Publishing and Consuming SharePoint Service Application with PowerShell
December 2, 2011 5 Comments
Below are my PowerShell scripts for publishing and consuming service applications between SharePoint farms (Service Application Federation). Before I introduce the scripts let be briefly explain the process involved.
The are several reasons why you might want to share service applications between farms and I’m not planning on going into those details here but the overall process of setting up service application federation is illustrated below:
The SharePoint farm on the left is the consuming farm. It will use the service applications from the SharePoint farm on the right – the publishing farm. Practically this means that the publishing farm contains your service instances, service applications and service application proxies and your consuming farm contains just service application proxies that ‘point’ to the publishing farm. Loads more details on service application federation is available on technet including which service applications can be federated: http://technet.microsoft.com/en-us/library/ff621100.aspx
The scripts I have follow the pattern shown in the diagram above. First on the consuming farm, I export the farm root certificate, the security token service certificate and I write the farm ID to a text file:
Contents of 1_Consumer_ExportCerts.ps1 – run this on the CONSUMING farm
Add-PSSnapIn "Microsoft.SharePoint.PowerShell" -EA 0
# export consumer root certificate
Write-Host "Exporting Consumer Root Certificate…" -nonewline
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content ConsumingFarmRoot.cer -Encoding byte
Write-Host "Done" -Foreground Green# export consumer sts certificate
Write-Host "Exporting Consumer STS Certificate…" -nonewline
$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$stsCert.Export("Cert") | Set-Content ConsumingFarmSTS.cer -Encoding byte
Write-Host "Done" -Foreground Green# export consumer farm id
Write-Host "Exporting Consumer Farm Id…" -nonewline
$farmID = Get-SPFarm | select Id
set-content -path ConsumerFarmID.txt $farmID
Write-Host "Done" -Foreground GreenWrite-Host "Now copy ConsumingFarmRoot.cer, ConsumingFarmSTS.cer & ConsumerFarmID.txt to the publishing farm." -Foreground Yellow
You’ll notice this script ends with a prompt to guide you to the next step – copy the consuming farm certificate, consuming sts certificate and the consuming farm id txt file we’ve just created to the publishing farm. Next, switch over to the publishing farm.
Contents of 2_Publisher_ExportCerts.ps1 – run this on the PUBLISHING farm
Add-PSSnapIn "Microsoft.SharePoint.PowerShell" -EA 0
# export publisher root certificate
Write-Host "Exporting Publisher Root Certificate…" -nonewline
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content PublishingFarmRoot.cer -Encoding byte
Write-Host "Done" -Foreground GreenWrite-Host "Exporting Publisher Topology Url…" -nonewline
$topologyUrl = Get-SPTopologyServiceApplication | Select LoadBalancerUrl
$url = $topologyUrl.LoadBalancerUrl.OriginalString
Set-Content -path PublishingFarm.Url.txt -Value $url
Write-Host "Done" -Foreground Greenwrite-host
Write-Host "Now copy PublishingFarmRoot.cer & PublishingFarm.Url.txt to the consuming farm." -Foreground Yellow
write-host
Now copy the publishing farm certificate and publishing farm url txt file that have just been generated to the consuming farm. Now switch back to the consuming farm.
Contents of 3_Consumer_ImportCerts.ps1 – run this on the CONSUMING farm
Add-PSSnapIn "Microsoft.SharePoint.PowerShell" -EA 0
# import publisher root certificate
Write-Host "Importing Publisher Root Certificate…" -nonewline
$trustCert = Get-PfxCertificate PublishingFarmRoot.cer
New-SPTrustedRootAuthority PublishingFarm -Certificate $trustCert
Write-Host "Done" -Foreground GreenWrite-Host "Now import certificates on the publishing farm." -Foreground Yellow
You’ve now imported the publishing farm root certificate into the consuming farm, Next switch back to the publishing farm and import the consuming farm certificate and consuming sts certificate into the publishing farm with the following PowerShell:
Contents of 4_Publisher_ImportCerts.ps1 – run this on the PUBLISHING farm
Add-PSSnapIn "Microsoft.SharePoint.PowerShell" -EA 0
# import consumer root certificate
Write-Host "Importing Consumer Root Certificate…" -nonewline
$trustCert = Get-PfxCertificate ConsumingFarmRoot.cer
New-SPTrustedRootAuthority ConsumingFarm -Certificate $trustCert
Write-Host "Done" -Foreground Green# import consumer sts certificate
Write-Host "Importing Consumer STS Certificate…" -nonewline
$stsCert = Get-PfxCertificate ConsumingFarmSTS.cer
New-SPTrustedServiceTokenIssuer ConsumingFarm -Certificate $stsCert
Write-Host "Done" -Foreground GreenWrite-Host "Now set permissions for application discovery on the publishing farm." -Foreground Yellow
Note: At this point I would recommend you access Central Admin on both the CONSUMING and PUBLISHING farms and verify that the trusts are in place as expected. To do this, from central admin select Security > Manage Trust.
