Thomas Vochten

SharePoint Apps for the IT Pro #spsnl 2014

ABOUT ME

Thomas Vochten SharePoint MVP. Platform architect. Speaker. Trainer. Involuntary DBA. Consultant at Xylos. V-TSP at Microsoft.

@thomasvochtenhttp://thomasvochten.com

AGENDA

• Introduction to Apps• Preparing the infrastructure• Apps Management• Apps Security

INTRODUCTION TO APPS

THE PROBLEM WITH FULL TRUST CODE (FTC)• Performance• Maintenance• Security• Upgrades• Supportability• …

PREVIOUS ATTEMPTS TO FIX THE PROBLEM

Custom code in Sandboxed Solutions is deprecated with SharePoint 2013

MORE FRUSTRATIONS

SharePoint developers felt, well… a bit left behind

WELCOME TO THE CLOUD APP MODEL (CAM)• Apps don’t run on the SharePoint server• Can still interact with SharePoint• On-Premises and in the cloud• Free choice of tools, languages & platforms

EVERYTHING IS AN APP

THE NEW MICROSOFT ?

http://officespdev.uservoice.com/

https://officeams.codeplex.com/

TYPES OF APPS

SHAREPOINT HOSTED APPS

• Run in the browser• Use client side technologies only• Relatively easy• Can interact with the host web• Use an app web with a funky URL• On-Premises and in the cloud• AuthZ with user privileges

PROVIDER HOSTED APPS

• Bring your own hosting• Use any language or platform• Greater flexibility• Greater responsibility• Can interact with the host web

PROVIDER HOSTED APPS

AUTO HOSTED APPS

• Web & Azure components are provisioned automatically• Can interact with the host web• Automagically provisioned provider-hosted apps

APPS POSITIONING

APPS USER EXPERIENCE

SHAREPOINT STORE

WHO DO YOU TRUST ?

APP PROVISIONING

• Timer job kicks in• App web is provisioned• Permissions are configured

FULL PAGE

Mimics SharePoint look and feel

APPS UI COMPONENTS

Ribbon extensions

App Parts

PREPARING THE INFRASTRUCTURE

DEMO ENVIRONMENT

• Single farm• Single content application pool• Single services application pool• Single content web application• Host named site collections• No host headers• SSL Everywhere

“Host-named site collections are the preferred method to deploy sites in

SharePoint 2013”

From: TechNet

DEMO

Exploring the demo environment

DNS PREREQUISITES

• Choose your app domain• Request a wildcard or SAN certificate• Configure DNS with a wildcard record• Setup SharePoint & IIS to accommodate requests for your app domain

CHOOSE AN APP DOMAIN

• Unique domain• No subdomains please• You need one…per farm!

CERTIFICATES

Wildcard Certificate*.contoso.com

Wildcard Certificate*.contosoapps.com

SAN Certificate*.contoso.com

*.contosoapps.com

Multiple web applicationsIIS Host headersRouting web application for apps

Single web applicationHost named site collectionsNo IIS host headers

ROUTING WEB APPLICATION

https://app-bdf2016ea7dacb.contosoapps.com/...

DNS Lookupapp-bdf2016ea7dacb.contosoapps.com

Web AppHost header: intranet.contoso.com

Web AppHost header: teams.contoso.com

Default WebsiteNo host header

Default WebsiteNo host header

Routing Web AppNo host header

Certificate

Certificate

WC Certificate

ROUTING WEB APPLICATION

https://app-bdf2016ea7dacb.contosoapps.com/...

DNS Lookupapp-bdf2016ea7dacb.contosoapps.com

Web AppNo host header

SAN Certificate

ROUTING WEB APPLICATION• When you need to use IIS host headers• Web application without a host header• Contains no site collections• Delete/disable the Default Website in IIS• Consider multiple IP addresses• Use the same application pool identity as your content application pool

SHAREPOINT PREREQUISITESClaims based authentication only

Subscription Settings Service ApplicationGenerates & manages App ID’s

App Management Service ApplicationGeneral settingsApp licensing

SHAREPOINT CONFIGURATION• Configure App domain• Configure App prefix• Configure App Catalog• Configure SharePoint Store settings

CONSIDERATIONS

• You can use multiple zones for your app domain (needs March 2013 PU)

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService$contentService.SupportMultipleAppDomains = $true $contentService.Update() iisreset

New-SPWebApplicationAppDomain -AppDomain <AppDomain> -WebApplication <WebApplicationID> -Zone <Zone> -Port <Port> -SecureSocketsLayer

• Use SSL… everywhere!

DEMO

Configuring infrastructure for Apps

SIMPLE, RIGHT?

• Your environment is now ready to host SharePoint Hosted Apps

• Office365 can use provider hosted apps without extra configuration

• Connecting on-premises farms to provider hosted apps requires additional configuration!

APPS SECURITY

SECURITY BASICS

• User principals vs App principals• Authentication vs Authorization

SharePoint 2013 can authenticate Apps!

APP AUTHENTICATION

• Internal AuthenticationIt just works

• External Authentication using S2S Trusts

• External Authentication using OAuth

AUTHENTICATION FLOWstart

authentication

does request target aCSOM/REST endpoint?

does request carrya claims token?

does request carryan access token?

yes

no

endauthentication

No Authentication(anonymous access)

no

App Authentication(app and user

identity)

User Authenticationdoes request targetURL of an app web?

does access token Carry user identity?

App OnlyAuthentication

yes no

yes yes

yes

no

no

APP PERMISSIONS

• Granted by user approval• All or nothing• Default permissions (like app web control)

LOW TRUST VS HIGH TRUST

• Low trust apps need ACS as trust broker (via Office365)

• High trust apps need Server To Server trust (no need for Office365)

LOW TRUST VS HIGH TRUST

SharePoint Remote App Trust broker

On premises In cloud ACS, certificate

On premises On premises ACS, certificate

Office 365 In cloud ACS

Office 365 On premises ACS

You might need to open firewall ports towards ACS

KERBEROS?

Sorry, something went wrong

SAML AUTHENTICATION

Identity provider should support:

• Wildcard return URL• Wreply parameter

ADFS 2.0 does not, ADFS 3.0 does

SUMMARY

• Apps are good for you• Don’t underestimate infrastructure impact• Understand the security model of apps• Strongly consider using host named site collections• Use SSL - Everywhere!

QUESTIONS ?

THANK YOU#spsnl @thomasvochten