Office Track: SharePoint Apps for the IT Pro - Thomas Vochten

SharePoint Apps for the IT Pro slides.
ITPROceed 2014 Session by Thomas Vochten

Transcript of "Office Track: SharePoint Apps for the IT Pro - Thomas Vochten"

  1. 1. SharePoint Apps for the IT Pro Thomas Vochten
  2. 2. About Me Thomas Vochten SharePoint MVP. Platform architect. Speaker. Trainer. Involuntary DBA. Consultant at Xylos. V-TSP at Microsoft. @thomasvochten http://thomasvochten.com mail@thomasvochten.com
  3. 3. Agenda • Introduction to Apps • Preparing the infrastructure • Apps Security • Apps Management
  4. 4. INTRODUCTION TO APPS
  5. 5. The problem with Full Trust Code • Performance • Maintenance • Security • Upgrades • Supportability • …
  6. 6. Previous attempt to fix the problem Custom code in Sandboxed Solutions is deprecated with SharePoint 2013
  7. 7. More Frustrations SharePoint developers felt, well… a bit left behind
  8. 8. Welcome to the Cloud App Model • Apps don’t run on the SharePoint server • Can still interact with SharePoint • On-Premises and in the cloud • Free choice of tools, languages & platforms
  9. 9. The new Microsoft? http://officespdev.uservoice.com/ https://officeams.codeplex.com/
  10. 10. Everything is an App
  11. 11. TYPES OF APPS
  12. 12. SharePoint Hosted Apps • Run in the browser • Use client side technologies only • Relatively easy • Can interact with the host web • Use an app web with a funky URL • On-Premises and in the cloud • AuthZ with user privileges
  13. 13. Provider Hosted Apps • Bring your own hosting • Use any language or platform • Greater flexibility • Greater responsibility • Can interact with the host web
  14. 14. Provider Hosted Apps
  15. 15. Auto Hosted Apps • Web & Azure components are provisioned automatically • Can interact with the host web • Automagically provisioned provider-hosted apps
  16. 16. Apps Positioning
  17. 17. APPS USER EXPERIENCE
  18. 18. SharePoint Store
  19. 19. Who do you trust?
  20. 20. App Provisioning • Timer job kicks in • App web is provisioned • Permissions are configured
  21. 21. Full Page • Mimics SharePoint look and feel
  22. 22. UI Components Ribbon extensions App Parts
  23. 23. PREPARE THE INFRASTRUCTURE
  24. 24. Demo Environment • Single farm • Single content application pool • Single services application pool • Single content web application • Host named site collections • No host headers • SSL Everywhere
  25. 25. “Host-named site collections are the preferred method to deploy sites in SharePoint 2013” From: TechNet
  26. 26. DEMO | EXPLORE
  27. 27. DNS Prerequisites • Choose your app domain • Request a wildcard or SAN certificate • Configure DNS with a wildcard record • Set up SharePoint & IIS to accommodate requests for your app domain
  28. 28. Choose an App Domain • Unique domain • No subdomains please • You need one…per farm!
  29. 29. Certificates • Wildcard Certificate: *.contoso.com • Wildcard Certificate: *.contosoapps.com • SAN Certificate: *.contoso.com, *.contosoapps.com
  30. 30. Routing Web Application https://app-bdf2016ea7dacb.contosoapps.com/... Routing Web App No host header
  31. 31. No Routing Web Application https://app-bdf2016ea7dacb.contosoapps.com/...
  32. 32. Routing Web Application • When you need to use IIS host headers • Web application without a host header • Contains no site collections • Delete/disable the Default Website in IIS • Consider multiple IP addresses • Use the same application pool identity as your content application pool
  33. 33. SharePoint Prerequisites • Claims based authentication only • Subscription Settings Service Application: generates & manages App IDs • App Management Service Application: general settings, app licensing
  34. 34. SharePoint Configuration • Provision service applications • Configure App domain • Configure App prefix • Configure App Catalog • Configure SharePoint Store settings
  35. 35. Considerations • You can use multiple zones for your app domain (needs March 2013 PU):
          $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
          $contentService.SupportMultipleAppDomains = $true
          $contentService.Update()
          New-SPWebApplicationAppDomain -AppDomain <AppDomain> -WebApplication <WebApplicationID> -Zone <Zone> -Port <Port> -SecureSocketsLayer
      • Use SSL… everywhere!
  36. 36. DEMO | CONFIGURE
  37. 37. Simple, Right? • Your environment is now ready to host SharePoint Hosted Apps • Office365 can use Provider Hosted Apps without extra configuration • Connecting on-premises farms to Provider Hosted Apps requires additional configuration!
  38. 38. APPS SECURITY
  39. 39. Security Basics • User principals vs App principals • Authentication vs Authorization SharePoint 2013 can authenticate Apps!
  40. 40. App Identity using OAuth • Client Id of the app • Display name of the app • App domain where the remote app is hosted
  41. 41. App Authentication • Internal Authentication: it just works • External Authentication using S2S Trusts • External Authentication using OAuth
  42. 42. Authentication Flow (flowchart; the yes/no branches between the nodes did not survive extraction) • Start authentication • Decision points: does request target a CSOM/REST endpoint? / does request carry a claims token? / does request carry an access token? / does request target URL of an app web? / does access token carry user identity? • Outcomes: No Authentication (anonymous access) / User Authentication / App Authentication (app and user identity) / App Only Authentication • End authentication
  43. 43. App Permissions • Granted by user approval • All or nothing • Default permissions (like app web control)
  44. 44. Low Trust vs High Trust • Low trust apps need ACS as trust broker (via Office365) • High trust apps need Server To Server trust (no need for Office365)
  45. 45. Low Trust vs High Trust
          SharePoint  | Remote App  | Trust broker
          On premises | In cloud    | ACS, certificate
          On premises | On premises | ACS, certificate
          Office 365  | In cloud    | ACS
          Office 365  | On premises | ACS
      You might need to open firewall ports towards ACS
  46. 46. Kerberos?
  47. 47. SAML Authentication • Identity provider should support: wildcard return URL, Wreply parameter • Supported by latest ADFS version
  48. 48. APPS MANAGEMENT
  49. 49. The G-Word
  50. 50. App Management • Timer Job: App Installation Service • Cmdlets: Import-SPAppPackage, Install-SPApp, Uninstall-SPAppInstance
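  51. 51. Licensing • Timer Job: License renewal • PowerShell for DR:
          # Read the deployment ID from the App Management service application proxy
          $appProxy = Get-SPServiceApplicationProxy "AppManagementProxyId"
          $appProxy.GetDeploymentID()
          # Cmdlet used to set the deployment ID (parameters not shown on the slide)
          Set-SPAppManagementDeploymentID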
  52. 52. Upgrade Apps • Site collection admin needs to upgrade apps • SharePoint manages notification state • Timer Jobs: App State Update, Internal App State Update • Cmdlets: Get-SPAppStateUpdateInterval, Get-SPAppStateSyncLastRunTime, Set-SPAppStateUpdateInterval, Update-SPAppInstance
  53. 53. Backup/Restore • Site exports do not include app assets: Export-SPWeb and Import-SPWeb • Site backup and restore: Backup-SPSite and Restore-SPSite • App exports: Export-SPAppPackage
  54. 54. DEMO | MANAGE
  55. 55. SUMMARY • Apps are good for you • Don’t underestimate infrastructure impact • Understand the security model of apps • Strongly consider using host named site collections • Use SSL - Everywhere!
  56. 56. QUESTIONS ? @thomasvochten #itproceed
  57. 57. And take home the Lumia 1320 Present your feedback form when you exit the last session & go for the drink Give Me Feedback
  58. 58. Follow Technet Belgium @technetbelux Subscribe to the TechNet newsletter aka.ms/benews Be the first to know
  59. 59. Belgium’s biggest IT PRO Conference
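
The "unique domain, no subdomains" rule from slide 28 and the "SSL everywhere" advice from slides 35 and 55 can be checked mechanically. The PowerShell below is an added example, not part of the original deck: the function names Get-ParentDomain and Test-AppDomainIsolation are hypothetical, the sample URLs are constructed from the deck's contoso names, and the parent domain is approximated as the last two DNS labels.

```powershell
# Added example (not from the deck): pure functions, no SharePoint farm needed.
function Get-ParentDomain([string]$HostName) {
    # Assumption: the registrable domain is the last two DNS labels.
    # This is wrong for multi-part suffixes such as co.uk; adjust for those.
    $labels = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Test-AppDomainIsolation {
    param(
        [Parameter(Mandatory)] [string]   $AppDomain,    # configured app domain
        [Parameter(Mandatory)] [string[]] $ContentUrls   # URLs that serve SharePoint content
    )
    $appParent = Get-ParentDomain $AppDomain
    foreach ($url in $ContentUrls) {
        $uri = [Uri]$url
        $findings = @()
        # App webs and content sites should not sit under the same parent domain.
        if ((Get-ParentDomain $uri.Host) -eq $appParent) {
            $findings += 'shares a parent domain with the app domain'
        }
        if ($uri.Scheme -ne 'https') {
            $findings += 'not served over SSL'
        }
        [pscustomobject]@{
            ContentUrl = $url
            Pass       = ($findings.Count -eq 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Constructed sample input, using the domain names from the slides.
$urls = 'https://intranet.contoso.com', 'http://teams.contoso.com'
Test-AppDomainIsolation -AppDomain 'contosoapps.com'  -ContentUrls $urls  # dedicated app domain
Test-AppDomainIsolation -AppDomain 'apps.contoso.com' -ContentUrls $urls  # app domain under contoso.com

# On a farm, the inputs would come from the SharePoint cmdlets:
#   Test-AppDomainIsolation -AppDomain (Get-SPAppDomain) -ContentUrls (Get-SPWebApplication).Url
# With host-named site collections, pass (Get-SPSite -Limit All).Url instead.
```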