Once you have verified your trusts are in place you’re ready to start sharing the service applications between farms. Now switch to the publishing farm.
Contents of 5_Publisher_SetPermissions.ps1– run this on the PUBLISHING farm
Add-PSSnapIn "Microsoft.SharePoint.PowerShell" -EA 0
# get consumer farm id
Write-Host "Reading Consumer Farm ID…" -nonewline
$consumerId = Get-Content -path ConsumerFarmID.txt
$consumerId = $consumerId.Replace("@{Id=","").Replace("}","")
Write-Host "Done" -Foreground Green# set application discovery permissions
Write-Host "Set Application Discovery Permissions…" -nonewline
$security=Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$claimprovider=(Get-SPClaimProvider System).ClaimProvider
$principal=New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimprovider -ClaimValue $consumerId
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
Write-Host "Done" -Foreground Green# list the available service applications and prompt for one to be selected
$serviceAppList = @{"0"="DummyServiceApp"}
$serviceApps = Get-SPServiceApplication
$count = 1
$serviceWarning = ""
Write-Host
Write-Host "The following service applications are available for publishing:"
foreach ($serviceApp in $serviceApps)
{
# ensure only service applications that can be shared are listed
$type = $serviceApp.TypeName
$serviceSharable = 0Switch ($type)
{
("Business Data Connectivity Service Application") {$serviceSharable = 1}
("Managed Metadata Service") {$serviceSharable = 1}
("User Profile Service Application") {$serviceSharable = 1}
("Search Service Application") {$serviceSharable = 1}
("Secure Store Service Application") {$serviceSharable = 1}
("Web Analytics Service Application") {$serviceSharable = 1}
("Microsoft SharePoint Foundation Subscription Settings Service Application") {$serviceSharable = 1}
}
if ($serviceSharable -gt 0)
{
$serviceAppList.Add("$count",$serviceApp.Id)
Write-host "$count. " -nonewline -foregroundcolor White
Write-host $serviceApp.DisplayName -foregroundcolor gray
$count++
}}
Write-Host
$serviceAppNum = Read-Host -Prompt " – Please enter the id of the service application to be shared"
Write-Host
Write-Host "Getting Service Application…" -nonewline
$serviceAppId = $serviceAppList.Get_Item($serviceAppNum)
$serviceApp = Get-SPServiceApplication $serviceAppId
Write-Host "Done" -Foreground Green# warn about domain trusts
$serviceWarning = ""
$type = $serviceApp.TypeName
Switch ($type)
{
("Business Data Connectivity Service Application") {Write-Host; Write-Host "Note: Publishing domain must trust Consuming domain." -Foreground Yellow; Write-Host;}
("User Profile Service Application") {Write-Host; Write-Host "Note: A two-way trust must exist between the Publishing and Consuming domains." -Foreground Yellow; Write-Host;}
("Secure Store Service Application") {Write-Host; Write-Host "Note: Publishing domain must trust Consuming domain." -Foreground Yellow; Write-Host;}
}# list the service rights for the specified service application
write-host
$rightsList = @{"0"="DummyServiceApp"}
$count = 1
$serviceAppSecurity = Get-SPServiceApplicationSecurity $serviceApp
foreach ($right in $serviceAppSecurity.NamedAccessRights)
{
$rightsList.Add("$count",$right.Name)
Write-host "$count. " -nonewline -foregroundcolor White
Write-host $right.Name -foregroundcolor gray
$count++
}
write-host
$serviceAppRight = Read-Host -Prompt " – Please enter the right to be granted"
$serviceAppRight = $rightsList.Get_Item($serviceAppRight)Write-Host "Granting ‘$serviceAppright’ to service application…" -nonewline
$security=Get-SPServiceApplication $serviceApp| Get-SPServiceApplicationSecurity
$claimprovider=(Get-SPClaimProvider System).ClaimProviderif ($type -eq "User Profile Service Application")
{
$consumFarmAcc= Read-Host -Prompt " – Please enter the consuming farm account e.g. DOMAIN\account"
$principal=New-SPClaimsPrincipal -Identity $consumFarmAcc -IdentityType WindowsSamAccountName
}
else
{
$principal=New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimprovider -ClaimValue $consumerId
}
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights $serviceAppRight
Set-SPServiceApplicationSecurity $serviceApp -ObjectSecurity $security
Write-Host "Done" -Foreground GreenWrite-Host "Publishing service application…" -nonewline
Publish-SPServiceApplication -Identity $serviceApp
Write-Host "Done" -Foreground Green$lbUrl = Get-SPserviceApplication $serviceApp | Select Uri
Set-Content -path $serviceAppId -Value $lbUrl
$cleanUrl = Get-Content -path $serviceAppId
del $serviceAppId
$cleanUrl = $cleanUrl.Replace("@{Uri=","").Replace("}","")write-Host
Write-Host "Now connect to the service application from the consumer farm with the following url:" -Foreground Yellow
write-Host
Write-Host $cleanUrl -Foreground Yellow
It’s a whopper but basically this script lists all the available service applications on the PUBLISHING farm and allows you to publish these to the CONSUMING farm whilst choosing the service application specific permissions to grant to the consuming farm:
Simply enter the the number for the service application you wish to publish and then the number associated with the permissions you wish to grant to the consuming farm.
