farm.

3.     Set the permission to the appropriate service applications.

4.     Connect to the remote service application on the consuming farm.

5.     Add the shared service application to a web application group on the consuming farm.

6.     Configure server-to-server authentication between the publishing and consuming farm.

Exchange trust certificates between farms

Administrator of the Consuming farm must provide two trust certificates to the administrator of the Publishing farm,

1.     Root certificate (Consuming farm à Publishing farm)

2.     Security token service certificate(STS) (Consuming farm à Publishing farm)

Administrator of the Publishing farm must provide a root certificate to the administrator of the consuming farm.

3.     Root certificate (Publishing farm à Consuming farm)

By exchanging certificates, each farm acknowledges that other farm can be trusted.

1.1 To export the root certificate from the consuming farm

Start à All Programs à Microsoft SharePoint 2013 Products à SharePoint 2013 Management Shell

$rootCert = (Get-SPCertificateAuthority).RootCertificate $rootCert.Export("Cert") | Set-Content <C:\ConsumingFarmRoot.cer> -Encoding byte

<C:\ConsumingFarmRoot.cer> is the path of the root certificate.

1.2 To export the STS certificate from the consuming farm

Start à All Programs à Microsoft SharePoint 2013 Products à SharePoint 2013 Management Shell

$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate   $stsCert.Export("Cert") | Set-Content <C:\ConsumingFarmSTS.cer> -Encoding byte

<C:\ConsumingFarmSTS.cer> is the path of the STS certificate

1.3 To export the root certificate from the publishing farm

Start à All Programs à Microsoft SharePoint 2013 Products à SharePoint 2013 Management Shell

$rootCert = (Get-SPCertificateAuthority).RootCertificate   $rootCert.Export("Cert") | Set-Content <C:\PublishingFarmRoot.cer> -Encoding byte

<C:\PublishingFarmRoot.cer> is the path of the root certificate.

1.4 Copy the certificates

• Copy the root certificate and the STS certificate from the server in the consuming farm to the server in the publishing farm.
• Copy the root certificate from the server in the publishing farm to a server in the consuming farm.

1.5 Establishing trust on the consuming farm

To import the root certificate and create a trusted root authority on the consuming farm,

Start à All Programs à Microsoft SharePoint 2013 Products à SharePoint 2013 Management Shell

$trustCert = Get-PfxCertificate <C:\PublishingFarmRoot.cer> $trustCert = Get-PfxCertificate .\HOT_Q_F06_PublishingFarmRoot.cer   New-SPTrustedRootAuthority Publishing Farm_HOT_Q_F06 -Certificate $trustCert

• <C:\PublishingFarmRoot.cer> is the path of the root certificate that you copied to the consuming farm from the publishing farm.
• <PublishingFarm> is a unique name that identifies the publishing farm. Each trusted root authority must have a unique name. Ex: WFEFarm1

1.5 Establishing trust on the publishing farm

To import the root certificate and create a trusted root authority on the publishing farm,

Start à All Programs à Microsoft SharePoint 2013 Products à SharePoint 2013 Management Shell

$trustCert = Get-PfxCertificate <C:\ConsumingFarmRoot.cer> $trustCert = Get-PfxCertificate .\HOT_Q_F08_ConsumingFarmRoot.cer New-SPTrustedRootAuthority ConsumingFarm_HOT_Q_F08 -Certificate $trustCert

• <C:\ConsumingFarmRoot.cer> is the name and location of the root certificate that you copied to the publishing farm from the consuming farm.
• <ConsumingFarm> is a unique name that identifies the consuming farm. Each trusted root authority must have a unique name.

