1. SharePoint Fest Chicago 2015 - Anatomy of configuring provider hosted add-in infrastructure for SharePoint 2013 on-premises, real-world end-to-end configuration blueprint
2. About Me
• Principal Consultant, Slalom Consulting, Chicago
• Current focus area: Office 365 and SharePoint 2013
Contact Info
• Email - patenik2@yahoo.com
• Blog - Nik Patel’s Logs from the Field - http://nikpatel.net/
• Twitter - @nikxpatel
• LinkedIn - linkedin.com/in/nikspatel
• Slideshare - slideshare.net/patenik2
5. SharePoint-Hosted Add-ins
Allows you to host your add-ins inside SharePoint itself, using client-side technologies and declarative workflows.
Provider-Hosted Add-ins
Allows you to host your add-ins in your own infrastructure, with your own technology stack and server-side code.
6. Deploying SharePoint Artifacts
Allows you to deploy SharePoint artifacts without going through the full-trust or sandboxed solution model.
Business Widgets
Allows you to build SharePoint web parts whose code runs on the remote web application.
Stand-Alone Business Apps
Allows you to build standalone remote business applications, such as a performance dashboard or a timesheet.
7. High-Trust Add-ins
Enables an on-premises hosting environment to host add-ins for SharePoint 2013 on-premises using certificate-based authorization: the add-in signs its own access tokens with a certificate that the farm has been configured to trust.
Low-Trust Add-ins
Enables a hosting environment to host add-ins for SharePoint Online using Azure ACS OAuth-based authorization: Azure ACS, not the add-in, issues the tokens.

                   High Trust               Low Trust
Trust Mechanism    Digital certificates     Azure ACS
Token Creator      The add-in itself        Azure ACS
App Host           On-premises              Azure PaaS
Usage              On-premises only         Both Office 365 and on-premises
8. On-Premises Only Add-ins (High Trust)
Allows you to deploy provider-hosted add-ins on-premises for SharePoint on-premises using the High Trust model.
Cloud Add-ins for SharePoint Online (Low Trust)
Allows you to deploy provider-hosted add-ins in Azure for SharePoint Online using the Low Trust model.
Cloud Add-ins for SharePoint On-Premises (Low Trust)
Allows you to deploy provider-hosted add-ins in Azure for SharePoint on-premises using the Low Trust model.
12. Infrastructure
• Configure an add-ins domain (either an isolated domain or a subdomain)
• Wildcard DNS entries for SharePoint add-ins (optional)
• Wildcard certificate for SSL communication with SharePoint add-ins (optional)
SharePoint Servers
• SharePoint environment configured, optionally with SSL
• Routing SharePoint web application configured for SharePoint add-ins (optional)
• App Management and Subscription Settings services and service applications
• Add-in settings - app prefix, app hosting domain, and App Catalog site collection
Provider Hosted Servers
• IIS and Application Server role, .NET Framework 4.5 or later
• Install the Web Deploy tool for deployment
• Configure DNS entries, SSL certificates, and IIS_IUSRS permissions on the certificate's private key
22. Add DNS entries to resolve the provider-hosted add-in URL
Import a High Trust certificate on the add-in host servers
If you don't have PFX and CER files from the external/internal CA, one way to obtain them is to export, from the SharePoint servers, the certificate with its private key (e.g. NiksHighTrustCert.pfx) and with its public key only (e.g. NiksHighTrustCert.cer), plus every root CA and other parent certificate in the chain (e.g. RootCAHighTrustCert.cer).
The CER (public key) is what you register with SharePoint; the PFX (private key) is what the add-in uses to sign its access tokens.
Usually the high trust certificate is the same wildcard certificate used for the SharePoint web applications, when the high trust add-ins and SharePoint share a domain. Keep in mind that whoever can read that private key can mint a SharePoint access token for any user, so if the SSL certificate is spread across many servers, a dedicated signing certificate with a narrower footprint is the safer choice.
Configure BUILTIN\IIS_IUSRS access to the High Trust certificate
On the separate IIS server hosting the add-ins, give BUILTIN\IIS_IUSRS full control of the certificate's private key (read access is all that token signing actually needs).
On Windows Server 2012 R2, use the command line tool - Windows HTTP Services Certificate Configuration Tool - WinHttpCertCfg.exe
On Windows Server 2008 R2, you can use the Microsoft WSE 2.0 SP3 GUI tool: look up the wildcard certificate (e.g. *.niks.local), give IIS_IUSRS from the machine full control, and restart IIS.
If IIS_IUSRS doesn't have permission, the add-in throws a "Keyset does not exist" error -
http://webservices20.blogspot.com/2011/02/wcf-keyset-does-not-exist.html
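The certificate steps above as one script, added here as an example and not part of the original deck. It imports the PFX into the computer store on the add-in host, exports the CER that the farm will trust, grants the private key to the account the add-in runs as, and verifies the grant that prevents the "Keyset does not exist" error. It assumes Windows Server 2012 R2 (the PKI module's Import-PfxCertificate), a CAPI RSA key as produced by a normal PFX export, and placeholder paths, subject and account names.

```powershell
# Added example, not the deck's own script. Paths, the subject *.niks.local and
# the account are placeholders; replace them with your own values.
Import-Module PKI

$pfxPath = 'C:\Certs\NiksHighTrustCert.pfx'
$cerPath = 'C:\Certs\NiksHighTrustCert.cer'
$pfxPass = Read-Host -Prompt 'PFX password' -AsSecureString   # never hard-code the PFX password
$account = 'BUILTIN\IIS_IUSRS'   # the deck's choice; 'IIS AppPool\<pool name>' is tighter

# 1. Import the PFX (with private key) into the computer's Personal store on the add-in host.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPass
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key; import the PFX, not the CER' }
'Subject: {0}  Serial: {1}  Thumbprint: {2}' -f $cert.Subject, $cert.SerialNumber, $cert.Thumbprint

# 2. Export the public part. This CER (never the PFX) is what gets registered on the SharePoint farm.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 3. Let the process that signs tokens read the private key. Read is enough to sign.
#    Assumption: CAPI (RSA CSP) key, whose container lives under MachineKeys.
try   { $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName }
catch { throw 'Not a CAPI key; grant access via certlm.msc > All Tasks > Manage Private Keys instead' }
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. Verify the grant; a missing entry here is exactly the "Keyset does not exist" case.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```

Run it in an elevated PowerShell on the provider-hosted server. Granting Read rather than Full Control keeps the add-in from being able to re-ACL or delete its own signing key if the remote web is ever compromised.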
24. Remove the existing SPTrustedSecurityTokenIssuer, if one exists
Run PowerShell to configure High Trust
– Trust the certificate using New-SPTrustedSecurityTokenIssuer
Configure valid AllowOAuthOverHTTP settings for SSL or non-SSL communication between SharePoint and the provider-hosted add-ins
25. Remove the existing SPTrustedSecurityTokenIssuer, if one exists
On the SharePoint server, log in as the setup account to run the PowerShell script, and check whether a previously registered SPTrustedSecurityTokenIssuer exists.
If a malfunctioning one exists and it was registered with the -IsTrustBroker switch, the bad token issuer may be the one being called.
If this is the first time you are configuring a high trust add-in, you can skip this step.
Run Get-SPTrustedSecurityTokenIssuer.
If no Workflow Manager (Azure workflow) is configured, this command should return nothing.
If you get any issuer other than the workflow one, run Remove-SPTrustedSecurityTokenIssuer (passing the Id value from the output above) to delete it.
26. Configure High Trust using certificates
Run the PowerShell script on the SharePoint server to register the certificate with SharePoint, using the public key (CER), to configure trust for your add-in.
Each certificate in the chain is added to SharePoint's list of trusted root authorities with a call to the New-SPTrustedRootAuthority cmdlet.
The IssuerId is needed every time you create an add-in in Visual Studio, so keep it somewhere safe (e.g. 9f0ff6c4-0da6-429b-959a-07847df6bf37). It is a GUID that must be written in lower case, and SharePoint registers it as <IssuerId>@<farm realm>.
Get the serial number from the add-in certificate - e.g. 6114c562000000000005 (the steps are here - https://msdn.microsoft.com/EN-US/library/office/jj860570.aspx#ConfigureRemote)
29. Configure valid settings for AllowOAuthOverHTTP
Set AllowOAuthOverHTTP to FALSE for SSL communication between SharePoint and the provider-hosted add-ins.
If any of your IIS web sites (either SharePoint or the provider-hosted remote web) still has an HTTP binding, AllowOAuthOverHTTP must be TRUE, otherwise you will get a 403 error. Treat TRUE as a lab-only setting: the OAuth access token then travels in clear text, and anyone who captures it can call SharePoint as that user until the token expires.
$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $false
$serviceConfig.Update()
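Slides 24 to 29 are one farm-side procedure; the script below is an added example that is not the deck's own, covering all of it end to end: clear a stale issuer, trust each certificate in the chain, register the signing certificate under <IssuerId>@<realm>, and set AllowOAuthOverHttp. The certificate paths, the issuer name and the GUID are placeholders; the one real requirement is that the GUID is lower case and identical to the IssuerId the add-in's web.config will carry.

```powershell
# Added example, not the deck's script. Run in an elevated SharePoint 2013 Management
# Shell as the setup account. Paths, names and the GUID below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName   = 'NiksHighTrustCert'
$publicCer    = 'C:\Certs\NiksHighTrustCert.cer'        # public key only, never the PFX
$rootCaCer    = 'C:\Certs\RootCAHighTrustCert.cer'
$issuerGuid   = '9f0ff6c4-0da6-429b-959a-07847df6bf37'  # lower case; reuse it in every add-in project
$farmUsesHttp = $false                                   # $true only while some site still has an http binding

# 1. Remove a stale issuer with the same name (leave the Workflow Manager issuer alone).
Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $issuerName } |
    ForEach-Object { Remove-SPTrustedSecurityTokenIssuer -Identity $_.Id -Confirm:$false }

# 2. Trust every certificate in the chain, root first, skipping ones already registered.
foreach ($path in @($rootCaCer, $publicCer)) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
    $already = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $c.Thumbprint }
    if (-not $already) {
        New-SPTrustedRootAuthority -Name "HighTrust-$($c.Thumbprint)" -Certificate $c | Out-Null
    }
}

# 3. Register the signing certificate as a token issuer named "<issuerId>@<realm>".
#    -IsTrustBroker lets this one certificate issue tokens for every add-in carrying the IssuerId:
#    convenient in dev, a single point of compromise in production (see the linked MSDN article
#    for the single-add-in form that omits it).
$cert         = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($publicCer)
$realm        = Get-SPAuthenticationRealm
$fullIssuerId = "$issuerGuid@$realm"
New-SPTrustedSecurityTokenIssuer -Name $issuerName -Certificate $cert `
    -RegisteredIssuerName $fullIssuerId -IsTrustBroker

# 4. OAuth over plain HTTP is a last resort: a captured access token impersonates the user.
$sts = Get-SPSecurityTokenServiceConfig
$sts.AllowOAuthOverHttp = $farmUsesHttp
$sts.Update()

iisreset   # the STS reads trusted issuers at startup
"Registered issuer $fullIssuerId; AllowOAuthOverHttp = $($sts.AllowOAuthOverHttp)"
```

Get-SPTrustedSecurityTokenIssuer afterwards should list the new issuer next to any Workflow Manager entry, and the RegisteredIssuerName it prints is the value to compare against the IssuerId in the add-in's web.config when a token is rejected.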
31. On the DNS servers
Make sure a DNS entry is available for the add-in URL; ping it to verify.
On the provider-hosted server
Create the IIS web site and virtual directories to host the add-ins.
32. The remote web can be deployed on IIS; make sure ASP.NET is included in the installed features.
Web site name (e.g. ProviderHostedProdApp) and local folder (e.g. C:\inetpub\wwwroot\phprodapp)
Add a new DNS entry for the remote web add-in (e.g. phprodapp.niks.local pointing to the server or load-balancer IP) and check that you can ping it.
Bind the certificate with SSL (e.g. *.niks.local), host header (e.g. phprodapp.niks.local), and IP (e.g. 192.168.1.51)
Ensure .NET Framework 4.0 is selected as the target framework - make sure the application pool is using v4.0, otherwise you will get an error while deploying code.
Configure authentication of the remote web on IIS
Disable Anonymous Authentication for the IIS site hosting the remote web
Enable Windows Authentication for the IIS site hosting the remote web, and make sure the NTLM provider is listed above Negotiate
Add virtual directories to host add-ins
Alias (e.g. prodphapp), path (e.g. C:\inetpub\wwwroot\phprodapp\prodphapp)
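The IIS side of slides 31 and 32 as a script, added as an example rather than taken from the deck. It checks DNS, creates a v4.0 application pool and an HTTPS-only site bound to the wildcard certificate, turns anonymous access off and Windows authentication on with NTLM offered before Negotiate, and creates the remote web as an IIS application under the site (an application rather than a bare virtual directory, so it gets its own web.config scope and pool). It assumes Windows Server 2012 R2 (WebAdministration and DnsClient modules, appcmd.exe for the provider order) and placeholder names, paths, IP and certificate subject.

```powershell
# Added example, not the deck's own steps. Names, paths, IP and subject are placeholders.
Import-Module WebAdministration

$siteName  = 'ProviderHostedProdApp'
$sitePath  = 'C:\inetpub\wwwroot\phprodapp'
$appAlias  = 'prodphapp'
$hostName  = 'phprodapp.niks.local'
$ipAddress = '192.168.1.51'
$certSubj  = 'CN=*.niks.local'

# 1. The add-in URL must resolve before anything else is worth testing.
Resolve-DnsName -Name $hostName -ErrorAction Stop | Out-Null

# 2. Dedicated .NET 4.0 application pool and the site folders.
New-Item -ItemType Directory -Path (Join-Path $sitePath $appAlias) -Force | Out-Null
New-WebAppPool -Name $siteName | Out-Null
Set-ItemProperty -Path "IIS:\AppPools\$siteName" -Name managedRuntimeVersion -Value 'v4.0'

# 3. HTTPS-only site bound to the wildcard certificate on the given IP and host header.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq $certSubj -and $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject $certSubj and a private key in LocalMachine\My" }
New-Website -Name $siteName -PhysicalPath $sitePath -ApplicationPool $siteName `
    -IPAddress $ipAddress -Port 443 -HostHeader $hostName -Ssl | Out-Null
New-Item -Path "IIS:\SslBindings\$ipAddress!443" -Value $cert | Out-Null

# 4. No anonymous access; Windows authentication with NTLM listed before Negotiate.
#    -Location writes to applicationHost.config, so the locked authentication sections can be set.
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
# Removing Negotiate and adding it back appends it after NTLM in the site's provider list.
& $appcmd set config $siteName "-section:$auth/windowsAuthentication" "/-providers.[value='Negotiate']" /commit:apphost
& $appcmd set config $siteName "-section:$auth/windowsAuthentication" "/+providers.[value='Negotiate']" /commit:apphost

# 5. The remote web as an IIS application under the site.
New-WebApplication -Site $siteName -Name $appAlias -PhysicalPath (Join-Path $sitePath $appAlias) `
    -ApplicationPool $siteName | Out-Null

Get-WebBinding -Name $siteName   # expect a single https binding on $ipAddress:443 with the host header
```

Because the site has no HTTP binding at all, the farm can stay on AllowOAuthOverHttp = $false; a mixed site with both bindings is what forces that setting to TRUE.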
35. Update the web.config file of the app web
Visual Studio adds ClientSigningCertificatePath and ClientSigningCertificatePassword. This requires the certificate (PFX) to be downloaded and stored on the local file system, with its password in clear text in the config file.
<appSettings>
<add key="ClientId" value="f5b99211-2f48-4747-8af0-bdfbbcf1b1b5" />
<add key="ClientSigningCertificatePath" value="C:\Certs\NiksHighTrustCert.pfx" />
<add key="ClientSigningCertificatePassword" value="pass@word1" />
<add key="IssuerId" value="9f0ff6c4-0da6-429b-959a-07847df6bf37" />
</appSettings>
No changes to the token issuer file (TokenHelper) in the Visual Studio project.
The Visual Studio template for a provider-hosted add-in contains code that creates the access token from the certificate at that file location.
36. Update the web.config file of the app web
Visual Studio adds ClientSigningCertificatePath and ClientSigningCertificatePassword. These shouldn't be used for production add-ins; use ClientSigningCertificateSerialNumber instead, so no PFX or password sits on disk.
Find the ClientSigningCertificateSerialNumber from the certificate bound to the provider-hosted add-in (e.g. *.niks.local)
<appSettings>
<add key="ClientId" value="f5b99211-2f48-4747-8af0-bdfbbcf1b1b5" />
<add key="ClientSigningCertificateSerialNumber" value="6114c562000000000005" />
<add key="IssuerId" value="9f0ff6c4-0da6-429b-959a-07847df6bf37" />
</appSettings>
Update the token issuer file in the Visual Studio project
Since you are using the serial number instead of the certificate path and password for authorization, you need to update the code to retrieve the certificate from the local machine store by serial number - see the Token Issuer section here -
https://msdn.microsoft.com/en-us/library/office/jj860570.aspx
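A pre-deployment check for the remote web's web.config, added here as an example (not part of the deck or the Visual Studio template). It fails if the file still carries the PFX path and password from slide 35, confirms the three keys the serial-number form needs are present, insists the IssuerId is lower case as the farm registered it, and verifies that the certificate named by ClientSigningCertificateSerialNumber exists in LocalMachine\My with its private key, which is where the updated TokenHelper looks it up. The web.config path is a placeholder.

```powershell
# Added example, not from the deck. The path at the bottom is a placeholder.
function Test-HighTrustWebConfig {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$config = Get-Content -Path $Path -Raw
    $settings = @{}
    foreach ($add in $config.configuration.appSettings.add) { $settings[$add.key] = $add.value }

    $problems = New-Object 'System.Collections.Generic.List[string]'

    # The slide-35 form: a PFX on disk and its password in clear text.
    foreach ($key in 'ClientSigningCertificatePath', 'ClientSigningCertificatePassword') {
        if ($settings.ContainsKey($key)) { $problems.Add("$key is set; remove the PFX path/password before deploying") }
    }
    # The slide-36 form needs these three.
    foreach ($key in 'ClientId', 'IssuerId', 'ClientSigningCertificateSerialNumber') {
        if (-not $settings.ContainsKey($key)) { $problems.Add("$key is missing") }
    }
    # SharePoint registered <IssuerId>@<realm> in lower case; the add-in must send it the same way.
    if ($settings['IssuerId'] -and ($settings['IssuerId'] -cne $settings['IssuerId'].ToLower())) {
        $problems.Add('IssuerId must be a lower-case GUID, exactly as registered on the farm')
    }

    # X509Certificate2.SerialNumber is upper-case hex without spaces; -eq is case-insensitive.
    $serial = $settings['ClientSigningCertificateSerialNumber'] -replace '\s', ''
    if ($serial) {
        $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
            Where-Object { $_.SerialNumber -eq $serial } | Select-Object -First 1
        if (-not $cert) {
            $problems.Add("No certificate with serial $serial in LocalMachine\My")
        } elseif (-not $cert.HasPrivateKey) {
            $problems.Add("Certificate $serial has no private key; the PFX, not the CER, must be imported here")
        } elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            $problems.Add("Certificate $serial expires on $($cert.NotAfter); tokens stop validating then")
        }
    }

    [pscustomobject]@{ Path = $Path; Ok = ($problems.Count -eq 0); Problems = $problems }
}

Test-HighTrustWebConfig -Path 'C:\inetpub\wwwroot\phprodapp\prodphapp\web.config'
```

Run it on the provider-hosted server as the same account the application pool uses; a store lookup that succeeds for an administrator but not for the pool identity is the private-key permission problem from slide 22, not a config problem.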
37. Provider-hosted add-ins consist of two projects in Visual Studio
Publishing the app web package
Publishing the app web copies its files to the remote web server, where they are deployed on IIS.
Create the app web package from Visual Studio using the publish approach
Create a profile (e.g. NiksRemote)
Connection - publish method - Web Deploy Package, package location (e.g. C:\Deploy\ProdProviderHostedAppWeb\ProdProviderHostedAppWeb.zip) and remote IIS web site name (e.g. ProviderHostedProdApp/prodphapp)
Click Next - Release - and publish the package
Publishing the add-in package
Publishing the app produces the app file (.app extension), which needs to be uploaded to the App Catalog site to make it available to SharePoint sites
Create the app package from Visual Studio using the publish approach
Remote add-in URL where the web site is hosted (e.g. https://phprodapp.niks.local/prodphapp)
Remote add-in Client ID (e.g. f5b99211-2f48-4747-8af0-bdfbbcf1b1b5)
38. Deploying the app web package
Copy the package to the remote add-in server, and make sure Web Deploy is installed on that server.
Open a command prompt and run the app web deployment command (e.g. C:\Deploy\ProdProviderHostedAppWeb>ProdProviderHostedAppWeb.deploy.cmd /y)
Verify that all the contents get published to the IIS virtual directory
Deploy the app package to the App Catalog