SharePoint Fest Chicago 2015 - Anatomy of configuring provider hosted add-in infrastructure for sharepoint 2013 on-premises, real-world end-to-end configuration blueprint

2. About Me
• Principal Consultant, Slalom Consulting, Chicago
• Current focus area Office 365 and SharePoint 2013
Contact Info
• Email - patenik2@yahoo.com
• Blog - Nik Patel’s Logs from the Field - http://nikpatel.net/
• Twitter - @nikxpatel
• LinkedIn - linkedin.com/in/nikspatel
• Slideshare - slideshare.net/patenik2

3. 









4. Overview of
SharePoint Add-ins

5. SharePoint
Hosted-Add Ins
Allows you to host your add-ins in
the SharePoint using client-side
technologies and declarative
workflows.
Provider
Hosted-Add Ins
Allows you to host your add-ins in
your own infrastructure,
technology, and server side code.

6. Deploying
SharePoint
Artifacts
Allows you to deploy SharePoint
artifacts rather than deploying
through full trust or sandbox
model.
Business
Widgets
Allows you to build SharePoint
web parts where code will run on
the remote web application.
Stand-Alone
Business Apps
Allows you to build standalone
remote business applications like
performance dashboard or
timesheet.

7. High-Trust Add-ins
Enables on-premises add-ins hosting environment to
host add-ins for the SharePoint 2013 on-premises
using Certificate based authorization.
Low-Trust Add-ins
Enables on-premises add-ins hosting
environment to host add-ins for the SharePoint
Online using Azure ACS OAuth based
authorization.
High Trust Low Trust
Trust Mechanism Digital Certs Azure ACS
Token Creator App itself Azure ACS
App Host On-Premises Azure PaaS
Usage On-Premises Only Both Office 365 and On-Premises

8. On-Premises
Only Add-ins
(High Trust)
Allows you to deploy provider
hosted add-ins on-premises for
SharePoint on-premises using
High Trust model.
Cloud Add-ins
for SharePoint
Online
(Low Trust)
Allows you to deploy provider
hosted add-ins in Azure for
SharePoint online using Low Trust
model.
Cloud Add-ins
for SharePoint
On-Premises
(Low Trust)
Allows you to deploy provider
hosted add-ins in Azure for
SharePoint on-premises using Low
Trust model.

9. SharePoint 2013
HostWeb
App Web
Add-in Hosting Servers
CSS
png
aspx
master
js
Web Services
Databases
•
•
•

10. Deep Dive in
High-Trust
Provider Hosted Add-ins
Configuration

11. Step 1 –
Preparing Infrastructure for
High-Trust
Provider Hosted Add-ins

12. Infrastructure
• Configure Add-ins Domain (either isolated or subdomain)
• Wildcard DNS entries for SharePoint Add-ins (optional)
• Wildcard Certificates for SharePoint Add-ins SSL communication (optional)
SharePoint Servers
• SharePoint Environment Configured, optionally with SSL
• Routing SharePoint Web App configured for SharePoint Add-ins (optional)
• App Management and Subscription Settings Services & Service Applications
• Add-in Settings - App Prefix, App Hosting Domain, and App Catalog Site Collection
Provider Hosted Servers
• IIS and Application Server Role, .NET Framework 4.5 and later
• Install Web Deploy Tool for deployment
• Configure DNS Entries, SSL Certs, and IIS_IUSERS permissions to the cert.

13. 







14. 





 Mirjam Van Olst’s classic article -
http://sharepointchick.com/archive/2012/07/29/setting-up-your-
app-domain-for-sharepoint-2013.aspx

15. 







16. 










17. 








18. 





19. #Specify parameters for your environment
$ServiceAppPoolName = “SharePoint Hosted Services” #See Shared Services App Pool Account in Service Accounts page in central admin
$AppManagementServiceDB = "NikSP_AppManagement" #Specify Prefix to App management database
$SubscriptionSettingsServiceDB = "NikSP_SubscriptionSettings" #Specify prefix to subscription settings database
$appHostDomain = "apps.niks.local" #Specify App hosts domain
# Load SharePoint PowerShell snapin
$snapin = Get-PSSnapin | Where-Object {$_.Name -eq 'Microsoft.SharePoint.PowerShell'}
if ($snapin -eq $null) {
Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}
#Set the SharePoint 2013 App Domain
Set-SPAppDomain $appHostDomain
#Start if the SharePoint App Management Service isn’t running
$appMgmtSvcInstance = Get-SPServiceInstance | Where-Object { $_.GetType().Name -eq "AppManagementServiceInstance" }
if ($appMgmtSvcInstance.Status -ne "Online") {
$silence = Start-SPServiceInstance -Identity $appMgmtSvcInstance
}
#Start if the SharePoint Subscription Settings Service isn’t running
$appSubSettingSvcInstance = Get-SPServiceInstance | Where-Object { $_.GetType().Name -eq "SPSubscriptionSettingsServiceInstance"}
if ($appSubSettingSvcInstance.Status -ne "Online") {
$serviceInstance = Start-SPServiceInstance -Identity $appSubSettingSvcInstance
}

20. #Get Application Pool for hosting service applications
$appPoolServiceApps = Get-SPServiceApplicationPool -Identity $ServiceAppPoolName
#Provision Subscription Settings Service Application
$appSubSvc = New-SPSubscriptionSettingsServiceApplication –ApplicationPool $appPoolServiceApps –Name "Settings Service Application" –
DatabaseName $SubscriptionSettingsServiceDB
$proxySubSvc = New-SPSubscriptionSettingsServiceApplicationProxy –ServiceApplication $appSubSvc
#Create App Management Service Application
$appAppSvc = New-SPAppManagementServiceApplication -ApplicationPool $appPoolServiceApps -Name "App Management Service Application" -
DatabaseName $AppManagementServiceDB
$proxyAppSvc = New-SPAppManagementServiceApplicationProxy -ServiceApplication $appAppSvc
#Recycle IIS
IISRESET
#Set Default On-Premises Tenant Add-in Prefix for Add-ins
Set-SPAppSiteSubscriptionName -Name "app" -Confirm:$false
#Complete configuring SharePoint 2013 to host add-ins

21. 





 http://www.iis.net/downloads/microsoft/web-deploy

http://go.microsoft.com/?linkid=9278654

22.  Add DNS entries to resolve provider hosted add-in URL
 Import a High Trust certificate on Add-ins Host Servers
 If you don't have PFX and CER files from the external/internal CA, one way to obtain is
exporting with private key (e.g. NiksHighTrustCert.pfx) and with public key (e.g.
NiksHighTrustCert.cer) for all the certs including root CAs and other parent certs in chain
(RootCAHighTrustCert.cer) from the SharePoint servers.
 CER format requires to register cert with SharePoint, PFX format requires for Add-ins
 Usually, high trust certificate would be same as wildcard cert used for the SharePoint web
applications if high trust Add-ins and SharePoint shares same domain.
 Configure BUILTINIIS_IUSRS access to the High Trust cert
 For the separate IIS server hosting Add-ins, configure BUILTINIIS_IUSRS users to the full
control permission to cert
 On Windows Server 2012 R2, Use command line tool - Windows HTTP Services Certificate
Configuration Tool - WinHttpCertCfg.exe
 On Windows Server 2008 R2, you can use Microsoft WSE 2.0 SP3 GUI tool, look up wildcard
cert (e.g. *.niks.local) and gave full control IIS_IUSRS from the machine, restart the IIS
 If IIS_IUSERs don’t have permission, it will throw Keyset doesn't exists eroor -
http://webservices20.blogspot.com/2011/02/wcf-keyset-does-not-exist.html

23. Step 2 –
Configuring High-Trust for
Provider Hosted Add-ins

24. Remove existing SPTrustedSecurityTokenIssuer if exists
Run PowerShell to configure High Trust
– Trust cert using New-SPTrustedSecurityTokenIssuer
Configure valid AllowOAuthOverHTTP settings for SSL or Non-SSL
communication between SharePoint and Provider Hosted Add-ins

25.  Remove existing SPTrustedSecurityTokenIssuer if exists
 On the SP Server, Log in as Setup account to run PowerShell script and check if any
previously registered SPTrustedSecurityTokenIssuer exists.
 If there is a mal-functioned one and if the –IsTrustBroker switch was used then the bad tokenissuer
might be getting called.
 If this is the first time you are configuring the high trust add-in then you can skip this step.
 Run Get-SPTrustedSecurityTokenIssuer.
 If no Azure workflow is configured then this command should return empty.
 If you get any issuer other than the workflow then run the Remove-SPTrustedSecurityTokenIssuer
(pass the Id value from the above output) to delete it.

26.  Configure the High Trust using
Certificates
 Run the PowerShell script from the SP Server to register
cert with SharePoint by using public (cer) key to configure
trust for your add-in
 Each certificate in the chain is added to SharePoint's list of
trusted root authorities with a call of the New-
SPTrustedRootAuthority cmdlet.
 It is important that IssuerID is needed each time you
create add-ins in Visual Studio so put it somewhere safe
(e.g. 9F0FF6C4-0DA6-429B-959A-07847DF6BF37)
 Get the Serial Number from the App Cert -
6114c562000000000005 (here are the steps -
https://msdn.microsoft.com/EN-
US/library/office/jj860570.aspx#ConfigureRemote)

27. https://msdn.microsoft.com/en-us/library/office/fp179901.aspx

29.  Configure valid settings for
AllowOAuthOverHTTP
 Configure AllowOAuthOverHTTP to FALSE for SSL
communication between SharePoint and Provider
Hosted Add-ins.
 If any of your IIS web (either SharePoint or Provider
hosted web add-in) has HTTP bindings then you must
have AllowOAuthOverHTTP to TRUE otherwise you
will get 403 error
$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $false
$serviceConfig.Update()

30. Step 3 –
High-Trust Provider Hosted
Add-ins Deployment

31.  On the DNS Servers
 Make sure DNS entry is available for Add-ins URL, PING to verify
 On Provider Hosted Server
 Create IIS Web Site and Virtual Directories to host Add-ins










