As a SharePoint administrator managing your on-premises environment, building and managing environments to support 2013 apps is far from trivial. In this IT-Pro centric topic, we’ll bypass all of the developer ballyhoo and hone in on what matters most to you. Topics will include provisioning service applications and an app catalog; understanding and configuring OAuth and Server-to-Server (S2S) scenarios; understanding the app model’s security strengths and weaknesses; and developing governance policies to ensure you can properly manage and control these next-generation solutions.

1. An IT Pro Guide for Deploying and
Managing SharePoint 2013 Apps
Randy Williams
randy.williams@avepoint.com
@tweetraw

2. Randy Williams
Director of ACSAuthor

3. Our Agenda
Understanding
2013 Apps
Provisioning
Support for
2013 Apps
Managing
2013 Apps
Deploying
Provider-
hosted Apps

4. UNDERSTANDING 2013 APPS

5. #espc14@tweetraw
So - what exactly is an app?
• Can contain some declarative SharePoint artifacts
• External app can provide UI through SharePoint IFrame or full
screen
• External app uses CSOM or REST (OData) to call back
• No custom server-side code running on SharePoint servers
An application whose interface is
launched from or surfaced through
SharePoint but code is executed
elsewhere

6. How an app runs

7. #espc14@tweetraw
Host web & app web
• The host web is where app is added, removed, upgraded
• If app contains SharePoint artifacts, a sub-web is
created underneath the host web
• This sub-web is called the app web
• App web is only accessible using isolated domain name
– https://{AppPrefix}-{ID}.{AppDomain}/path/{AppName}
https://teams.contoso.com
https://app-af48d482118ab1.appscontoso.com/myapp

8. #espc14@tweetraw
Understanding the app web url
• The app prefix is defined when you configure support for SharePoint
apps
• The app id is an app-unique hex string automatically generated
• The app domain is the DNS name you configure
• The host web relative url is the portion of the url that is relative to the
web application
• The app name is set by the developer
https://<app prefix>–<app id>.<app domain>/<host web relative url>/<app name>
https://app-af48d482118ab1.appscontoso.com/sites/projects/foo/myapp

9. #espc14@tweetraw
App principal
• A 2013 app uses a new security principal called, app
principal
• The developer sets the
permissions the app will need
• Permissions are delegated to
app principal when app is
provisioned
If user does not have the permissions the
app needs, it cannot be provisioned

10. #espc14@tweetraw
App policies
The developer sets the app permission policy in the
app manifest
<AppPermissionRequests AllowAppOnlyPolicy="true|false">
Policy type Attribute value What it means
User & app
policy
false (default) Both the user and the app must have
permissions to perform an action.
App only
policy
true Only the app needs permissions to
perform an action. You must be a site
collection admin to provision apps of
this type. (Think of this as an elevation
of privileges)

11. #espc14@tweetraw
App permission scope
• Permissions are not inherited like user principals
• Permissions are granted to one of four scopes
– Tenancy (meaning all web apps if not using multi-tenancy)
– Site collection
– Web (meaning host web)
– List (by default, all lists in host web)
• App receives the requested permission to all objects
contained in this scope

12. DEMO
Reviewing app web url

13. PROVISIONING SUPPORT FOR
2013 APPS

14. #espc14@tweetraw
Four steps to host apps
on premises
1. Create an app tenancy
2. Configure app url settings
3. Configure redirection web app
4. Configure DNS

15. #espc14@tweetraw
Creating an app tenancy
• Create App Management Service app
– Tracks app instances, licenses, app principals
• Create Subscription Settings Service app
– Provides app isolation
• Do not use the farm account for the app pools
• The account does not need to be a local admin
• Start these services on the designated server(s)
1

16. Scripting the app tenancy
$dbserver="sql1"
$wfe="wfe1"
$acct = "contosoSP.AppPool“
$subPool = New-SPServiceApplicationPool -name "SubscriptionSettingsAppPool" –account $acct
$appPool = New-SPServiceApplicationPool -name "AppManagementAppPool" -account $acct
$name = "App Management Service"
$svc = New-SPAppManagementServiceApplication -ApplicationPool $appPool -Name $name - `
DatabaseName "AppManagement" -DatabaseServer $dbserver
New-SPAppManagementServiceApplicationProxy -ServiceApplication $svc -Name "$name Proxy"
$name = "Subscription Settings Service"
$svc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $subPool -Name $name `
-DatabaseName "SubscriptionSettings" -DatabaseServer $dbserver
New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $svc
Get-SPServiceInstance | where {$_.typename -in ("App Management Service", `
"Microsoft SharePoint Foundation Subscription Settings Service") -and $_.Parent -like `
"*$wfe"} | Start-SPServiceInstance

17. #espc14@tweetraw
Configure app url settings
• There are two settings you need to specify
– App Prefix and App Domain
• Security wise, it is best to have app domain be a top-level
domain (e.g. appscontoso.com)
• Set in Central Administration or PowerShell
Set-SPAppDomain "appscontoso.com"
Set-SPAppSiteSubscriptionName `
-Name "apps" -Confirm:$false
2

18. #espc14@tweetraw
Configure redirection web app
• Create a dedicated SP web application
– Make sure host header is blank
– No content database needed
– It is only used for “app redirection”
• Bind IIS web site to a dedicated IP address
• SSL strongly recommended
– Use a wildcard certificate (e.g. *.appscontoso.com)
– Bind certificate to this IIS web site
3

