How to publish a Managed Metadata Service for cross-farm consumption
Update: Modified the internal links in this post that didn’t work previously.
[Please keep in mind that this applies to a pre-release version of SharePoint Server 2010, and may change before the product is released]
Some of the service applications in SharePoint Server 2010 support sharing across SharePoint farms, as described in this article from TechNet . This post describes how to do it with a Managed Metadata Service.
To be able to subscribe to content types and terms from a Managed Metadata Service in another farm, there are a few things you need to do. Although this could seem like a somewhat cumbersome procedure for accomplishing something rather simple, it’s necessary for having control of your systems, and keeping them protected from intruders. Besides, you only have to do it once, and it really shouldn’t take you more than 10 minutes when you know what to do, which is exactly what I’m about to explain to you.
Most of the operations can be performed using SharePoint 2010 Central Administration, but I encourage you to use PowerShell instead, as this is a lot faster once you get used to it. There are six steps you need to follow, and I recommend doing them in the following order:
- Set up a trust relationship between the farms
- Set up Application Discovery and Load Balancer Service Application permissions
- Publish Managed Metadata Service
- Connect proxy to Managed Metadata Service
- Add proxy to service connection group
- Set up Managed Metadata Service permissions
In this post, the publisher farm is the farm in which the Managed Metadata Service is running, while the consumer farm is the farm which will consume data from the publishing farm.
Before we begin, let me first briefly describe the environment we’ll be working with:
- The publisher farm is called “Enterprise Services Farm”, and has a Managed Metadata Service application called “Enterprise Metadata Service”. This service application consists of a term store, and a content type syndication hub.
- The consumer farm is simply called “Collaboration Farm”.
Although documentation for most of the necessary operations can be found on TechNet, I’m including the actual PowerShell commands to give you an example of how it’s done. Please note that commands with brackets like this <content> requires you to replace the brackets and content with what the content describes.
Ok, let’s get started!
Set up a trust relationship between the farms
For the server farms to be able to communicate, you need to set up a trust relationship between them. This enables the farms to know that a service request is actually coming from the farm it claims to be coming from, and also enables federated authentication of users potentially not present in both farms. Farm root certificates must be exchanged between the servers, and a STS certificate must be exported from the consumer and imported to the publisher. How to set up the trust relationship is described in detail on TechNet.
On the publisher farm, run the following commands to export the farm root certificate to c:\temp on the server:
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content C:\temp\EnterpriseServicesRootCert.cer -Encoding byte
Run the following to export the necessary certificates on the consumer farm to c:\temp on the server:
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content "C:\temp\CollaborationRootCert.cer" -Encoding byte$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$stsCert.Export("Cert") | Set-Content "C:\temp\CollaborationSTSCert.cer" -Encoding byte
Copy the files from the c:\temp folder on the publisher farm to the c:\temp folder on the consumer farm and vice versa.
Run the following commands on the publisher farm to set up the trust relationship with the consumer farm:
$trustCert = Get-PfxCertificate "C:\temp\CollaborationRootCert.cer"
New-SPTrustedRootAuthority Collaboration -Certificate $trustCert$stsCert = Get-PfxCertificate "c:\temp\CollaborationSTSCert.cer"
New-SPTrustedServiceTokenIssuer Collaboration -Certificate $stsCert
Finally, run these commands on the consumer farm to set up the trust relationship with the publisher farm:
$trustCert = Get-PfxCertificate "C:\temp\EnterpriseServicesRootCert.cer"
New-SPTrustedRootAuthority EnterpriseServices -Certificate $trustCert
Set up Application Discovery and Load Balancer Service Application permissions
The Application Discovery and Load Balancer Service Application, aka Topology Service, handles discovery of the farm’s service applications, providing other farms with the information necessary for them to be able to consume any of the farm’s published service applications (it also serves purposes inside the farm, but that’s not the subject of this post). The only supported rights for this service application is “Full Control”, which is what we’ll grant.
