To subscribe to another farm's content, a trust relationship
must be set up between the two farms. This gives the two server
farms the ability to communicate. The trust is established
through certificates that uniquely identify the farms.
In this recipe you will see how to set this up.
Getting ready
Because we are showing this with PowerShell, you must be a member of the SharePoint_Shell_Access database role on the configuration database of both the publishing farm and consuming farm. You also must be a member of the WSS_ADMIN_WPG local group on the chosen servers.
Finally, the two servers you will be using (one on
the Publishing Farm and one on the Consuming Farm) must be selected
ahead of time and the same two servers must be used throughout the
process. The suggested servers to use are the ones hosting Central
Administration.
How to do it...
Export the certificates: Publishing Farm
1. On the chosen publishing farm server, select Start | All Programs | Microsoft SharePoint 2010 Products | SharePoint 2010 Management Shell.
2. In the PowerShell command prompt, type in the following two commands:
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert")|Set-Content C:\pubfarm.cer -Encoding byte
Export the certificates: Consuming Farm
3. On the consuming farm server, select Start | All Programs | Microsoft SharePoint 2010 Products | SharePoint 2010 Management Shell.
4. In the PowerShell command prompt, type in the following four commands:
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert")|Set-Content C:\consumingfarm.cer -Encoding byte
$stsCert=(Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$stsCert.Export("Cert")|Set-Content c:\consumingfarmsts.cer -Encoding byte
Import the certificates: Publishing Farm
5. Copy the consumingfarm.cer and consumingfarmsts.cer files from the consuming farm and put them in the C:\temp folder on the chosen server in the publishing farm.
6. In the PowerShell command prompt, type in the following four commands:
$trustCert=Get-PfxCertificate c:\temp\consumingfarm.cer
New-SPTrustedRootAuthority ConsumingFarm -Certificate $trustCert
$stsCert=Get-PfxCertificate c:\temp\consumingfarmsts.cer
New-SPTrustedServiceTokenIssuer ConsumingFarm -Certificate $stsCert
Import the certificates: Consuming Farm
7. Copy the pubfarm.cer file from the publishing farm and put it in the C:\temp folder on the consuming farm.
8. In the PowerShell command prompt, type in the following two commands:
$trustCert=Get-PfxCertificate c:\temp\pubfarm.cer
New-SPTrustedRootAuthority PublishingFarm -Certificate $trustCert
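The copied .cer files become trust anchors on the receiving farm, so it is worth confirming that the file that arrived is the one that was exported. The following is an added example, not part of the original recipe: it compares the copied certificate's thumbprint with a value read on the source farm before creating the trust. Confirm-FarmCertificate and Import-VerifiedRootTrust are hypothetical helper names, and the thumbprint shown is a placeholder.

```powershell
# Added example; Confirm-FarmCertificate and Import-VerifiedRootTrust are
# hypothetical helper names, not SharePoint cmdlets.
# On the SOURCE farm, read the thumbprint and send it to the other farm's
# administrator through a different channel than the .cer file itself:
#   (Get-SPCertificateAuthority).RootCertificate.Thumbprint

function Confirm-FarmCertificate {
    param(
        [string]$Path,               # copied file, e.g. C:\temp\pubfarm.cer
        [string]$ExpectedThumbprint  # value read on the source farm
    )
    $cert = Get-PfxCertificate $Path
    # Keep hex digits only, so pasted spaces or hidden characters do not matter.
    $actual   = ($cert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($actual -ne $expected) {
        throw "Thumbprint mismatch for $Path (file has $actual). Not importing."
    }
    # Reject a certificate that is not yet valid or has expired.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate in $Path is outside its validity period."
    }
    return $cert
}

function Import-VerifiedRootTrust {
    param([string]$Name, [string]$Path, [string]$ExpectedThumbprint)
    $cert = Confirm-FarmCertificate -Path $Path -ExpectedThumbprint $ExpectedThumbprint
    # Do not create a second trust under a name that is already in use.
    $existing = Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq $Name }
    if ($existing) {
        throw "A trusted root authority named '$Name' already exists."
    }
    New-SPTrustedRootAuthority $Name -Certificate $cert
}

# Placeholder thumbprint: replace with the value read on the publishing farm.
# With the placeholder left in, the call stops at the thumbprint check.
Import-VerifiedRootTrust -Name PublishingFarm -Path C:\temp\pubfarm.cer `
    -ExpectedThumbprint '<THUMBPRINT-FROM-PUBLISHING-FARM>'
```

The same Confirm-FarmCertificate check can be run on consumingfarm.cer and consumingfarmsts.cer before the commands in step 6; for the STS certificate the thumbprint is read on the consuming farm from (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate.Thumbprint.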
How it works...
Step 2 under the How to do it... section comprises two parts: setting the $rootCert variable to RootCertificate and then exporting that certificate to a physical file, pubfarm.cer.
Step 4 does the same thing, except that it includes an extra step to provide the publishing farm with a Security Token Service (STS) certificate.
In steps 6 and 8, there are two italicized parameters — ConsumingFarm and PublishingFarm.
These are unique names created by us as administrators. The names
represent the purpose of the farm. It is recommended to give them more
meaningful names so that their purpose is clear.
Both the publishing and consuming farms must exchange
certificates. In addition, the consuming farm must export a security
token service certificate, which the publishing farm imports.
Most of the service applications utilize web services
to access the SharePoint databases. Web services do this on behalf of
an authenticated client. In SharePoint 2010, it is the STS that
authenticates clients.
There's more...
While exporting must be done with PowerShell, there is a user interface in Central Administration for importing certificates.
Navigate to Central Administration and click Security.
Under the General Security section, click Manage trust.
The ribbon will light up after clicking on the name of the farm. Now you can click New to establish a trust relationship, or you can click Edit to modify the Token issuer description or the certificates that are used.
Finally, there is a Delete option to allow you to remove a trust relationship.