Publishing cross farm Managed Metadata in cross forest environment with one way trust

April 28 2011

Recently we ended up in a situation where we needed to publish services from one farm to another. Basically there is nothing special about that, but we needed to do it between SharePoint farms located in different forests, with only a one-way trust established between them.

The main idea is that Farm 2 publishes a Managed Metadata Service (MMS) that is consumed by Farm 1. The setup can be seen in the figure.

Publishing services between two farms can be done through Central Administration or by using PowerShell. There is an excellent guide for publishing cross-farm services written by Mark Rhodes: http://mrhodes.net/2010/05/19/publishing-service-applications-between-sharepoint-2010-farms-part-1-8/

We did everything as written in Rhodes' guide. The outcome was that we were able to share the service, but it couldn't be accessed from the consuming farm (Farm 1). When trying to open the Term Store, the following error message appeared:

The Managed Metadata Service or Connection is currently not available. The Application Pool or Managed Metadata Web Service may not have been started. Please Contact your Administrator.

The problem was that although we had granted the consuming farm permission on the service application, we had not granted it permission on the Term Store itself. The service application ACL and the Term Store ACL are separate, and the consuming farm needs an entry in both.

Granting permission on the Term Store can be done with the following PowerShell script.

In the consuming farm (Farm 1), run the following command to get the farm ID:

(Get-SPFarm).Id

Run the following PowerShell commands on the publishing farm (Farm 2), pasting the farm ID from the previous step:

# The farm-id claim is issued by the built-in System claim provider
$claimProvider = (Get-SPClaimProvider -Identity System).ClaimProvider
$ap = Get-SPServiceApplication -Identity "Managed Metadata Service Application"
$security = Get-SPMetadataServiceApplication $ap | Get-SPServiceApplicationSecurity
# The principal is the whole consuming farm, identified by its farm ID, not a user account
$principal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimProvider -ClaimValue "<farm id from previous step>"
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Access to Term Store"
Get-SPMetadataServiceApplication $ap | Set-SPServiceApplicationSecurity -ObjectSecurity $security

After running the script we could open the MMS from Farm 1, but all groups were grayed out and we were not able to make any changes.

The solution is to grant the users permissions on the term sets. The permissions can be granted in Farm 1. Out of the box the people picker does not recognize users from Forest 2, but this can be solved with the following stsadm command. It should be run on the server where Central Administration is running, once for every web application, including Central Administration. Because the property value embeds the credentials of the lookup accounts, the application credential key must be set first, with stsadm -o setapppassword -password <key>, on every front-end server, using the same key everywhere; the stored credentials are encrypted with it. Use dedicated accounts with read-only directory access for the lookups, since the people picker only needs to search users and groups.

STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "forest:domaina.com,DOMAINA\sp_admina,password; forest:domainb.com,DOMAINB\sp_adminb,password" -url http://webapplication
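Applying the command to every web application by hand is error-prone, so here is an added example, not from the original post, that sets the application credential key and then configures the people picker on every web application of Farm 1, including Central Administration, reading the property back after each write. The domain names, the lookup accounts and the password placeholders are assumptions to be replaced with your own; the stsadm path assumes a default SharePoint 2010 installation.

```powershell
# Added example (not from the original post): configure peoplepicker-searchadforests on every
# web application of the farm, including Central Administration, so both forests are searched.
# Assumptions: domaina.com/domainb.com, the lookup accounts and <password> are placeholders;
# run in the SharePoint 2010 Management Shell on the Central Administration server, and run
# the setapppassword step with the same key on every other front-end server as well.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$stsadm = Join-Path $env:CommonProgramFiles "Microsoft Shared\Web Server Extensions\14\BIN\STSADM.EXE"
if (-not (Test-Path $stsadm)) { throw "stsadm was not found at $stsadm" }

# The forest credentials are stored encrypted with this key; it must exist on every front-end
# server (same value) before the property can be written.
$appCredentialKey = Read-Host "Application credential key (use the same value on every front-end server)"
& $stsadm -o setapppassword -password $appCredentialKey

# Dedicated lookup accounts with read-only directory access are enough for the people picker.
$searchForests = "forest:domaina.com,DOMAINA\sp_admina,<password>;forest:domainb.com,DOMAINB\sp_adminb,<password>"

Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    "Configuring people picker for $($_.Url)"
    & $stsadm -o setproperty -pn peoplepicker-searchadforests -pv $searchForests -url $_.Url
    # Read the property back to confirm it was written for this web application
    & $stsadm -o getproperty -pn peoplepicker-searchadforests -url $_.Url
}
```

Prompting for the key instead of hard-coding it keeps it out of the script and out of the shell history; the forest passwords still travel on the stsadm command line, so run this interactively rather than from a scheduled job, and rotate the lookup accounts' passwords afterwards if the command line may have been logged.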

After that we were able to grant term set permissions to users from both forests in Farm 1. Unfortunately, because Farm 2 cannot see users from Forest 1, the MMS management page in Farm 2 will no longer open once permissions have been granted to users from both forests. In our case this was acceptable, because Managed Metadata is meant to be administered entirely in Farm 2. So we granted Farm 1 write permission, ran our code that generated the metadata structures, and then revoked the write permission again so that only Farm 2 can write.

Conclusion

It is possible to publish Managed Metadata between two farms when there is only a one-way trust between the forests. However, it causes problems if you want to add or edit terms in both farms, so plan for the term store to be administered from one side only.
