MCMSfaq.com: Content Management Server Resources

The posts on this weblog are provided “AS IS” with no warranties, and confer no rights.
The opinions expressed herein are personal and do not represent those of my employer.

 
 

Service Application Federation with SharePoint 2010

Yalls may be playing around with Service Application Federation with SharePoint 2010 with the shiny new SharePoint Server 2010 bits. This federation is also called publishing and consuming service applications, but as I’m spending a lot of my time of late in PowerPoint, I’m using the buzzword for the time being.

However, with the RTM bits there is a fundamental missing piece that is not currently documented on TechNet.

Of course you need to exchange and install the necessary certificates as detailed here. However, in order to make it work, the consuming farm must have permissions to the publishing farm’s Topology service app; otherwise it will fail with the following error:

"Unable to connect to the specified address. Verify the URL you entered and contact the service administrator for more details."

In your ULS logs you will see the following slightly more helpful detail:

An exception occurred when calling SPTopologyWebServiceApplicationProxy.EnumerateSharedServiceApplications on service https://SERVERNAME:32844/Topology/topology.svc : System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.

To grant the permissions necessary, on the consumer farm, run the following PowerShell:

(Get-SPFarm).Id

 

Copy the output (a GUID of course!). On the publishing farm, run the following PowerShell, replacing <farmid> with the GUID from above:

$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity 

$claimProvider = (Get-SPClaimProvider System).ClaimProvider 

$principal = New-SPClaimsPrincipal -ClaimType http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid -ClaimProvider $claimProvider -ClaimValue <farmid> 

Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control" 

Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security 

Now you're cooking with gas: you will be able to see the consuming farm's claim in the permissions dialog for the Topology service app, and you can connect to the published service from the consuming farm. Hopefully TechNet will be updated soon.
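A check-then-grant version of the publishing-farm step, as an added example that is not part of the original post: it lists who already holds rights on the Topology service application, adds the consuming farm's farmid claim only if it is missing, and re-reads the ACL to confirm. `$ConsumerFarmId` is a hypothetical variable holding a constructed placeholder, and matching access rules by the claim's encoded string is an assumption.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell on the PUBLISHING farm.
# $ConsumerFarmId is a hypothetical name; the value is a constructed placeholder.
# Replace it with the output of (Get-SPFarm).Id from the consuming farm.
$ConsumerFarmId = '00000000-0000-0000-0000-000000000000'

# Refuse malformed or placeholder input before touching the ACL.
$farmGuid = [Guid]$ConsumerFarmId          # throws if the string is not a GUID
if ($farmGuid -eq [Guid]::Empty) {
    throw 'Set $ConsumerFarmId to the consuming farm ID first.'
}

# Build the same farmid claim the post uses.
$claimType     = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid'
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal     = New-SPClaimsPrincipal -ClaimType $claimType `
                     -ClaimProvider $claimProvider -ClaimValue $farmGuid.ToString()
$encoded       = $principal.ToEncodedString()

$topology = Get-SPTopologyServiceApplication
$security = $topology | Get-SPServiceApplicationSecurity

# Audit: show every principal that currently has rights on the Topology service app.
$security.AccessRules | Format-Table Name, AllowedRights, DeniedRights -AutoSize

# Assumption: each rule's Name is the encoded claim string, so it can be compared
# with the principal built above (-eq is case-insensitive in PowerShell).
$existing = $security.AccessRules | Where-Object { $_.Name -eq $encoded }

if ($existing) {
    Write-Host "Farm $farmGuid already has: $($existing.AllowedRights). No change made."
}
else {
    Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights 'Full Control'
    $topology | Set-SPServiceApplicationSecurity -ObjectSecurity $security

    # Re-read the stored ACL instead of trusting the in-memory object.
    $stored = ($topology | Get-SPServiceApplicationSecurity).AccessRules |
                  Where-Object { $_.Name -eq $encoded }
    if (-not $stored) {
        throw "Grant for farm $farmGuid was not persisted."
    }
    Write-Host "Granted $($stored.AllowedRights) to farm $farmGuid."
}
```

Running the audit line on its own at any later point shows which farm IDs still hold rights on the Topology service application, which helps when a consuming farm is decommissioned.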

Posted on Monday, May 03, 2010 7:09 PM

Feedback

# re: Service Application Federation with SharePoint 2010

Thank you! I spent hours moving certs around and re-moving not figuring out where the issue was. This worked like a charm and I am not sure why I haven't found another word about it anywhere! Thanks again!

10/5/2010 3:59 PM | Shelly Pasierb

# re: Service Application Federation with SharePoint 2010

Well isn't this just a sweet little nugget of a blog post!

Not sure how MS expects anyone to be able to get this stuff working without documenting key steps. Looked all throughout TechNet and couldn't find this info.

Your post was the missing link!

Worked like a champ.

Russ

10/5/2010 9:42 PM | Russ Houberg