On the consumer farm, run the following command to get the id of the consumer farm:
(Get-SPFarm).Id
Copy the Id output from this command, and run the following command on the publisher farm:
$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal = New-SPClaimsPrincipal -ClaimType " https://schemas.microsoft.com/sharepoint/2009/08/claims/farmid " -ClaimProvider $claimProvider -ClaimValue <farmid from previous command>
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
Publish Managed Metadata Service
To enable content types and terms to be accessible from outside the farm, the Managed Metadata Service must be published for outside consumption. How to publish the service application is described in detail in this article.
On the publisher farm, run the following command to publish the Managed Metadata Service called “Enterprise Metadata Service”:
Publish-SPServiceApplication (Get-SPMetadataServiceApplication “Enterprise Metadata Service”)
Connect proxy to Managed Metadata Service
Next, we need to create a proxy for the “Enterprise Metadata Service” in the consumer farm. On the publisher farm, run the following command to get the URI of the “Application Discovery and Load Balancer Service Application” (which will provide the consumer farm with information about the “Enterprise Metadata Service”):
Get-SPTopologyServiceApplication
Copy the LoadBalancerUrl from the output of the previous command to the consumer farm, and then run the following command to get the URI of the Enterprise Metadata Service application, and create a local proxy for it:
New-SPMetadataServiceApplicationProxy -Name “Enterprise Metadata Service Proxy” –URI (Receive-SPServiceApplicationConnectionInfo -FarmUrl <LoadBalancerUrl from the previous command> | Where {$_.Name -eq "Enterprise Metadata Service"}).Uri
Add proxy to service connection group
Run the following command on the consumer farm to add the new proxy to the default proxy group:
Add-SPServiceApplicationProxyGroupMember (Get-SPServiceApplicationProxyGroup -default) -Member (Get-SPMetadataServiceApplicationProxy "Enterprise Metadata Service Proxy")
The result of this is that all web applications using the default proxy group will use the “Enterprise Metadata Service Proxy” too.
Set up Managed Metadata Service permissions
Finally, to allow the consumer farm to connect to the Managed Metadata Service on the publisher farm, you have to grant the consumer farm permissions to the service application. The Managed Metadata Service supports three permissions: ”Read Access to Term Store”, “Read and Restricted Write Access to Term Store” and “Full Access to Term Store”. In this example, we’ll grant the consumer farm the least permissions, “Read Access to Term Store”:
On the consumer farm, run the following command to get the id of the farm:
(Get-SPFarm).Id
Copy the outcome to the publisher farm, and then run the following commands there:
$security = Get-SPMetadataServiceApplication "Enterprise Managed Metadata Service" | Get-SPServiceApplicationSecurity
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal = New-SPClaimsPrincipal -ClaimType " https://schemas.microsoft.com/sharepoint/2009/08/claims/farmid " -ClaimProvider $claimProvider -ClaimValue <farmid from previous command>
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Read Access to Term Store"
Get-SPMetadataServiceApplication "Enterprise Metadata Service" | Set-SPServiceApplicationSecurity -ObjectSecurity $security
That’s it, you’re up and running with a Managed Metadata Service that is shared between the two server farms!
The only thing left to do is to decide what you want to consume through the proxy, and configure it accordingly. You can learn more about this on TechNet.
Finally, I’d like to share some error messages I’ve received related to the tasks described here, and what was their resolution in my case, to ease your troubleshooting:
- If you try to manage your Managed Metadata Service Proxy on the consumer farm from the SharePoint 2010 Central Administration and get the error message “The Service Application being requested does not have a Connection associated with the Central Administration web application. To access the term management tool use Site Settings from a site configured with the appropriate Connection”, this could be because your proxy has not been added to a proxy group. See Add proxy service to connection group.
- Managed Metadata Service Proxy on the consumer farm from the SharePoint 2010 Central Administration and get the error message “The Managed Metadata Service or Connection is currently not available. The Application Pool or Managed Metadata Web Service may not have been started. Please Contact your Administrator”, this could be because your farm doesn’t have the right permissions to the Managed Metadata Service. See Set up Managed Metadata Service permissions.
Comments
Anonymous
February 19, 2010
I do not have permissions to view the link on setting up managed metadata service permissions. It appears that permission problems are prevalent.Anonymous
March 10, 2010
@BobWeiner: I've updated the links now, thanks for telling me that they didn't work :-)