Recently I had to review and configure two SharePoint 2010 farms to use the same User Profile Service.  The Publishing Farm was a large enterprise-level farm that was used company wide.  The other was a smaller, single-server farm that ran the Team Foundation Server 2010 SharePoint sites.  Rather than moving the SharePoint assets to the large enterprise farm, the client wanted the TFS SharePoint farm to use the User Profile Service of the larger farm and to have the My Sites and profile features integrated within the smaller TFS SharePoint sites.

Now, before any farm can provide its services to another farm, we need to set up the Application Discovery and Load Balancer Service Application.  This is also referred to as the Topology Service (and in fact when you use the published URL you can see it’s calling the topology.svc web service).  In order to make this magic happen, the consuming and publishing farms must be set up so that they trust each other and that the consuming farm can find the proxies it needs to use on the publishing farm.

First thing you want to do is remote into the Central Admin servers of both farms.  Technically it doesn’t have to be the CA, but I find that if I do all my admin work on these boxes and store the artifacts of my work in a familiar directory structure it leads to fewer “where the heck did I put that file” moments. Now that you have both consoles up on each screen it’s time to begin (What, you don’t have dual monitors?  Get a second monitor if at all possible; studies have actually shown it increases productivity).

Setting Up Claims Providers

Consuming Farm:

  1. From the consuming farm, open up our handy PowerShell (note, technically you can do a lot of this in the UI, but for me I just find it is much easier to cut and paste my scripts into Notepad, modify the placeholder pieces that I need to (the values in angle brackets or ALL CAPS below) and then copy the whole thing into the PS command line).

(Get-SPFarm).Id   # prints the consuming farm's GUID


  2. Copy the <CONSUMING FARM GUID> to Notepad, you’ll need it later.

Publishing Farm:

# Read the current ACL of the Topology Service (Application Discovery and Load Balancer Service Application)
$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
# Build a claims principal that identifies the consuming farm by its farm ID
$principal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimProvider -ClaimValue "<CONSUMING FARM GUID>"
# Grant that farm Full Control on the Topology Service and write the ACL back
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
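The same grant as above, written as an added example (not code from the original post) that validates the pasted GUID before using it and then reads the Topology Service ACL back so you can see exactly which farms have been given access. It assumes `$consumingFarmId` holds the value of `(Get-SPFarm).Id` copied from the consuming farm, and it assumes the `AccessRules`, `Principal` and `AllowedRights` property names on the security object returned by `Get-SPServiceApplicationSecurity`.

```powershell
# Added example, not from the original post.
# Assumptions: $consumingFarmId is the GUID from (Get-SPFarm).Id on the consuming farm;
# AccessRules / Principal / AllowedRights are assumed property names on the ACL object.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$consumingFarmId = "<CONSUMING FARM GUID>"   # placeholder: paste the real GUID here

# A farm-ID claim with a mangled value silently grants nothing useful, so refuse
# to continue unless the pasted text really is a GUID.
$farmGuid = [guid]$consumingFarmId

$farmIdClaimType = "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid"

$security      = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal     = New-SPClaimsPrincipal -ClaimType $farmIdClaimType `
                     -ClaimProvider $claimProvider -ClaimValue $farmGuid.ToString()

Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security

# Read the ACL back. Every entry here is a principal that can discover and connect
# to this farm's published service applications, so each one should be a farm
# (or account) you recognise; anything unexpected deserves a look.
$current = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$current.AccessRules | ForEach-Object {
    "{0,-60} {1}" -f $_.Principal.DisplayName, $_.AllowedRights
}

# Confirm that the farm we just added actually shows up in the ACL
$granted = $current.AccessRules | Where-Object {
    ($_.Principal.DisplayName + " " + $_.Principal.Value) -like "*$($farmGuid.ToString())*"
}
if (-not $granted) {
    Write-Warning "Farm ID $farmGuid was not found in the Topology Service ACL; check the claim value."
}
```

Run it in the SharePoint 2010 Management Shell on the publishing farm. The ACL listing at the end is worth keeping with your other artifacts: it is the record of which farms this farm will answer topology queries for.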

Creating the Certificates

Consuming Farm:

Now we need to get two certs from our consuming farm, the root certificate and the STS certificate.  Obviously these files can go anywhere, but I prefer somewhere other than the root of the HDD for these kinds of artifacts as it makes it easier to organize and clean up if I need to.

# Export the consuming farm's root certificate (DER-encoded .cer, no private key)
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content D:\INSTALL\RootCert\ConsumingFarmRoot.cer -Encoding byte
# Export the consuming farm's STS signing certificate (public part only)
$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$stsCert.Export("Cert") | Set-Content D:\INSTALL\RootCert\ConsumingFarmSTS.cer -Encoding byte

Copy the resulting certs to the publishing farm; I generally like to use the same D:\INSTALL\RootCert location on both servers.

Publishing Farm:

# Export the publishing farm's root certificate (DER-encoded .cer, no private key)
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content D:\INSTALL\RootCert\PublishingFarmRoot.cer -Encoding byte

Again, copy the resulting cert to the consuming farm.

Importing the Certificates

Consuming Farm:

# Load the publishing farm's root cert and register it as a trusted root authority
$trustCert = Get-PfxCertificate D:\INSTALL\RootCert\PublishingFarmRoot.cer
New-SPTrustedRootAuthority PUBLISHING_SERVER_NAME -Certificate $trustCert

Publishing Farm:

# Trust the consuming farm's root certificate
$trustCert = Get-PfxCertificate D:\INSTALL\RootCert\ConsumingFarmRoot.cer
New-SPTrustedRootAuthority CONSUMING_SERVER_NAME -Certificate $trustCert

# Trust tokens signed by the consuming farm's STS
$stsCert = Get-PfxCertificate D:\INSTALL\RootCert\ConsumingFarmSTS.cer
New-SPTrustedServiceTokenIssuer CONSUMING_SERVER_NAME -Certificate $stsCert
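Copying a .cer file between farms is the step where a wrong or swapped file would quietly establish trust with the wrong party, so the import is worth wrapping in a check. The following is an added example (not code from the original post) covering both the export and import sections above: it compares the file's thumbprint with one you obtained out of band (for example, read from the other farm's console), confirms the certificate has not expired, refuses to overwrite an existing trust entry of the same name, and then registers it. The paths, names and the `<THUMBPRINT ...>` value are placeholders.

```powershell
# Added example, not from the original post.
# Assumptions: paths follow the D:\INSTALL\RootCert convention used in the post;
# the expected thumbprints are obtained separately from the other farm's admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-VerifiedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
    )
    $cert = Get-PfxCertificate $Path

    # Thumbprints are hex; normalise spacing and case before comparing
    $actual   = ($cert.Thumbprint -replace "[^0-9A-Fa-f]", "").ToUpper()
    $expected = ($ExpectedThumbprint -replace "[^0-9A-Fa-f]", "").ToUpper()

    if ($actual -ne $expected) {
        throw "Thumbprint mismatch for $Path (got $actual, expected $expected). Not trusting it."
    }
    if ((Get-Date) -gt $cert.NotAfter) {
        throw "Certificate '$($cert.Subject)' expired on $($cert.NotAfter)."
    }
    return $cert
}

function Register-TrustedRoot {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Refuse to silently replace a trust entry that already exists under this name
    if (Get-SPTrustedRootAuthority -Identity $Name -ErrorAction SilentlyContinue) {
        throw "A trusted root authority named '$Name' already exists; remove or rename it first."
    }
    New-SPTrustedRootAuthority -Name $Name -Certificate $Certificate | Out-Null

    # Show what was registered so it can be recorded with the rest of the artifacts
    Get-SPTrustedRootAuthority -Identity $Name |
        Select-Object Name,
            @{ n = "Subject";    e = { $_.Certificate.Subject } },
            @{ n = "Thumbprint"; e = { $_.Certificate.Thumbprint } },
            @{ n = "NotAfter";   e = { $_.Certificate.NotAfter } }
}

# --- Consuming farm: trust the publishing farm's root ---
$pubRoot = Get-VerifiedCertificate -Path "D:\INSTALL\RootCert\PublishingFarmRoot.cer" `
                                   -ExpectedThumbprint "<THUMBPRINT FROM PUBLISHING FARM>"
Register-TrustedRoot -Name "PUBLISHING_SERVER_NAME" -Certificate $pubRoot

# --- Publishing farm: trust the consuming farm's root and its STS signing cert ---
# $conRoot = Get-VerifiedCertificate -Path "D:\INSTALL\RootCert\ConsumingFarmRoot.cer" `
#                                    -ExpectedThumbprint "<THUMBPRINT FROM CONSUMING FARM>"
# Register-TrustedRoot -Name "CONSUMING_SERVER_NAME" -Certificate $conRoot
# $conSts  = Get-VerifiedCertificate -Path "D:\INSTALL\RootCert\ConsumingFarmSTS.cer" `
#                                    -ExpectedThumbprint "<STS THUMBPRINT FROM CONSUMING FARM>"
# New-SPTrustedServiceTokenIssuer -Name "CONSUMING_SERVER_NAME" -Certificate $conSts
```

Run the uncommented part on the consuming farm and the commented part on the publishing farm. The thumbprint you compare against should come from the farm that exported the certificate (`(Get-SPCertificateAuthority).RootCertificate.Thumbprint` on its own console), not from the copied file itself.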

Publishing the User Profile Service

Publishing Farm:

  1. Open Central Administration.
  2. Click on Manage service applications
  3. Highlight the User Profile Service (you don’t want to manage it, just highlight it so you can use the ribbon bar buttons)
  4. Click on the Publish icon on the ribbon bar.
  5. Make sure the Publish this Service Application to other farms is checked.
  6. Copy the Published URL; you’ll need it for step 4 on the consuming farm below.  It will look similar to this:
    1. urn:schemas-microsoft-com:sharepoint:service:REALLY_LONG_STRING_OF_NUMBERS#authority=urn:uuid:REALLY_LONG_STRING_OF_NUMBERS&authority=https://SERVER:PORT/Topology/topology.svc
  7. Click OK.

Consuming Farm:

  1. Open Central Administration.
  2. Click on Manage service applications
  3. Click on the Connect icon on the top ribbon and choose User Profile Service Application Proxy
  4. In the Connect to a Remote Service Application dialog paste the Published URL from the publishing farm referenced in 6.1 above.
  5. Click OK.
  6. Highlight User Profile Service, make sure the check box is checked and click OK.
  7. You should get a confirmation screen and click OK again.
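The publish/connect steps above are UI steps; when you need the connection to be repeatable (or documented as a script next to the rest of your artifacts) the same thing can be done from PowerShell. This is an added example, not code from the original post: it asks the publishing farm's Topology Service what it publishes, creates the User Profile proxy from the Published URL copied in step 6.1, and then lists the proxies so you can confirm the new one is there. The topology URL, proxy name and the `<PUBLISHED URL>` value are placeholders; the shape of the objects returned by `Receive-SPServiceApplicationConnectionInfo` is not assumed beyond being printable.

```powershell
# Added example, not from the original post. Run on the consuming farm.
# Assumptions: $topologyUrl is the https://SERVER:PORT/Topology/topology.svc part of
# the Published URL; $publishedUrl is the full urn:... string copied in step 6.1.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$topologyUrl  = "https://SERVER:PORT/Topology/topology.svc"   # placeholder
$publishedUrl = "<PUBLISHED URL>"                              # placeholder from step 6.1
$proxyName    = "User Profile Service Application Proxy (remote)"

# Ask the publishing farm which service applications it publishes to us.
# If this call fails, the trust or the farm-ID grant from the earlier sections
# is the first thing to check, before touching the proxy.
Write-Host "Service applications published by $topologyUrl :"
Receive-SPServiceApplicationConnectionInfo -FarmUrl $topologyUrl | Format-List *

# Do not create a second proxy with the same name by accident
if (Get-SPServiceApplicationProxy | Where-Object { $_.DisplayName -eq $proxyName }) {
    throw "A service application proxy named '$proxyName' already exists."
}

# Create the User Profile proxy against the remote service and add it to the
# default proxy group so web applications pick it up.
New-SPProfileServiceApplicationProxy -Name $proxyName -Uri $publishedUrl -DefaultProxyGroup | Out-Null

# Confirm: the new proxy should appear here with a User Profile type name
Get-SPServiceApplicationProxy |
    Where-Object { $_.TypeName -like "*Profile*" } |
    Select-Object DisplayName, TypeName, Id
```

The first call doubles as a health check for everything set up earlier: the consuming farm can only enumerate published applications if the publishing farm trusts its root certificate and its farm-ID claim has been granted on the Topology Service.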

Congratulations!  You have now connected to the Publishing Farm and are consuming the User Profile Service.  In this way we are able to maintain one “Golden Record” of User Profile information, and when a user updates their profile data (or for that matter when Active Directory syncs with it) it will be the same on both farms. The consuming farm will also be able to use the trusted My Site locations, the audiences, etc. from the publishing farm.  Remember that since the Publishing Farm is now the source of data/service for the consuming farm, anything for the consuming farm related to User Profiles needs to be done in the Central Administration of the publishing farm.