An IT Pro Guide to Deploying and Managing SharePoint 2013 Apps

As a SharePoint administrator managing your on-premises environment, building and managing environments to support 2013 apps is far from trivial. In this IT-Pro centric topic, we’ll bypass all of the developer ballyhoo and hone in on what matters most to you. Topics will include provisioning service applications and an app catalog; understanding and configuring OAuth and Server-to-Server (S2S) scenarios; understanding the app model’s security strengths and weaknesses; and developing governance policies to ensure you can properly manage and control these next-generation solutions.

Presentation Transcript

  • An IT Pro Guide for Deploying and Managing SharePoint 2013 Apps. Randy Williams, randy.williams@avepoint.com, @tweetraw
  • Randy Williams, Director of ACS, Author
  • Our Agenda
    – Understanding 2013 Apps
    – Provisioning Support for 2013 Apps
    – Managing 2013 Apps
    – Deploying Provider-hosted Apps
  • UNDERSTANDING 2013 APPS
  • So, what exactly is an app? (#espc14 @tweetraw)
    • Can contain some declarative SharePoint artifacts
    • An external app can provide its UI through a SharePoint IFrame or full screen
    • The external app uses CSOM or REST (OData) to call back into SharePoint
    • No custom server-side code runs on the SharePoint servers
    • Definition: an application whose interface is launched from or surfaced through SharePoint, but whose code is executed elsewhere
  • How an app runs
  • Host web & app web
    • The host web is where the app is added, removed, and upgraded
    • If the app contains SharePoint artifacts, a sub-web is created underneath the host web
    • This sub-web is called the app web
    • The app web is only accessible through an isolated domain name:
      – https://{AppPrefix}-{ID}.{AppDomain}/path/{AppName}
      – Host web (example): https://teams.contoso.com
      – App web (example): https://app-af48d482118ab1.appscontoso.com/myapp
  • Understanding the app web URL
    https://<app prefix>-<app id>.<app domain>/<host web relative url>/<app name>
    https://app-af48d482118ab1.appscontoso.com/sites/projects/foo/myapp
    • The app prefix is defined when you configure support for SharePoint apps
    • The app id is an app-unique hex string, generated automatically
    • The app domain is the DNS name you configure
    • The host web relative URL is the portion of the URL that is relative to the web application
    • The app name is set by the developer
  • App principal
    • A 2013 app uses a new security principal, called the app principal
    • The developer sets the permissions the app will need
    • Permissions are delegated to the app principal when the app is provisioned
    • If the user does not have the permissions the app needs, it cannot be provisioned
  • App policies
    • The developer sets the app permission policy in the app manifest:
      <AppPermissionRequests AllowAppOnlyPolicy="true|false">
    Policy type         Attribute value   What it means
    User & app policy   false (default)   Both the user and the app must have permissions to perform an action.
    App only policy     true              Only the app needs permissions to perform an action. You must be a site collection admin to provision apps of this type. (Think of this as an elevation of privileges.)
  • App permission scope
    • Permissions are not inherited the way they are for user principals
    • Permissions are granted at one of four scopes:
      – Tenancy (meaning all web apps if not using multi-tenancy)
      – Site collection
      – Web (meaning the host web)
      – List (by default, all lists in the host web)
    • The app receives the requested permission to all objects contained in that scope
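Before approving a package into the app catalog, an IT pro wants to see exactly which scope, right and policy it asks for rather than trusting the developer's description. The following is an added example (not from the slides) that opens an .app package, reads AppManifest.xml, and flags the two things the slides single out as elevation: AllowAppOnlyPolicy="true" and broad rights (tenant scope, FullControl). The manifest at the bottom is a constructed sample so the script runs offline; the function names, the sample product id and the flagging rules are my own.

```powershell
# Added example: audit what an .app package requests before it goes into the app catalog.
# Assumption: the .app file is a zip that contains AppManifest.xml using the
# AppPermissionRequests/AppPermissionRequest elements shown on the slides.
Add-Type -AssemblyName System.IO.Compression.FileSystem   # .NET 4.5+, present on SP2013 servers

function Read-AppManifestXml {
    param([Parameter(Mandatory)][string]$AppPackagePath)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($AppPackagePath)
    try {
        $entry = $zip.Entries | Where-Object { $_.FullName -ieq 'AppManifest.xml' }
        if (-not $entry) { throw "No AppManifest.xml in $AppPackagePath" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { return $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
}

function Get-AppPermissionReport {
    param([Parameter(Mandatory)][string]$ManifestXml)
    [xml]$doc = $ManifestXml
    $app      = $doc.App
    $requests = $app.AppPermissionRequests
    # AllowAppOnlyPolicy="true" lets the app act without a user: treat it as an elevation request
    $appOnly = [bool]($requests -and $requests.AllowAppOnlyPolicy -eq 'true')
    $rights = @()
    if ($requests) {
        foreach ($r in $requests.AppPermissionRequest) {
            # Scope URIs end in /tenant, /sitecollection, /sitecollection/web or /sitecollection/web/list
            $scopeName = ($r.Scope -split '/')[-1]
            $rights += [pscustomobject]@{ Scope = $r.Scope; ScopeName = $scopeName; Right = $r.Right }
        }
    }
    $flags = @()
    if ($appOnly) { $flags += 'app-only policy (site collection admin needed to install)' }
    foreach ($r in $rights) {
        if ($r.ScopeName -eq 'tenant')  { $flags += "tenant-wide $($r.Right)" }
        if ($r.Right -eq 'FullControl') { $flags += "FullControl at $($r.ScopeName) scope" }
    }
    [pscustomobject]@{
        Name        = $app.Name
        ProductId   = $app.ProductID
        Version     = $app.Version
        AppOnly     = $appOnly
        Permissions = $rights
        ReviewFlags = $flags
    }
}

# Constructed sample manifest (not a real app) so the report can be run offline
$sampleManifest = @'
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="ContosoTimesheets" ProductID="{6f04d52a-1c6c-4b3e-9a2b-1b4b2e5c7d01}" Version="1.0.0.0">
  <Properties><Title>Contoso Timesheets</Title><StartPage>~remoteAppUrl/Default.aspx?{StandardTokens}</StartPage></Properties>
  <AppPrincipal><RemoteWebApplication ClientId="*" /></AppPrincipal>
  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Read" />
  </AppPermissionRequests>
</App>
'@

$report = Get-AppPermissionReport -ManifestXml $sampleManifest
$report | Format-List Name, Version, AppOnly, ReviewFlags
$report.Permissions | Format-Table ScopeName, Right, Scope -AutoSize
# For a real package: Get-AppPermissionReport -ManifestXml (Read-AppManifestXml 'C:\temp\ContosoTimesheets.app')
```

Run this against every package that lands in the App Requests list; a request carrying app-only policy or a tenant-scope right is the one to escalate to a site collection or farm administrator rather than approve from the catalog alone.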
  • DEMO Reviewing app web url
  • PROVISIONING SUPPORT FOR 2013 APPS
  • Four steps to host apps on premises
    1. Create an app tenancy
    2. Configure app URL settings
    3. Configure the redirection web app
    4. Configure DNS
  • Creating an app tenancy (step 1)
    • Create the App Management Service application
      – Tracks app instances, licenses, app principals
    • Create the Subscription Settings Service application
      – Provides app isolation
    • Do not use the farm account for the app pools
    • The account does not need to be a local admin
    • Start these services on the designated server(s)
  • Scripting the app tenancy
    # Run from the SharePoint 2013 Management Shell (or Add-PSSnapin Microsoft.SharePoint.PowerShell)
    $dbserver = "sql1"
    $wfe = "wfe1"
    $acct = "contoso\SP.AppPool"     # dedicated service account, not the farm account
    $subPool = New-SPServiceApplicationPool -Name "SubscriptionSettingsAppPool" -Account $acct
    $appPool = New-SPServiceApplicationPool -Name "AppManagementAppPool" -Account $acct

    $name = "App Management Service"
    $svc = New-SPAppManagementServiceApplication -ApplicationPool $appPool -Name $name `
        -DatabaseName "AppManagement" -DatabaseServer $dbserver
    New-SPAppManagementServiceApplicationProxy -ServiceApplication $svc -Name "$name Proxy"

    $name = "Subscription Settings Service"
    $svc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $subPool -Name $name `
        -DatabaseName "SubscriptionSettings" -DatabaseServer $dbserver
    New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $svc

    # Start both service instances on the designated server
    Get-SPServiceInstance | Where-Object { $_.TypeName -in ("App Management Service",
        "Microsoft SharePoint Foundation Subscription Settings Service") -and $_.Parent -like "*$wfe" } |
        Start-SPServiceInstance
  • Configure app URL settings (step 2)
    • There are two settings you need to specify: App Prefix and App Domain
    • Security-wise, give the app domain its own registered domain (e.g. appscontoso.com) rather than a subdomain of your SharePoint domain (e.g. apps.contoso.com): app webs then cannot read or set cookies scoped to contoso.com, such as the authentication cookies for your SharePoint sites
    • Set in Central Administration or PowerShell:
      Set-SPAppDomain "appscontoso.com"
      Set-SPAppSiteSubscriptionName -Name "apps" -Confirm:$false
  • Configure the redirection web app (step 3)
    • Create a dedicated SP web application
      – Make sure the host header is blank
      – No content database needed
      – It is only used for "app redirection"
    • Bind the IIS web site to a dedicated IP address
    • SSL strongly recommended
      – Use a wildcard certificate (e.g. *.appscontoso.com)
      – Bind the certificate to this IIS web site
  • Sample IIS bindings
    Type    Host name            Port   IP address   SSL certificate       Description
    https   teams.contoso.com    443    10.0.0.10    teams.contoso.com     Regular SP web application
    https   portal.contoso.com   443    10.0.0.11    portal.contoso.com    Regular SP web application
    https   <blank>              443    10.0.0.12    *.appscontoso.com     SharePoint web application used for app redirection
  • Configure DNS (step 4)
    • Create an authoritative zone for the app domain
    • Dynamic hostname resolution is needed, so you'll need a wildcard "A" record
      – For example: *.appscontoso.com
    • The host ("A" record) points to the IP address of the "redirection" web app
      – 10.0.0.12 from the previous slide
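Once the four steps are done there is no single place in Central Administration that tells you whether they fit together. The following is an added example (not from the slides) that checks each step from the redirection web front end: both service applications exist, the app domain and prefix are set and the app domain is not nested inside a SharePoint web application's domain (the cookie-isolation point from step 2), an https binding with a blank host header and a wildcard certificate sits on the expected IP, and a random hostname under the app domain resolves to that IP. It assumes the IIS WebAdministration module is available and that 10.0.0.12 is the redirection address from the bindings slide; the subdomain test is a heuristic of my own, not a SharePoint check.

```powershell
# Added example: verify steps 1-4 of on-premises app hosting. Run from the SharePoint 2013
# Management Shell on the redirection web front end. Assumes the WebAdministration module
# (IIS) and that $ExpectedIp is the dedicated IP chosen for the redirection web application.
Import-Module WebAdministration
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Test-SPAppHosting {
    param([string]$ExpectedIp = '10.0.0.12')
    $findings = New-Object System.Collections.Generic.List[string]
    $ok  = { param($m) Write-Host "[OK]   $m" }
    $bad = { param($m) Write-Host "[FAIL] $m"; $findings.Add($m) }

    # Step 1: both service applications exist
    foreach ($pattern in 'App Management Service*', '*Subscription Settings Service*') {
        $sa = Get-SPServiceApplication | Where-Object { $_.TypeName -like $pattern }
        if ($sa) { & $ok "service application present: $($sa.DisplayName)" }
        else     { & $bad "service application matching '$pattern' not found (step 1)" }
    }

    # Step 2: app domain and prefix set, and the app domain isolated from the SharePoint domains
    $appDomain = Get-SPAppDomain
    $prefix    = Get-SPAppSiteSubscriptionName
    if (-not $appDomain) { & $bad 'app domain not set (Set-SPAppDomain, step 2)' }
    if (-not $prefix)    { & $bad 'app prefix not set (Set-SPAppSiteSubscriptionName, step 2)' }
    $parents = Get-SPWebApplication | ForEach-Object { $_.AlternateUrls } |
        ForEach-Object { ([uri]$_.IncomingUrl).Host } |
        ForEach-Object { ($_ -split '\.', 2)[1] } | Where-Object { $_ } | Sort-Object -Unique
    foreach ($parent in $parents) {
        # Heuristic: a cookie set with Domain=contoso.com reaches every *.contoso.com host,
        # so an app domain under it shares the SharePoint domain's cookies
        if ($appDomain -eq $parent -or $appDomain -like "*.$parent") {
            & $bad "app domain '$appDomain' is inside SharePoint domain '$parent'; use a separate domain (step 2)"
        }
    }

    # Step 3: an https site bound to ExpectedIp:443 with a blank host header and a wildcard cert
    $binding = Get-Website | ForEach-Object {
        $site = $_
        $_.bindings.Collection | Where-Object {
            $_.protocol -eq 'https' -and $_.bindingInformation -eq "${ExpectedIp}:443:"
        } | Select-Object @{n='Site';e={$site.Name}}, bindingInformation, certificateHash
    } | Select-Object -First 1
    if (-not $binding) {
        & $bad "no https binding ${ExpectedIp}:443 with a blank host header (step 3)"
    } else {
        & $ok "redirection site '$($binding.Site)' bound to ${ExpectedIp}:443"
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.certificateHash }
        # Subject Alternative Name extension (OID 2.5.29.17) rendered as text, e.g. "DNS Name=*.appscontoso.com"
        $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }) -join ' '
        if ($cert -and ("$($cert.Subject) $san" -like "*[*].$appDomain*")) {
            & $ok "wildcard certificate for *.$appDomain bound (expires $($cert.NotAfter.ToShortDateString()))"
        } else {
            & $bad "bound certificate is not a wildcard for *.$appDomain (step 3)"
        }
    }

    # Step 4: a random host under the app domain must resolve to the redirection IP
    $probe = "$prefix-$([guid]::NewGuid().ToString('N').Substring(0,14)).$appDomain"
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($probe) | ForEach-Object { $_.IPAddressToString }
        if ($addrs -contains $ExpectedIp) { & $ok "$probe resolves to $ExpectedIp" }
        else { & $bad "$probe resolves to $($addrs -join ',') not $ExpectedIp (wildcard A record, step 4)" }
    } catch { & $bad "$probe does not resolve: $($_.Exception.Message) (step 4)" }

    return $findings
}

$findings = Test-SPAppHosting -ExpectedIp '10.0.0.12'
if ($findings.Count -eq 0) { 'App hosting prerequisites look complete' }
```

The DNS probe deliberately uses a hostname that does not exist as an app web, because that is exactly what a newly provisioned app web looks like: only a wildcard record answers for it, so a static record for a known app web would pass a test that real apps would fail.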
  • DEMO Provisioning support for SharePoint 2013 apps
  • Book giveaway question
  • MANAGING 2013 APPS
  • Creating an app catalog
    • Two primary purposes
      – Manage internally-developed apps
      – Manage app requests
    • A web app can only have one app catalog
      – An app catalog is associated with just one web app
    New-SPSite -Url https://teams.contoso.com/sites/AppCatalog -OwnerAlias "contoso\admin" `
        -Name "Contoso App Catalog" -Template "APPCATALOG#0"
    Update-SPAppCatalogConfiguration -Site https://teams.contoso.com/sites/AppCatalog
  • Managing app requests
    • If users cannot directly install apps, they must request them
    • Requests are stored in the app catalog
    • Add an alert to the App Requests list to be notified of new requests
    • Grant site collection admin on the app catalog to delegate this to others
  • Managing licenses
    • By default, only a farm admin can manage licenses
    • Management can be delegated on a license-by-license basis
  • Common questions
    • Who can provision apps?
      – Site owners (Create Sites + Manage permissions)
      – The provisioning user must have the permissions requested by the app
    • Can I disable the SharePoint Store?
      – Not completely. You can restrict whether users must request apps or not
      – Editing the AddAnApp.aspx page is a workaround to remove the link
  • DEMO Managing SharePoint 2013 apps
  • DEPLOYING CUSTOM PROVIDER-HOSTED APPS
  • Provider-hosted apps
    • Server-side code runs remotely, outside SharePoint
    • Each app has an app principal
    • For an on-premises farm, you can use an S2S trust or Azure ACS (O365 tenancy)
    • SSL is strongly recommended for the remote web
    • Integrated Windows auth on the remote web is required if you use the Visual Studio helper class (TokenHelper), because it builds the user's identity from the Windows logon
  • Configuring OAuth in SharePoint
    • Scenario: SharePoint Online (SPOL) and an on-premises app
    • Use AppRegNew.aspx to register the app principal
      – Generate an App Id and App Secret
      – For the app domain, use the host header of the remote web
      – Redirect URI is optional
    • Configure the remote web using the values from AppRegNew:
      <add key="ClientId" value="…" />       use the App Id value
      <add key="ClientSecret" value="…" />   use the App Secret value
      – Treat the App Secret as a credential: it is the only thing that authenticates the remote web to SharePoint
    • Add the .app package into the app catalog
  • Configuring S2S in SharePoint
    • Scenario: on-premises farm and on-premises app
    • Create an X.509 cert
      – Export to .cer (without the private key) for SharePoint
      – Export to .pfx (with the private key) and store it on the remote server
    • Run New-SPTrustedSecurityTokenIssuer
    • Run Register-SPAppPrincipal
    • Add the .app package into the app catalog
  • S2S – configuring SharePoint
    $certPath = "c:\temp\app.cer"          # public key only (.cer export)
    $spUrl = "https://teams.contoso.com"
    $appName = "My app name"
    $stsName = $appName + " STS"
    $issuerId = [System.Guid]::NewGuid().ToString().ToLower()
    $spweb = Get-SPWeb $spUrl
    $realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
    $cert = Get-PfxCertificate $certPath
    New-SPTrustedRootAuthority -Name "STS cert" -Certificate $cert
    $fullAppIdentifier = $issuerId + '@' + $realm
    New-SPTrustedSecurityTokenIssuer -Name $stsName -Certificate $cert `
        -RegisteredIssuerName $fullAppIdentifier -IsTrustBroker
    $appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier `
        -Site $spweb -DisplayName $appName
    # Keep $issuerId: the remote web needs it as its IssuerId and ClientId
  • S2S – configuring the remote web
    • Store the .pfx export of the cert in a local folder
    • Reference the cert in configuration (e.g. web.config)
    • For ClientId, use the $issuerId value from the previous script (from SharePoint)
    • ClientId and IssuerId can be the same
      <add key="ClientId" value="a63e90ea-289d-469b-8b35-c5748779c1b4" />
      <add key="ClientSigningCertificatePath" value="{path}\app.pfx" />
      <add key="ClientSigningCertificatePassword" value="pass@word1" />
      <add key="IssuerId" value="a63e90ea-289d-469b-8b35-c5748779c1b4" />
    • Anyone who can read this .pfx and its password can mint tokens for any user in the farm, so restrict the ACLs on the .pfx and web.config (or encrypt the appSettings section with aspnet_regiis -pe), and never reuse the farm's own STS signing certificate for an app
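The slides describe the certificate step in words and then give the SharePoint side as script, but the most common S2S failure is a mismatch between what SharePoint trusts and what the remote web signs with. The following is an added example (not from the slides) that creates and exports the certificate pair from the "Configuring S2S" slide, locks down the .pfx, and then verifies the trust end to end: the issuer name matches IssuerId@realm, the thumbprint SharePoint trusts equals the one in the .pfx, the .pfx actually carries a private key, the certificate is not the farm STS certificate, and the app principal exists. It assumes Windows Server 2012 or later (New-SelfSignedCertificate, Export-PfxCertificate) and the SharePoint 2013 Management Shell; the host name, folder, issuer id and site URL in the usage comment are placeholders.

```powershell
# Added example: create the S2S certificate files and verify the SharePoint trust matches
# the remote web's configuration. Assumes Windows Server 2012+ PKI cmdlets and the
# SharePoint 2013 Management Shell. All names and paths below are placeholders.
function New-S2SCertificateFiles {
    param(
        [Parameter(Mandatory)][string]$DnsName,        # e.g. the remote web's host name
        [Parameter(Mandatory)][string]$OutFolder,
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    # Self-signed is fine here: SharePoint trusts it explicitly via New-SPTrustedRootAuthority
    $cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My
    $cer  = Join-Path $OutFolder "$DnsName.cer"
    $pfx  = Join-Path $OutFolder "$DnsName.pfx"
    Export-Certificate    -Cert $cert -FilePath $cer | Out-Null                        # public key -> SharePoint
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $PfxPassword | Out-Null # private key -> remote web only
    # The .pfx signs tokens for any user in the farm: drop inherited ACEs, keep admins/SYSTEM,
    # then grant only Read to the remote web's app pool identity when you copy it over
    $acl = Get-Acl $pfx
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
    }
    Set-Acl $pfx $acl
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; CerPath = $cer; PfxPath = $pfx }
}

function Test-S2STrust {
    param(
        [Parameter(Mandatory)][string]$IssuerId,          # IssuerId / ClientId from web.config
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword,
        [Parameter(Mandatory)][string]$SiteUrl
    )
    $problems = @()
    $site  = Get-SPSite $SiteUrl
    $realm = Get-SPAuthenticationRealm -ServiceContext $site
    $expectedName = "$($IssuerId.ToLower())@$realm"        # RegisteredIssuerName is issuerId@realm
    $issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.RegisteredIssuerName -eq $expectedName }
    if (-not $issuer) { $problems += "no trusted issuer registered as $expectedName (check IssuerId and realm)" }
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, 'Exportable')
    if ($issuer -and $issuer.SigningCertificate.Thumbprint -ne $pfx.Thumbprint) {
        $problems += "SharePoint trusts thumbprint $($issuer.SigningCertificate.Thumbprint) but the remote web signs with $($pfx.Thumbprint)"
    }
    if (-not $pfx.HasPrivateKey) { $problems += "$PfxPath has no private key; the remote web cannot sign tokens" }
    if ($pfx.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "certificate expires $($pfx.NotAfter); tokens will stop validating" }
    $farmSts = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    if ($farmSts -and $farmSts.Thumbprint -eq $pfx.Thumbprint) {
        $problems += 'the remote web is using the farm STS signing certificate; issue a dedicated one'
    }
    $principal = Get-SPAppPrincipal -NameIdentifier $expectedName -Site $site -ErrorAction SilentlyContinue
    if (-not $principal) { $problems += "no app principal registered as $expectedName (Register-SPAppPrincipal)" }
    return $problems
}

# Usage (placeholders):
# $pw = Read-Host 'pfx password' -AsSecureString
# $files = New-S2SCertificateFiles -DnsName 'app.contoso.com' -OutFolder 'C:\temp' -PfxPassword $pw
# Test-S2STrust -IssuerId 'a63e90ea-289d-469b-8b35-c5748779c1b4' -PfxPath $files.PfxPath `
#     -PfxPassword $pw -SiteUrl 'https://teams.contoso.com'
```

An empty result from Test-S2STrust means the remote web can mint tokens SharePoint will accept; each string it returns names the slide step to revisit. The farm STS check is there because reusing that certificate is a tempting shortcut in labs and hands the app the same signing authority as the farm itself.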
  • Quick recap
    – Understanding 2013 Apps
    – Provisioning Support for 2013 Apps
    – Managing 2013 Apps
    – Deploying Provider-hosted Apps
  • For more information, see chapter 15
  • Q&A
  • Additional reading
    Topic                                  URL
    App permissions                        bit.ly/1g3w5wB
    Deploying apps with PowerShell         bit.ly/1ijTGsW
    OAuth authorization flow               bit.ly/1g3wjEa
    App principal registration             bit.ly/1j49DZ9
    Package and publish high trust apps    bit.ly/RmaNEh
  • Thank You. randy.williams@avepoint.com, @tweetraw