To import the STS certificate and create a trusted service token issuer on the publishing farm,

$stsCert = Get-PfxCertificate <c:\ConsumingFarmSTS.cer> $stsCert = Get-PfxCertificate .\HOT_Q_F08_ConsumingFarmSTS.cer New-SPTrustedServiceTokenIssuer ConsumingFarm_HOT_Q_F08 -Certificate $stsCert

• <C:\ConsumingFarmSTS.cer> is the path of the STS certificate that you copied to the publishing farm from the consuming farm.
• <ConsumingFarm> is a unique name that identifies the consuming farm. Each trusted service token issuer must have a unique name.

1.6 Managing trust certificates by using Central Administration (Optional)

We can manage trusts on a farm only after the relevant certificates have already been exported and copied to the farm. Following steps must be performed on Publishing and consuming farm,

• Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.
• Central Administration à Security à General Security à Manage trust à New
• On the Establish Trust Relationship page,

a.     Supply a name that describes the purpose of the trust relationship.

b.    Browse to and select the Root Authority Certificate for the trust relationship. This must be the Root Authority Certificate that was exported from the other farm by using PowerShell.

c.     Only on Publishing Farm: Select the check box for ‘Provide Trust Relationship’. Type in a descriptive name for the token issuer and browse to and select the STS certificate that was copied from the consuming farm. Click Ok.

Publish service application

On the farm on which the service application is located, an administrator must explicitly publish the service application. Service applications that are not explicitly published are available to the local farm only.

To publish a service application by using Central Administration,

• Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.
• Central Administration à Application Management à Manage service applications.
• Choose the service application want to publish. On the Ribbon, Click Publish.
• In the Publish Service Application dialog box:

a.      Select the Connection Type that we want from the drop-down list.

http

b.    If we want the service application to be available to remote farms, select the check box for Publish this Service Application to other farms.

checked

c.     We have already established trust between the farms. So we can check and see trust establishment by clicking the link Click here to add a trust relationship with another farm.

d.    Copy the Published URL into Notepad or another text editor. We must provide this URL to remote farms to connect the remote farms to the published service application. The URL will be similar to the following:

urn:schemas-microsoft-com:sharepoint:service:0d755965a89a43bfa93ad5d4b2e3f616#authority=urn:uuid:fa85d318d294438a83116e8c0b24ade6&authority=https://defnsvxxx:32844/Topology/topology.svc 

To publish a service application by using PowerShell(optional),

Start à All Programs à Microsoft SharePoint 2013 Products à SharePoint 2013 Management Shell

Publish-SPServiceApplication -Identity <ServiceApplicationGUID>

• <ServiceApplicationGUID> GUID of the service application

To get the GUID of the service application Run the following command,

Get-SPServiceApplication

To view the published service application load balancer URL, type the following command and record the output. Any connecting remote farms will need the information that is generated by this command.

Get-SPTopologyServiceApplication

Set Permission to Published service application

We must give the consuming farm permission to the Application Discovery and Load Balancing Service Application on the publishing farm. After doing this, give the consuming farm permission to the published service applications that it will be consuming.

We must establish a relationship between the publishing farm and the consuming farm by giving the consuming farm permission to the Application Discovery and Load Balancing Service Application first and other published service applications on the publishing farm.

1. Set the permission to the Application Discovery and Load Balancing Service Application
2. Set the permission to other published service applications.

On a server in the consuming farm to get the Consuming farm ID,

Start à All Programs à Microsoft SharePoint 2013 Products à SharePoint 2013 Management Shell

Get-SPFarm | Select Id 9da7ccab-2c24-4d50-abd4-9ce95784ce91

• Returns GUID value of the consuming farm

To set permission to the Application Discovery and Load Balancing Service Application on the publishing farm by using PowerShell,
Run on the following commands on server in the publishing farm for giving the consuming farm permission to the Application Discovery and Load Balancing Service Application,

$security=Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity $claimprovider=(Get-SPClaimProvider System).ClaimProvider $principal=New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimprovider -ClaimValue 9da7ccab-2c24-4d50-abd4-9ce95784ce91 Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control" Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security

