SharePoint Apps for the IT Pro

Thomas Vochten

About Me

Thomas Vochten SharePoint MVP. Platform architect. Speaker. Trainer. Involuntary DBA. Consultant at Xylos. V-TSP at Microsoft.

@thomasvochtenhttp://thomasvochten.commail@thomasvochten.com

Agenda• Introduction to Apps• Preparing the infrastructure• Apps Security• Apps Management

INTRODUCTION TO APPS

The problem with Full Trust Code

• Performance• Maintenance• Security• Upgrades• Supportability• …

Previous attempt to fix the problem

Custom code in Sandboxed Solutions is deprecated with SharePoint 2013

More Frustrations

SharePoint developers felt, well… a bit left behind

Welcome to the Cloud App Model

• Apps don’t run on the SharePoint server

• Can still interact with SharePoint• On-Premises and in the cloud• Free choice of tools, languages &

platforms

The new Microsoft?

http://officespdev.uservoice.com/

https://officeams.codeplex.com/

Everything is an App

TYPES OF APPS

SharePoint Hosted Apps• Run in the browser• Use client side technologies only• Relatively easy• Can interact with the host web• Use an app web with a funky URL• On-Premises and in the cloud• AuthZ with user privileges

Provider Hosted Apps• Bring your own hosting• Use any language or platform• Greater flexibility• Greater responsibility• Can interact with the host web

Provider Hosted Apps

Auto Hosted Apps

• Web & Azure components are provisioned automatically

• Can interact with the host web• Automagically provisioned provider-

hosted apps

Apps Positioning

APPS USER EXPERIENCE

SharePoint Store

Who do you trust?

App Provisioning• Timer job kicks in• App web is provisioned• Permissions are configured

Full Page• Mimics SharePoint look and feel

UI ComponentsRibbon extensions App Parts

PREPARE THE INFRASTRUCTURE

Demo Environment• Single farm• Single content application pool• Single services application pool• Single content web application• Host named site collections• No host headers• SSL Everywhere

“Host-named site collections are the preferred method to deploy

sites in SharePoint 2013”

From: TechNet

DEMO | EXPLORE

DNS Prerequisites• Choose your app domain• Request a wildcard or SAN certificate• Configure DNS with a wildcard record• Setup SharePoint & IIS to

accommodate requests for your app domain

Choose an App Domain• Unique domain• No subdomains please• You need one…per farm!

Certificates

Wildcard Certificate*.contoso.com

Wildcard Certificate*.contosoapps.com

SAN Certificate*.contoso.com*.contosoapps.com

Multiple web applicationsIIS Host headers

Routing web application for apps

Single web applicationHost named site collections

No IIS host headers

Routing Web Applicationhttps://app-bdf2016ea7dacb.contosoapps.com/...

DNS Lookupapp-bdf2016ea7dacb.contosoapps.com

Web AppHost header: intranet.contoso.com

Web AppHost header: teams.contoso.com

Default WebsiteNo host headerDefault WebsiteNo host header

Routing Web AppNo host header

Certificate

Certificate

WC Certificate

No Routing Web Applicationhttps://app-bdf2016ea7dacb.contosoapps.com/...

DNS Lookupapp-bdf2016ea7dacb.contosoapps.com

Web AppNo host header

SAN Certificate

Routing Web Application• When you need to use IIS host headers• Web application without a host header• Contains no site collections• Delete/disable the Default Website in IIS• Consider multiple IP addresses• Use the same application pool identity as

your content application pool

SharePoint Prerequisites• Claims based authentication only

• Subscription Settings Service ApplicationGenerates & manages App ID’s

• App Management Service ApplicationGeneral settingsApp licensing

SharePoint Configuration• Provision service applications• Configure App domain• Configure App prefix• Configure App Catalog• Configure SharePoint Store settings

Considerations• You can use multiple zones for your app

domain (needs March 2013 PU)

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService

$contentService.SupportMultipleAppDomains = $true $contentService.Update()

New-SPWebApplicationAppDomain -AppDomain <AppDomain> -WebApplication

<WebApplicationID> -Zone <Zone> -Port <Port> -SecureSocketsLayer

• Use SSL… everywhere!

DEMO | CONFIGURE

Simple, Right?• Your environment is now ready to host

SharePoint Hosted Apps

• Office365 can use Provider Hosted Apps without extra configuration

• Connecting on-premises farms to Provider Hosted Apps requires additional configuration!

APPS SECURITY

Security Basics• User principals vs App principals• Authentication vs Authorization

SharePoint 2013 can authenticate Apps!

App Identity using OAuth• Client Id of the app• Display name of the app• App domain where the remote app is

hosted

App Authentication• Internal Authentication

It just works

• External Authentication using S2S Trusts

• External Authentication using OAuth

Authentication Flowstart

authentication

does request target aCSOM/REST endpoint?

does request carrya claims token?

does request carryan access token?

yes

no

endauthentication

No Authentication(anonymous access)

no

App Authentication(app and user

identity)

User Authenticationdoes request targetURL of an app web?

does access token Carry user identity?

App OnlyAuthentication

yes no

yes yes

yes

no

no

App Permissions• Granted by user approval• All or nothing• Default permissions (like app web control)

Low Trust vs High Trust• Low trust apps need ACS as trust

broker (via Office365)

• High trust apps need Server To Server trust (no need for Office365)

Low Trust vs High Trust

SharePoint Remote App Trust broker

On premises In cloud ACS, certificate

On premises On premises ACS, certificate

Office 365 In cloud ACS

Office 365 On premises ACS

You might need to open firewall ports towards ACS

Kerberos?

SAML Authentication• Identity provider should support:

Wildcard return URLWreply parameter

• Supported by latest ADFS version

APPS MANAGEMENT

The G-Word

App Management• Timer Job:

App Installation Service

• Cmdlets:Import-SPAppPackageInstall-SPAppUninstall-SPAppInstance

Licensing• Timer Job:

License renewal

• Powershell for DR:$appProxy = Get-SPServiceApplicationProxy “AppManagementProxyId”$appProxy.GetDeploymentID()Set-SPAppManagementDeploymentID

Upgrade Apps• Site collection admin needs to upgrade apps• SharePoint manages notification state

• Timer Jobs:App State UpdateInternal App State Update

• Cmdlets:Get-SPAppStateUpdateIntervalGet-SPAppStateSyncLastRunTimeSet-SPAppStateUpdateIntervalUpdate-SPAppInstance

Backup/Restore• Site exports do not include app assets:

Export-SPWeb and Import-SPWeb

• Site backup and restore:Backup-SPSite and Restore-SPSite

• App exports:Export-SPAppPackage

DEMO | MANAGE

SUMMARY• Apps are good for you• Don’t underestimate infrastructure

impact• Understand the security model of apps• Strongly consider using host named site

collections• Use SSL - Everywhere!

QUESTIONS ?@thomasvochten #itproceed

And take home the Lumia 1320

Present your feedback form when you exit the last session & go for the drink

Give Me Feedback

Follow Technet Belgium@technetbelux

Subscribe to the TechNet newsletteraka.ms/benews

Be the first to know

Belgiums’ biggest IT PRO Conference