GD Bloggers

This is the blog site for Microsoft Global Delivery Communities focused in sharing the technical knowledge about devices, apps and cloud.
Follow Us On Twitter! Subscribe To Our Blog! Contact Us

Cross farm Service Applications Integration between two separate SharePoint farms

Cross farm Service Applications Integration between two separate SharePoint farms

  • Comments 14
  • Likes



A very powerful integration capability is available between SharePoint 2013 and SharePoint 2010/2013, where SharePoint 2010 can still consume service applications from SharePoint 2013 , in this post I will walk you through a step by step guide on how to consume managed meta data service applications resides in SharePoint 2013 from a site resides in SharePoint 2010 farm ,

you can still use the same steps to consume any other service application to achieve cross farm service application, and this post is also applicable if you want to perform the integration between two SP2013 farms.

  • In this sample I assume both farms resides on the same domain.
  • The steps below can still work between two SP2013 farms as well.




1 -Exchange Trust Certificates between farms

An administrator of the consuming farm (SP2010) must provide two trust certificates to the administrator of the publishing farm

  • Root Certificate
  • Security token service (STS) Certificate

Administrator of publishing farm (SP2013) must provide one trust certificate to the consuming farm (SP2010)

  • Root Certificate


To export Certificates from Consuming Farm

a-To export the root certificate from the consuming farm

in PowerShell run the following commands:

$rootCert = (Get-SPCertificateAuthority).RootCertificate

$rootCert.Export("Cert") | Set-Content "C:\ConsumingFarmRoot.cer" -Encoding byte


b-To export the STS certificate from the consuming farm

$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate

$stsCert.Export("Cert") | Set-Content "C:\ConsumingFarmSTS.cer" -Encoding byte

under C: drive:




To export the root certificate from the publishing farm

$rootCert = (Get-SPCertificateAuthority).RootCertificate

$rootCert.Export("Cert") | Set-Content "C:\PublishingFarmRoot.cer" -Encoding byte

  • Copy the root certificate and the STS certificate from the server in the consuming farm to the server in the publishing farm.
  • Copy the root certificate from the server in the publishing farm to a server in the consuming farm



2-Managing trust certificates by using Central Administration

Certificates must be imported on both consuming farm and publishing farm as the following:


a-Establish trust on Publishing farm (SP2013)

  • open CA -- Security -- manage trusts -- from ribbon click new ,


  • Since this is a publishing farm we need to import the root certificate and STS certificate extracted from the consuming farm SP2010


a new trust will appear




b-Establish trust on Consuming farm SP2010

  • CA - under security -- manage trusts - from ribbon select New


  • since this is a consuming farm you will import only the root certificate of the publishing farm SP2013.


  • a new trust will appear :




3-On the publishing farm, publish the service application

On the publishing farm (SP2013) on which the service application is located, an administrator must explicitly publish the service application. Service applications that are not explicitly published are available to the local farm only

  • From CA -- Manage Service Application -- select the service you wish to publish (Managed metadata service application) then select publish from the ribbon


  • make sure to check publish this service application to other farms




Information URL : this is an optional info where you can for instance create a page within SharePoint 2013 and place its link here, so admins will read more info about this service application

Important: Copy the Published URL , we are going to use it in the consuming farm later on




4-Set the permission to the appropriate service applications

You must give the consuming farm permission to the Application Discovery and Load Balancing Service Application on the publishing farm

After doing this, give the consuming farm permission to the published service applications that it will be consuming

  • on the consuming farm , you need to get the Farm ID by running the following command:

Get-SPFarm | Select Id


copy the Consuming farm ID : 1ccfc7f5-b62a-4404-962c-359371d2cd60

  • On a server in the publishing farm, open CA - manage service applications - select Application discovery service application then from ribbon select permissions

paste the consuming farm ID you extracted previously, then click check names


add the consuming farm ID and grant it full control then press OK


Tip : Or you can optionally use the PowerShell command to achieve the same to above:

$security=Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity

$claimprovider=(Get-SPClaimProvider System).ClaimProvider

$principal=New-SPClaimsPrincipal -ClaimType "" -ClaimProvider $claimprovider -ClaimValue 1ccfc7f5-b62a-4404-962c-359371d2cd60

where 1ccfc7f5-b62a-4404-962c-359371d2cd60 is the <consumingfarmid> i extracted from the previous step.

Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"

Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security



5-Do the same steps with the service application you wish to publish (managed meta data)


add the consuming farm ID and grant it full the required permissions in my case full access to term store is granted





On the consuming farm, connect to the remote service application

After the publishing farm has published the service application, an administrator of the consuming farm can connect to that service application from the consuming farm if the address of the specific service application is known

now from consuming farm (SP2010) you can connect to a service application that has been shared by the publishing farm (SP2013) by providing the address of the farm's discovery service or the address of the service application.

to do so from the consuming farm open CA - manage service application - from ribbon select connect


Place the connection info for the service application extracted from the publishing farm (managed meta data service application)



then click Ok


Important: the server time (clock) should be synchronized to be the time on both consuming and publishing farm or else a consuming farm wont be able to reach the publishing farm service due to The security timestamp is invalid between servers.

select the service application , make sure to be added to default proxy group ,then click ok






now it will appear in the list of service application of the consuming farm (SP2010)





6-Add the shared service application to a Web application proxy group on the consuming farm

An administrator must associate the new service application connection with a local Web application on the consuming farm

in the consuming farm (SP2010) open CA - under service Applications click configure service applications association make sure the new proxy is added to the default group and assigned to the desired web application





7-Validate your work

Open a site within SharePoint 2010 , create a custom list , from ribbon create column


make sure managed Metadata is selected:


scroll down , you should see now the term sets from SP2013 :)




Additional Scenarios

Note: in some scenarios you might need to allow server to server authentication , if your case is one of the below you need then to configure server to server authentication otherwise you are done, no need to perform any additional steps

  • Follow a document on a Team Sites web application when a user’s personal site is located on a My Sites web application. The Team Sites web application makes a request of the My Sites web application on behalf of the user.
  • Create or reply to a site feed post for a site that is located on a Team Sites web application but performed through the user’s My Site Newsfeed on the My Sites web application. The My Sites web application will make a request of the Team Sites web application on behalf of the user to write the post or the reply.
  • A User Profile Service application task to repopulate the feed cache has to read from the personal site or team site. If the User Profile Service application is running in a different farm, the User Profile Service application sends a request to the My Sites web application or Team Sites web application to read the user or site feed data into the cache

if you need to extend to achieve one of the above scenarios follow the steps in this post then you will be done :)

  • Great write up, Thanks Issa for sharing this!

  • Great write up, Thanks Issa for sharing this!

  • Simple and descriptive article.

    Thanks Issa.

  • Hi Issa,

    This works only with Managed Metadata service Apps. Is there any way to configure this for Search Serice apps? Though multiple search service proxies are assoicated with a single web app, search results can be defaulted to only to a single proxy. Any idea on how to consume multiple web app proxies on single web app?

  • Thank you for the posting Issa. Very helpful

  • Dear Issa Ayyash,

    I have applied all the step for User profile service and it is successfully added in consuming farm but newly added proxy not in enabled state and previously created proxy is the default. That's why sync is not happening.. can u help here. How to make new proxy as default (checkbox I had already selected).


  • Hi Issa Ayaash,

    The steps mentioned here are really awsesome , it helped me alot to understand the topic.

    Thanks alot !!

  • hi Issa,

    Thanks, I had a heap of trouble trying to figure out how to get the User Profile to work between the farms. This post helped to point me in the right direction. Thanks so much.

  • Thanks Issa for this post! I was doubtful if this is supported.

    Can content type hub be consumed as well? Like the content types and site columns created in 2013, will they be accessible from SP 2010 site as well?

  • Can i consume MMS from share point 2010 to 2013. I tried doing it's not working. Please suggest.

  • Wonderful post however I was wondering if you could write a little more on this topic? I’d be very thankful if you could elaborate a little bit further. Thank you!">SharePoint Online Training

  • I absolutely love your blog and find nearly all of your post’s to be precisely what I’m looking for.">SharePoint Consulting

  • Great article ...Thanks for your great information, the contents are quiet interesting. I will be waiting for your next post.">SharePoint 2013 Developer training Online

  • Does this work for a SP 2013 server consuming a SP 2010 service?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment