harbar.net component based software & platform hygiene

Service Application Federation with SharePoint 2010

Posted on Monday, May 03, 2010 7:09 PM

Y'all may be playing around with Service Application Federation using the shiny new SharePoint Server 2010 bits. This federation is also called publishing and consuming service applications, but as I’m spending a lot of my time of late in PowerPoint, I’m using the buzzword for the time being.

However, with the RTM bits there is a fundamental missing piece that is not currently documented on TechNet.

Of course you need to exchange and install the necessary certificates as detailed here. However, in order to make it work, the consuming farm must also have permissions to the publishing farm’s Topology service app; otherwise the connection will fail with the following error:

"Unable to connect to the specified address. Verify the URL you entered and contact the service administrator for more details."

In your ULS logs you will see the following slightly more helpful detail:

An exception occurred when calling SPTopologyWebServiceApplicationProxy.EnumerateSharedServiceApplications on service https://SERVERNAME:32844/Topology/topology.svc : System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.

To grant the permissions necessary, on the consumer farm, run the following PowerShell:



Copy the output (a GUID of course!). On the publishing farm, run the following PowerShell, replacing <farmid> with the GUID from above:

$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity 

$claimProvider = (Get-SPClaimProvider System).ClaimProvider 

$principal = New-SPClaimsPrincipal -ClaimType http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid -ClaimProvider $claimProvider -ClaimValue <farmid> 

Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control" 

Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security 

Now you're cooking with gas: you will be able to see the consuming farm's claim in the permissions dialog for the Topology service app, and you can connect to the published service from the consuming farm. Hopefully TechNet will be updated soon.
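The grant described above, wrapped so that it validates the farm ID, skips the change when a rule for that farm already exists, and re-reads the ACL afterwards. This is an added example, not code from the original post. The function name `Grant-ConsumerFarmTopologyAccess` is hypothetical, and the example assumes that the consumer farm ID is read with `(Get-SPFarm).Id` and that an access rule's `Name` contains the claim value.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010 Management Shell.
# Assumption: the consumer farm ID is obtained on the consumer farm with (Get-SPFarm).Id.

function Grant-ConsumerFarmTopologyAccess {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [guid]$ConsumerFarmId                 # [guid] rejects a mistyped or truncated ID
    )

    $topology = Get-SPTopologyServiceApplication
    $security = $topology | Get-SPServiceApplicationSecurity

    # Skip the grant if a rule for this farm ID is already present.
    # Assumption: the access rule's Name contains the claim value (the farm GUID).
    $existing = $security.AccessRules | Where-Object { $_.Name -like "*$ConsumerFarmId*" }
    if ($existing) {
        Write-Host "Farm $ConsumerFarmId already has: $($existing.AllowedRights)"
        return
    }

    # Same claim type and rights as the commands in the post.
    $claimProvider = (Get-SPClaimProvider System).ClaimProvider
    $principal = New-SPClaimsPrincipal `
        -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" `
        -ClaimProvider $claimProvider `
        -ClaimValue $ConsumerFarmId.ToString()

    Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
    $topology | Set-SPServiceApplicationSecurity -ObjectSecurity $security

    # Re-read the ACL from the farm to confirm the rule was persisted.
    ($topology | Get-SPServiceApplicationSecurity).AccessRules |
        Where-Object { $_.Name -like "*$ConsumerFarmId*" } |
        Select-Object Name, AllowedRights
}

# On the consumer farm: print the farm ID to hand to the publishing farm's administrator.
# (Get-SPFarm).Id

# On the publishing farm (placeholder GUID, replace with the consumer farm's ID):
# Grant-ConsumerFarmTopologyAccess -ConsumerFarmId "00000000-0000-0000-0000-000000000000"
```

Running the same `AccessRules` listing without the filter shows every principal that holds rights on the Topology service app, which is a quick way to review which farms have been granted access.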