SharePoint Fest Chicago 2015 - Anatomy of Configuring Provider Hosted Add-in Infrastructure for...

Uploaded by: nik-patel

Posted on 16-Apr-2017

About Me

• Principal Consultant, Slalom Consulting, Chicago

• Current focus area Office 365 and SharePoint 2013

Contact Info

• Email - [email protected]

• Blog - Nik Patel’s Logs from the Field - http://nikpatel.net/

• Twitter - @nikxpatel

• LinkedIn - linkedin.com/in/nikspatel

• Slideshare - slideshare.net/patenik2

Overview of SharePoint Add-ins

SharePoint-Hosted Add-ins

Allows you to host your add-ins in SharePoint using client-side technologies and declarative workflows.

Provider-Hosted Add-ins

Allows you to host your add-ins in your own infrastructure, with your own technology and server-side code.

Deploying SharePoint Artifacts

Allows you to deploy SharePoint artifacts without going through the full-trust or sandbox solution model.

Business Widgets

Allows you to build SharePoint web parts where code will run on the remote web application.

Stand-Alone Business Apps

Allows you to build standalone remote business applications, such as a performance dashboard or a timesheet.

High-Trust Add-ins

Enables an on-premises add-in hosting environment to host add-ins for SharePoint 2013 on-premises, using certificate-based authorization.

Low-Trust Add-ins

Enables an on-premises add-in hosting environment to host add-ins for SharePoint Online, using Azure ACS OAuth-based authorization.

                   High Trust          Low Trust
Trust Mechanism    Digital Certs       Azure ACS
Token Creator      App itself          Azure ACS
App Host           On-Premises         Azure PaaS
Usage              On-Premises Only    Both Office 365 and On-Premises

On-Premises Only Add-ins (High Trust)

Allows you to deploy provider hosted add-ins on-premises for SharePoint on-premises using High Trust model.

Cloud Add-ins for SharePoint Online (Low Trust)

Allows you to deploy provider hosted add-ins in Azure for SharePoint online using Low Trust model.

Cloud Add-ins for SharePoint On-Premises (Low Trust)

Allows you to deploy provider hosted add-ins in Azure for SharePoint on-premises using Low Trust model.

[Diagram: SharePoint 2013 on the left with the Host Web and the App Web (CSS, png, aspx, master, js); Add-in Hosting Servers on the right with Web Services and Databases]

Deep Dive in High-Trust Provider Hosted Add-ins Configuration

Step 1 – Preparing Infrastructure for High-Trust Provider Hosted Add-ins

Infrastructure

• Configure Add-ins Domain (either isolated or subdomain)

• Wildcard DNS entries for SharePoint Add-ins (optional)

• Wildcard Certificates for SharePoint Add-ins SSL communication (optional)

SharePoint Servers

• SharePoint Environment Configured, optionally with SSL

• Routing SharePoint Web App configured for SharePoint Add-ins (optional)

• App Management and Subscription Settings Services & Service Applications

• Add-in Settings - App Prefix, App Hosting Domain, and App Catalog Site Collection

Provider Hosted Servers

• IIS and Application Server Role, .NET Framework 4.5 and later

• Install Web Deploy Tool for deployment

• Configure DNS entries, SSL certs, and IIS_IUSRS permissions on the cert's private key.

Mirjam Van Olst’s classic article - http://sharepointchick.com/archive/2012/07/29/setting-up-your-app-domain-for-sharepoint-2013.aspx

# Specify parameters for your environment
$ServiceAppPoolName = "SharePoint Hosted Services"              # See Shared Services App Pool Account on the Service Accounts page in Central Administration
$AppManagementServiceDB = "NikSP_AppManagement"                 # App Management database name
$SubscriptionSettingsServiceDB = "NikSP_SubscriptionSettings"   # Subscription Settings database name
$appHostDomain = "apps.niks.local"                              # Add-in hosting domain

# Load the SharePoint PowerShell snap-in if it is not already loaded
$snapin = Get-PSSnapin | Where-Object { $_.Name -eq 'Microsoft.SharePoint.PowerShell' }
if ($snapin -eq $null) {
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}

# Set the SharePoint 2013 add-in domain
Set-SPAppDomain $appHostDomain

# Start the App Management Service instance if it isn't running
$appMgmtSvcInstance = Get-SPServiceInstance | Where-Object { $_.GetType().Name -eq "AppManagementServiceInstance" }
if ($appMgmtSvcInstance.Status -ne "Online") {
    $silence = Start-SPServiceInstance -Identity $appMgmtSvcInstance
}

# Start the Subscription Settings Service instance if it isn't running
$appSubSettingSvcInstance = Get-SPServiceInstance | Where-Object { $_.GetType().Name -eq "SPSubscriptionSettingsServiceInstance" }
if ($appSubSettingSvcInstance.Status -ne "Online") {
    $serviceInstance = Start-SPServiceInstance -Identity $appSubSettingSvcInstance
}

# Get the application pool for hosting service applications
$appPoolServiceApps = Get-SPServiceApplicationPool -Identity $ServiceAppPoolName

# Provision the Subscription Settings Service Application and its proxy
$appSubSvc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $appPoolServiceApps -Name "Settings Service Application" -DatabaseName $SubscriptionSettingsServiceDB
$proxySubSvc = New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $appSubSvc

# Create the App Management Service Application and its proxy
$appAppSvc = New-SPAppManagementServiceApplication -ApplicationPool $appPoolServiceApps -Name "App Management Service Application" -DatabaseName $AppManagementServiceDB
$proxyAppSvc = New-SPAppManagementServiceApplicationProxy -ServiceApplication $appAppSvc

# Recycle IIS
IISRESET

# Set the default on-premises tenant add-in prefix
Set-SPAppSiteSubscriptionName -Name "app" -Confirm:$false

# SharePoint 2013 is now configured to host add-ins

http://www.iis.net/downloads/microsoft/web-deploy

http://go.microsoft.com/?linkid=9278654

Add DNS entries to resolve provider hosted add-in URL

Import a High Trust certificate on Add-ins Host Servers

If you don't have PFX and CER files from the external/internal CA, one way to obtain them is to export them from the SharePoint servers: with the private key (e.g. NiksHighTrustCert.pfx) and with the public key only (e.g. NiksHighTrustCert.cer), for every cert in the chain including the root CA and other parent certs (e.g. RootCAHighTrustCert.cer).

The CER (public key) format is required to register the cert with SharePoint; the PFX (private key) format is required by the add-in.

Usually the high trust certificate is the same wildcard cert used for the SharePoint web applications, provided the high trust add-ins and SharePoint share the same domain.

Configure BUILTIN\IIS_IUSRS access to the High Trust cert

For a separate IIS server hosting add-ins, grant BUILTIN\IIS_IUSRS Full Control permission on the cert's private key.

On Windows Server 2012 R2, use the command-line tool Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe).

On Windows Server 2008 R2, you can use the Microsoft WSE 2.0 SP3 GUI tool: look up the wildcard cert (e.g. *.niks.local), give IIS_IUSRS from the machine Full Control, and restart IIS.

If IIS_IUSRS doesn't have permission, the add-in throws a "Keyset does not exist" error - http://webservices20.blogspot.com/2011/02/wcf-keyset-does-not-exist.html
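As an added example (not the presenter's script), the following PowerShell grants the IIS_IUSRS group access to the high trust certificate's private key on the add-in hosting server and prints the serial number you will later need in web.config. The subject name, the key-container location and the choice of Read rather than Full Control are assumptions: Read on the key file is the minimum the app pool needs to sign tokens, whereas the slides grant Full Control.

```powershell
# Added example, not from the slides. Run elevated on the add-in hosting server (Windows Server 2012 R2).
$certSubject = "CN=*.niks.local"      # assumption: the wildcard cert subject used in the slides
$account     = "BUILTIN\IIS_IUSRS"

# Locate the certificate in the machine store and fail early if the match is ambiguous.
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject -and $_.HasPrivateKey })
if ($certs.Count -ne 1) {
    throw "Expected exactly one cert with subject $certSubject and a private key; found $($certs.Count)"
}
$cert = $certs[0]

# A CSP-backed RSA key is stored as a file under MachineKeys; grant the account rights on that file.
# CNG keys expose no CspKeyContainerInfo, so stop with a message instead of guessing the path.
if (-not ($cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider])) {
    throw "Private key is not a CSP (RSA) key; use winhttpcertcfg.exe or certutil -repairstore for this cert"
}
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
if (-not (Test-Path $keyPath)) { throw "Private key file not found: $keyPath" }

# Read is enough for signing; the slides use Full Control. Change "Read" to "FullControl" to match them.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, "Read", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Equivalent with the tool the slides name (2012 R2):
#   winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s "*.niks.local" -a IIS_IUSRS

# The serial number is the value for ClientSigningCertificateSerialNumber in the add-in's web.config.
"Serial number: $($cert.SerialNumber)"

# Confirm the ACL now carries the grant; an empty result here means the 'Keyset does not exist' error will follow.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it once per hosting server after importing the PFX into LocalMachine\My; the serial number it prints is the one to paste into web.config, without spaces.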

Step 2 – Configuring High-Trust for Provider Hosted Add-ins

Remove the existing SPTrustedSecurityTokenIssuer if one exists

Run PowerShell to configure High Trust – trust the cert using New-SPTrustedSecurityTokenIssuer

Configure valid AllowOAuthOverHTTP settings for SSL or non-SSL communication between SharePoint and Provider Hosted Add-ins

Remove the existing SPTrustedSecurityTokenIssuer if one exists

On the SP server, log in as the Setup account to run the PowerShell script and check whether any previously registered SPTrustedSecurityTokenIssuer exists.

If there is a malfunctioning one and the –IsTrustBroker switch was used, then the bad token issuer might be getting called.

If this is the first time you are configuring the high trust add-in, you can skip this step.

Run Get-SPTrustedSecurityTokenIssuer.

If no Azure workflow is configured, this command should return nothing.

If you get any issuer other than the workflow one, run Remove-SPTrustedSecurityTokenIssuer (pass the Id value from the output above) to delete it.

Configure the High Trust using Certificates

Run the PowerShell script on the SP server to register the cert with SharePoint, using the public key (.cer), to configure trust for your add-in.

Each certificate in the chain is added to SharePoint's list of trusted root authorities with a call of the New-SPTrustedRootAuthority cmdlet.

It is important to note that the IssuerID is needed each time you create add-ins in Visual Studio, so put it somewhere safe (e.g. 9F0FF6C4-0DA6-429B-959A-07847DF6BF37).

Get the Serial Number from the App Cert - 6114c562000000000005 (the steps are here - https://msdn.microsoft.com/EN-US/library/office/jj860570.aspx#ConfigureRemote)

https://msdn.microsoft.com/en-us/library/office/fp179901.aspx

Configure valid settings for AllowOAuthOverHTTP

Set AllowOAuthOverHTTP to FALSE for SSL communication between SharePoint and Provider Hosted Add-ins.

If any of your IIS web sites (either SharePoint or the provider hosted add-in web) has HTTP bindings, then you must set AllowOAuthOverHTTP to TRUE, otherwise you will get a 403 error.

$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $false
$serviceConfig.Update()
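The Step 2 procedure above (clearing a stale issuer, trusting the certificate chain, registering the token issuer, and setting AllowOAuthOverHttp) as one script, added here as an example rather than the presenter's own script. It is run as the Setup account on a SharePoint server; the file paths, the issuer name and the issuer GUID are taken from the slides' examples and are assumptions. Unlike the manual steps, it removes only an issuer with the same name it is about to create, so a Workflow Manager issuer is left untouched.

```powershell
# Added example, not from the slides. Run as the Setup account on a SharePoint 2013 server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerId         = "9f0ff6c4-0da6-429b-959a-07847df6bf37"   # assumption; must be lowercase and stored safely (VS needs it for every add-in)
$issuerName       = "NiksHighTrustIssuer"                     # assumption
$appCertPath      = "C:\Certs\NiksHighTrustCert.cer"          # public key only
$chainCertPaths   = @("C:\Certs\RootCAHighTrustCert.cer")     # root/intermediate certs of the chain
$useSslEverywhere = $true                                     # $false only while some site still has an HTTP binding

# 1. Remove a previously registered issuer with the same name (the Workflow issuer keeps its own name).
Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $issuerName } | ForEach-Object {
    Write-Host "Removing existing issuer $($_.Name) ($($_.Id))"
    Remove-SPTrustedSecurityTokenIssuer -Identity $_.Id -Confirm:$false
}

# 2. Trust every certificate in the chain, and the add-in cert itself, as a root authority (idempotent).
foreach ($path in ($chainCertPaths + $appCertPath)) {
    $c        = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
    $rootName = "HighTrust-" + $c.Thumbprint
    if (-not (Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq $rootName })) {
        New-SPTrustedRootAuthority -Name $rootName -Certificate $c | Out-Null
        Write-Host "Trusted root authority added: $rootName ($($c.Subject))"
    }
}

# 3. Register the add-in signing cert as a trust broker. The registered issuer name is <issuerId>@<realm>.
$appCert      = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($appCertPath)
$realm        = Get-SPAuthenticationRealm
$fullIssuerId = "{0}@{1}" -f $issuerId, $realm
New-SPTrustedSecurityTokenIssuer -Name $issuerName -Certificate $appCert -RegisteredIssuerName $fullIssuerId -IsTrustBroker | Out-Null

# 4. Allow OAuth over plain HTTP only when a site still has an HTTP binding.
$stsConfig = Get-SPSecurityTokenServiceConfig
$stsConfig.AllowOAuthOverHttp = -not $useSslEverywhere
$stsConfig.Update()

iisreset

# 5. Verify what the farm now trusts.
Get-SPTrustedSecurityTokenIssuer | Select-Object Name, RegisteredIssuerName, IsTrustBroker | Format-Table -AutoSize
"AllowOAuthOverHttp = $((Get-SPSecurityTokenServiceConfig).AllowOAuthOverHttp)"
```

The realm returned by Get-SPAuthenticationRealm is farm-wide, so the same script registers the issuer correctly for every web application; the web.config IssuerId in Step 3 is the GUID on its own, without the @realm suffix.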

Step 3 – High-Trust Provider Hosted Add-ins Deployment

On the DNS Servers

Make sure a DNS entry is available for the add-in URL; PING to verify.

On Provider Hosted Server

Create IIS Web Site and Virtual Directories to host Add-ins

The remote web can be deployed on IIS; make sure ASP.NET is included as a feature.

Web Site Name (e.g. ProviderHostedProdApp) and local folder (e.g. C:\inetpub\wwwroot\phprodapp)

Add a new DNS entry for the remote web add-in (e.g. phprodapp.niks.local to the server or load-balancer IP) and check that you can ping it.

Bind the cert with SSL (e.g. *.niks.local), Host Header (e.g. phprodapp.niks.local), and IP (e.g. 192.168.1.51)

Ensure .NET Framework 4.0 is selected as the target framework - make sure the Application Pool is using v4.0, otherwise you will get an error while deploying code.

Configure Authentication of the Remote Web on IIS

Disable Anonymous Authentication for the IIS site hosting the Remote Web.

Enable Windows Authentication for the IIS site hosting the Remote Web, and make sure the NTLM provider is listed above Negotiate.

Add Virtual Directories to host Add-ins

Alias (e.g. prodphapp), Path (e.g. C:\inetpub\wwwroot\phprodapp\prodphapp)
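The IIS part of Step 3 (site, .NET 4.0 application pool, HTTPS binding, virtual directory and authentication settings) as one WebAdministration script, added here as an example; it is not part of the presentation. The names, paths, host header, IP address and certificate subject are the slides' example values, and the application pool name is an assumption.

```powershell
# Added example, not from the slides. Run elevated on the add-in hosting server (IIS 8.5 / Windows Server 2012 R2).
Import-Module WebAdministration

$siteName    = "ProviderHostedProdApp"
$sitePath    = "C:\inetpub\wwwroot\phprodapp"
$vdirAlias   = "prodphapp"
$vdirPath    = "C:\inetpub\wwwroot\phprodapp\prodphapp"
$hostHeader  = "phprodapp.niks.local"
$ipAddress   = "192.168.1.51"
$certSubject = "CN=*.niks.local"
$appPool     = "ProviderHostedProdAppPool"   # assumption

New-Item -ItemType Directory -Path $sitePath, $vdirPath -Force | Out-Null

# Application pool on .NET 4.0: a v2.0 pool makes the Web Deploy package fail at deployment time.
if (-not (Test-Path "IIS:\AppPools\$appPool")) { New-WebAppPool -Name $appPool | Out-Null }
Set-ItemProperty "IIS:\AppPools\$appPool" -Name managedRuntimeVersion -Value "v4.0"

# Site with an HTTPS-only binding: with no HTTP binding anywhere, AllowOAuthOverHttp can stay $false on the farm.
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Website -Name $siteName -PhysicalPath $sitePath -ApplicationPool $appPool `
        -IPAddress $ipAddress -Port 443 -HostHeader $hostHeader -Ssl | Out-Null
}

# Attach the wildcard certificate to the IP:443 binding.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $certSubject -and $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw "Certificate $certSubject with a private key not found in LocalMachine\My" }
$sslBinding = "IIS:\SslBindings\$ipAddress!443"
if (-not (Test-Path $sslBinding)) { New-Item $sslBinding -Value $cert | Out-Null }

# Virtual directory that will receive the Web Deploy package.
if (-not (Test-Path "IIS:\Sites\$siteName\$vdirAlias")) {
    New-WebVirtualDirectory -Site $siteName -Name $vdirAlias -PhysicalPath $vdirPath | Out-Null
}

# Authentication: anonymous off, Windows on, NTLM ahead of Negotiate.
# These sections are locked at server level by default, so they are set from IIS:\ with -Location.
$auth      = "/system.webServer/security/authentication"
$providers = "$auth/windowsAuthentication/providers"
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $siteName -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $siteName -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
foreach ($p in @("NTLM", "Negotiate")) {
    Remove-WebConfigurationProperty -PSPath "IIS:\" -Location $siteName -Filter $providers -Name "." -AtElement @{ value = $p } -ErrorAction SilentlyContinue
}
foreach ($p in @("NTLM", "Negotiate")) {   # re-add in the required order
    Add-WebConfigurationProperty -PSPath "IIS:\" -Location $siteName -Filter $providers -Name "." -Value @{ value = $p }
}

# Checks: bindings (expect only https) and provider order (expect NTLM first).
Get-WebBinding -Name $siteName | Format-Table protocol, bindingInformation -AutoSize
Get-WebConfiguration -PSPath "IIS:\" -Location $siteName -Filter "$providers/add" | Select-Object -ExpandProperty value
```

The final two commands are the check to keep: an http binding in the first listing means the farm will need AllowOAuthOverHttp = TRUE, and Negotiate listed before NTLM is the classic cause of a failed Windows logon from the SharePoint server to the remote web.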

App Id: f5b99211-2f48-4747-8af0-bdfbbcf1b1b5

App Secret: ER8VtsjIfOU1Y2NrTMCfph+2LACCeOUpiaEMqr/zE2Y=

Title: Prod Provider Hosted App

App Domain: phprodapp.niks.local

Redirect URI: https://phprodapp.niks.local/prodphapp/pages/default.aspx

• App Registration – ~siteURL/_layouts/15/appregnew.aspx

• App Lookup – ~siteURL/_layouts/15/appinv.aspx

Appid - generate

App secret - generate

App domain - phprodapp.niks.local

Redirect URL - https://phprodapp.niks.local/prodphapp/pages/default.aspx

Update the Web.Config file of App Web

VS adds ClientSigningCertificatePath and ClientSigningCertificatePassword. This requires the certificate to be downloaded and stored on the local file system.

<appSettings>
  <add key="ClientId" value="f5b99211-2f48-4747-8af0-bdfbbcf1b1b5" />
  <add key="ClientSigningCertificatePath" value="C:\Certs\NiksHighTrustCert.pfx" />
  <add key="ClientSigningCertificatePassword" value="pass@word1" />
  <add key="IssuerId" value="9f0ff6c4-0da6-429b-959a-07847df6bf37" />
</appSettings>

No changes in the Token Issuer file in VS project

The Visual Studio template for a provider hosted add-in contains code to create the access token based on the certificate location.

Update the Web.Config file of App Web

VS adds ClientSigningCertificatePath and ClientSigningCertificatePassword. These shouldn't be used for production add-ins. Instead, use ClientSigningCertificateSerialNumber.

Find the ClientSigningCertificateSerialNumber from the cert bound to the provider hosted add-in (e.g. *.niks.local).

<appSettings>
  <add key="ClientId" value="f5b99211-2f48-4747-8af0-bdfbbcf1b1b5" />
  <add key="ClientSigningCertificateSerialNumber" value="6114c562000000000005" />
  <add key="IssuerId" value="9f0ff6c4-0da6-429b-959a-07847df6bf37" />
</appSettings>

Update Token Issuer file in VS project

Since you are using the serial number instead of the cert path and password for authorization, you need to update the code to retrieve the cert based on the serial number - see the Token Issuer section here - https://msdn.microsoft.com/en-us/library/office/jj860570.aspx

Provider Hosted Add-ins consist of two projects in Visual Studio
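A pre-deployment check for the web.config described above, added as an example rather than anything from the presentation: it confirms the production settings are in place (serial number instead of PFX path and password), that the IssuerId is a lowercase GUID, and that the serial number resolves to a certificate in LocalMachine\My whose private key IIS_IUSRS can read. The web.config path, the function name and the key-container location are assumptions.

```powershell
# Added example, not from the slides. Run on the add-in hosting server after deploying the remote web.
function Test-HighTrustWebConfig {
    param(
        [Parameter(Mandatory = $true)][string]$WebConfigPath,
        [string]$KeyReader = "BUILTIN\IIS_IUSRS"   # app pool identity group that must read the private key
    )
    [xml]$config = Get-Content -Path $WebConfigPath
    $settings = @{}
    foreach ($add in $config.configuration.appSettings.add) { $settings[$add.key] = $add.value }
    $problems = @()
    $guidPattern = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'

    # Production add-ins sign with a store certificate, not a PFX on disk with its password in clear text.
    if ($settings.ContainsKey("ClientSigningCertificatePath") -or $settings.ContainsKey("ClientSigningCertificatePassword")) {
        $problems += "ClientSigningCertificatePath/Password present: replace with ClientSigningCertificateSerialNumber"
    }

    # IssuerId is the GUID registered with New-SPTrustedSecurityTokenIssuer; it must be lowercase (-cnotmatch is case-sensitive).
    $issuerId = $settings["IssuerId"]
    if (-not $issuerId -or $issuerId -cnotmatch $guidPattern) { $problems += "IssuerId '$issuerId' missing or not a lowercase GUID" }

    $clientId = $settings["ClientId"]
    if (-not $clientId -or $clientId -notmatch $guidPattern) { $problems += "ClientId '$clientId' missing or not a GUID" }

    # The serial number must resolve to a cert with a private key that the app pool identity can use.
    $serial = ($settings["ClientSigningCertificateSerialNumber"] -replace '\s', '')
    if (-not $serial) {
        $problems += "ClientSigningCertificateSerialNumber missing"
    } else {
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial.ToUpper() } | Select-Object -First 1
        if (-not $cert)                          { $problems += "No cert with serial $serial in LocalMachine\My" }
        elseif (-not $cert.HasPrivateKey)        { $problems += "Cert $serial has no private key (the PFX, not the CER, must be imported)" }
        elseif ($cert.NotAfter -lt (Get-Date))   { $problems += "Cert $serial expired on $($cert.NotAfter)" }
        elseif ($cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
            $grant = (Get-Acl -Path $keyPath).Access |
                Where-Object { $_.IdentityReference -eq $KeyReader -and $_.AccessControlType -eq "Allow" }
            if (-not $grant) { $problems += "$KeyReader cannot read the private key ($keyPath): expect 'Keyset does not exist'" }
        }
    }
    return $problems
}

$issues = @(Test-HighTrustWebConfig -WebConfigPath "C:\inetpub\wwwroot\phprodapp\prodphapp\web.config")
if ($issues.Count -eq 0) { "web.config is consistent with the certificate store" }
else { $issues | ForEach-Object { "PROBLEM: $_" } }
```

Each failure the function reports maps to one of the runtime symptoms mentioned in the slides (a missing key grant gives "Keyset does not exist"; a mismatched IssuerId or serial number makes SharePoint reject the add-in's token), so running it before uploading the .app package saves a round trip through the App Catalog.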

Publishing App Web Package

Publishing the App Web copies the files to the remote web server, where they are deployed on IIS.

Create the App Web package from Visual Studio using the Publish approach: Create Profile (e.g. NiksRemote), Connection - Publish Method: Web Deploy Package, Package Location (e.g. C:\Deploy\ProdProviderHostedAppWeb\ProdProviderHostedAppWeb.zip) and Remote IIS Web Site Name (e.g. ProviderHostedProdApp/prodphapp)

Click Next - Release and Publish Package

Publishing Add-ins Package

Publishing the App produces an app file (.app extension) that needs to be uploaded to the App Catalog site to make it available to SharePoint sites.

Create the App package from Visual Studio using the Publish approach: Remote Add-in URL where the web site is hosted (e.g. https://phprodapp.niks.local/prodphapp)

Remote Add-in Client ID (e.g. f5b99211-2f48-4747-8af0-bdfbbcf1b1b5)

Deploying App Web Package

Copy the package to the remote add-in server; make sure Web Deploy is installed on the additional server.

Open a command prompt and run the App Web deployment command (e.g. C:\Deploy\ProdProviderHostedAppWeb>ProdProviderHostedAppWeb.deploy.cmd /y)

Verify that all the contents are published to the IIS virtual directory.

Deploy App Package to App Catalog

https://msdn.microsoft.com/en-us/library/office/fp179921.aspx

Q&A

• Blog - http://nikpatel.net/

• Twitter - @nikxpatel

• Slideshare - slideshare.net/patenik2