SharePoint Apps for the IT Pro

Post on 06-Dec-2014



SharePoint Saturday Netherlands 2014


Thomas Vochten

SharePoint Apps for the IT Pro #spsnl 2014

ABOUT ME

Thomas Vochten SharePoint MVP. Platform architect. Speaker. Trainer. Involuntary DBA. Consultant at Xylos. V-TSP at Microsoft.

@thomasvochten
http://thomasvochten.com

AGENDA

• Introduction to Apps
• Preparing the infrastructure
• Apps Management
• Apps Security

INTRODUCTION TO APPS

THE PROBLEM WITH FULL TRUST CODE (FTC)

• Performance
• Maintenance
• Security
• Upgrades
• Supportability
• …

PREVIOUS ATTEMPTS TO FIX THE PROBLEM

Custom code in Sandboxed Solutions is deprecated with SharePoint 2013

MORE FRUSTRATIONS

SharePoint developers felt, well… a bit left behind

WELCOME TO THE CLOUD APP MODEL (CAM)

• Apps don’t run on the SharePoint server
• Can still interact with SharePoint
• On-Premises and in the cloud
• Free choice of tools, languages & platforms

EVERYTHING IS AN APP

THE NEW MICROSOFT?

http://officespdev.uservoice.com/

https://officeams.codeplex.com/

TYPES OF APPS

SHAREPOINT HOSTED APPS

• Run in the browser
• Use client side technologies only
• Relatively easy
• Can interact with the host web
• Use an app web with a funky URL
• On-Premises and in the cloud
• AuthZ with user privileges

PROVIDER HOSTED APPS

• Bring your own hosting
• Use any language or platform
• Greater flexibility
• Greater responsibility
• Can interact with the host web

AUTO HOSTED APPS

• Web & Azure components are provisioned automatically
• Can interact with the host web
• Automagically provisioned provider-hosted apps
• Caveat: Microsoft ended the autohosted apps preview program in 2014, so new autohosted apps can no longer be created in Office 365; treat provider-hosted as the target model

APPS POSITIONING

APPS USER EXPERIENCE

SHAREPOINT STORE

WHO DO YOU TRUST?

APP PROVISIONING

• Timer job kicks in
• App web is provisioned
• Permissions are configured

FULL PAGE

Mimics SharePoint look and feel

APPS UI COMPONENTS

Ribbon extensions

App Parts

PREPARING THE INFRASTRUCTURE

DEMO ENVIRONMENT

• Single farm
• Single content application pool
• Single services application pool
• Single content web application
• Host named site collections
• No host headers
• SSL Everywhere

“Host-named site collections are the preferred method to deploy sites in SharePoint 2013”

From: TechNet

DEMO

Exploring the demo environment

DNS PREREQUISITES

• Choose your app domain
• Request a wildcard or SAN certificate
• Configure DNS with a wildcard record
• Setup SharePoint & IIS to accommodate requests for your app domain

CHOOSE AN APP DOMAIN

• Unique domain
• No subdomains please
• You need one… per farm!

CERTIFICATES

Either two wildcard certificates:
• *.contoso.com
• *.contosoapps.com

or one SAN certificate that covers both names:
• *.contoso.com
• *.contosoapps.com
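As an added example (not part of the slides): a PowerShell check that the wildcard DNS record and the certificate for the app domain are actually in place before SharePoint is configured. The app domain contosoapps.com, the front-end address 10.0.0.10 and the English "DNS Name=" format of the SAN extension output are assumptions of this script, not values from the talk.

```powershell
# Added example: verify the DNS and certificate prerequisites for an app domain.
# Assumptions (not from the slides): app domain contosoapps.com, the farm's web
# front end answering on 10.0.0.10:443, Windows Server 2012+ (Resolve-DnsName).
$appDomain  = 'contosoapps.com'
$frontEndIp = '10.0.0.10'

# SharePoint builds app web host names as <prefix>-<id>.<appdomain>, so a made-up
# host name proves the wildcard record (not just a static A record) resolves.
$probeHost = 'app-{0}.{1}' -f ([guid]::NewGuid().ToString('N').Substring(0, 14)), $appDomain

$answers = Resolve-DnsName -Name $probeHost -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
if (@($answers) -notcontains $frontEndIp) {
    throw "Wildcard DNS check failed: $probeHost resolved to [$($answers -join ', ')], expected $frontEndIp"
}
Write-Host "DNS OK: $probeHost -> $frontEndIp"

# Open a TLS session to the probe host (SNI carries the name) and grab the
# certificate. The callback accepts anything so we can inspect the cert; the
# trust decision is made explicitly below with X509Chain.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$tcp = New-Object System.Net.Sockets.TcpClient($frontEndIp, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($probeHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

# Collect the names the certificate is valid for: subject CN plus SAN entries.
# The SAN extension (OID 2.5.29.17) formats as lines like "DNS Name=*.contoso.com"
# on English Windows (assumption); adjust the regex for other locales.
$names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += ($san.Format($true) -split "`r?`n") |
              ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() } |
              Where-Object { $_ }
}

# A wildcard covers ONE label only (*.contosoapps.com does not cover a.b.contosoapps.com),
# which is why the slides say "no subdomains" for the app domain.
function Test-NameCoversHost([string]$certName, [string]$hostName) {
    if ($certName.StartsWith('*.')) {
        $suffix = $certName.Substring(2)
        $labels = $hostName.Split('.')
        return ($labels.Count -eq $suffix.Split('.').Count + 1) -and
               $hostName.EndsWith('.' + $suffix, [System.StringComparison]::OrdinalIgnoreCase)
    }
    return [string]::Equals($certName, $hostName, [System.StringComparison]::OrdinalIgnoreCase)
}

$covered = $names | Where-Object { Test-NameCoversHost $_ $probeHost }
if (-not $covered) {
    throw "Certificate '$($cert.Subject)' does not cover $probeHost (names: $($names -join ', '))"
}

# Chain validation against the local machine's trust store, done explicitly
# because the SslStream callback above accepted everything.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Certificate chain for $probeHost is not trusted: $status"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate for $appDomain expires on $($cert.NotAfter)"
}
Write-Host "Certificate OK: $($cert.Subject) covers $probeHost (matched '$covered'), valid until $($cert.NotAfter)"
```

Run it from a client that resolves through the same DNS servers your users do; a wildcard record that only exists on the farm's hosts file is the classic reason app webs work for the administrator and nobody else.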

Two ways to host apps on-premises:
• Multiple web applications, IIS host headers, routing web application for apps
• Single web application, host named site collections, no IIS host headers

ROUTING WEB APPLICATION

[Diagram: request routing on a farm with IIS host headers]
A request for https://app-bdf2016ea7dacb.contosoapps.com/... is resolved by the wildcard DNS record to the farm. In IIS, the web applications with host headers (intranet.contoso.com and teams.contoso.com, each with its own certificate) do not match the app host name, so the request lands on the site that has no host header. That site must be the routing web application (with the wildcard certificate), not the Default Website, which also has no host header.

[Diagram: request routing on a farm with host named site collections]
The same request for https://app-bdf2016ea7dacb.contosoapps.com/... is answered directly by the single web application, which has no host header and carries the SAN certificate.

ROUTING WEB APPLICATION

• When you need to use IIS host headers
• Web application without a host header
• Contains no site collections
• Delete/disable the Default Website in IIS
• Consider multiple IP addresses
• Use the same application pool identity as your content application pool
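The routing web application, built with PowerShell as an added example (not a script from the talk). The names, the managed account and the certificate thumbprint are placeholders; it assumes it runs on a farm server where the content application pool already exists.

```powershell
# Added example: create the routing web application for apps on a farm that
# uses IIS host headers. Names, the managed account and the certificate
# thumbprint are placeholders, not values from the slides.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$routingName    = 'SharePoint Apps Routing'
$contentPool    = 'SharePoint Content'      # the existing content application pool
$poolAccount    = 'CONTOSO\sp_content'      # its managed account (same identity as the content apps)
$certThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder: *.contosoapps.com cert in LocalMachine\My

# 1. The Default Web Site also has no host header and would otherwise win the
#    race for app requests. Remove it (the slides: delete/disable it).
if (Get-Website -Name 'Default Web Site' -ErrorAction SilentlyContinue) {
    Remove-Website -Name 'Default Web Site'
}

# 2. Create a claims web application on 443 with SSL and NO -HostHeader, reusing
#    the content application pool. -Url only sets the public (default zone) URL
#    in SharePoint; it does not add an IIS host header.
$claims = New-SPAuthenticationProvider           # Windows claims
$webApp = New-SPWebApplication -Name $routingName `
    -Url "https://$($env:COMPUTERNAME)" -Port 443 -SecureSocketsLayer `
    -ApplicationPool $contentPool `
    -ApplicationPoolAccount (Get-SPManagedAccount $poolAccount) `
    -AuthenticationProvider $claims

# Deliberately no New-SPSite here: the routing web application must contain no
# site collections. Its only job is to own the host-header-less binding so that
# app web requests reach SharePoint and are routed to the right app web.

# 3. Bind the wildcard certificate to the host-header-less 443 binding.
$cert = Get-Item "Cert:\LocalMachine\My\$certThumbprint"
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
}

# 4. Verify: exactly one IIS site should hold the "*:443:" (no host header) binding,
#    and it must be the routing web application.
$owners = Get-Website | Where-Object {
    $_.Bindings.Collection | Where-Object { $_.protocol -eq 'https' -and $_.bindingInformation -eq '*:443:' }
}
if (@($owners).Count -ne 1 -or $owners.Name -ne $routingName) {
    throw "Expected only '$routingName' to bind *:443: with no host header, found: $($owners.Name -join ', ')"
}
Write-Host "Routing web application '$routingName' ready; host-header-less 443 binding is unique"
```

If another web application on the same servers must also answer on 443 without SNI, give the routing web application its own IP address instead of sharing 0.0.0.0:443; that is the "consider multiple IP addresses" bullet.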

SHAREPOINT PREREQUISITES

• Claims based authentication only
• Subscription Settings Service Application: generates & manages App IDs
• App Management Service Application: general settings, app licensing, app permissions

SHAREPOINT CONFIGURATION

• Configure App domain
• Configure App prefix
• Configure App Catalog
• Configure SharePoint Store settings

CONSIDERATIONS

• You can use multiple zones for your app domain (needs March 2013 PU)

    $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    $contentService.SupportMultipleAppDomains = $true
    $contentService.Update()
    iisreset

    New-SPWebApplicationAppDomain -AppDomain <AppDomain> -WebApplication <WebApplicationID> -Zone <Zone> -Port <Port> -SecureSocketsLayer

• Use SSL… everywhere!
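The SharePoint side of the procedure above (service instances, the two service applications, app domain, app prefix and the optional per-zone app domain) as one PowerShell script. This is an added example, not a script from the talk; the SQL server name, service account, pool name, app domain contosoapps.com, prefix "app", the web application URL and the second app domain contosoapps-ext.com are placeholders.

```powershell
# Added example: the SharePoint side of app infrastructure, end to end.
# Placeholders (not from the slides): SQL server SQL01, service account
# CONTOSO\sp_services, app domain contosoapps.com, prefix "app", and the
# second app domain contosoapps-ext.com for the Extranet zone.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$dbServer   = 'SQL01'
$svcAccount = Get-SPManagedAccount 'CONTOSO\sp_services'
$poolName   = 'SharePoint Services'       # the single services application pool of the demo farm
$appDomain  = 'contosoapps.com'
$appPrefix  = 'app'

# 1. Start both service instances on this server (both are required for apps).
$required = @('Microsoft SharePoint Foundation Subscription Settings Service', 'App Management Service')
foreach ($typeName in $required) {
    $instance = Get-SPServiceInstance |
        Where-Object { $_.TypeName -eq $typeName -and $_.Server.Name -eq $env:COMPUTERNAME }
    if ($instance.Status -ne 'Online') {
        Start-SPServiceInstance -Identity $instance | Out-Null
    }
}

# 2. Application pool for the two service applications (create once, reuse).
$pool = Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue
if (-not $pool) {
    $pool = New-SPServiceApplicationPool -Name $poolName -Account $svcAccount
}

# 3. Subscription Settings service application (generates and manages app IDs).
#    It has no Central Administration UI, so PowerShell is the only way.
if (-not (Get-SPServiceApplication | Where-Object { $_.TypeName -like '*Subscription Settings*' })) {
    $subSvc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $pool `
        -Name 'Subscription Settings Service Application' `
        -DatabaseName 'SP_SubscriptionSettings' -DatabaseServer $dbServer
    New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $subSvc | Out-Null
}

# 4. App Management service application (catalog settings, licenses, permissions).
if (-not (Get-SPServiceApplication | Where-Object { $_.TypeName -like '*App Management*' })) {
    $appSvc = New-SPAppManagementServiceApplication -ApplicationPool $pool `
        -Name 'App Management Service Application' `
        -DatabaseName 'SP_AppManagement' -DatabaseServer $dbServer
    New-SPAppManagementServiceApplicationProxy -ServiceApplication $appSvc | Out-Null
}

# 5. App domain and app prefix. Farm-wide: one app domain per farm.
Set-SPAppDomain -AppDomain $appDomain
Set-SPAppSiteSubscriptionName -Name $appPrefix -Confirm:$false

# 6. Optional: a separate app domain for another zone (March 2013 PU or later).
#    The second domain needs its own wildcard DNS record and certificate too.
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$contentService.SupportMultipleAppDomains = $true
$contentService.Update()
$webApp = Get-SPWebApplication 'https://intranet.contoso.com'    # placeholder URL
New-SPWebApplicationAppDomain -AppDomain 'contosoapps-ext.com' -WebApplication $webApp `
    -Zone Extranet -Port 443 -SecureSocketsLayer | Out-Null
iisreset

# 7. Verify the farm-wide and the per-zone settings.
Write-Host ('Farm app domain: {0}, prefix: {1}' -f (Get-SPAppDomain), (Get-SPAppSiteSubscriptionName))
Get-SPWebApplicationAppDomain -WebApplication $webApp | Format-List *
```

Steps 1 to 5 are what the Central Administration wizard does for you for SharePoint Hosted Apps; step 6 is the only part that has no UI at all and needs the March 2013 PU, as the slide notes.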

DEMO

Configuring infrastructure for Apps

SIMPLE, RIGHT?

• Your environment is now ready to host SharePoint Hosted Apps

• Office365 can use provider hosted apps without extra configuration

• Connecting on-premises farms to provider hosted apps requires additional configuration!

APPS SECURITY

SECURITY BASICS

• User principals vs App principals
• Authentication vs Authorization

SharePoint 2013 can authenticate Apps!

APP AUTHENTICATION

• Internal authentication (SharePoint-hosted apps): it just works

• External authentication using S2S trusts

• External authentication using OAuth

AUTHENTICATION FLOW

[Flowchart: the decision tree SharePoint 2013 walks for each request; only the node labels survived extraction]

Decisions:
• Does the request target a CSOM/REST endpoint?
• Does the request carry an access token?
• Does the access token carry a user identity?
• Does the request carry a claims token?
• Does the request target the URL of an app web?

Outcomes:
• App authentication (app and user identity): CSOM/REST request with an access token that carries a user identity
• App-only authentication: CSOM/REST request with an access token that carries no user identity
• User authentication: request authenticated by the user's claims token
• No authentication (anonymous access)

APP PERMISSIONS

• Granted by user approval
• All or nothing
• Default permissions (like app web control)

LOW TRUST VS HIGH TRUST

• Low trust apps need ACS as trust broker (via Office365)

• High trust apps need Server To Server trust (no need for Office365)

LOW TRUST VS HIGH TRUST

SharePoint   | Remote App   | Trust broker
-------------|--------------|------------------
On premises  | In cloud     | ACS, certificate
On premises  | On premises  | ACS, certificate
Office 365   | In cloud     | ACS
Office 365   | On premises  | ACS

You might need to open firewall ports towards ACS
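For the high-trust row (on-premises SharePoint, server-to-server trust, no ACS and no Office 365) this is what the farm-side registration looks like, as an added PowerShell example that is not from the talk. The certificate path, issuer id, client id, site URL and display name are placeholders; the script assumes the app's signing certificate (public key) has already been exported to a .cer file.

```powershell
# Added example: register a high-trust (S2S) provider-hosted app on an
# on-premises farm. No Office 365 / ACS involved. Placeholders, not from the
# slides: certificate path, issuer id, client id, host web URL, display name.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = 'HighTrustApps'
$certPath   = 'C:\Certs\HighTrustApps.cer'                 # public key of the app's signing certificate
$issuerId   = '11111111-1111-1111-1111-111111111111'       # placeholder GUID; must be lower case
$clientId   = '22222222-2222-2222-2222-222222222222'       # placeholder GUID; the app's ClientId
$hostWebUrl = 'https://intranet.contoso.com'
$appDisplay = 'Contoso Provider Hosted App'

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$realm = Get-SPAuthenticationRealm                       # the farm's realm GUID
$registeredIssuer = "$issuerId@$realm"                   # the value the app uses as IssuerId@realm

# 1. Trust the certificate itself (self-signed or private-CA signing cert).
#    This is what makes tokens signed with the matching private key verifiable.
if (-not (Get-SPTrustedRootAuthority -Identity $issuerName -ErrorAction SilentlyContinue)) {
    New-SPTrustedRootAuthority -Name $issuerName -Certificate $cert | Out-Null
}

# 2. Register the token issuer. -IsTrustBroker lets one issuer/certificate be
#    shared by several apps; the token names the app through its client id.
if (-not (Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $issuerName })) {
    New-SPTrustedSecurityTokenIssuer -Name $issuerName -Certificate $cert `
        -RegisteredIssuerName $registeredIssuer -IsTrustBroker | Out-Null
}

# 3. Register the app principal (client id @ realm) against the host web and
#    grant it a right. Normally rights come from the user-approved AppManifest
#    at install time (all or nothing); here Read on the web is granted explicitly.
$web = Get-SPWeb $hostWebUrl
$appPrincipal = Register-SPAppPrincipal -NameIdentifier "$clientId@$realm" -Site $web -DisplayName $appDisplay
Set-SPAppPrincipalPermission -Site $web -AppPrincipal $appPrincipal -Scope Site -Right Read

# 4. Keep OAuth off plain HTTP. "SSL everywhere" in the slides; only a dev farm
#    should ever flip this to $true.
$stsConfig = Get-SPSecurityTokenServiceConfig
if ($stsConfig.AllowOAuthOverHttp) {
    $stsConfig.AllowOAuthOverHttp = $false
    $stsConfig.Update()
}

# 5. The issuer list is cached; an iisreset makes the new registration
#    effective immediately instead of waiting for the cache to refresh.
iisreset | Out-Null

# 6. Verify what the farm now trusts and what the app principal may do.
Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $issuerName } |
    Format-List Name, RegisteredIssuerName, IsTrustBroker
Get-SPAppPrincipalPermission -Site $web -AppPrincipal $appPrincipal
$web.Dispose()
```

The private key never touches the farm: it stays on the app server, which signs its own access tokens with it. Whoever holds that key can mint tokens for every client id registered against this issuer, so protect the .pfx at least as well as the farm account password.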

KERBEROS?

Sorry, something went wrong

SAML AUTHENTICATION

Identity provider should support:

• Wildcard return URL
• Wreply parameter

ADFS 2.0 does not, ADFS 3.0 does

SUMMARY

• Apps are good for you
• Don’t underestimate infrastructure impact
• Understand the security model of apps
• Strongly consider using host named site collections
• Use SSL - Everywhere!

QUESTIONS?

THANK YOU
#spsnl @thomasvochten