• Consumingfarmid is the GUID value of the consuming farm

To set permission to other published Service Applications on the publishing farm by using PowerShell,
Run on the following commands on server in the publishing farm for giving the consuming farm permission to the Application Discovery and Load Balancing Service Application,

Get-SPServiceApplication –id fa85d318-d294-438a-8311-6e8c0b24ade6 $security=Get-SPServiceApplication fa85d318-d294-438a-8311-6e8c0b24ade6 | Get-SPServiceApplicationSecurity $claimprovider=(Get-SPClaimProvider System).ClaimProvider $principal=New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimprovider -ClaimValue 9da7ccab-2c24-4d50-abd4-9ce95784ce91 Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control" Set-SPServiceApplicationSecurity fa85d318-d294-438a-8311-6e8c0b24ade6 -ObjectSecurity $security

• <ServiceApplicationName> is the name of the service application for which you want to find the ID. If the service application name contains spaces, enclose the value in double-quotation marks.
• <Consumingfarmid> is the GUID value of the consuming farm
• <GUID> is the ID of the published service application.

To set permission to the Application Discovery and Load Balancing Service Application and any other published service application for a consuming farm by using Central Administration (optional)

1.     On publishing farmà SharePoint Central Administration website à verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.

2.     Navigate Application Management à Manage service applications à Application Discovery and Load Balancing Service Application.

3.     On the ribbon, click Permissions

On a server in the consuming farm to get the Consuming farm ID,

Start à All Programs à Microsoft SharePoint 2013 Products à SharePoint 2013 Management Shell

Get-SPFarm | Select Id

Returns GUID value of the consuming farm

4.     In the Connection Permissions dialog box,

a.     Manually paste the ID of the consuming farm from the PowerShell section à Click Add

b.    Select the consuming farm ID, and then select the Full Control check box. à Click OK

5.     Repeat steps 2 through 4 for any published service applications for which you want to enable access from the consuming farm and assign the necessary permission.

Connect to service applications on Remote farms

After the publishing farm has published the service application, an administrator of the consuming farm can connect to that service application from the consuming farm if the address of the specific service application is known.
To connect to a service application on a remote farm by using Central Administration

1.     Verify that you are a member of the Farm Administrators SharePoint group

2.     On a server in the Consuming farm, SharePoint Central Administration à Application Management à Manage service applications.

3.     On ribbon, click Connect

4.     On the Connect drop-down menu, click the kind of service application to which you want to connect.

5.     On the Connect to a Remote Service Application page, type the appropriate URL in the Farm or Service Application address text box, and then click OK

urn:schemas-microsoft-com:sharepoint:service:0d755965a89a43bfa93ad5d4b2e3f616#authority=urn:uuid:fa85d318d294438a83116e8c0b24ade6&authority=https://defnsvxxxx:32844/Topology/topology.svc 

6.     On the Connect to a Remote Service Application page, type the appropriate URL in the Farm or Service Application address text box, and then click OK

7.     The new Connect to a Remote Service Application dialog box displays the service applications that match the URL that you typed in Step 5. Click the row that contains the name of the service application, and then select the check box to add the service application connection to the farm’s default list of service application connections (that is, the default proxy group). Click OK.

8.     We are prompted to change the connection name. Type a new name into the Connection Name text box or leave the default name, and then click OK

9.     After the new connection is created, we must click OK to complete the procedure.

10.  Associate the new service application connection with a local Web application.

To connect to a service application on a remote farm by using PowerShell(optional)

Start à All Programs à Microsoft SharePoint 2013 Products à SharePoint 2013 Management Shell

To get the PublishingFarmTopologyURL,

Receive-SPServiceApplicationConnectionInfo -FarmUrl <PublishingFarmTopologyURL>

<PublishingFarmTopologyURL> is the information that is retrieved by running the Get-SPTopologyServiceApplication cmdlet on the publishing farm below,

New-SP*ServiceApplicationProxy -Name " <ServiceApplicationProxyName>" -Url "<PublishingFarmTopologyURL>"

• <ServiceApplicationProxyName> is a unique name for a service application connection on the consuming farm.
• <PublishingFarmTopologyURL> is the service application topology URL that was also used in the previous command.