32.  Remote web can be deployed on IIS, make sure asp.net is
included as features
 Web Site Name (e.g. ProviderHostedProdApp) and local folder
(e.g. C:inetpubwwwrootphprodapp)
 Add New DNS entry for remote web add-in (e.g.
phprodapp.niks.local to server or load-balancer IP) and see if you
can ping it
 Bind this cert with SSL (e.g. *.niks.local), Host Header (e.g.
phprodapp.niks.local), and IP (e.g. 192.168.1.51)
 Ensure .NET 4.0 framework is selected as target framework - Make
sure Application Pool is using v4.0 otherwise you will get error
while deploying code
 Configure Authentication of the Remote Web on IIS
 Disable Anonymous Authentication for the IIS site hosting Remote
Web
 Enable Windows Authentication for the IIS site hosting remote
web and plan to have Provider NTLM is selected above Negotiate
 Add Virtual Directories to host Add-ins
 Alias (e.g. prodphapp), Path – (e.g.
C:inetpubwwwrootphprodappprodphapp)

33. App Id: f5b99211-2f48-4747-8af0-bdfbbcf1b1b5
App Secret: ER8VtsjIfOU1Y2NrTMCfph+2LACCeOUpiaEMqr/zE2Y=
Title: Prod Provider Hosted App
App Domain: phprodapp.niks.local
Redirect URI: https://phprodapp.niks.local/prodphapp/pages/default.aspx
• App Registration – ~siteURL/_layouts/15/appregnew.aspx
• App Lookup - ~siteURL/_layouts/15/appinv.aspx
 Appid - generate
 App secret - generate
 App domain - phprodapp.niks.local
 Redirect URL - https://phprodapp.niks.local/prodphapp/pages/default.aspx

34. 

35.  Update the Web.Config file of App Web
 VS adds ClientSigningCertificatePath and ClientSigningCertificatePassword. This requires certificate
downloaded and stored on the local file system.
<appSettings>
<add key="ClientId" value="f5b99211-2f48-4747-8af0-bdfbbcf1b1b5" />
<add key="ClientSigningCertificatePath" value="C:CertsNiksHighTrustCert.pfx" />
<add key="ClientSigningCertificatePassword" value="pass@word1" />
<add key="IssuerId" value="9f0ff6c4-0da6-429b-959a-07847df6bf37" />
</appSettings>
 No changes in the Token Issuer file in VS project
 Visual studio template for Provider hosted add-in contains code to create access token based on
certificate location.

36.  Update the Web.Config file of App Web
 VS adds ClientSigningCertificatePath and ClientSigningCertificatePassword. This shouldn’t be used for
production add-ins. Instead use ClientSigningCertificateSerialNumber.
 Find the ClientSigningCertificateSerialNumber from the cert binded to the provider hosted add-in
(e.g. *.niks.local)
<appSettings>
<add key="ClientId" value="f5b99211-2f48-4747-8af0-bdfbbcf1b1b5" />
<add key="ClientSigningCertificateSerialNumber" value="6114c562000000000005" />
<add key="IssuerId" value="9f0ff6c4-0da6-429b-959a-07847df6bf37" />
</appSettings>
 Update Token Issuer file in VS project
 Since you are using on Serial Number instead of cert path and password for authorization, you need
to update code to retrieve cert based on serial number - See Token Issuer section here -
https://msdn.microsoft.com/en-us/library/office/jj860570.aspx

37.  Provider Hosted Add-ins are consists of two projects in Visual
Studio
 Publishing App Web Package
 Publishing App web copies files are remote web server and deployed on
IIS
 Create AppWeb package from the Visual Studio using publish approach
 Create Profile (e.g. NiksRemote)
 Connection - Publish Method - Web deploy package, Package Location (e.g.
C:DeployProdProviderHostedAppWebProdProviderHostedAppWeb.zip) and
Remote IIS Web Site Name (e.g. ProviderHostedProdApp/prodphapp)
 Click Next - Release and Publish Package
 Publishing Add-ins Package
 Publishing App produces App file (.app extension) and that needs to be
uploaded on App Catalog site to make it available for SharePoint sites
 Create App package from the Visual Studio using publish approach
 Remote Add-ins URL where web site is hosted (e.g.
https://phprodapp.niks.local/prodphapp)
 Remote Add-ins Client ID (e.g. f5b99211-2f48-4747-8af0-bdfbbcf1b1b5)

38.  Deploying App Web Package
 Copy the Package to the Remote Add-ins server,
make sure webdeploy is installed on the
additional server
 Open cmd file and run Appweb deployment
command (e.g.
C:DeployProdProviderHostedAppWeb>ProdPr
oviderHostedAppWeb.deploy.cmd /y)
 Verify all the contents are getting published on
the IIS virtual directory
 Deploy App Package to App Catalog



39. 


 https://msdn.microsoft.com/en-
us/library/office/fp179921.aspx




40. 





41. Q&A
• Blog - http://nikpatel.net/
• Twitter - @nikxpatel
• Slideshare - slideshare.net/patenik2