SharePoint Fest Chicago 2015 - Anatomy of configuring provider hosted add-in infrastructure for...
Transcript of SharePoint Fest Chicago 2015 - Anatomy of configuring provider hosted add-in infrastructure for...
About Me
• Principal Consultant, Slalom Consulting, Chicago
• Current focus area Office 365 and SharePoint 2013
Contact Info
• Email - [email protected]
• Blog - Nik Patel’s Logs from the Field - http://nikpatel.net/
• Twitter - @nikxpatel
• LinkedIn - linkedin.com/in/nikspatel
• Slideshare - slideshare.net/patenik2
SharePoint Hosted Add-ins
Allows you to host your add-ins in SharePoint using client-side technologies and declarative workflows.
Provider Hosted Add-ins
Allows you to host your add-ins in your own infrastructure, with your own technology and server-side code.
Deploying SharePoint Artifacts
Allows you to deploy SharePoint artifacts rather than deploying through full trust or sandbox model.
Business Widgets
Allows you to build SharePoint web parts where code will run on the remote web application.
Stand-Alone Business Apps
Allows you to build standalone remote business applications like performance dashboard or timesheet.
High-Trust Add-ins
Enables an on-premises add-in hosting environment to host add-ins for SharePoint 2013 on-premises, using certificate-based authorization.
Low-Trust Add-ins
Enables an on-premises add-in hosting environment to host add-ins for SharePoint Online, using Azure ACS OAuth-based authorization.
High Trust vs. Low Trust
• Trust Mechanism - High Trust: Digital Certs; Low Trust: Azure ACS
• Token Creator - High Trust: App itself; Low Trust: Azure ACS
• App Host - High Trust: On-Premises; Low Trust: Azure PaaS
• Usage - High Trust: On-Premises Only; Low Trust: Both Office 365 and On-Premises
On-Premises Only Add-ins (High Trust)
Allows you to deploy provider hosted add-ins on-premises for SharePoint on-premises using High Trust model.
Cloud Add-ins for SharePoint Online (Low Trust)
Allows you to deploy provider hosted add-ins in Azure for SharePoint online using Low Trust model.
Cloud Add-ins for SharePoint On-Premises (Low Trust)
Allows you to deploy provider hosted add-ins in Azure for SharePoint on-premises using Low Trust model.
[Architecture diagram: SharePoint 2013 (Host Web, App Web) and the Add-in Hosting Servers; artifacts shown: CSS, png, aspx, master, js, Web Services, Databases]
Infrastructure
• Configure Add-ins Domain (either isolated or subdomain)
• Wildcard DNS entries for SharePoint Add-ins (optional)
• Wildcard Certificates for SharePoint Add-ins SSL communication (optional)
SharePoint Servers
• SharePoint Environment Configured, optionally with SSL
• Routing SharePoint Web App configured for SharePoint Add-ins (optional)
• App Management and Subscription Settings Services & Service Applications
• Add-in Settings - App Prefix, App Hosting Domain, and App Catalog Site Collection
Provider Hosted Servers
• IIS and Application Server Role, .NET Framework 4.5 and later
• Install Web Deploy Tool for deployment
• Configure DNS entries, SSL certs, and IIS_IUSRS permissions to the cert.
Mirjam Van Olst’s classic article - http://sharepointchick.com/archive/2012/07/29/setting-up-your-app-domain-for-sharepoint-2013.aspx
#Specify parameters for your environment
$ServiceAppPoolName = "SharePoint Hosted Services" #See Shared Services App Pool Account in Service Accounts page in central admin
$AppManagementServiceDB = "NikSP_AppManagement" #Specify Prefix to App management database
$SubscriptionSettingsServiceDB = "NikSP_SubscriptionSettings" #Specify prefix to subscription settings database
$appHostDomain = "apps.niks.local" #Specify App hosts domain
# Load SharePoint PowerShell snapin
$snapin = Get-PSSnapin | Where-Object {$_.Name -eq 'Microsoft.SharePoint.PowerShell'}
if ($snapin -eq $null) {
Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}
#Set the SharePoint 2013 App Domain
Set-SPAppDomain $appHostDomain
#Start if the SharePoint App Management Service isn’t running
$appMgmtSvcInstance = Get-SPServiceInstance | Where-Object { $_.GetType().Name -eq "AppManagementServiceInstance" }
if ($appMgmtSvcInstance.Status -ne "Online") {
$silence = Start-SPServiceInstance -Identity $appMgmtSvcInstance
}
#Start if the SharePoint Subscription Settings Service isn’t running
$appSubSettingSvcInstance = Get-SPServiceInstance | Where-Object { $_.GetType().Name -eq "SPSubscriptionSettingsServiceInstance"}
if ($appSubSettingSvcInstance.Status -ne "Online") {
$serviceInstance = Start-SPServiceInstance -Identity $appSubSettingSvcInstance
}
#Get Application Pool for hosting service applications
$appPoolServiceApps = Get-SPServiceApplicationPool -Identity $ServiceAppPoolName
#Provision Subscription Settings Service Application
$appSubSvc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $appPoolServiceApps -Name "Settings Service Application" -DatabaseName $SubscriptionSettingsServiceDB
$proxySubSvc = New-SPSubscriptionSettingsServiceApplicationProxy –ServiceApplication $appSubSvc
#Create App Management Service Application
$appAppSvc = New-SPAppManagementServiceApplication -ApplicationPool $appPoolServiceApps -Name "App Management Service Application" -DatabaseName $AppManagementServiceDB
$proxyAppSvc = New-SPAppManagementServiceApplicationProxy -ServiceApplication $appAppSvc
#Recycle IIS
IISRESET
#Set Default On-Premises Tenant Add-in Prefix for Add-ins
Set-SPAppSiteSubscriptionName -Name "app" -Confirm:$false
#Complete configuring SharePoint 2013 to host add-ins
http://www.iis.net/downloads/microsoft/web-deploy
http://go.microsoft.com/?linkid=9278654
Add DNS entries to resolve provider hosted add-in URL
Import a High Trust certificate on Add-ins Host Servers
If you don't have PFX and CER files from the external/internal CA, one way to obtain them is to export the cert from the SharePoint servers with the private key (e.g. NiksHighTrustCert.pfx) and with the public key only (e.g. NiksHighTrustCert.cer), and to export the public key of every cert in the chain, including the root CA and other parent certs (e.g. RootCAHighTrustCert.cer).
The CER (public key) is required to register the cert with SharePoint; the PFX (private key) is required by the add-in.
Usually the high trust certificate is the same wildcard cert used for the SharePoint web applications, if the high trust add-ins and SharePoint share the same domain.
Configure BUILTIN\IIS_IUSRS access to the High Trust cert
On the separate IIS server hosting add-ins, grant BUILTIN\IIS_IUSRS full control permission to the cert
On Windows Server 2012 R2, use the command-line Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe)
On Windows Server 2008 R2, you can use the Microsoft WSE 2.0 SP3 GUI tool: look up the wildcard cert (e.g. *.niks.local), grant full control to IIS_IUSRS from the machine, and restart IIS
If IIS_IUSRS doesn't have permission, the add-in throws a "Keyset does not exist" error - http://webservices20.blogspot.com/2011/02/wcf-keyset-does-not-exist.html
Remove existing SPTrustedSecurityTokenIssuer if it exists
Run PowerShell to configure High Trust - trust the cert using New-SPTrustedSecurityTokenIssuer
Configure valid AllowOAuthOverHTTP settings for SSL or non-SSL communication between SharePoint and Provider Hosted Add-ins
Remove existing SPTrustedSecurityTokenIssuer if it exists
On the SP server, log in as the Setup account to run the PowerShell script and check whether any previously registered SPTrustedSecurityTokenIssuer exists.
If there is a malfunctioning one and the –IsTrustBroker switch was used, then the bad token issuer might be getting called.
If this is the first time you are configuring the high trust add-in, you can skip this step.
Run Get-SPTrustedSecurityTokenIssuer.
If no Azure workflow is configured, this command should return nothing.
If you get any issuer other than the workflow one, run Remove-SPTrustedSecurityTokenIssuer (passing the Id value from the above output) to delete it.
Configure the High Trust using Certificates
Run the PowerShell script on the SP server to register the cert with SharePoint, using the public (cer) key, to configure trust for your add-in
Each certificate in the chain is added to SharePoint's list of trusted root authorities with a call of the New-SPTrustedRootAuthority cmdlet.
Keep the IssuerID somewhere safe; it is needed each time you create add-ins in Visual Studio (e.g. 9F0FF6C4-0DA6-429B-959A-07847DF6BF37)
Get the Serial Number from the App Cert - 6114c562000000000005 (steps here - https://msdn.microsoft.com/EN-US/library/office/jj860570.aspx#ConfigureRemote)
https://msdn.microsoft.com/en-us/library/office/fp179901.aspx
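The registration step described above, written out as an added example (not the deck's own script): it trusts each cert in the chain, registers the token issuer with the farm realm, refuses to register a duplicate issuer (the case the "remove existing issuer" slide covers), and prints the two values the remote web's web.config needs. File paths, the site URL used to read the realm and the issuer GUID are placeholders.

```powershell
# Added example: register a high-trust signing cert chain with SharePoint. Run on a SP server as the setup account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$publicCertPath = "C:\Certs\NiksHighTrustCert.cer"        # public key of the signing cert (assumed path)
$rootCertPath   = "C:\Certs\RootCAHighTrustCert.cer"      # issuing CA public key (assumed path)
$issuerId       = "9f0ff6c4-0da6-429b-959a-07847df6bf37"  # lowercase GUID; same value goes into web.config IssuerId
$siteUrl        = "https://intranet.niks.local"           # assumed: any site in the farm, only used to read the realm

$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($publicCertPath)
$rootCert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCertPath)

# Every cert in the chain becomes a trusted root authority, once
foreach ($entry in @(@{ Name = "NiksHighTrustCert";  Cert = $signingCert },
                     @{ Name = "RootCAHighTrustCert"; Cert = $rootCert })) {
    if (-not (Get-SPTrustedRootAuthority -Identity $entry.Name -ErrorAction SilentlyContinue)) {
        New-SPTrustedRootAuthority -Name $entry.Name -Certificate $entry.Cert | Out-Null
    }
}

# The registered issuer name is <issuerId>@<farm realm>; the realm is a GUID read from the farm
$realm = Get-SPAuthenticationRealm -ServiceContext $siteUrl
$fullIssuerIdentifier = "$issuerId@$realm"

# A stale issuer with the same name is exactly what the slides say to remove first; do not stack a second one
if (Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.RegisteredIssuerName -eq $fullIssuerIdentifier }) {
    throw "Issuer $fullIssuerIdentifier is already registered; run Remove-SPTrustedSecurityTokenIssuer on it first"
}

# -IsTrustBroker lets several add-ins (each with its own ClientId) share this one issuer and cert
New-SPTrustedSecurityTokenIssuer -Name $issuerId -Certificate $signingCert `
    -RegisteredIssuerName $fullIssuerIdentifier -IsTrustBroker | Out-Null

# Values the remote web's web.config needs (the production variant on the later slide uses the serial number)
"IssuerId                            : $issuerId"
"ClientSigningCertificateSerialNumber: $($signingCert.SerialNumber)"
"Signing cert expires                : $($signingCert.NotAfter)"
```

Tokens signed with this cert stop validating on its NotAfter date, so record that date with the IssuerID.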
Configure valid settings for AllowOAuthOverHTTP
Configure AllowOAuthOverHTTP to FALSE for SSL communication between SharePoint and Provider Hosted Add-ins.
If any of your IIS web sites (either SharePoint or the provider hosted web add-in) has HTTP bindings, then you must set AllowOAuthOverHTTP to TRUE, otherwise you will get a 403 error
$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $false
$serviceConfig.Update()
On the DNS Servers
Make sure a DNS entry is available for the add-ins URL; PING to verify
On Provider Hosted Server
Create IIS Web Site and Virtual Directories to host Add-ins
The remote web can be deployed on IIS; make sure ASP.NET is installed as a feature
Web Site Name (e.g. ProviderHostedProdApp) and local folder (e.g. C:\inetpub\wwwroot\phprodapp)
Add New DNS entry for remote web add-in (e.g. phprodapp.niks.local to server or load-balancer IP) and see if you can ping it
Bind this cert with SSL (e.g. *.niks.local), Host Header (e.g. phprodapp.niks.local), and IP (e.g. 192.168.1.51)
Ensure .NET Framework 4.0 is selected as the target framework - make sure the Application Pool is using v4.0, otherwise you will get an error while deploying code
Configure Authentication of the Remote Web on IIS
Disable Anonymous Authentication for the IIS site hosting the remote web
Enable Windows Authentication for the IIS site hosting the remote web and ensure the NTLM provider is listed above Negotiate
Add Virtual Directories to host Add-ins
Alias (e.g. prodphapp), Path (e.g. C:\inetpub\wwwroot\phprodapp\prodphapp)
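The IIS steps above (site, HTTPS binding, authentication, virtual directory) scripted as one added example; it is not from the deck. Names, paths, host header and IP are the deck's examples, the wildcard cert is assumed to be already imported into LocalMachine\My, and the site gets an HTTPS binding only, so AllowOAuthOverHttp can stay $false.

```powershell
# Added example: build the remote-web IIS site the slides describe. Run elevated on the add-in host server.
Import-Module WebAdministration

$siteName    = "ProviderHostedProdApp"
$sitePath    = "C:\inetpub\wwwroot\phprodapp"
$hostHeader  = "phprodapp.niks.local"
$ipAddress   = "192.168.1.51"
$vdirAlias   = "prodphapp"
$certSubject = "CN=*.niks.local"   # wildcard cert already in LocalMachine\My (assumed)

New-Item -ItemType Directory -Path "$sitePath\$vdirAlias" -Force | Out-Null

# .NET 4.0 app pool: a v2.0 pool makes the Web Deploy step fail, as the slides warn
New-WebAppPool -Name $siteName | Out-Null
Set-ItemProperty "IIS:\AppPools\$siteName" -Name managedRuntimeVersion -Value "v4.0"

# HTTPS binding only; no HTTP binding means OAuth over HTTP never needs to be allowed
New-WebSite -Name $siteName -PhysicalPath $sitePath -ApplicationPool $siteName `
    -Port 443 -IPAddress $ipAddress -HostHeader $hostHeader -Ssl | Out-Null
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject } | Select-Object -First 1
if (-not $cert) { throw "Wildcard cert $certSubject not found in LocalMachine\My" }
(Get-WebBinding -Name $siteName -Protocol https).AddSslCertificate($cert.Thumbprint, "my")

New-WebVirtualDirectory -Site $siteName -Name $vdirAlias -PhysicalPath "$sitePath\$vdirAlias" | Out-Null

# Authentication: anonymous off, Windows on, NTLM listed above Negotiate
$appHost = "MACHINE/WEBROOT/APPHOST"
$auth    = "system.webServer/security/authentication"
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
Clear-WebConfiguration -PSPath $appHost -Location $siteName -Filter "$auth/windowsAuthentication/providers"
foreach ($provider in "NTLM", "Negotiate") {
    Add-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter "$auth/windowsAuthentication/providers" `
        -Name "." -Value @{ value = $provider }
}

# Show what was configured: expect a single https binding and NTLM before Negotiate
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
Get-WebConfiguration -PSPath $appHost -Location $siteName -Filter "$auth/windowsAuthentication/providers/add" | Select-Object value
```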
App Id: f5b99211-2f48-4747-8af0-bdfbbcf1b1b5
App Secret: ER8VtsjIfOU1Y2NrTMCfph+2LACCeOUpiaEMqr/zE2Y=
Title: Prod Provider Hosted App
App Domain: phprodapp.niks.local
Redirect URI: https://phprodapp.niks.local/prodphapp/pages/default.aspx
• App Registration - ~siteURL/_layouts/15/appregnew.aspx
• App Lookup - ~siteURL/_layouts/15/appinv.aspx
Appid - generate
App secret - generate
App domain - phprodapp.niks.local
Redirect URL - https://phprodapp.niks.local/prodphapp/pages/default.aspx
Update the Web.Config file of App Web
VS adds ClientSigningCertificatePath and ClientSigningCertificatePassword. This requires the certificate to be downloaded and stored on the local file system.
<appSettings>
<add key="ClientId" value="f5b99211-2f48-4747-8af0-bdfbbcf1b1b5" />
<add key="ClientSigningCertificatePath" value="C:\Certs\NiksHighTrustCert.pfx" />
<add key="ClientSigningCertificatePassword" value="pass@word1" />
<add key="IssuerId" value="9f0ff6c4-0da6-429b-959a-07847df6bf37" />
</appSettings>
No changes in the Token Issuer file in VS project
Visual studio template for Provider hosted add-in contains code to create access token based on certificate location.
Update the Web.Config file of App Web
VS adds ClientSigningCertificatePath and ClientSigningCertificatePassword. This shouldn’t be used for production add-ins. Instead use ClientSigningCertificateSerialNumber.
Find the ClientSigningCertificateSerialNumber from the cert bound to the provider hosted add-in (e.g. *.niks.local)
<appSettings>
<add key="ClientId" value="f5b99211-2f48-4747-8af0-bdfbbcf1b1b5" />
<add key="ClientSigningCertificateSerialNumber" value="6114c562000000000005" />
<add key="IssuerId" value="9f0ff6c4-0da6-429b-959a-07847df6bf37" />
</appSettings>
Update Token Issuer file in VS project
Since you are using the serial number instead of the cert path and password for authorization, you need to update the code to retrieve the cert by serial number - see the Token Issuer section here - https://msdn.microsoft.com/en-us/library/office/jj860570.aspx
Provider Hosted Add-ins consist of two projects in Visual Studio
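An added diagnostic (not from the deck) that ties the serial-number lookup above to the IIS_IUSRS permission step earlier: it finds the cert the same way the token issuer does (LocalMachine\My, by serial number) and then tries to sign with the private key, which is where a missing key permission surfaces as "Keyset does not exist". Serial number and account are the deck's examples; run it under the app pool identity to see what the add-in sees.

```powershell
# Added example: verify the ClientSigningCertificateSerialNumber cert is present and its private key is usable.
param(
    [string]$SerialNumber = "6114c562000000000005",   # the value placed in web.config
    [string]$Account      = "BUILTIN\IIS_IUSRS"       # identity that needs key access on the add-in host
)

# Same lookup the token issuer performs: LocalMachine\My by serial number (-eq is case-insensitive)
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.SerialNumber -eq $SerialNumber } | Select-Object -First 1
if (-not $cert) { throw "No cert with serial $SerialNumber in LocalMachine\My on this host" }

"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"
if (-not $cert.HasPrivateKey) {
    throw "Cert has no private key: it was imported from the .cer; the add-in host needs the .pfx"
}

try {
    # Touching the private key as an under-privileged account is where the Keyset error is thrown
    $rsa  = $cert.PrivateKey
    $data = [System.Text.Encoding]::UTF8.GetBytes("high-trust token issuer self-test")
    $sig  = $rsa.SignData($data, "SHA256")
    "Private key usable: $($sig.Length * 8)-bit RSA signature produced as $env:USERDOMAIN\$env:USERNAME"
}
catch [System.Security.Cryptography.CryptographicException] {
    Write-Warning "Private key not usable: $($_.Exception.Message)"
    # Remedy from the slides (2012 R2): grant the account access to the key with WinHttpCertCfg, then IISRESET
    $simpleName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    Write-Warning "If the message is 'Keyset does not exist', run:"
    Write-Warning "  winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s `"$simpleName`" -a `"$Account`""
}
```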
Publishing App Web Package
Publishing the App Web copies the remote web files to the remote web server, where they are deployed on IIS
Create the App Web package from Visual Studio using the publish approach: create a profile (e.g. NiksRemote); Connection - Publish Method: Web Deploy Package, Package Location (e.g. C:\Deploy\ProdProviderHostedAppWeb\ProdProviderHostedAppWeb.zip) and Remote IIS Web Site Name (e.g. ProviderHostedProdApp/prodphapp)
Click Next - Release - and Publish Package
Publishing Add-ins Package
Publishing the App produces an App file (.app extension) that needs to be uploaded to the App Catalog site to make it available to SharePoint sites
Create the App package from Visual Studio using the publish approach: Remote Add-ins URL where the web site is hosted (e.g. https://phprodapp.niks.local/prodphapp)
Remote Add-ins Client ID (e.g. f5b99211-2f48-4747-8af0-bdfbbcf1b1b5)
Deploying App Web Package: copy the package to the Remote Add-ins server; make sure Web Deploy is installed on the additional server
Open a cmd prompt and run the App Web deployment command (e.g. C:\Deploy\ProdProviderHostedAppWeb>ProdProviderHostedAppWeb.deploy.cmd /y)
Verify all the contents are published to the IIS virtual directory
Deploy App Package to App Catalog
https://msdn.microsoft.com/en-us/library/office/fp179921.aspx
Q&A
• Blog - http://nikpatel.net/
• Twitter - @nikxpatel
• Slideshare - slideshare.net/patenik2