harbar.net component based software & platform hygiene

Service Application Federation with SharePoint 2010

Posted on Monday, May 03, 2010 7:09 PM

Y'all may be playing around with Service Application Federation using the shiny new SharePoint Server 2010 bits. This federation is also called publishing and consuming service applications, but as I’m spending a lot of my time of late in PowerPoint, I’m using the buzzword for the time being.

However, with the RTM bits there is a fundamental missing piece that is not currently documented on TechNet.

Of course you need to exchange and install the necessary certificates as detailed here. However, in order to make it work, the consuming farm must also have permissions on the publishing farm’s Topology service app; otherwise the connection will fail with the following error:

"Unable to connect to the specified address. Verify the URL you entered and contact the service administrator for more details."

In your ULS logs you will see the following slightly more helpful detail:

An exception occurred when calling SPTopologyWebServiceApplicationProxy.EnumerateSharedServiceApplications on service https://SERVERNAME:32844/Topology/topology.svc : System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.

To grant the permissions necessary, on the consumer farm, run the following PowerShell:

(Get-SPFarm).Id

 

Copy the output (a GUID of course!). On the publishing farm, run the following PowerShell, replacing <farmid> with the GUID from above:

$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity 

$claimProvider = (Get-SPClaimProvider System).ClaimProvider 

$principal = New-SPClaimsPrincipal -ClaimType http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid -ClaimProvider $claimProvider -ClaimValue <farmid> 

Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control" 

Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security 

Now you're cooking with gas: you will be able to see the consuming farm's claim in the permissions dialog for the Topology service app, and you can connect to the published service from the consuming farm. Hopefully TechNet will be updated soon.
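The grant above wrapped as a script for the publishing farm, so the farm ID is validated as a GUID before anything changes and the Topology ACL is dumped before and after for review. This is an added example, not part of the original post; the script form and the $ConsumerFarmId parameter name are assumptions, and the cmdlets and claim type are the ones used above.

```powershell
# Added example (not from the original post). Run on the PUBLISHING farm in the
# SharePoint 2010 Management Shell. $ConsumerFarmId is a hypothetical parameter
# name; pass the GUID printed by (Get-SPFarm).Id on the consuming farm.
param(
    [Parameter(Mandatory = $true)]
    [Guid]$ConsumerFarmId   # a mistyped or truncated value fails here, before the ACL is touched
)

$ErrorActionPreference = 'Stop'
$farmIdClaimType = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid'

$topology = Get-SPTopologyServiceApplication
$security = $topology | Get-SPServiceApplicationSecurity

# Record who can already reach the Topology service, for the change log.
Write-Host 'Topology service ACL before the change:'
$security.AccessRules | Format-List | Out-Host

# Build the farm-id claim for the consuming farm, exactly as in the post.
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal = New-SPClaimsPrincipal -ClaimType $farmIdClaimType `
    -ClaimProvider $claimProvider -ClaimValue $ConsumerFarmId.ToString()

# Same right as the post grants. This is scoped to one farm's claim only.
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights 'Full Control'
$topology | Set-SPServiceApplicationSecurity -ObjectSecurity $security

# Re-read from the farm rather than trusting the in-memory object.
Write-Host 'Topology service ACL after the change:'
(Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity).AccessRules |
    Format-List | Out-Host

# When the federation is retired, remove the claim again:
#   Revoke-SPObjectSecurity -Identity $security -Principal $principal
#   $topology | Set-SPServiceApplicationSecurity -ObjectSecurity $security
```

Any entry in the "after" listing that does not correspond to a farm you deliberately federated with is worth investigating, since each one can enumerate the published service applications.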

Feedback


# re: Service Application Federation with SharePoint 2010

Is it "Get-SPClaimProvider -id System" with -id missing there?

5/4/2010 8:46 PM | Yang

# re: Service Application Federation with SharePoint 2010

You are a damn rockstar, you know that?

5/18/2010 6:50 AM | Bryan Porter

# re: Service Application Federation with SharePoint 2010

Hey Spence,

I'm getting the same error (generic) but notice in the trace it's coming up as "The security token could not be authenticated or authorized."

Any thoughts?
Mark

5/21/2010 12:39 AM | Mark Rhodes

# re: Service Application Federation with SharePoint 2010

Thank you! I spent hours moving certs around and re-moving not figuring out where the issue was. This worked like a charm and I am not sure why I haven't found another word about it anywhere! Thanks again!

10/5/2010 3:59 PM | Shelly Pasierb

# re: Service Application Federation with SharePoint 2010

Well isn't this just a sweet little nugget of a blog post!

Not sure how MS expects anyone to be able to get this stuff working without documenting key steps. Looked all throughout TechNet and couldn't find this info.

Your post was the missing link!

Worked like a champ.

Russ

10/5/2010 9:42 PM | Russ Houberg

# re: Service Application Federation with SharePoint 2010

Hi, great post.
Thanks.

6/10/2011 7:16 AM | Rucha P

# re: Service Application Federation with SharePoint 2010

It's Nov 2012 and it's still not updated in TechNet. Ah well... Thanks Harbar

11/8/2012 5:01 AM | Merill Fernando