Now, switch to the consuming farm.
Contents of 6_Consumer_ConnectService.ps1 – run this on the CONSUMING farm
Add-PSSnapIn "Microsoft.SharePoint.PowerShell" -EA 0
# get url from user
Write-Host
Write-Host "Reading topology service url…" -nonewline
$topologyUrlShort = get-content -path PublishingFarm.Url.txt
Write-Host "Done" -Foreground Green
Write-Host#get available published services:
Write-Host "Connecting to topology service $topologyUrlShort…" -nonewline
$publishedServices = Receive-SPServiceApplicationConnectionInfo -FarmUrl $topologyUrlShort
Write-Host "Done" -Foreground Green
Write-Host# list the published services
Write-Host "The following service applications are available for consumption:"
$serviceAppList = @{"0"="DummyServiceApp"}
$count = 1
foreach ($publishedService in $publishedServices)
{
Write-host "$count. " -nonewline -foregroundcolor White
Write-host $publishedService.DisplayName -foregroundcolor gray
$serviceAppList.Add("$count",$publishedService.Uri)
$count++}
Write-Host
$serviceAppNum = Read-Host -Prompt " – Please enter the id of the service application to be consumed"Write-Host
$serviceAppProxyName= Read-Host -Prompt " – Please enter the service application proxy name"
Write-Host#get the selected published service app
$count = 1
foreach ($publishedService in $publishedServices)
{
if ($count.ToString() -eq $serviceAppNum )
{#we’ve found our service application – let go create it based on the type
$type = $publishedService.SupportingProxy
$serviceUrl = $serviceAppList.Get_Item($serviceAppNum)
Switch ($type)
{
("BdcServiceApplicationProxy"){
Write-Host "Creating new Business Data Connectivity Service Application Proxy…" -nonewline
New-SPBusinessDataCatalogServiceApplicationProxy -Uri "$serviceUrl" -Name "$serviceAppProxyName"
}
("MetadataWebServiceApplicationProxy"){
Write-Host "Creating new Managed Metadata Service Proxy…" -nonewline
New-SPMetadataServiceApplicationProxy -Uri "$serviceUrl" -Name "$serviceAppProxyName"
}
("UserProfileApplicationProxy"){
Write-Host "User Profile Service Application Proxy…" -nonewline
New-SPProfileServiceApplicationProxy -Uri "$serviceUrl" -Name "$serviceAppProxyName"
}
("SearchServiceApplicationProxy"){
Write-Host "Search Service Application Proxy…" -nonewline
New-SPEnterpriseSearchServiceApplicationProxy -Uri "$serviceUrl" -Name "$serviceAppProxyName"
}
("SecureStoreServiceApplicationProxy"){
Write-Host "Secure Store Service Application Proxy…" -nonewline
New-SPSecureStoreServiceApplicationProxy -Uri "$serviceUrl" -Name "$serviceAppProxyName"
}
("WebAnalyticsServiceApplicationProxy"){
Write-Host "Web Analytics Service Application Proxy…" -nonewline
New-SPWebAnalyticsServiceApplicationProxy -Uri "$serviceUrl" -Name "$serviceAppProxyName"
}
}
Write-Host "Complete." -Foreground Yellow}
$count++}
This final script connects to the topology service of the publishing farm and lists all the published services applications. Simply select the number of the service application you wish to consume
This has saved me loads of time in the past and has proved to be very reliable. However, please note the following points:
- The script assumes the files copied between the farms are copied to the same location as the PowerShell scripts.
- If you want to consume partitioned service applications you’ll need to update the final script to include the –PartitionMode switch (or the –Partitioned switch in the case of the New-SPEnterpriseSearchServiceApplicationProxy cmdlet)
I hope this helps…