Step 1. Set up the Application Discovery and Load Balancer Service Application
Before any farm can provide services to another farm, the consuming farm must be able to use the Application Discovery and Load Balancer Service, also known as the Topology Service. The part we are concerned with here is the Application Discovery piece: the consumer needs rights to use the service so that it can find the proxies on the publishing farm. To do this, follow these steps.
1. On the Consumer farm.
a. Open up SharePoint 2010 Management Shell
b. Type in (Get-SPFarm).Id
c. Copy the output to notepad (or just keep it open so you can type it in)
2. On the Publishing farm.
a. Open up SharePoint 2010 Management Shell
b. Type in $security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
c. Then type $claimProvider = (Get-SPClaimProvider System).ClaimProvider
d. Then type $principal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimProvider -ClaimValue <farm id>, pasting the farm id from step 1 in place of <farm id>, exactly as it appeared
e. Then type Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
f. Then type Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
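The commands in Step 1 wrapped into a single script, as an added example (not from the original post or from Microsoft). It runs in the SharePoint 2010 Management Shell on the publishing farm; the $ConsumerFarmId parameter is hypothetical and takes the value of (Get-SPFarm).Id from the consuming farm. The script rejects anything that is not a GUID before touching the ACL, so a paste error cannot leave behind a permanent entry that matches nothing, and it prints the resulting access rules so the grant can be audited. The farm id claim is what identifies the remote farm here, and "Full Control" on the Topology Service is what lets that farm discover every published proxy, so the list this prints is the list of farms you are trusting.

```powershell
# Added example, not part of the original post.
# Run on the PUBLISHING farm. $ConsumerFarmId (hypothetical parameter) is
# the output of (Get-SPFarm).Id on the consuming farm.
param(
    [Parameter(Mandatory = $true)]
    [string]$ConsumerFarmId
)

# Refuse anything that is not a GUID; a stray character in the pasted
# value would otherwise become an ACL entry that never matches any farm.
$guid = [guid]::Empty
if (-not [guid]::TryParse($ConsumerFarmId, [ref]$guid)) {
    throw "ConsumerFarmId '$ConsumerFarmId' is not a GUID"
}

# Claim type used by SharePoint to identify a farm (same value as in the post).
$farmIdClaimType = "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid"

$topology = Get-SPTopologyServiceApplication
$security = $topology | Get-SPServiceApplicationSecurity

# Build a claims principal for the remote farm and grant it Full Control
# on the Topology Service, exactly as steps 2c to 2e do by hand.
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal = New-SPClaimsPrincipal -ClaimType $farmIdClaimType `
                                   -ClaimProvider $claimProvider `
                                   -ClaimValue $guid.ToString()
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"

# Nothing is saved until the modified ACL is written back.
Set-SPServiceApplicationSecurity -Identity $topology -ObjectSecurity $security

# Show every farm that now has rights on the Topology Service, so the
# grant can be reviewed (and stale farms removed with Revoke-SPObjectSecurity).
Write-Host "Access rules on the Topology Service after the grant:"
(Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity).AccessRules
```

Run the same `Get-SPServiceApplicationSecurity` pipeline at any time to review which farm ids hold rights; a farm that is decommissioned should be removed from this list, since its id alone is what the publishing farm uses to recognise it.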
Step 2. Create your certificates.
You need to exchange certificates between servers. The consumer will need the Root certificate of the publishing farm, but the publishing farm will need the Root certificate of the consumer and the STS (Security Token Service) certificate. You can go to the TechNet article here http://technet.microsoft.com/en-us/library/ee704552.aspx or follow these steps.
1. On the consumer farm
a. Open up SharePoint 2010 Management Shell
b. Type $rootCert = (Get-SPCertificateAuthority).RootCertificate
c. Then Type $rootCert.Export("Cert") | Set-Content C:\ConsumingFarmRoot.cer -Encoding byte
d. You now have the root certificate for the consuming server on the C drive of the consuming server. Next we get the STS certificate.
e. Type $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
f. Then Type $stsCert.Export("Cert") | Set-Content C:\ConsumingFarmSTS.cer -Encoding byte
g. You now have the STS certificate for the consuming farm.
h. Make the two files you created available to the publishing farm (i.e. copy them to the publishing farm)
2. On the publishing farm.
a. Open up SharePoint 2010 Management Shell
b. Type $rootCert = (Get-SPCertificateAuthority).RootCertificate
c. Then Type $rootCert.Export("Cert") | Set-Content C:\PublishingFarmRoot.cer -Encoding byte
d. Make the file available on the consuming farm.
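The exports from Step 2 as one script, added here as an example (not from the original post or from Microsoft). It runs in the SharePoint 2010 Management Shell on either farm; the -Role and -OutDir parameters are hypothetical. Besides writing the .cer files, it prints the thumbprint of each file as it exists on disk, because the files are about to be copied to another farm and the person importing them there has no other way to tell whether they received the right certificate. Only the public certificate is exported ("Cert" is a DER export); no private key ever leaves the farm.

```powershell
# Added example, not part of the original post.
# -Role Consumer exports the root and STS certificates (step 2.1);
# -Role Publisher exports the root certificate only (step 2.2).
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet("Consumer", "Publisher")]
    [string]$Role,
    [string]$OutDir = "C:\"
)

function Export-DerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Path
    )
    # "Cert" exports the DER-encoded public certificate only, so the file
    # is safe to hand to the other farm; the private key stays here.
    $Cert.Export("Cert") | Set-Content -Path $Path -Encoding Byte

    # Re-read the file and report the thumbprint of the bytes actually
    # written, not of the in-memory object, so the value matches what the
    # other farm will see after the copy.
    $onDisk = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $onDisk.Import($Path)
    Write-Host ("{0}`n  Subject:    {1}`n  NotAfter:   {2}`n  Thumbprint: {3}" -f `
        $Path, $onDisk.Subject, $onDisk.NotAfter, $onDisk.Thumbprint)
}

$prefix = if ($Role -eq "Consumer") { "ConsumingFarm" } else { "PublishingFarm" }

# Every farm exports its root certificate.
$rootCert = (Get-SPCertificateAuthority).RootCertificate
Export-DerCertificate -Cert $rootCert -Path (Join-Path $OutDir "${prefix}Root.cer")

# Only the consuming farm also exports the certificate its STS signs tokens
# with; the publishing farm will trust tokens signed by it.
if ($Role -eq "Consumer") {
    $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    Export-DerCertificate -Cert $stsCert -Path (Join-Path $OutDir "${prefix}STS.cer")
}
```

Send the printed thumbprints to the other farm's administrator by a channel other than the one used to copy the files, and have them compared before the import in Step 3. The STS certificate in particular is worth this care: once the publishing farm trusts it, tokens signed by whoever holds the matching private key are accepted there.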
Step 3. Import the certificates.
1. Import the consumer root certificates on the publishing server.
a. Open up SharePoint 2010 Management Shell on the publishing server
b. Type $trustCert = Get-PfxCertificate C:\ConsumingFarmRoot.cer (replace C:\ConsumingFarmRoot.cer with the location of the consuming server root cert)
c. Then Type New-SPTrustedRootAuthority <name for the consuming server> -Certificate $trustCert
d. The certificate should print to the screen if it was successful
2. Import the consumer STS certificate on the publishing server
a. Open up SharePoint 2010 Management Shell on the publishing server
b. Type $stsCert = Get-PfxCertificate C:\ConsumingFarmSTS.cer (replace C:\ConsumingFarmSTS.cer with the location of the consuming server STS cert)
c. Then type New-SPTrustedServiceTokenIssuer <name for the consuming server> -Certificate $stsCert
d. The certificate should print to the screen if it was successful
3. Import the publishing root certificate on the consuming server
a. Open up SharePoint 2010 Management Shell on the consuming server
b. Type $trustCert = Get-PfxCertificate C:\PublishingFarmRoot.cer (replace C:\PublishingFarmRoot.cer with the location of the publishing farm root cert)
c. The certificate should print to the screen if it was successful
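The imports from Step 3 as one script, added as an example (not from the original post or from Microsoft). It runs in the SharePoint 2010 Management Shell on either farm; the parameters are hypothetical. Before any trust is created it checks that each received .cer file has the thumbprint the exporting farm reported and has not expired, then creates the trust with the same cmdlets the post uses. On the consuming side the post's step 3.3 shows only the Get-PfxCertificate line; the script also runs New-SPTrustedRootAuthority there, which is the step the linked TechNet article gives for the consuming farm.

```powershell
# Added example, not part of the original post.
# -Role Publisher: trust the consumer's root and STS certificates (steps 3.1 and 3.2).
# -Role Consumer:  trust the publisher's root certificate (step 3.3).
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet("Publisher", "Consumer")]
    [string]$Role,
    [Parameter(Mandatory = $true)]
    [string]$OtherFarmName,       # name to record the trust under, e.g. "ConsumingFarm"
    [Parameter(Mandatory = $true)]
    [string]$RootCertPath,
    [Parameter(Mandatory = $true)]
    [string]$RootThumbprint,      # as reported by the farm that exported the file
    [string]$StsCertPath,         # Publisher only
    [string]$StsThumbprint        # Publisher only
)

function Import-VerifiedCertificate {
    param([string]$Path, [string]$ExpectedThumbprint)
    $cert = Get-PfxCertificate -FilePath $Path
    # Thumbprints are often copied with spaces between byte pairs; strip
    # them on both sides before comparing (-ne is case-insensitive).
    $actual   = $cert.Thumbprint   -replace '\s', ''
    $expected = $ExpectedThumbprint -replace '\s', ''
    if ($actual -ne $expected) {
        throw "Thumbprint mismatch for ${Path}: file has $actual, expected $expected"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "$Path expired on $($cert.NotAfter)"
    }
    return $cert
}

# Both farms trust the other farm's root certificate; the cmdlet is the same.
$rootCert = Import-VerifiedCertificate -Path $RootCertPath -ExpectedThumbprint $RootThumbprint
New-SPTrustedRootAuthority -Name "$OtherFarmName Root" -Certificate $rootCert | Out-Null

if ($Role -eq "Publisher") {
    if (-not $StsCertPath -or -not $StsThumbprint) {
        throw "Publisher role needs -StsCertPath and -StsThumbprint"
    }
    # Only the publishing farm trusts the consumer's STS signing certificate;
    # after this, tokens signed with it are accepted by the publishing farm.
    $stsCert = Import-VerifiedCertificate -Path $StsCertPath -ExpectedThumbprint $StsThumbprint
    New-SPTrustedServiceTokenIssuer -Name "$OtherFarmName STS" -Certificate $stsCert | Out-Null
}

# List what this farm now trusts so the result can be reviewed.
Write-Host "Trusted root authorities:"
Get-SPTrustedRootAuthority | Select-Object Name, @{n = "Thumbprint"; e = { $_.Certificate.Thumbprint }}
if ($Role -eq "Publisher") {
    Write-Host "Trusted service token issuers:"
    Get-SPTrustedServiceTokenIssuer | Select-Object Name, @{n = "Thumbprint"; e = { $_.SigningCertificate.Thumbprint }}
}
```

The two listings at the end are the ones to re-check periodically: every entry in them is a certificate whose holder this farm will accept, and a trust that is no longer needed can be removed with Remove-SPTrustedRootAuthority or Remove-SPTrustedServiceTokenIssuer.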
Step 4. Publish the service.
You have to publish the service from the publishing server before it can be consumed. The easiest way to do this is from Central Administration.
1. Navigate to the central administration of the publishing server.
2. Click on Manage service applications
3. Click on the row of the User Profile Service (off to the right of its name, so that it is highlighted rather than opened for management)
4. Click on the Publish icon at the top of the page.
5. Make sure the Publish this Service Application to other farms is checked.
6. Copy the Published URL. It is a really long thing that looks similar to this urn:schemas-microsoft-com:sharepoint:service:6f63cdec5e784a02b2b79f9bf91346af#authority=urn:uuid:daf0ec20a27a44c7abe5104b5d516637&authority=https://orsps01:32844/Topology/topology.svc
7. Click OK. You are done with the publishing server now.
Step 5. Consume the service.
1. Open up the Central Administration of the consuming server.
2. Click on Manage service applications
3. Click on the Connect icon on the top ribbon and choose User Profile Service Application Proxy
4. In the Connect to a Remote Service Application dialog paste the Published URL you copied when publishing the service (yours, not the example above)
5. Click OK. You should see a screen that shows the connection (or an error page if it didn’t)
6. Highlight User Profile Service and click OK.
7. You should get a confirmation screen and click OK again.
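The publish and consume steps done from the SharePoint 2010 Management Shell instead of Central Administration, as an added example (not from the original post or from Microsoft). The -Side and -PublishedUri parameters are hypothetical; the Published URL itself is still taken from the Publish page in Central Administration as in the publishing step above, since that is where the post shows it. The script goes slightly beyond the post by checking the trust set up in Step 3 on the consuming farm before creating the proxy, so a failure is reported as a missing trust rather than as an unexplained error page.

```powershell
# Added example, not part of the original post.
# -Side Publisher publishes the User Profile Service Application.
# -Side Consumer  creates the proxy to the published application.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet("Publisher", "Consumer")]
    [string]$Side,
    [string]$PublishedUri,                 # Consumer only: URL copied from Central Administration
    [string]$ProxyName = "User Profile Service Application Proxy (remote)"
)

if ($Side -eq "Publisher") {
    # Locate the User Profile Service Application by type rather than by
    # display name, since the display name varies between farms.
    $upa = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" }
    if (-not $upa) { throw "No User Profile Service Application found on this farm" }
    Publish-SPServiceApplication -Identity $upa
    Write-Host "Published '$($upa.DisplayName)'. Copy the Published URL from its Publish page in Central Administration."
}
else {
    if (-not $PublishedUri) { throw "Consumer side needs -PublishedUri" }

    # The proxy can only be created if this farm trusts the publishing farm's
    # root certificate (Step 3.3). Fail early with a clear message if not.
    if (-not (Get-SPTrustedRootAuthority)) {
        throw "No trusted root authorities on this farm; import the publishing farm's root certificate first"
    }

    # Creates the remote User Profile proxy and adds it to the default proxy
    # group so web applications pick it up, as the Connect dialog does.
    New-SPProfileServiceApplicationProxy -Name $ProxyName -Uri $PublishedUri -DefaultProxyGroup | Out-Null

    Write-Host "Proxies now on this farm:"
    Get-SPServiceApplicationProxy | Select-Object DisplayName, TypeName, Status
}
```

If the proxy shows a status other than Online, the usual causes are the trust from Step 3 missing on one side or the consumer's farm id not being granted on the Topology Service in Step 1; both can be checked with the listing commands in the earlier examples.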
You have now consumed the User Profile Service. That means when a user updates their profile data it will be the same on both farms. It will use the trusted My Site locations, the audiences, etc. from the publishing farm. Therefore if you want to add/modify anything for the consumer farm it needs to be done on the central administration of the publishing farm.
Original Post: connecting to the user profile service proxy
Share service applications across farms in SharePoint Server