INTRODUCTION
My client runs two different Intranets. Each Intranet is dedicated to a particular department and runs off a separate farm. The farms, however, live within the same Active Directory (e.g. company.local). There is a requirement to display Intranet 1 search results in Intranet 2.
For clarity, the topology used in this article is as follows:
Intranet 1 – SP 2013, the farm consists of the following servers:
– DEPARTMENT1CA01 (Central Admin server, part of company.local)
– DEPARTMENT1SHP01 (WFE server, part of company.local)
– DEPARTMENT1SHP02 (WFE server #2, part of company.local)
– DEPARTMENT1SQL01 (SQL server, part of company.local)
URL: http://intranet1.company.local
Intranet 2 – SP 2013, the farm consists of the following servers:
– DEPARTMENT2CA01 (Central Admin server, part of company.local)
– DEPARTMENT2SHP01 (WFE server, part of company.local)
– DEPARTMENT2SQL01 (SQL server, part of company.local)
URL: http://intranet2.company.local
Department 2 is a subset of Department 1. Therefore, in Department 2’s Intranet, the search results need to display Department 1’s Intranet content, and not vice versa. SharePoint can be configured in multiple ways to achieve the requirement, and in this article I will present the options together with the advantages and disadvantages of each.
NOTE: Intranet2 is the CONSUMING FARM and Intranet1 is the SOURCE FARM.
NOTE: The options presented in this article work for both SP 2010 and SP 2013.
OPTION 1 – SHOWING INTRANET 1 RESULTS IN INTRANET 2 DIRECTLY
With this option, Intranet 2 will display exactly the same results as if a user were searching within Intranet 1. Basically, you use Intranet 1’s Search Service Application (SSA) and not Intranet 2’s.
ADVANTAGES
– The ability to display Intranet 1 search results as if the user searched Intranet 1 directly, including the ranking, etc.
– Proper security trimming for Intranet 1 results
DISADVANTAGES
– Complicated to set up (see next section)
– Intranet 2’s Search Service Application is “ditched”, meaning that you cannot display Intranet 2’s search results. Intranet 2 becomes only a “facade”. Since you are using Intranet 1’s SSA and your Intranet 2 portal is not part of Intranet 1, none of the results will contain Intranet 2’s content when you search.
– It only works if you want to display SP 2010 results in SP 2013 farm or SP2013 in SP 2013. This will NOT work if you want to display SP 2013 results in SP 2010 farm.
HOW TO SET UP
1. This option will be using the “Publish” and “Connect” feature of SSA. The first step is to use a common certificate that will be exchanged between the 2 farms. Go to Central Admin of CONSUMING FARM, open SharePoint 2013 Powershell and run as Administrator. Then type in the following:
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content C:\Temp\ConsumingFarmRoot.cer -Encoding byte
This will export the root certificate of the consuming farm.
2. Then still at the CONSUMING FARM Powershell, type in:
$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$stsCert.Export("Cert") | Set-Content C:\Temp\ConsumingFarmSTS.cer -Encoding byte
This will export the STS certificate of the consuming farm.
3. Then go to SOURCE FARM, open SP 2013 Powershell (don’t forget to run as Administrator) then type in the following:
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content C:\Temp\PublishingFarmRoot.cer -Encoding byte
This will export the root certificate of the source farm.
4. Now copy the two exported certificates (root and STS) from CONSUMING FARM to SOURCE FARM; then also the exported root from SOURCE FARM to CONSUMING FARM. For the purpose of this article I use C:\Temp as my directory. Therefore, in both SOURCE and CONSUMING FARM I will now have the following directory structure:
C:\Temp\ConsumingFarmRoot.cer
C:\Temp\ConsumingFarmSTS.cer
C:\Temp\PublishingFarmRoot.cer
5. Then we go to the next step of importing the certificates. Go to the CONSUMING FARM SP 2013 Powershell and type in the following:
$trustCert = Get-PfxCertificate C:\Temp\PublishingFarmRoot.cer
New-SPTrustedRootAuthority DEPARTMENT1CA01 -Certificate $trustCert
6. Now go to SOURCE FARM SP2013 Powershell and type in the following:
$trustCert = Get-PfxCertificate C:\Temp\ConsumingFarmRoot.cer
New-SPTrustedRootAuthority DEPARTMENT2CA01 -Certificate $trustCert
$stsCert = Get-PfxCertificate c:\Temp\ConsumingFarmSTS.cer
New-SPTrustedServiceTokenIssuer DEPARTMENT2CA01 -Certificate $stsCert
7. Now that the trust has been established between the 2 farms, we want to publish the SSA of the SOURCE FARM. Go to SOURCE FARM > Central Admin > Application Management > Manage service applications. Then select the “Search Service Application” and click Publish. You will want to select https or else it will not work. Ensure you select “Publish this Service Application to other farms“. Then, most importantly, copy the long Published URL and paste it into Notepad. An example:
urn:schemas-microsoft-com:sharepoint:service:5647e8703ddf46cc956cd0cd54cb9df1#authority=urn:uuid:6af200f429a748e1bd01f0b6e82a45c6&authority=https://DEPARTMENT1CA01:32844/Topology/topology.svc
8. Then you need to allow the CONSUMING FARM to consume the published application. In CONSUMING FARM SP 2013 Powershell type in the following:
Get-SPFarm | Select Id
The ID of the CONSUMING FARM will be displayed. Copy that to Notepad.
Then in SOURCE FARM SP2013 Powershell:
$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal = New-SPClaimsPrincipal -ClaimType http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid -ClaimProvider $claimProvider -ClaimValue <PASTE FARM ID HERE>
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
Still in SOURCE FARM, select the “Search Service Application” again and click Permissions on the ribbon. Paste in the Farm ID of the CONSUMING FARM so that it appears in the list, and give it Full Control. See below for example:
9. Next step is to connect to the published application. Go to CONSUMING FARM > Central Admin > Application Management > Manage service applications. Then click Connect > Search Service Proxy. Now paste that long “Published URL” from Notepad to the textbox and click OK. On the next screen you will be able to see the published service application from the SOURCE FARM like below:
Click on the blue link “Search Service Application” and click OK.
10. You are now officially connected to the SOURCE FARM’s Search Service Application. As you can see, the SOURCE FARM SSA is now available in the CONSUMING FARM like below:
You now need to tell your CONSUMING FARM to use that connected Search Service Application. To do so go to CONSUMING FARM > Central Admin > Application Management > Configure Service Application Associations. Click on default then the modal pop-up will appear. Then click “set as default” on the connected Search Service Application.
In this window you can only associate 1 Search Service Application in a proxy group; and then you can only associate 1 site collection per proxy group. As I mentioned above, as soon as you use the connected Search Service Application, you will lose the capability of searching the CONSUMING FARM.
11. Two final steps remain. First, we need to establish server-to-server authentication between the CONSUMING FARM and SOURCE FARM. To do so:
Go to SOURCE FARM SP2013 Powershell and type:
Set-SPAuthenticationRealm -realm DEPARTMENT1CA01
$sts = Get-SPSecurityTokenServiceConfig
$Realm = Get-SPAuthenticationRealm
$nameId = "00000003-0000-0ff1-ce00-000000000000@$Realm"
Write-Host "Setting STS NameId to $nameId"
$sts.NameIdentifier = $nameId
$sts.Update()
Then go to CONSUMING FARM SP2013 Powershell and type:
Set-SPAuthenticationRealm -realm DEPARTMENT1CA01
$sts = Get-SPSecurityTokenServiceConfig
$Realm = Get-SPAuthenticationRealm
$nameId = "00000003-0000-0ff1-ce00-000000000000@$Realm"
Write-Host "Setting STS NameId to $nameId"
$sts.NameIdentifier = $nameId
$sts.Update()
12. As the very last step, run the commands below to establish the trust:
On SOURCE FARM SP2013 Powershell:
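# Allow metadata retrieval and OAuth over plain HTTP, because the metadata endpoint
# below is an http:// URL; tokens between the farms are then not protected by TLS.
$stsConfig = Get-SPSecurityTokenServiceConfig
$stsConfig.AllowMetadataOverHttp = $true
$stsConfig.AllowOAuthOverHttp = $true
$stsConfig.Update()
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "http://intranet2.company.local/_layouts/15/metadata/json/1" -Name DEPARTMENT2CA01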
On CONSUMING FARM SP2013 Powershell:
# Same HTTP allowances as on the SOURCE FARM, for the same reason.
$stsConfig = Get-SPSecurityTokenServiceConfig
$stsConfig.AllowMetadataOverHttp = $true
$stsConfig.AllowOAuthOverHttp = $true
$stsConfig.Update()
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "http://intranet1.company.local/_layouts/15/metadata/json/1" -Name DEPARTMENT1CA01
That’s it, done! Now when you go to Intranet 2 and try to search, the results will be coming from Intranet 1.
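A check that fits this procedure, as an added example that is not part of the original article: confirm that the certificate files copied in step 4 are the ones the other farm exported before steps 5 and 6 import them as trusted, then review what the farm trusts once step 12 is done. It is written for the SOURCE FARM; the function name Get-CerSha256 and the fingerprint values are placeholders introduced here, to be read out on the exporting farm and passed across separately from the files.

```powershell
# Added example (not from the original article). Run in the SharePoint 2013
# Management Shell as Administrator on the SOURCE FARM.

# SHA-256 fingerprint of a .cer file, computed with .NET only.
function Get-CerSha256 {
    param([Parameter(Mandatory = $true)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    try     { [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', '' }
    finally { $sha.Dispose() }
}

# Placeholders: obtain each value by running Get-CerSha256 against the same
# file on the CONSUMING FARM, where it was exported.
$expected = @{
    'C:\Temp\ConsumingFarmRoot.cer' = '<SHA-256 READ ON CONSUMING FARM>'
    'C:\Temp\ConsumingFarmSTS.cer'  = '<SHA-256 READ ON CONSUMING FARM>'
}

# Stop before any New-SPTrusted* call if a copied file differs from the export.
foreach ($file in $expected.Keys) {
    $actual = Get-CerSha256 -Path $file
    if ($actual -ne $expected[$file]) {
        throw "Fingerprint mismatch for ${file}: got $actual"
    }
    Write-Host "OK  $file  $actual"
}

# After steps 5-6: root authorities this farm now trusts, with thumbprints.
Get-SPTrustedRootAuthority |
    Select-Object Name, @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } }

# After step 12: does the STS accept OAuth and metadata over plain HTTP, and
# which trusted token issuers were registered from an http:// endpoint?
Get-SPSecurityTokenServiceConfig |
    Select-Object AllowOAuthOverHttp, AllowMetadataOverHttp
Get-SPTrustedSecurityTokenIssuer |
    Where-Object { "$($_.MetadataEndPoint)" -like 'http://*' } |
    Select-Object Name, MetadataEndPoint
```

The same check applies on the CONSUMING FARM with C:\Temp\PublishingFarmRoot.cer and a fingerprint read on the SOURCE FARM.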
OPTION 2 – CRAWL INTRANET 1 FROM INTRANET 2
With this option we will be using the crawl website capability in Search Scopes.
ADVANTAGES
– Easy to set up
– Displaying both Intranet 1 and 2 search results
– Still using Intranet 2 Search Service Application
– Works cross versions ie. 2010 in 2013, 2013 in 2013 or 2013 in 2010
DISADVANTAGES
– Security trimming only for Intranet 2 search results
– Security trimming of Intranet 1 results depends on the service account that Intranet 2 uses to crawl
HOW TO SET UP
1. Go to INTRANET 2 (CONSUMING FARM) Central Admin > Manage Service Applications > Search Service Application > Content Source. Then click “New Content Source”.
2. Select Web Site. Type in Intranet 1’s URL http://intranet1.company.local.
3. Then on Crawl Settings select Custom. Specify the following:
– Limit Page Depth: Unlimited
– Tick Limit Server Hops: set to 0 (zero)
Otherwise it will try to crawl every link in the content, including external links. You want to limit crawling to content whose URL starts with Intranet 1’s URL.
4. Then go to Crawl Rules. Create a new rule with the following settings:
– Path: http://intranet1.company.local/*
– Include all items in the path. I would not select any of the checkboxes.
– Then select “Specify a different content access account“. In this section specify the Search Reader account of Intranet 1 farm.
– Select “Do not allow basic authentication”.
– Click OK
5. Run full crawl.
6. You can then see aggregated results of Intranet 1 and 2 all in the same search results page.
Hope this helps,
Tommy
Tommy Segoro