Example: Following command creates a new Managed Metadata service application proxy named "MetadataServiceProxy1" that connects to the service application located at the stated URL.

Example: New-SPMetadataServiceApplicationProxy -Name "MetadataServiceProxy1" -Uri " urn:schemas-microsoft-com:sharepoint:service:9c1870b7ee97445888d9e846519cfa27#authority=urn:uuid:02a493b92a5547828e21386e28056cba&authority=https://ua_powershell:32844/Topology/topology.svc  "

Add or remove service application connections from a web application

An administrator must associate the new service application connection with a local Web application on the consuming farm. Only Web applications that are configured to use this association can use the remote service application.

To edit a service connection group by using Central Administration,

1. Central Administration à Application Management à Service Applications à Configure service application associations
2. On the Service Application Associations page, select Web Applications from the View drop-down menu.
3. In the list of Web applications, in the Application Proxy Group column, click the name of the service application connection group that we want to change
4. To add a service connection to the group, select the check box that is next to the service application that you want to add to the connection group.
5. click OK

To add a service application connection to a service application connection group by using PowerShell (optional)

$serviceAppProxy = Get-SPServiceApplicationProxy | where { $_.Name -eq "Name of the service" } $proxygroup = Get-SPServiceApplicationProxyGroup | where { $_.FriendlyName -eq "[default]" } Add-SPServiceApplicationProxyGroupMember -Identity $proxygroup -Member $serviceAppProxy

Configure permissions for Default Content Access Account

Configure server-to-server authentication between publishing and consuming farms

To enable the webapplication or application service to request the resource from another farm on behalf of the user we must configure server–to– server authentication between Publishing and consuming farms.

To configure server-to-server authentication between publishing and consuming farms,

