An IT Pro Guide for Deploying and Managing SharePoint 2013 Apps
Randy Williams
randy.williams@avepoint.com
@tweetraw
Randy Williams, Author, Director of ACS
Our Agenda
• Understanding 2013 Apps
• Provisioning Support for 2013 Apps
• Managing 2013 Apps
• Deploying Provider-hosted Apps
UNDERSTANDING 2013 APPS
So - what exactly is an app?
An application whose interface is launched from or surfaced through SharePoint, but whose code is executed elsewhere
• Can contain some declarative SharePoint artifacts
• External app can provide UI through a SharePoint IFrame or full screen
• External app uses CSOM or REST (OData) to call back
• No custom server-side code running on SharePoint servers
@tweetraw
#espc14
How an app runs
Host web & app web
• The host web is where the app is added, removed, upgraded
• If the app contains SharePoint artifacts, a sub-web is created underneath the host web
• This sub-web is called the app web
• The app web is only accessible using an isolated domain name
– https://{AppPrefix}-{ID}.{AppDomain}/path/{AppName}
Host web: https://teams.contoso.com
App web: https://app-af48d482118ab1.appscontoso.com/myapp
Understanding the app web url
https://<app prefix>-<app id>.<app domain>/<host web relative url>/<app name>
https://app-af48d482118ab1.appscontoso.com/sites/projects/foo/myapp
• The app prefix is defined when you configure support for SharePoint apps
• The app id is an app-unique hex string, automatically generated
• The app domain is the DNS name you configure
• The host web relative url is the portion of the url that is relative to the web application
• The app name is set by the developer
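Added example (not from the presentation): a PowerShell function that splits an app web URL into the parts listed above and checks that the app domain is isolated from the host web's domain, which is the point of the separate app domain. The function name and the sample URLs are the slide's values or assumptions of this example.

```powershell
# Splits https://<prefix>-<id>.<domain>/<host web relative url>/<app name>
# and reports whether the app domain is separate from the host web's domain.
function Split-SPAppWebUrl {
    param(
        [Parameter(Mandatory)][string]$AppWebUrl,
        [Parameter(Mandatory)][string]$HostWebUrl
    )
    $uri = [System.Uri]$AppWebUrl
    # first DNS label is <prefix>-<hex app id>; everything after it is the app domain
    if ($uri.Host -notmatch '^(?<prefix>[^.-]+)-(?<id>[0-9a-f]+)\.(?<domain>.+)$') {
        throw "Not an app web URL: $AppWebUrl"
    }
    $prefix = $Matches['prefix']; $id = $Matches['id']; $domain = $Matches['domain']

    # last path segment is the app name; the rest is the host web relative url
    $segments = $uri.AbsolutePath.Trim('/') -split '/'
    $appName  = $segments[-1]
    $hostRel  = if ($segments.Count -gt 1) { '/' + ($segments[0..($segments.Count - 2)] -join '/') } else { '/' }

    # the app domain must not be the host web's parent domain or a child of it,
    # otherwise cookies scoped to the parent domain would be visible to app webs
    $hostWebHost = ([System.Uri]$HostWebUrl).Host
    $parent      = ($hostWebHost -split '\.', 2)[1]          # e.g. contoso.com
    $isolated    = ($domain -ne $parent) -and ($domain -notlike "*.$parent")

    [pscustomobject]@{
        AppPrefix           = $prefix
        AppId               = $id
        AppDomain           = $domain
        HostWebRelativeUrl  = $hostRel
        AppName             = $appName
        IsolatedFromHostWeb = $isolated
    }
}

# sample values from the slide
Split-SPAppWebUrl -AppWebUrl 'https://app-af48d482118ab1.appscontoso.com/sites/projects/foo/myapp' `
                  -HostWebUrl 'https://teams.contoso.com'
```

For the slide's URLs this returns prefix app, id af48d482118ab1, domain appscontoso.com, host web relative url /sites/projects/foo, app name myapp, and IsolatedFromHostWeb = True; an app domain of apps.contoso.com would return False.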
App principal
• A 2013 app uses a new security principal called the app principal
• The developer sets the permissions the app will need
• Permissions are delegated to the app principal when the app is provisioned
• If the user does not have the permissions the app needs, it cannot be provisioned
App policies
The developer sets the app permission policy in the app manifest:
<AppPermissionRequests AllowAppOnlyPolicy="true|false">

Policy type       | Attribute value | What it means
User & app policy | false (default) | Both the user and the app must have permissions to perform an action.
App only policy   | true            | Only the app needs permissions to perform an action. You must be a site collection admin to provision apps of this type. (Think of this as an elevation of privileges)
App permission scope
• Permissions are not inherited like user principals
• Permissions are granted to one of four scopes
– Tenancy (meaning all web apps if not using multi-tenancy)
– Site collection
– Web (meaning host web)
– List (by default, all lists in host web)
• App receives the requested permission to all objects contained in this scope
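Added example (not from the presentation), covering the policy and scope slides above: a PowerShell function that opens an .app package (a zip file), reads its AppManifest.xml and lists the AllowAppOnlyPolicy setting plus every requested scope and right, so an admin can review what an app asks for before adding it to the app catalog. It assumes .NET 4.5 for System.IO.Compression and a package path of your own; the function name is this example's.

```powershell
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-SPAppPermissionRequest {
    param([Parameter(Mandatory)][string]$PackagePath)

    # an .app package is a zip; the manifest sits at its root
    $zip = [System.IO.Compression.ZipFile]::OpenRead($PackagePath)
    try {
        $entry = $zip.GetEntry('AppManifest.xml')
        if (-not $entry) { throw "AppManifest.xml not found in $PackagePath" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }

    $requests = $manifest.App.AppPermissionRequests
    # AllowAppOnlyPolicy="true": the app can act with its own permissions, not the user's
    $appOnly = $requests -and $requests.AllowAppOnlyPolicy -eq 'true'

    foreach ($r in @($requests.AppPermissionRequest)) {
        if (-not $r) { continue }
        [pscustomobject]@{
            App          = $manifest.App.Name
            AllowAppOnly = [bool]$appOnly
            Scope        = $r.Scope   # e.g. http://sharepoint/content/sitecollection/web
            Right        = $r.Right   # Read, Write, Manage, FullControl
            # app-only, or FullControl at tenant or site collection scope, deserves a closer look
            ReviewFlag   = [bool]$appOnly -or
                           ($r.Right -eq 'FullControl' -and $r.Scope -match '/content/(tenant|sitecollection)$')
        }
    }
}

# path is an assumption of this example
Get-SPAppPermissionRequest -PackagePath 'C:\packages\MyApp.app' | Format-Table -AutoSize
```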
Reviewing app web url
DEMO
PROVISIONING SUPPORT FOR 2013 APPS
Four steps to host apps on premises
1. Create an app tenancy
2. Configure app url settings
3. Configure redirection web app
4. Configure DNS
1 Creating an app tenancy
• Create App Management Service app
– Tracks app instances, licenses, app principals
• Create Subscription Settings Service app
– Provides app isolation
• Do not use the farm account for the app pools
• The account does not need to be a local admin
• Start these services on the designated server(s)
Scripting the app tenancy
# Sample server names and account from the slide
$dbserver = "sql1"
$wfe = "wfe1"
$acct = "contoso\SP.AppPool"   # dedicated managed account, not the farm account
$subPool = New-SPServiceApplicationPool -Name "SubscriptionSettingsAppPool" -Account $acct
$appPool = New-SPServiceApplicationPool -Name "AppManagementAppPool" -Account $acct
# App Management Service: tracks app instances, licenses and app principals
$name = "App Management Service"
$svc = New-SPAppManagementServiceApplication -ApplicationPool $appPool -Name $name `
    -DatabaseName "AppManagement" -DatabaseServer $dbserver
New-SPAppManagementServiceApplicationProxy -ServiceApplication $svc -Name "$name Proxy"
# Subscription Settings Service: provides app isolation
$name = "Subscription Settings Service"
$svc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $subPool -Name $name `
    -DatabaseName "SubscriptionSettings" -DatabaseServer $dbserver
New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $svc
# Start both service instances on the designated server
Get-SPServiceInstance | where {$_.TypeName -in ("App Management Service", `
    "Microsoft SharePoint Foundation Subscription Settings Service") -and $_.Parent -like `
    "*$wfe"} | Start-SPServiceInstance
2 Configure app url settings
• There are two settings you need to specify
– App Prefix and App Domain
• Security-wise, it is best to have the app domain be a top-level domain (e.g. appscontoso.com)
• Set in Central Administration or PowerShell
Set-SPAppDomain "appscontoso.com"
Set-SPAppSiteSubscriptionName -Name "apps" -Confirm:$false
3 Configure redirection web app
• Create a dedicated SP web application
– Make sure host header is blank
– No content database needed
– It is only used for “app redirection”
• Bind IIS web site to a dedicated IP address
• SSL strongly recommended
– Use a wildcard certificate (e.g. *.appscontoso.com)
– Bind certificate to this IIS web site
Sample IIS bindings
Type  | Host name          | Port | IP Address | SSL certificate    | Description
https | teams.contoso.com  | 443  | 10.0.0.10  | teams.contoso.com  | Regular SP web application
https | portal.contoso.com | 443  | 10.0.0.11  | portal.contoso.com | Regular SP web application
https | <blank>            | 443  | 10.0.0.12  | *.appscontoso.com  | SharePoint web application used for app redirection
4 Configure DNS
• Create an authoritative zone for the app domain
• Dynamic hostname resolution is needed, so you'll need a wildcard "A" record
– For example: *.appscontoso.com
• Host ("A" record) points to the IP address for the "redirection" web app
– 10.0.0.12 from previous slide
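Added example (not from the presentation): a PowerShell check for the four steps above, run from the SharePoint 2013 Management Shell on a server that also has the WebAdministration and DnsClient modules. The app domain and redirect IP are the slide's sample values; everything else is read from the farm, IIS and DNS.

```powershell
Import-Module WebAdministration
$expectedDomain = 'appscontoso.com'
$redirectIp     = '10.0.0.12'

# 1. app tenancy: both service instances must be Online on at least one server
$svcNames = 'App Management Service', 'Microsoft SharePoint Foundation Subscription Settings Service'
foreach ($n in $svcNames) {
    $online = @(Get-SPServiceInstance | Where-Object { $_.TypeName -eq $n -and $_.Status -eq 'Online' })
    "{0,-65} {1}" -f $n, $(if ($online.Count) { "OK ($($online.Count) online)" } else { 'MISSING' })
}

# 2. app url settings: app domain and prefix must both be set
$domain = Get-SPAppDomain
$prefix = Get-SPAppSiteSubscriptionName
"App domain: $domain  prefix: $prefix"
if ($domain -ne $expectedDomain) { "WARNING: app domain is '$domain', expected '$expectedDomain'" }

# 3. redirection web app: an https binding on the redirect IP with a blank host header.
#    bindingInformation is "ip:port:hostheader", so a blank host header ends in ":443:"
$binding = Get-WebBinding | Where-Object {
    $_.protocol -eq 'https' -and $_.bindingInformation -eq "${redirectIp}:443:" }
if ($binding) { "Redirection binding OK: $($binding.bindingInformation)" }
else          { "MISSING: https binding ${redirectIp}:443 with blank host header" }

#    the wildcard certificate should be in the machine store and not about to expire
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match ('^CN=\*\.' + [regex]::Escape($expectedDomain)) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert) { "Wildcard cert expires {0:yyyy-MM-dd} (thumbprint {1})" -f $cert.NotAfter, $cert.Thumbprint }
else       { "MISSING: *.$expectedDomain certificate in LocalMachine\My" }

# 4. DNS: any random label under the app domain must resolve to the redirect IP
$probe = 'chk{0}.{1}' -f (Get-Random), $expectedDomain
$addr  = (Resolve-DnsName -Name $probe -Type A -ErrorAction SilentlyContinue).IPAddress
if ($addr -contains $redirectIp) { "DNS wildcard OK: $probe -> $addr" }
else                             { "MISSING: $probe did not resolve to $redirectIp (got: $addr)" }
```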
Provisioning support for SharePoint 2013 apps
DEMO
MANAGING 2013 APPS
Creating an app catalog
• Two primary purposes
– Manage internally-developed apps
– Manage app requests
• A web app can only have one app catalog
– An app catalog is associated with just one web app
New-SPSite -Url http://teams.contoso.com/sites/AppCatalog -OwnerAlias `
    "contoso\admin" -Name "Contoso App Catalog" -Template "APPCATALOG#0"
Update-SPAppCatalogConfiguration -Site `
    http://teams.contoso.com/sites/AppCatalog
Managing app requests
• If users cannot directly install apps, they must request them
• Requests are stored in the app catalog
• Add an alert to the App Requests list to be notified of new requests
• Grant site collection admin on the app catalog to delegate to others
Managing licenses
• By default, only farm admin can manage licenses
• Management can be delegated out on a license-by-license basis
Common questions
• Who can provision apps?
– Site owners (Create Sites + Manage permissions)
– The provisioning user must have the permissions requested by the app
• Can I disable the SharePoint Store?
– Not completely. You can restrict whether users must request apps or not
– Editing the AddAnApp.aspx page is a workaround to remove the link
Managing SharePoint 2013 apps
DEMO
DEPLOYING CUSTOM PROVIDER-HOSTED APPS
Provider-hosted apps
• Server-side code runs remotely, outside SharePoint
• Each app has an app principal
• For an on-premises farm, you can use an S2S trust or Azure ACS (O365 tenancy)
• SSL is strongly recommended for the remote web
• Integrated Windows auth on the remote web is required if using the Visual Studio helper class
Configuring OAuth in SharePoint
• Scenario: SPOL and on-premises app
• Use AppRegNew.aspx to register app principal
– Generate App Id and App Secret
– For app domain, use host header of remote web
– Redirect URI is optional
• Configure remote web using values from AppRegNew
<add key="ClientId" value="…" />      (use App Id value)
<add key="ClientSecret" value="…" />  (use App Secret value)
• Add the .app package into the app catalog
Configuring S2S in SharePoint
• Scenario: On-premises farm and app
• Create an X.509 cert
– Export to .cer (without private key)
– Export to .pfx (with private key) and store on the remote server
• Run New-SPTrustedSecurityTokenIssuer
• Run Register-SPAppPrincipal
• Add the .app package into the app catalog
S2S – configuring SharePoint
# Sample values from the slide; the .cer export carries the public key only
$certPath = "c:\temp\app.cer"
$spUrl = "https://teams.contoso.com"
$appName = "My app name"
$stsName = $appName + " STS"
# New issuer id; the remote web reuses it as ClientId and IssuerId
$issuerId = [System.Guid]::NewGuid().ToString().ToLower()
$spweb = Get-SPWeb $spUrl
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
$cert = Get-PfxCertificate $certPath
# Trust the certificate, then register it as a token issuer for <issuerId>@<realm>
New-SPTrustedRootAuthority -Name "STS cert" -Certificate $cert
$fullAppIdentifier = $issuerId + '@' + $realm
New-SPTrustedSecurityTokenIssuer -Name $stsName -Certificate $cert `
    -RegisteredIssuerName $fullAppIdentifier -IsTrustBroker
# Register the app principal under the same identifier
$appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier `
    -Site $spweb -DisplayName $appName
S2S - configuring remote web
• Store the .pfx export of the cert in a local folder
• Reference the cert in configuration (e.g. web.config)
• For ClientId, use the $issuerId value from the previous script (from SharePoint)
• ClientId and IssuerId can be the same
<add key="ClientId" value="a63e90ea-289d-469b-8b35-c5748779c1b4" />
<add key="ClientSigningCertificatePath" value="{path}\app.pfx" />
<add key="ClientSigningCertificatePassword" value="pass@word1" />
<add key="IssuerId" value="a63e90ea-289d-469b-8b35-c5748779c1b4" />
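Added example (not from the presentation), for the two S2S slides above: a PowerShell check, run from the SharePoint 2013 Management Shell, that the trusted issuer SharePoint holds, the registered app principal and the .pfx deployed to the remote web all agree. $spUrl and $stsName reuse the slide script's values; the .pfx path is an assumption of this example.

```powershell
$spUrl   = 'https://teams.contoso.com'
$stsName = 'My app name STS'
$pfxPath = 'C:\remoteweb\app.pfx'                 # assumed location of the .pfx export
$pfxPass = Read-Host -AsSecureString 'pfx password'

$site   = (Get-SPWeb $spUrl).Site
$realm  = Get-SPAuthenticationRealm -ServiceContext $site
$issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $stsName }
if (-not $issuer) { throw "No trusted security token issuer named '$stsName'" }

# RegisteredIssuerName is <issuerId>@<realm>; the part before '@' is the remote web's ClientId/IssuerId
$issuerId, $issuerRealm = $issuer.RegisteredIssuerName -split '@', 2
if ($issuerRealm -ne $realm) { "WARNING: issuer realm $issuerRealm differs from farm realm $realm" }

# the app principal must be registered under the same identifier
$principal = Get-SPAppPrincipal -NameIdentifier $issuer.RegisteredIssuerName -Site $spUrl -ErrorAction SilentlyContinue
"App principal: " + $(if ($principal) { $principal.DisplayName } else { 'MISSING' })

# the .pfx on the remote web must carry the same certificate SharePoint trusts, with its private key
$pfx   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPass)
$match = $pfx.Thumbprint -eq $issuer.SigningCertificate.Thumbprint
"Cert thumbprint match: $match (SharePoint {0}, pfx {1})" -f $issuer.SigningCertificate.Thumbprint, $pfx.Thumbprint
"Has private key: $($pfx.HasPrivateKey)  expires {0:yyyy-MM-dd}" -f $pfx.NotAfter
"Use ClientId/IssuerId = $issuerId in the remote web.config"
```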
Quick recap
• Understanding 2013 Apps
• Provisioning Support for 2013 Apps
• Managing 2013 Apps
• Deploying Provider-hosted Apps
Q&A
For more information, see chapter 15
Additional reading
Topic                                | Url
App permissions                      | bit.ly/1g3w5wB
Deploying apps with PowerShell       | bit.ly/1ijTGsW
OAuth authorization flow             | bit.ly/1g3wjEa
App principal registration           | bit.ly/1j49DZ9
Package and publish high trust apps  | bit.ly/RmaNEh
Thank You
randy.williams@avepoint.com
@tweetraw