SharePoint Fest Chicago 2015 - Anatomy of configuring provider hosted add-in infrastructure for sharepoint 2013 on-premises, real-world end-to-end configuration blueprint

1. About Me
• Principal Consultant, Slalom Consulting, Chicago
• Current focus area Office 365 and SharePoint 2013
Contact Info
• Email - patenik2@yahoo.com
• Blog - Nik Patel's Logs from the Field - http://nikpatel.net/
• Twitter - @nikxpatel
• LinkedIn - linkedin.com/in/nikspatel
• Slideshare - slideshare.net/patenik2

3. Overview of SharePoint Add-ins

4. SharePoint Hosted Add-ins
Allows you to host your add-ins in SharePoint using client-side technologies and declarative workflows.
Provider Hosted Add-ins
Allows you to host your add-ins in your own infrastructure, technology, and server-side code.

5. Deploying SharePoint Artifacts
Allows you to deploy SharePoint artifacts rather than deploying through the full trust or sandbox model.
Business Widgets
Allows you to build SharePoint web parts where the code runs on the remote web application.
Stand-Alone Business Apps
Allows you to build standalone remote business applications like a performance dashboard or timesheet.

6. High-Trust Add-ins
Enables an on-premises add-ins hosting environment to host add-ins for SharePoint 2013 on-premises using certificate-based authorization.
Low-Trust Add-ins
Enables an on-premises add-ins hosting environment to host add-ins for SharePoint Online using Azure ACS OAuth-based authorization.

                  High Trust          Low Trust
Trust Mechanism   Digital Certs       Azure ACS
Token Creator     App itself          Azure ACS
App Host          On-Premises         Azure PaaS
Usage             On-Premises Only    Both Office 365 and On-Premises

7. On-Premises Only Add-ins (High Trust)
Allows you to deploy provider hosted add-ins on-premises for SharePoint on-premises using the High Trust model.
Cloud Add-ins for SharePoint Online (Low Trust)
Allows you to deploy provider hosted add-ins in Azure for SharePoint Online using the Low Trust model.
Cloud Add-ins for SharePoint On-Premises (Low Trust)
Allows you to deploy provider hosted add-ins in Azure for SharePoint on-premises using the Low Trust model.

8. [Diagram: SharePoint 2013 host web and app web (CSS, png, aspx, master, js) alongside the add-in hosting servers (web services, databases)]

9. Deep Dive in High-Trust Provider Hosted Add-ins Configuration

10. Step 1 – Preparing Infrastructure for High-Trust Provider Hosted Add-ins

11. Infrastructure
• Configure Add-ins Domain (either isolated or subdomain)
• Wildcard DNS entries for SharePoint Add-ins (optional)
• Wildcard Certificates for SharePoint Add-ins SSL communication (optional)
SharePoint Servers
• SharePoint Environment configured, optionally with SSL
• Routing SharePoint Web App configured for SharePoint Add-ins (optional)
• App Management and Subscription Settings Services & Service Applications
• Add-in Settings - App Prefix, App Hosting Domain, and App Catalog Site Collection
Provider Hosted Servers
• IIS and Application Server Role, .NET Framework 4.5 and later
• Install Web Deploy Tool for deployment
• Configure DNS entries, SSL certs, and IIS_IUSRS permissions on the cert

13. Mirjam Van Olst's classic article - http://sharepointchick.com/archive/2012/07/29/setting-up-your-app-domain-for-sharepoint-2013.aspx
18. PowerShell - configure SharePoint 2013 to host add-ins (run on a SharePoint server)

    # Specify parameters for your environment
    $ServiceAppPoolName = "SharePoint Hosted Services"              # See Shared Services App Pool Account in the Service Accounts page in Central Admin
    $AppManagementServiceDB = "NikSP_AppManagement"                 # Specify prefix for the App Management database
    $SubscriptionSettingsServiceDB = "NikSP_SubscriptionSettings"   # Specify prefix for the Subscription Settings database
    $appHostDomain = "apps.niks.local"                              # Specify the App hosting domain

    # Load the SharePoint PowerShell snap-in if it is not already loaded
    $snapin = Get-PSSnapin | Where-Object { $_.Name -eq 'Microsoft.SharePoint.PowerShell' }
    if ($snapin -eq $null) { Add-PSSnapin "Microsoft.SharePoint.PowerShell" }

    # Set the SharePoint 2013 App Domain
    Set-SPAppDomain $appHostDomain

    # Start the SharePoint App Management Service if it isn't running
    $appMgmtSvcInstance = Get-SPServiceInstance | Where-Object { $_.GetType().Name -eq "AppManagementServiceInstance" }
    if ($appMgmtSvcInstance.Status -ne "Online") { $silence = Start-SPServiceInstance -Identity $appMgmtSvcInstance }

    # Start the SharePoint Subscription Settings Service if it isn't running
    $appSubSettingSvcInstance = Get-SPServiceInstance | Where-Object { $_.GetType().Name -eq "SPSubscriptionSettingsServiceInstance" }
    if ($appSubSettingSvcInstance.Status -ne "Online") { $serviceInstance = Start-SPServiceInstance -Identity $appSubSettingSvcInstance }

19. (continued)

    # Get the Application Pool for hosting service applications
    $appPoolServiceApps = Get-SPServiceApplicationPool -Identity $ServiceAppPoolName

    # Provision the Subscription Settings Service Application and its proxy
    $appSubSvc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $appPoolServiceApps -Name "Settings Service Application" -DatabaseName $SubscriptionSettingsServiceDB
    $proxySubSvc = New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $appSubSvc

    # Create the App Management Service Application and its proxy
    $appAppSvc = New-SPAppManagementServiceApplication -ApplicationPool $appPoolServiceApps -Name "App Management Service Application" -DatabaseName $AppManagementServiceDB
    $proxyAppSvc = New-SPAppManagementServiceApplicationProxy -ServiceApplication $appAppSvc

    # Recycle IIS
    IISRESET

    # Set the default on-premises tenant add-in prefix for add-ins
    Set-SPAppSiteSubscriptionName -Name "app" -Confirm:$false

    # SharePoint 2013 is now configured to host add-ins
20.
• http://www.iis.net/downloads/microsoft/web-deploy
• http://go.microsoft.com/?linkid=9278654

21.
• Add DNS entries to resolve the provider hosted add-in URL
• Import a High Trust certificate on the Add-ins Host Servers
  - If you don't have PFX and CER files from the external/internal CA, one way to obtain them is to export from the SharePoint servers with the private key (e.g. NiksHighTrustCert.pfx) and with the public key only (e.g. NiksHighTrustCert.cer) for all the certs in the chain, including root CAs and other parent certs (RootCAHighTrustCert.cer).
  - The CER format is required to register the cert with SharePoint; the PFX format is required for the Add-ins.
  - Usually the high trust certificate is the same wildcard cert used for the SharePoint web applications, if the high trust Add-ins and SharePoint share the same domain.
• Configure BUILTIN\IIS_IUSRS access to the High Trust cert
  - For the separate IIS server hosting Add-ins, give BUILTIN\IIS_IUSRS full control permission on the cert
  - On Windows Server 2012 R2, use the command line tool - Windows HTTP Services Certificate Configuration Tool - WinHttpCertCfg.exe
  - On Windows Server 2008 R2, you can use the Microsoft WSE 2.0 SP3 GUI tool: look up the wildcard cert (e.g. *.niks.local), give full control to IIS_IUSRS from the machine, and restart IIS
  - If IIS_IUSRS doesn't have permission, it will throw a "Keyset does not exist" error - http://webservices20.blogspot.com/2011/02/wcf-keyset-does-not-exist.html
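The certificate checks from slide 21, written out as an added PowerShell script (this is not part of the original deck). It assumes Windows PowerShell on Windows Server 2012 R2, that WinHttpCertCfg.exe is on the PATH, and that the certificate's subject starts with CN=*.niks.local; the subject, the store and the IIS_IUSRS group are the slide's example values, the parameter names are mine.

```powershell
# Added example: verify the high-trust certificate on an add-ins host server before
# the remote web depends on it. Subject and account come from the slides; the script
# and its parameter names are assumptions, not the deck's own code.
param(
    [string]$Subject = "CN=*.niks.local",
    [string]$Account = "IIS_IUSRS"
)

# 1. Locate the certificate in the machine personal store; prefer the one expiring last.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject.StartsWith($Subject) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }

# 2. The add-in signs tokens, so it needs the private key: a CER import alone is not enough.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; import the PFX on this server"
}

# 3. Report the values the later steps need. SerialNumber is the value that goes into
#    ClientSigningCertificateSerialNumber; expiry is worth knowing before go-live.
[pscustomobject]@{
    Subject      = $cert.Subject
    Thumbprint   = $cert.Thumbprint
    SerialNumber = $cert.SerialNumber
    NotAfter     = $cert.NotAfter
    DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
}

# 4. Grant the IIS worker identity access to the private key (the slides use WinHttpCertCfg
#    for this) and then list the accounts that can use the key, so the grant can be confirmed.
$subjectName = $Subject -replace '^CN='
& winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s $subjectName -a $Account
& winhttpcertcfg.exe -l -c LOCAL_MACHINE\My -s $subjectName
```

Run it once per add-ins host server after importing the PFX; the listing from the last line is the quickest way to confirm the "Keyset does not exist" error will not appear at first request.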
22. Step 2 – Configuring High-Trust for Provider Hosted Add-ins

23.
• Remove the existing SPTrustedSecurityTokenIssuer if one exists
• Run PowerShell to configure High Trust – trust the cert using New-SPTrustedSecurityTokenIssuer
• Configure valid AllowOAuthOverHTTP settings for SSL or non-SSL communication between SharePoint and Provider Hosted Add-ins

24. Remove the existing SPTrustedSecurityTokenIssuer if one exists
• On the SP Server, log in as the Setup account to run the PowerShell script and check whether any previously registered SPTrustedSecurityTokenIssuer exists.
• If there is a malfunctioning one and the –IsTrustBroker switch was used, then the bad token issuer might be getting called.
• If this is the first time you are configuring the high trust add-in, you can skip this step.
• Run Get-SPTrustedSecurityTokenIssuer.
• If no Azure workflow is configured, this command should return empty.
• If you get any issuer other than the workflow, run Remove-SPTrustedSecurityTokenIssuer (pass the Id value from the above output) to delete it.

25. Configure the High Trust using Certificates
• Run the PowerShell script from the SP Server to register the cert with SharePoint, using the public (.cer) key to configure trust for your add-in
• Each certificate in the chain is added to SharePoint's list of trusted root authorities with a call to the New-SPTrustedRootAuthority cmdlet.
• The IssuerID is needed each time you create add-ins in Visual Studio, so put it somewhere safe (e.g. 9F0FF6C4-0DA6-429B-959A-07847DF6BF37)
• Get the Serial Number from the App Cert - 6114c562000000000005 (steps here - https://msdn.microsoft.com/EN-US/library/office/jj860570.aspx#ConfigureRemote)

26. https://msdn.microsoft.com/en-us/library/office/fp179901.aspx

27. Configure valid settings for AllowOAuthOverHTTP
• Configure AllowOAuthOverHTTP to FALSE for SSL communication between SharePoint and Provider Hosted Add-ins.
• If any of your IIS webs (either SharePoint or the Provider hosted web add-in) has HTTP bindings, you must set AllowOAuthOverHTTP to TRUE, otherwise you will get a 403 error.

    $serviceConfig = Get-SPSecurityTokenServiceConfig
    $serviceConfig.AllowOAuthOverHttp = $false
    $serviceConfig.Update()
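Slides 24 to 27 describe one procedure: clean up a stale issuer, trust the certificate chain, register the token issuer, then decide AllowOAuthOverHttp. The following PowerShell script is an added, end-to-end version of that procedure; it is not the deck's script. It assumes it runs on a SharePoint server as the setup account, that the public-key files live under C:\Certs (the file names are assumptions, the issuer ID and cert names are the slide's example values), and that the issuer name "NiksHighTrustAddins" is free to use.

```powershell
# Added example: register the high-trust certificate chain and token issuer with SharePoint.
# Paths and the issuer name are assumptions; the issuer ID is the slide's example value.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerId      = "9f0ff6c4-0da6-429b-959a-07847df6bf37"   # keep this: Visual Studio needs it for every add-in
$issuerName    = "NiksHighTrustAddins"
$addinCerPath  = "C:\Certs\NiksHighTrustCert.cer"          # public key only; the PFX never leaves the add-ins host
$chainCerPaths = @("C:\Certs\RootCAHighTrustCert.cer")     # root / intermediate certs, public keys

# Slide 24: remove only an issuer with our name; a workflow issuer must be left alone.
Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $issuerName } |
    ForEach-Object { Remove-SPTrustedSecurityTokenIssuer -Identity $_.Id -Confirm:$false }

# Slide 25: every certificate in the chain becomes a trusted root authority (idempotent).
$addinCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($addinCerPath)
foreach ($path in @($addinCerPath) + $chainCerPaths) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
    $name = "HighTrust-" + $c.Thumbprint
    if (-not (Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq $name })) {
        New-SPTrustedRootAuthority -Name $name -Certificate $c | Out-Null
    }
}

# The registered issuer name is <IssuerId>@<farm realm>; the GUID must be lowercase.
$realm = Get-SPAuthenticationRealm
$registeredIssuer = "$($issuerId.ToLower())@$realm"
New-SPTrustedSecurityTokenIssuer -Name $issuerName -Certificate $addinCert `
    -RegisteredIssuerName $registeredIssuer -IsTrustBroker | Out-Null

# Slide 27: allow OAuth over HTTP only if a SharePoint web application still answers on http://.
# This checks the SharePoint side only; HTTP bindings on the remote web also require $true.
$httpWebApps = Get-SPWebApplication | Where-Object { $_.Url -like "http://*" }
$config = Get-SPSecurityTokenServiceConfig
$config.AllowOAuthOverHttp = [bool]$httpWebApps     # $false when everything is on SSL
$config.Update()

# SharePoint caches issuers; an IIS reset makes the new issuer usable immediately.
iisreset
"Issuer registered as $registeredIssuer; AllowOAuthOverHttp = $($config.AllowOAuthOverHttp)"
```

The HTTP check looks at web application URLs only, not alternate access mappings, so farms with an http:// zone on an otherwise SSL web application should set the value by hand as slide 27 shows.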
28. Step 3 – High-Trust Provider Hosted Add-ins Deployment

29.
• On the DNS Servers
  - Make sure a DNS entry is available for the Add-ins URL; PING to verify
• On the Provider Hosted Server
  - Create an IIS Web Site and Virtual Directories to host the Add-ins

30.
• The remote web can be deployed on IIS; make sure ASP.NET is included in the installed features
• Web Site Name (e.g. ProviderHostedProdApp) and local folder (e.g. C:\inetpub\wwwroot\phprodapp)
• Add a new DNS entry for the remote web add-in (e.g. phprodapp.niks.local to the server or load-balancer IP) and see if you can ping it
• Bind this cert with SSL (e.g. *.niks.local), Host Header (e.g. phprodapp.niks.local), and IP (e.g. 192.168.1.51)
• Ensure the .NET 4.0 framework is selected as the target framework - make sure the Application Pool is using v4.0, otherwise you will get an error while deploying code
• Configure Authentication of the Remote Web on IIS
  - Disable Anonymous Authentication for the IIS site hosting the Remote Web
  - Enable Windows Authentication for the IIS site hosting the remote web and make sure the NTLM provider is listed above Negotiate
• Add Virtual Directories to host the Add-ins
  - Alias (e.g. prodphapp), Path (e.g. C:\inetpub\wwwroot\phprodapp\prodphapp)
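The slide 29 and 30 checklist as an added PowerShell script for the add-ins host server; it is my example, not the deck's. It assumes the IIS WebAdministration module (Windows Server 2012 R2), that the *.niks.local certificate is already in LocalMachine\My, and it uses the slide's example site name, paths, host header and IP.

```powershell
# Added example: build the remote web site that the Web Deploy package targets
# (ProviderHostedProdApp/prodphapp). All names and values are the slide's examples.
Import-Module WebAdministration

$siteName    = "ProviderHostedProdApp"
$sitePath    = "C:\inetpub\wwwroot\phprodapp"
$vdirName    = "prodphapp"
$vdirPath    = "C:\inetpub\wwwroot\phprodapp\prodphapp"
$hostHeader  = "phprodapp.niks.local"
$ipAddress   = "192.168.1.51"
$certSubject = "CN=*.niks.local"

# Slide 29: the DNS entry must resolve and answer before the site is created.
if (-not (Test-Connection -ComputerName $hostHeader -Count 1 -Quiet)) {
    throw "$hostHeader does not resolve or answer; fix DNS before creating the site"
}

# Application pool on .NET v4.0 (a different runtime version fails at deployment time).
New-Item $sitePath, $vdirPath -ItemType Directory -Force | Out-Null
if (-not (Test-Path "IIS:\AppPools\$siteName")) { New-WebAppPool -Name $siteName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$siteName" -Name managedRuntimeVersion -Value "v4.0"

# HTTPS-only site bound to the wildcard certificate, host header and IP.
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Website -Name $siteName -PhysicalPath $sitePath -ApplicationPool $siteName `
        -Port 443 -Ssl -HostHeader $hostHeader -IPAddress $ipAddress | Out-Null
}
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject.StartsWith($certSubject) } | Select-Object -First 1
if (-not $cert) { throw "Certificate $certSubject not found in LocalMachine\My" }
(Get-WebBinding -Name $siteName -Protocol https).AddSslCertificate($cert.Thumbprint, "My")

# Authentication: anonymous off, Windows on, NTLM listed before Negotiate.
# Writing with -Location puts the settings in applicationHost.config, which works even
# when these sections are locked against web.config overrides.
$auth = "/system.webServer/security/authentication"
Set-WebConfigurationProperty -PSPath IIS:\ -Location $siteName -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath IIS:\ -Location $siteName -Filter "$auth/windowsAuthentication" -Name enabled -Value $true
foreach ($p in "Negotiate", "NTLM") {
    Remove-WebConfigurationProperty -PSPath IIS:\ -Location $siteName -Filter "$auth/windowsAuthentication/providers" -Name "." -AtElement @{value = $p} -ErrorAction SilentlyContinue
}
foreach ($p in "NTLM", "Negotiate") {
    Add-WebConfigurationProperty -PSPath IIS:\ -Location $siteName -Filter "$auth/windowsAuthentication/providers" -Name "." -Value @{value = $p}
}

# Virtual directory that receives the published app web.
if (-not (Test-Path "IIS:\Sites\$siteName\$vdirName")) {
    New-WebVirtualDirectory -Site $siteName -Name $vdirName -PhysicalPath $vdirPath | Out-Null
}
```

The provider list is removed and re-added rather than edited in place because IIS honours the order of the providers collection, and the inherited server-level order puts Negotiate first.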
31. App registration values
App Id: f5b99211-2f48-4747-8af0-bdfbbcf1b1b5
App Secret: ER8VtsjIfOU1Y2NrTMCfph+2LACCeOUpiaEMqr/zE2Y=
Title: Prod Provider Hosted App
App Domain: phprodapp.niks.local
Redirect URI: https://phprodapp.niks.local/prodphapp/pages/default.aspx
• App Registration – ~siteURL/_layouts/15/appregnew.aspx
• App Lookup - ~siteURL/_layouts/15/appinv.aspx
  - App Id - generate
  - App secret - generate
  - App domain - phprodapp.niks.local
  - Redirect URL - https://phprodapp.niks.local/prodphapp/pages/default.aspx

33. Update the Web.Config file of the App Web
• VS adds ClientSigningCertificatePath and ClientSigningCertificatePassword. This requires the certificate to be downloaded and stored on the local file system.

    <appSettings>
      <add key="ClientId" value="f5b99211-2f48-4747-8af0-bdfbbcf1b1b5" />
      <add key="ClientSigningCertificatePath" value="C:\Certs\NiksHighTrustCert.pfx" />
      <add key="ClientSigningCertificatePassword" value="pass@word1" />
      <add key="IssuerId" value="9f0ff6c4-0da6-429b-959a-07847df6bf37" />
    </appSettings>

• No changes in the Token Issuer file in the VS project
• The Visual Studio template for a Provider hosted add-in contains code to create the access token based on the certificate location.

34. Update the Web.Config file of the App Web
• VS adds ClientSigningCertificatePath and ClientSigningCertificatePassword. This shouldn't be used for production add-ins. Instead use ClientSigningCertificateSerialNumber.
• Find the ClientSigningCertificateSerialNumber from the cert bound to the provider hosted add-in (e.g. *.niks.local)

    <appSettings>
      <add key="ClientId" value="f5b99211-2f48-4747-8af0-bdfbbcf1b1b5" />
      <add key="ClientSigningCertificateSerialNumber" value="6114c562000000000005" />
      <add key="IssuerId" value="9f0ff6c4-0da6-429b-959a-07847df6bf37" />
    </appSettings>

• Update the Token Issuer file in the VS project
• Since you are using the Serial Number instead of the cert path and password for authorization, you need to update the code to retrieve the cert based on the serial number - see the Token Issuer section here - https://msdn.microsoft.com/en-us/library/office/jj860570.aspx

35. Provider Hosted Add-ins consist of two projects in Visual Studio
• Publishing App Web Package
  - Publishing the App web copies the files to the remote web server, where they are deployed on IIS
  - Create the AppWeb package from Visual Studio using the publish approach
  - Create Profile (e.g. NiksRemote)
  - Connection - Publish Method - Web Deploy Package, Package Location (e.g. C:\Deploy\ProdProviderHostedAppWeb\ProdProviderHostedAppWeb.zip) and Remote IIS Web Site Name (e.g. ProviderHostedProdApp/prodphapp)
  - Click Next - Release and Publish Package
• Publishing Add-ins Package
  - Publishing the App produces an App file (.app extension) that needs to be uploaded to the App Catalog site to make it available to SharePoint sites
  - Create the App package from Visual Studio using the publish approach
  - Remote Add-ins URL where the web site is hosted (e.g. https://phprodapp.niks.local/prodphapp)
  - Remote Add-ins Client ID (e.g. f5b99211-2f48-4747-8af0-bdfbbcf1b1b5)

36. Deploying App Web Package
• Copy the Package to the Remote Add-ins server; make sure Web Deploy is installed on the additional server
• Open a cmd window and run the AppWeb deployment command (e.g. C:\Deploy\ProdProviderHostedAppWeb>ProdProviderHostedAppWeb.deploy.cmd /y)
• Verify all the contents are getting published on the IIS virtual directory
• Deploy the App Package to the App Catalog

37. https://msdn.microsoft.com/en-us/library/office/fp179921.aspx

39. Q&A
• Blog - http://nikpatel.net/
• Twitter - @nikxpatel
• Slideshare - slideshare.net/patenik2