1. Choose a realm name that will be common to both farms. here realm name is “8db904b3-e2c7-4a9d-9541-0bc8cf08f4e1”

http://xxxx//_layouts/15/metadata/json/1

{"issuer":"00000003-0000-0ff1-ce00-000000000000@8db904b3-e2c7-4a9d-9541-0bc8cf08f4e1","keys":[{"keyValue":{"type":"x509certificate","value":"MIIERjCCAi6gAwIBAgIQIdHVI+cIIrxOnWodfIrxqzANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJVUzESMBAGA1UEChMJTWljcm9zb2Z0MRMwEQYDVQQLEwpTaGFyZVBvaW50MSIwIAYDVQQDExlTaGFyZVBvaW50IFJvb3QgQXV0aG9yaXR5MCAXDTEzMDcwODEyMDY1NFoYDzk5OTkwMTAxMDAwMDAwWjBiMQswCQYDVQQGEwJVUzESMBAGA1UEChMJTWljcm9zb2Z0MRMwEQYDVQQLEwpTaGFyZVBvaW50MSowKAYDVQQDEyFTaGFyZVBvaW50IFNlY3VyaXR5IFRva2VuIFNlcnZpY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqiHE6hF5261XDqIPsWtDgSaU9lQOyRUH0TbYndF5Vn6dhhY1iv1U2wNEIMAA4IBDwAwggEKAoIBAQCqiHE6hF5261XDqIPsWtDgSaU9lQOyRUH0TbYndF5Vn6dhhY1iv1U2wNEIM4kE9bX1GuAC4EUEiIoMLFKt9VKgILcQFnyJId4dlGwhGqzUqj2865AAMfT06lixgyQPvZuHBTWOM3BI5FOdzWEXRvTC44N5Qpkpq3K1UusfMk1rSjCXFY1l15dp72Rm3fc1\/2dNJES+Nxo78TIXqr2r1op1I4jJtwbswjiQu7fCg66P3TPMSTFdCQs5Iac2bFan3LJcI6y0RQ7n92mR2tfo0Uj\/7EtSQDi92HaI+Ucf98Az2hOW85Fs1X8eU35Q38TRm3FcrCA5+NucQm7h5QXDF9hxAgMBAAEwDQYJKoZIhvcNAQEFBQADggIBAB\/zFC02H5xEXRPFinh7KtXXqJShFl836+COYnLFrDvcGnu22GC8w4kjeUpyfXzc4J4KZDolkGgNFklqFkj1vYMTForbClV\/XueBiCj2G5az9vtaSCfl3rlyjz\/XQ+sjFQcsu9tDJDMLc0hiebW+ZWxdjbt5PBaBgJEwgckp8hwVxxVy9xzK1QRZfGk8hvzLOPmBfeH0ENAaC1tdri2gojwn8ubcWZv\/QV9eld27sJJFRjQgINHotA0FrV2Ad1Hh8Qi3HDdvW3Da5xaD2MsqjjXFg\/mLT4iC+2GmX\/u1TLvkU1BuZVpSzMYxHMk7Xw6OFPmufgNh14SNIVLEj5S9HtWdQIGgWymO6heWaaZ\/SLyqA5sMO1NklUXfXKMyd2mzQpKgxbbrbAD80P7Hj6LArt+vr6T7WGFAd35Ku09efFo5vak6Ey6eRFU+RFbkWTot01W7vwWdvexlv7lxzMD0y8EYzHmkQWISh1a4xOYvlVuaD502jath2Y0Juj8vl7BxmuqpASczM6sE5cgG3zGogddNeN2Ts3WZYWrD4koXp4\/jSaeAyqz91NzgoE2f\/mFLGXcQB1CgQNowdpSOJ32t85UFJmSO6vgJ3\/xHS0Ug0hybh2CRYXeZ\/fm1955iBzFEb3wBMxF3NTFnxRBNk2tNyZ9TU4sWq29rKqBEXXU8H5pU"},"usage":"Signing"}],"name":"00000003-0000-0ff1-ce00-000000000000","serviceName":"00000003-0000-0ff1-ce00-000000000000"}

name identifier for the STS

Realm value

X509 Certificate Value

2. To configure the Name ID for the SharePoint Security Token Service (STS) on the publishing farm to include the common realm name, type the following commands at the PowerShell command prompt on a server in the publishing farm

$sts=Get-SPSecurityTokenServiceConfig $Realm=Get-SpAuthenticationRealm $nameId = "00000003-0000-0ff1-ce00-000000000000@$Realm" Write-Host "Setting STS NameId to $nameId" $sts.NameIdentifier = $nameId $sts.Update()

3. To configure the Name ID for the SharePoint STS on the consuming farm to include the common realm name, type the following commands at the PowerShell command prompt on a server in the consuming farm:

$sts=Get-SPSecurityTokenServiceConfig $Realm=Get-SpAuthenticationRealm $nameId = "00000003-0000-0ff1-ce00-000000000000@$Realm" Write-Host "Setting STS NameId to $nameId" $sts.NameIdentifier = $nameId $sts.Update()

4. To configure the publishing farm for server-to-server authentication with the consuming farm,

New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://<ConsumeHostName>/_layouts/15/metadata/json/1" -Name "<ConsumeFriendlyName>"

• <ConsumeHostName> is the name and port of the web application of the consuming farm.
• <ConsumeFriendlyName> is a friendly name for the consuming farm.

5. To configure the consuming farm for server-to-server authentication with the publishing farm,

New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://<PublishHostName>/_layouts/15/metadata/json/1" -Name "<PublishFriendlyName>"

• <PublishHostName> is the name and port of any SSL-enabled web application of the publishing farm.
• <PublishFriendlyName> is a friendly name for the publishing farm.

This creates the server-to-server authentication trust with the publishing farm.

Ref:      https://technet.microsoft.com/en-us/library/ff621100.aspx