19. #espc14@tweetraw
Sample IIS bindings
Type Host name Port IP Address SSL certificate Description
https teams.contoso.com 443 10.0.0.10 teams.contoso.com Regular SP web
application
https portal.contoso.com 443 10.0.0.11 portal.contoso.com Regular SP web
application
https <blank> 443 10.0.0.12 *.appscontoso.com
SharePoint web
application used for
app redirection

20. #espc14@tweetraw
Configure DNS
• Create an authoritative zone for the app domain
• Dynamic hostname resolution is needed, so you’ll
need a wildcard “A” record
– For example: *.appscontoso.com
• Host (“A” record) points to the IP address for the
“redirection” web app
– 10.0.0.12 from previous slide
4

21. DEMO
Provisioning support for SharePoint 2013 apps

22. Book giveaway question

23. MANAGING 2013 APPS

24. #espc14@tweetraw
Creating an app catalog
• Two primary purposes
– Manages internally-developed apps
– Manage app requests
• Web app can only have one app catalog
– App catalog is associated with just one web app
New-SPSite -Url http://teams.contoso.com/sites/AppCatalog -OwnerAlias `
"contosoadmin" -Name "Contoso App Catalog" -Template "APPCATALOG#0"
Update-SPAppCatalogConfiguration -site `
http://teams.contoso.com/sites/AppCatalog

25. #espc14@tweetraw
Managing app requests
• If users cannot directly install apps, they must request
• Requests are stored in the app catalog
• Add an alert to the App Requests list to be notified of
new requests
• Grant site collection admin on app catalog to delegate
to others

26. #espc14@tweetraw
Managing licenses
• By default, only farm admin can manage licenses
• Management can be delegated out on a license-by-
license basis

27. #espc14@tweetraw
Common questions
• Who can provision apps?
– Site owners (Create Sites + Manage permissions)
– Provisioning user must have permissions requested by app
• Can I disable the SharePoint Store?
– Not completely. You can restrict whether users must request
apps or not
– Editing AddAnApp.aspx page is a workaround to remove the
link

28. DEMO
Managing SharePoint 2013 apps

29. DEPLOYING CUSTOM PROVIDER-
HOSTED APPS

30. #espc14@tweetraw
Provider-hosted apps
• Server-side code runs remotely, outside SharePoint
• Each app has an app principal
• For on-premises farm, you can use a S2S trust or
Azure ACS (O365 tenancy)
• SSL is strongly recommended for remote web
• Integrated Windows auth on remote web is required
if using Visual Studio helper class

31. #espc14@tweetraw
Configuring OAuth in SharePoint
• Scenario: SPOL and on-premises app
• Use AppRegNew.aspx to register app principal
– Generate App Id and App Secret
– For app domain, use host header of remote web
– Redirect URI is optional
• Configure remote web using values from AppRegNew
<add key="ClientId" value="…" /> Use App Id value
<add key="ClientSecret" value="…" /> use App Secret value
• Add the .app package into the app catalog

32. #espc14@tweetraw
Configuring S2S in SharePoint
• Scenario: On-premises farm and app
• Create a X.509 cert
– Export to .cer (without private key)
– Export to .pfx (with private key) and store on remote
server
• Run New-SPTrustedSecurityTokenIssuer
• Run Register-SPAppPrincipal
• Add the .app package into the app catalog

33. S2S – configuring SharePoint
$certPath = "c:tempapp.cer"
$spUrl = "https://teams.contoso.com"
$appName = "My app name"
$stsName = $appName + " STS"
$issuerId = [System.Guid]::NewGuid().ToString().ToLower()
$spweb = Get-SPWeb $spUrl
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
$cert = Get-PfxCertificate $certPath
New-SPTrustedRootAuthority -Name "STS cert" -Certificate $cert `
$fullAppIdentifier = $issuerId + '@' + $realm
New-SPTrustedSecurityTokenIssuer -name $stsName -Certificate $cert `
-RegisteredIssuerName $fullAppIdentifier -IsTrustBroker
$appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier `
-Site $spweb -DisplayName $appName

34. #espc14@tweetraw
S2S - configuring remote web
• Store .pfx export of cert in a local folder
• Reference cert in configuration (e.g. web.config)
• For ClientId, use $issuerId value from previous script
(from SharePoint)
• ClientId and IssuerId can be the same
<add key="ClientId" value="a63e90ea-289d-469b-8b35-c5748779c1b4" />
<add key="ClientSigningCertificatePath" value="{path}app.pfx" />
<add key="ClientSigningCertificatePassword" value="pass@word1" />
<add key="IssuerId" value=" a63e90ea-289d-469b-8b35-c5748779c1b4" />

35. Quick recap
Understanding
2013 Apps
Provisioning
Support for
2013 Apps
Managing
2013 Apps
Deploying
Provider-
hosted Apps

36. For more
information,
see chapter 15
Q&A

37. #espc14@tweetraw
Additional reading
Topic Url
App permissions bit.ly/1g3w5wB
Deploying apps with PowerShell bit.ly/1ijTGsW
OAuth authorization flow bit.ly/1g3wjEa
App principal registration bit.ly/1j49DZ9
Package and publish high trust apps bit.ly/RmaNEh

38. Thank
You
Thank You
randy.williams@avepoint.com
@tweetraw