
Unable to connect to a shared service application (Remote/Published SA)

Hello,

We installed 2 SPS2010 farms and are trying to connect a published service application to the other farm but we aren't able to make it work.

- We published the Managed Metadata, Secure Store and User Profile Service Applications.
- We exchanged the certificates correctly. (Both farms have the root and sts certificates just to be sure).
- Windows Firewalls have been deactivated.
- We gave all users full control permissions on the shared SA.

Each time we try to connect a remote service, we get this basic error message : "Unable to connect to the specified address. Verify the URL you entered and contact the service administrator for more details. "

The ULS log says: "

An exception occurred when calling SPTopologyWebServiceApplicationProxy.EnumerateSharedServiceApplications on service https://SERVERNAME:32844/Topology/topology.svc : System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.

"
See detailed error below.

We tried analyzing with Process Monitor but there's no access denied on any folder or file. Network sniffing didn't give us any clue either.

Here's the architecture :
- Windows Server 2008 R2 Enterprise (all servers)
- An SQL 2008 server (the 2 instances are on the same box)
- SPS2010 RTM

ULS ERROR :
An exception occurred when calling SPTopologyWebServiceApplicationProxy.EnumerateSharedServiceApplications on service https://SERVERNAME:32844/Topology/topology.svc : System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied. Server stack trace:
at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.SharePoint.ITopologyWebServiceApplication.EnumerateSharedServiceApplications()
at Microsoft.SharePoint.SPTopologyWebServiceApplicationProxy.EnumerateSharedServiceApplications(Uri endpointAddress, SPServiceLoadBalancerContext loadBalancerContext)

 

6 Answers Found

 

Answer 1

The consuming farm does not have rights to speak to the publishing farm's topology service.

 

On the consumer farm, run the following command to get the id of the consumer farm:

(Get-SPFarm).Id

Copy the Id output from this command, and run the following command on the publisher farm:

$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity

$claimProvider = (Get-SPClaimProvider System).ClaimProvider

$principal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimProvider -ClaimValue <farmid from previous command>

Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"

Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security 
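
The grant from Answer 1 as a parameterised script for the publishing farm that validates the farm id and lists the topology service's access rules before and after the change, so the grant can be confirmed and audited. This is an added example, not code from the thread; the parameter name `ConsumerFarmId` and the check that the farm id appears in the rule's `Name` are assumptions.

```powershell
# Added example, not from the original thread. Run on the PUBLISHING farm.
# $ConsumerFarmId (hypothetical parameter name) is the value printed by
# (Get-SPFarm).Id on the consuming farm.
param(
    [Parameter(Mandatory = $true)]
    [Guid]$ConsumerFarmId   # the [Guid] type rejects a mistyped or truncated id
)

$ErrorActionPreference = 'Stop'
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmIdClaimType = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid'

$topology = Get-SPTopologyServiceApplication
$security = Get-SPServiceApplicationSecurity -Identity $topology

# Record who can already call the topology service before changing anything.
Write-Host 'Topology service access rules BEFORE:'
$security.AccessRules | Format-Table Name, AllowedRights -AutoSize | Out-Host

# Build a principal from the consumer farm's id claim, as in Answer 1.
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal = New-SPClaimsPrincipal -ClaimType $farmIdClaimType `
    -ClaimProvider $claimProvider -ClaimValue $ConsumerFarmId.ToString()

Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights 'Full Control'
Set-SPServiceApplicationSecurity -Identity $topology -ObjectSecurity $security

# Re-read the stored security object instead of trusting the in-memory copy.
$after = (Get-SPServiceApplicationSecurity -Identity $topology).AccessRules
Write-Host 'Topology service access rules AFTER:'
$after | Format-Table Name, AllowedRights -AutoSize | Out-Host

# Assumption: the encoded claim in the rule's Name contains the farm id.
$match = $after | Where-Object { $_.Name -like "*$ConsumerFarmId*" }
if (-not $match) {
    Write-Warning "No access rule mentioning farm id $ConsumerFarmId was found; review the AFTER list."
}
```

The before and after listings also show any other principals that hold rights on the topology service, which is the place to look when a consuming farm is later decommissioned and its grant should be removed.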

 

Answer 2

Hi Spence !

Really appreciate your answer.

This isn't the first time we post about shared services issues but nobody ever answered. Yours is welcomed ! Seems like nobody uses shared services between farms.

Actually, we found the answer the same day this post was posted, later in the evening. And I can see the same mistake has been made.
http://blogs.msdn.com/mcsnoiwb/archive/2010/02/05/how-to-publish-a-managed-metadata-service-for-cross-farm-consumption.aspx

We made some tests with the beta version and didn't encounter this issue so we were a little confused but the error message clearly gave us a hint. Following the PowerShell commands in the upper link gave us the answer : Shared service can't be trusted only by exchanging certificates, the farms must be "declared".

For the mistake, I'm sure it's a typo error :
« $claimProvider = (Get-SPClaimProvider System).ClaimProvider », you should read (get-SPClaimProvider –Id System).ClaimProvider

By the way, really like your blog, keep up your awesome work !!!!
Wesley

 

Answer 3

Fantastic. Very helpful. Hope a reference to http://technet.microsoft.com/en-us/library/ff621100(office.14).aspx / Shared service applications across farms (SharePoint Server 2010) will be added soon. Thanks André
 
 

Answer 5

Hi folks,

This wasn't an issue with the pre-release builds, and it was only "discovered" recently. Hence the very little detail out there on the web. Please give the TechNet fellas a bit of breathing room whilst this sort of info percolates its way there. There is an awful lot of stuff to do and updates are being made on a daily basis.

cheers

spence

 

 

Answer 6

Thank you! This post saved the day as I just finished writing my Federation script - all is working now! Spread the word about the change because I just printed the Technet article again and it was not mentioned there.

http://technet.microsoft.com/en-us/library/ff700211.aspx

RetiredScriptingGuy

 
 
 
