Implementing the Search Service Application in a SharePoint 2010 Cross-Farm Environment

Implementing the Search Service Application in a SharePoint 2010 Cross-Farm Environment

A cross-farm implementation consists of a Publishing farm (Farm A) (host of the service application) and a Consuming farm (Farm B) (remote farm consuming the service application). When deploying cross-farm services there are some requirements:

  1. Configure trusted farms – Ensure that farms have exchanged certificates to trust one another. Export the certificate to a file and back up the file before you connect to cross-farm services.

  2. Publish the service applications – To share a service application across farms, you first publish the service.

  3. Connect to cross-farm service applications – To consume a service that is published by a remote farm, create a connection to the service. This process prompts you to enter the URL of a published service, which is displayed during the publish process. A connection on the local farm is created to connect to the service application on the remote farm.

Setting up the trust between farms

First we need to establish trust between the two farms by creating and exchanging SharePoint trust certificates within each farm.

On the Consuming Farm, open the SharePoint 2010 Management Shell and run the following commands in order (the highlighted path and file name is configurable).

1. On a server in both farms make a directory called certificates on C: – this is just to keep the certificates in one place.

2. Export root certificate from CONSUMER

$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export(“Cert”) | Set-Content c:\certificates\consumer-root.cer -encoding byte

3. Export STS Certificate from CONSUMER

$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$stsCert.Export(“Cert”) | Set-Content c:\certificates\consumer-sts.cer -encoding byte

4. Export root certificate from PROVIDER

$rootCert = (Get-SPCertificateAuthority).RootCertificate

$rootCert.Export(“Cert”) | Set-Content c:\certificates\provider-root.cer -encoding byte

Copy certificates between farms

Copy the contents of the c: certificates directory to the other farms.

6   Import root certificate from PROVIDER to CONSUMER

$trustedRootCert = Get-PFXCertificate c:\certificates\provider-root.cer

New-SPTrustedRootAuthority “PROVIDER <FARM NAME>” -Certificate $trustedRootCert

Eg: New-SPTrustedRootAuthority “PROVIDER Sandbox4” -Certificate $trustedRootCert

7 Import root certificate from CONSUMER to PROVIDER

$trustedRootCert = Get-PFXCertificate c:\certificates\consumer-root.cer

New-SPTrustedRootAuthority “CONSUMER <FARM NAME>” -Certificate $trustedRootCert

Ex: New-SPTrustedRootAuthority “CONSUMER SANDBOX2” -Certificate $trustedRootCert

8. Import STS certificate from CONSUMER to PROVIDER

$stsCert = Get-PFXCertificate c:\certificates\consumer-sts.cer
New-SPTrustedServiceTokenIssuer “CONSUMER <FARM NAME>” -Certificate $stsCert

Eg:New-SPTrustedServiceTokenIssuer “CONSUMER SANDBOX2” -Certificate $stsCer

9 Validating on CONSUMER Within Central Administration on the PUBLISHING farm, establish the trust relationship by going to Security – General Security – Manage trust

10 Validating on  PROVIDER Within Central Administration on the PUBLISHING farm, establish the trust relationship by going to Security – General Security – Manage trust

11 Setting up the Publishing Farm

The easiest way to do this is through Central Administration, as it will allow you to select HTTP or HTTPS, as well as and paste the appropriate URI to connect to the topology application. This URI is a really long one; make sure you copy the whole thing!

Browse to Service Applications, select the Search Service application you wish to publish and click “Publish” on the ribbon

Then select the connection type, check the checkbox “Publish this service application to other farms” and copy out your Published URL

12 Retrieve Farm ID from Consumer Farm


This will retrieve the GUID of the Consuming Farm. Keep this for the next step.

13 Grant Consumer Farm permissions

Copy the output (a GUID of course!). On the publishing farm run the following PowerShell – replacing <farmid> with the guid from above:

$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal = New-SPClaimsPrincipal -ClaimType -ClaimProvider $claimProvider -ClaimValue <farmid>
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights “Full Control”
Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security

14 Check Permissions

You can check to ensure the permissions have been granted successfully by loading up Central Administration on your provider farm, going to? Search Service Applications?

Click on?  Search Service Application? And click? Permissions? from the ribbon.

Your farm GUID should be listed in here with full permissions if not add full permission

15 Connect to a Service Application

On your CONSUMER farm:

Open Central Administration and browse to “Search Service Applications”

Click on “Connect” from the ribbon and select the appropriate Service Application Proxy Type and paste the Public PROVIDER URL



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s