As a SharePoint administrator managing your on-premises environment, building and managing environments to support 2013 apps is far from trivial. In this IT-Pro-centric session, we'll bypass all of the developer ballyhoo and home in on what matters most to you. Topics include provisioning service applications and an app catalog; understanding and configuring OAuth and Server-to-Server (S2S) scenarios; understanding the app model's security strengths and weaknesses; and developing governance policies to ensure you can properly manage and control these next-generation solutions.
1. An IT Pro Guide for Deploying and Managing SharePoint 2013 Apps
   Randy Williams, [email protected], @tweetraw
2. Randy Williams
   - Director of ACS
   - Author
3. Our Agenda
   - Understanding 2013 Apps
   - Provisioning Support for 2013 Apps
   - Managing 2013 Apps
   - Deploying Provider-hosted Apps
4. UNDERSTANDING 2013 APPS
5. So, what exactly is an app? (#espc14 @tweetraw)
   - An application whose interface is launched from or surfaced through SharePoint, but whose code is executed elsewhere
   - Can contain some declarative SharePoint artifacts
   - The external app can provide UI through a SharePoint IFrame or full screen
   - The external app uses CSOM or REST (OData) to call back
   - No custom server-side code runs on the SharePoint servers
6. How an app runs
7. Host web & app web
   - The host web is where the app is added, removed and upgraded
   - If the app contains SharePoint artifacts, a sub-web is created underneath the host web
   - This sub-web is called the app web
   - The app web is only accessible using an isolated domain name:
     https://{AppPrefix}-{ID}.{AppDomain}/path/{AppName}
   - Host web:  https://teams.contoso.com
   - App web:   https://app-af48d482118ab1.appscontoso.com/myapp
8. Understanding the app web URL
   - The app prefix is defined when you configure support for SharePoint apps
   - The app ID is an app-unique hex string that is generated automatically
   - The app domain is the DNS name you configure
   - The host web relative URL is the portion of the URL that is relative to the web application
   - The app name is set by the developer
     https://{AppPrefix}-{ID}.{AppDomain}/{HostWebRelativeUrl}/{AppName}
     https://app-af48d482118ab1.appscontoso.com/sites/projects/foo/myapp
9. App principal
   - A 2013 app uses a new security principal called the app principal
   - The developer sets the permissions the app will need
   - Permissions are delegated to the app principal when the app is provisioned
   - If the user does not have the permissions the app needs, it cannot be provisioned
10. App policies
   - The developer sets the app permission policy in the app manifest

   Policy type         Attribute value   What it means
   User & app policy   false (default)   Both the user and the app must have permissions to perform an action.
   App-only policy     true              Only the app needs permissions to perform an action. You must be a
                                         site collection admin to provision apps of this type. (Think of this
                                         as an elevation of privileges.)
11. App permission scope
   - Permissions are not inherited like user principals
   - Permissions are granted to one of four scopes:
     - Tenancy (meaning all web apps if not using multi-tenancy)
     - Site collection
     - Web (meaning the host web)
     - List (by default, all lists in the host web)
   - The app receives the requested permission to all objects contained in this scope
12. DEMO Reviewing app web url
13. PROVISIONING SUPPORT FOR 2013 APPS
14. Four steps to host apps on premises
   1. Create an app tenancy
   2. Configure app URL settings
   3. Configure the redirection web app
   4. Configure DNS
15. Creating an app tenancy (step 1)
   - Create the App Management Service app: tracks app instances, licenses and app principals
   - Create the Subscription Settings Service app: provides app isolation
   - Do not use the farm account for the app pools; the account does not need to be a local admin
   - Start these services on the designated server(s)
17. Configure app URL settings (step 2)
   - There are two settings you need to specify: App Prefix and App Domain
   - Security-wise, it is best to have the app domain be a top-level domain (e.g. appscontoso.com)
   - Set in Central Administration or PowerShell:
     Set-SPAppDomain "appscontoso.com"
     Set-SPAppSiteSubscriptionName -Name "apps" -Confirm:$false
18. Configure redirection web app (step 3)
   - Create a dedicated SP web application
   - Make sure the host header is blank
   - No content database is needed; it is only used for app redirection
   - Bind the IIS web site to a dedicated IP address
   - SSL strongly recommended: use a wildcard certificate (e.g. *.appscontoso.com) and bind it to this IIS web site
19. Sample IIS bindings

   Type    Host name            Port   IP address   SSL certificate      Description
   https   teams.contoso.com    443    10.0.0.10    teams.contoso.com    Regular SP web application
   https   portal.contoso.com   443    10.0.0.11    portal.contoso.com   Regular SP web application
   https   (blank)              443    10.0.0.12    *.appscontoso.com    SharePoint web application used for app redirection
20. Configure DNS (step 4)
   - Create an authoritative zone for the app domain
   - Dynamic hostname resolution is needed, so you'll need a wildcard A record, for example *.appscontoso.com
   - The host (A record) points to the IP address of the redirection web app: 10.0.0.12 from the previous slide
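The four steps above as one script, an added example that is not part of the deck. It is run in the SharePoint 2013 Management Shell (the DnsServer cmdlets run on the DNS server); the app domain, prefix and IP follow the slides, while the managed account, pool, database and web application names are assumptions, and the wildcard certificate is assumed to be installed already.

```powershell
# Added example, not from the deck: the four provisioning steps as one script run
# in the SharePoint 2013 Management Shell (plus the DnsServer cmdlets, run on the
# DNS server). App domain, prefix and IP follow the slides; the account, pool,
# database and web application names are assumptions for this example.
Import-Module WebAdministration
$acct = Get-SPManagedAccount "CONTOSO\sp_apps"   # assumed dedicated account, not the farm account

# Step 1: app tenancy = App Management + Subscription Settings service apps and proxies.
$subPool = New-SPServiceApplicationPool -Name "SettingsServiceAppPool" -Account $acct
$appPool = New-SPServiceApplicationPool -Name "AppServiceAppPool" -Account $acct
$subSvc  = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $subPool `
             -Name "SettingsServiceApp" -DatabaseName "SettingsServiceDB"
New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $subSvc | Out-Null
$appSvc  = New-SPAppManagementServiceApplication -ApplicationPool $appPool `
             -Name "AppServiceApp" -DatabaseName "AppServiceDB"
New-SPAppManagementServiceApplicationProxy -ServiceApplication $appSvc | Out-Null
# Start both service instances on this server (the designated app server).
Get-SPServiceInstance | Where-Object {
    $_.Server.Name -eq $env:COMPUTERNAME -and
    $_.GetType().Name -in @("AppManagementServiceInstance", "SPSubscriptionSettingsServiceInstance")
} | Start-SPServiceInstance | Out-Null

# Step 2: app URL settings. A separate top-level app domain (not a subdomain of
# contoso.com) keeps app webs out of the host webs' cookie scope.
Set-SPAppDomain "appscontoso.com"
Set-SPAppSiteSubscriptionName -Name "apps" -Confirm:$false

# Step 3: redirection web app: blank host header, SSL, dedicated IP. The cmdlet
# still creates a content database; it simply stays empty.
$redirName = "SharePoint App Redirection"
New-SPWebApplication -Name $redirName -Port 443 -SecureSocketsLayer `
    -ApplicationPool "AppRedirectAppPool" -ApplicationPoolAccount $acct | Out-Null
# Move the https binding to the dedicated IP and attach the wildcard certificate,
# which is assumed to be installed already in Cert:\LocalMachine\My.
Set-WebBinding -Name $redirName -BindingInformation "*:443:" -PropertyName IPAddress -Value "10.0.0.12"
$wildcard = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=*.appscontoso.com*" } | Select-Object -First 1
$wildcard | New-Item "IIS:\SslBindings\10.0.0.12!443" | Out-Null

# Step 4: DNS: authoritative zone for the app domain and a wildcard A record that
# points every app host name at the redirection web app.
Add-DnsServerPrimaryZone -Name "appscontoso.com" -ZoneFile "appscontoso.com.dns"
Add-DnsServerResourceRecordA -ZoneName "appscontoso.com" -Name "*" -IPv4Address "10.0.0.12"

# Checks: settings are stored in the farm and an arbitrary app host name resolves.
Get-SPAppDomain
Get-SPAppSiteSubscriptionName
Resolve-DnsName "apps-0123456789abcd.appscontoso.com" -Type A
```

The final Resolve-DnsName call is the quickest sign that the wildcard record and the app domain agree; if it fails, the app web URL from slide 8 will never reach the redirection web app.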
21. DEMO Provisioning support for SharePoint 2013 apps
22. Book giveaway question
23. MANAGING 2013 APPS
24. Creating an app catalog
   - Two primary purposes: manages internally-developed apps, and manages app requests
   - A web app can only have one app catalog, and an app catalog is associated with just one web app
     New-SPSite -Url http://teams.contoso.com/sites/AppCatalog -OwnerAlias "contosoadmin" `
         -Name "Contoso App Catalog" -Template "APPCATALOG#0"
     Update-SPAppCatalogConfiguration -Site http://teams.contoso.com/sites/AppCatalog
25. Managing app requests
   - If users cannot directly install apps, they must request them
   - Requests are stored in the app catalog
   - Add an alert to the App Requests list to be notified of new requests
   - Grant site collection admin on the app catalog to delegate to others
26. Managing licenses
   - By default, only the farm admin can manage licenses
   - Management can be delegated on a license-by-license basis
27. Common questions
   - Who can provision apps? Site owners (Create Sites + Manage Permissions); the provisioning user must have the permissions requested by the app
   - Can I disable the SharePoint Store? Not completely. You can restrict whether users must request apps or not; editing the AddAnApp.aspx page is a workaround to remove the link
28. DEMO Managing SharePoint 2013 apps
29. DEPLOYING CUSTOM PROVIDER-HOSTED APPS
30. Provider-hosted apps
   - Server-side code runs remotely, outside SharePoint
   - Each app has an app principal
   - For an on-premises farm, you can use an S2S trust or Azure ACS (O365 tenancy)
   - SSL is strongly recommended for the remote web
   - Integrated Windows auth on the remote web is required if using the Visual Studio helper class
31. Configuring OAuth in SharePoint
   - Scenario: SPOL and an on-premises app
   - Use AppRegNew.aspx to register the app principal: generate the App Id and App Secret; for the app domain, use the host header of the remote web; the Redirect URI is optional
   - Configure the remote web using the values from AppRegNew: the App Id value and the App Secret value
   - Add the .app package into the app catalog
32. Configuring S2S in SharePoint
   - Scenario: on-premises farm and app
   - Create an X.509 cert
   - Export to .cer (without private key)
   - Export to .pfx (with private key) and store it on the remote server
   - Run New-SPTrustedSecurityTokenIssuer
   - Run Register-SPAppPrincipal
   - Add the .app package into the app catalog
34. S2S: configuring the remote web
   - Store the .pfx export of the cert in a local folder
   - Reference the cert in configuration (e.g. web.config)
   - For ClientId, use the $issuerId value from the previous script (from SharePoint)
   - ClientId and IssuerId can be the same
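The S2S steps of slides 32 and 34 carried through as one script, an added example that is not part of the deck. It assumes the SharePoint 2013 Management Shell on a server with the PKI module (Windows Server 2012 or later); the certificate name and folder, the host web URL and both GUIDs are placeholders of this example.

```powershell
# Added example, not from the deck: the S2S (high-trust) steps of slides 32 and 34
# as one script, run in the SharePoint 2013 Management Shell on a server with the
# PKI module (Windows Server 2012 or later). Certificate name, folder, host web
# and both GUIDs are assumptions; generate your own GUIDs with [guid]::NewGuid().
$certName   = "ContosoHighTrustCert"
$certFolder = "C:\Certs"
$pfxPwd     = Read-Host "PFX export password" -AsSecureString

# 1. Create the X.509 certificate. Self-signed is fine for a lab; production
#    should use a CA-issued certificate.
$cert = New-SelfSignedCertificate -DnsName $certName -CertStoreLocation "Cert:\LocalMachine\My"
New-Item -ItemType Directory -Path $certFolder -Force | Out-Null
# The .cer (public key only) is what SharePoint trusts; the .pfx (private key) is
# the only copy that leaves this box, and only for the remote web server.
Export-Certificate    -Cert $cert -FilePath "$certFolder\$certName.cer" | Out-Null
Export-PfxCertificate -Cert $cert -FilePath "$certFolder\$certName.pfx" -Password $pfxPwd | Out-Null

# 2. Trust the public certificate as a token issuer. The issuer name is a
#    lower-case GUID qualified with the farm's authentication realm.
$realm      = Get-SPAuthenticationRealm
$issuerId   = "11111111-1111-1111-1111-111111111111"   # assumption: replace with your GUID
$publicCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$certFolder\$certName.cer")
New-SPTrustedRootAuthority -Name $certName -Certificate $publicCert | Out-Null
New-SPTrustedSecurityTokenIssuer -Name $certName -Certificate $publicCert `
    -RegisteredIssuerName "$issuerId@$realm" -IsTrustBroker | Out-Null
iisreset   # the new issuer is picked up only after IIS restarts

# 3. Register the app principal against the host web. ClientId may equal IssuerId,
#    as the deck notes; this example keeps them separate.
$clientId = "22222222-2222-2222-2222-222222222222"      # assumption: replace with your GUID
$hostWeb  = Get-SPWeb "https://teams.contoso.com"
Register-SPAppPrincipal -NameIdentifier "$clientId@$realm" -Site $hostWeb `
    -DisplayName "Contoso provider-hosted app" | Out-Null

# 4. Checks before the .pfx is shipped: the issuer is registered, and OAuth over
#    plain HTTP stays disabled so tokens only travel over SSL.
Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $certName } |
    Format-List Name, RegisteredIssuerName
if ((Get-SPSecurityTokenServiceConfig).AllowOAuthOverHttp) {
    Write-Warning "AllowOAuthOverHttp is true: access tokens may be sent in clear text"
}

# Values for the remote web's web.config <appSettings> (Visual Studio TokenHelper keys):
"ClientId = $clientId"
"IssuerId = $issuerId"
"ClientSigningCertificatePath = <path to $certName.pfx on the remote server>"
```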
35. Quick recap
   - Understanding 2013 Apps
   - Provisioning Support for 2013 Apps
   - Managing 2013 Apps
   - Deploying Provider-hosted Apps
36. Q&A (for more information, see chapter 15)
37. Additional reading

   Topic                                  Url
   App permissions                        bit.ly/1g3w5wB
   Deploying apps with PowerShell         bit.ly/1ijTGsW
   OAuth authorization flow               bit.ly/1g3wjEa
   App principal registration             bit.ly/1j49DZ9
   Package and publish high trust apps    bit.ly/RmaNEh