Office Track: SharePoint Apps for the IT Pro - Thomas Vochten
SharePoint Apps for the IT Pro
Thomas Vochten
About Me
Thomas Vochten SharePoint MVP. Platform architect. Speaker. Trainer. Involuntary DBA. Consultant at Xylos. V-TSP at Microsoft.
@thomasvochtenhttp://[email protected]
Agenda
• Introduction to Apps
• Preparing the infrastructure
• Apps Security
• Apps Management
INTRODUCTION TO APPS
The problem with Full Trust Code
• Performance
• Maintenance
• Security
• Upgrades
• Supportability
• …
Previous attempt to fix the problem
Custom code in Sandboxed Solutions is deprecated with SharePoint 2013
More Frustrations
SharePoint developers felt, well… a bit left behind
Welcome to the Cloud App Model
• Apps don’t run on the SharePoint server
• Can still interact with SharePoint
• On-Premises and in the cloud
• Free choice of tools, languages & platforms
The new Microsoft?
http://officespdev.uservoice.com/
https://officeams.codeplex.com/
Everything is an App
TYPES OF APPS
SharePoint Hosted Apps
• Run in the browser
• Use client side technologies only
• Relatively easy
• Can interact with the host web
• Use an app web with a funky URL
• On-Premises and in the cloud
• AuthZ with user privileges
Provider Hosted Apps
• Bring your own hosting
• Use any language or platform
• Greater flexibility
• Greater responsibility
• Can interact with the host web
Auto Hosted Apps
• Web & Azure components are provisioned automatically
• Can interact with the host web
• Automagically provisioned provider-hosted apps
Apps Positioning
APPS USER EXPERIENCE
SharePoint Store
Who do you trust?
App Provisioning
• Timer job kicks in
• App web is provisioned
• Permissions are configured
Full Page
• Mimics SharePoint look and feel
UI Components
• Ribbon extensions
• App Parts
PREPARE THE INFRASTRUCTURE
Demo Environment
• Single farm
• Single content application pool
• Single services application pool
• Single content web application
• Host named site collections
• No host headers
• SSL Everywhere
“Host-named site collections are the preferred method to deploy sites in SharePoint 2013” (From: TechNet)
DEMO | EXPLORE
DNS Prerequisites
• Choose your app domain
• Request a wildcard or SAN certificate
• Configure DNS with a wildcard record
• Setup SharePoint & IIS to accommodate requests for your app domain
Choose an App Domain
• Unique domain
• No subdomains please
• You need one… per farm!
Certificates (three options)
• Wildcard certificate: *.contoso.com
• Wildcard certificate: *.contosoapps.com
• SAN certificate: *.contoso.com and *.contosoapps.com
Two topologies (diagram on the slide, summarised here):

Multiple web applications with IIS host headers: routing web application for apps
• Request: https://app-bdf2016ea7dacb.contosoapps.com/... → DNS lookup of app-bdf2016ea7dacb.contosoapps.com
• Web app with host header intranet.contoso.com (own certificate)
• Web app with host header teams.contoso.com (own certificate)
• Default Website, no host header (would catch the request: delete or disable it)
• Routing web app, no host header, wildcard certificate *.contosoapps.com: receives the app domain request

Single web application with host named site collections: no routing web application
• Request: https://app-bdf2016ea7dacb.contosoapps.com/... → DNS lookup of app-bdf2016ea7dacb.contosoapps.com
• Web app, no IIS host header, serves content and app requests
• SAN certificate covering *.contoso.com and *.contosoapps.com
Routing Web Application
• When you need to use IIS host headers
• Web application without a host header
• Contains no site collections
• Delete/disable the Default Website in IIS
• Consider multiple IP addresses
• Use the same application pool identity as your content application pool
SharePoint Prerequisites
• Claims based authentication only
• Subscription Settings Service Application: generates & manages App ID’s
• App Management Service Application: general settings, app licensing
SharePoint Configuration
• Provision service applications
• Configure App domain
• Configure App prefix
• Configure App Catalog
• Configure SharePoint Store settings
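The prerequisites and configuration steps above, carried out end to end with the SharePoint 2013 Management Shell. This is an added example, not a script from the talk or its demo; the app domain (contosoapps.com), prefix (app), managed account (CONTOSO\sp_services), application pool name and database names are assumptions you would replace with your own. The checks at the end cover the points the slides insist on: claims authentication, SSL and a resolving wildcard DNS record.

```powershell
# Added example: prepare an on-premises SharePoint 2013 farm for SharePoint-hosted apps.
# All names below are assumptions, not values from the talk.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$appDomain   = "contosoapps.com"       # dedicated domain, not a subdomain of contoso.com, one per farm
$appPrefix   = "app"                   # gives hostnames like app-<id>.contosoapps.com
$accountName = "CONTOSO\sp_services"   # managed account for the services application pool
$poolName    = "AppServicesPool"

# 1. Start the two service instances the app model depends on (idempotent)
Get-SPServiceInstance |
    Where-Object { $_.GetType().Name -eq "AppManagementServiceInstance" -or
                   $_.GetType().Name -eq "SPSubscriptionSettingsServiceInstance" } |
    Where-Object { $_.Status -ne "Online" } |
    Start-SPServiceInstance | Out-Null

# 2. Provision the Subscription Settings and App Management service applications + proxies
$account = Get-SPManagedAccount $accountName
$appPool = Get-SPServiceApplicationPool $poolName -ErrorAction SilentlyContinue
if (-not $appPool) { $appPool = New-SPServiceApplicationPool -Name $poolName -Account $account }

$subSvc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $appPool `
            -Name "Subscription Settings Service" -DatabaseName "SP_SubscriptionSettings"
New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $subSvc | Out-Null

$appSvc = New-SPAppManagementServiceApplication -ApplicationPool $appPool `
            -Name "App Management Service" -DatabaseName "SP_AppManagement"
New-SPAppManagementServiceApplicationProxy -ServiceApplication $appSvc | Out-Null

# 3. App domain and app prefix: together they form the per-app hostnames
Set-SPAppDomain $appDomain
Set-SPAppSiteSubscriptionName -Name $appPrefix -Confirm:$false

# 4. Checks a practitioner wants before installing the first app
$issues = @()
$webApps = Get-SPWebApplication
foreach ($wa in $webApps) {
    if (-not $wa.UseClaimsAuthentication) { $issues += "Web application $($wa.Url) is not claims based; apps will not work there" }
    if ($wa.Url -notlike "https://*")     { $issues += "Web application $($wa.Url) is not SSL; app web cookies and OAuth tokens would travel in clear" }
}
# Wildcard DNS: any host under the app domain must resolve (Resolve-DnsName needs Server 2012+)
if (-not (Resolve-DnsName "app-check.$appDomain" -ErrorAction SilentlyContinue)) {
    $issues += "Wildcard record *.$appDomain does not resolve; app webs will be unreachable"
}
if ($issues.Count -eq 0) { Write-Host "App infrastructure configured for $appDomain" }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

The app catalog and the SharePoint Store settings are per web application and are left to Central Administration here; the script covers only the farm-level pieces that every web application shares.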
Considerations
• You can use multiple zones for your app domain (needs March 2013 PU):

    $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    $contentService.SupportMultipleAppDomains = $true
    $contentService.Update()
    New-SPWebApplicationAppDomain -AppDomain <AppDomain> -WebApplication <WebApplicationID> -Zone <Zone> -Port <Port> -SecureSocketsLayer
• Use SSL… everywhere!
DEMO | CONFIGURE
Simple, Right?
• Your environment is now ready to host SharePoint Hosted Apps
• Office365 can use Provider Hosted Apps without extra configuration
• Connecting on-premises farms to Provider Hosted Apps requires additional configuration!
APPS SECURITY
Security Basics
• User principals vs App principals
• Authentication vs Authorization
SharePoint 2013 can authenticate Apps!
App Identity using OAuth
• Client Id of the app
• Display name of the app
• App domain where the remote app is hosted
App Authentication
• Internal Authentication: it just works
• External Authentication using S2S Trusts
• External Authentication using OAuth
Authentication Flow (decision diagram on the slide; decision points and outcomes summarised)

Decision points:
• Does the request target a CSOM/REST endpoint?
• Does the request carry a claims token?
• Does the request carry an access token?
• Does the request target the URL of an app web?
• Does the access token carry a user identity?

Outcomes:
• Access token present and carrying a user identity → App Authentication (app and user identity)
• Access token present without a user identity → App Only Authentication
• Claims token only, request targeting an app web URL → App Authentication (app and user identity)
• Claims token only, ordinary SharePoint URL → User Authentication
• Neither token → No Authentication (anonymous access)
• End authentication
App Permissions
• Granted by user approval
• All or nothing
• Default permissions (like app web control)
Low Trust vs High Trust
• Low trust apps need ACS as trust broker (via Office365)
• High trust apps need Server To Server trust (no need for Office365)
Low Trust vs High Trust

    SharePoint    Remote App    Trust broker
    On premises   In cloud      ACS or certificate
    On premises   On premises   ACS or certificate
    Office 365    In cloud      ACS
    Office 365    On premises   ACS

You might need to open firewall ports towards ACS
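What the "certificate" trust broker in the table means in practice for an on-premises farm: a high-trust (S2S) provider-hosted app is registered by trusting its signing certificate as a token issuer and registering its app principal, with no round trip to ACS. This is an added example, not a script from the talk; the issuer id, client id, certificate path and site URL are assumptions.

```powershell
# Added example: register a high-trust (S2S) provider-hosted app on-premises.
# GUIDs, paths and URL below are placeholders (assumptions), not values from the talk.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerId = "11111111-1111-1111-1111-111111111111".ToLower()   # issuer id must be lowercase
$clientId = "22222222-2222-2222-2222-222222222222".ToLower()   # client id from the app's web.config
$certPath = "C:\Certs\HighTrustApp.cer"                        # public key only; private key stays on the app server
$siteUrl  = "https://intranet.contoso.com"                     # host web the app will be installed in

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($cert.NotAfter -le (Get-Date)) { throw "Certificate $($cert.Subject) has expired; tokens signed with it will be rejected" }

# The registered issuer name is "<issuer id>@<realm>"; the realm is the farm's authentication realm
$realm = Get-SPAuthenticationRealm

# 1. Trust the certificate chain, then the certificate as a token issuer (the trust broker is the cert, not ACS)
New-SPTrustedRootAuthority -Name "HighTrustAppRoot" -Certificate $cert | Out-Null
New-SPTrustedSecurityTokenIssuer -Name "HighTrustAppIssuer" -Certificate $cert `
    -RegisteredIssuerName "$issuerId@$realm" -IsTrustBroker | Out-Null

# 2. Register the app principal so the client id resolves to an identity SharePoint can authorize
$web = Get-SPWeb $siteUrl
Register-SPAppPrincipal -NameIdentifier "$clientId@$realm" -Site $web -DisplayName "High Trust App" | Out-Null

# 3. Keep OAuth on SSL: only a throwaway dev farm should ever set this to $true
$sts = [Microsoft.SharePoint.Administration.SPSecurityTokenServiceManager]::Local
$sts.AllowOAuthOverHttp = $false
$sts.Update()

# 4. Verify: the new issuer must show up with IsSelfIssuer = False next to the farm's own issuer
Get-SPTrustedSecurityTokenIssuer | Select-Object Name, RegisteredIssuerName, IsSelfIssuer
```

Because the app server signs tokens that SharePoint accepts for any user, the private key of that certificate is as sensitive as a farm admin credential: keep it off the SharePoint servers and treat its compromise as a full-farm incident.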
Kerberos?
SAML Authentication
• Identity provider should support a wildcard return URL (wreply parameter)
• Supported by latest ADFS version
APPS MANAGEMENT
The G-Word
App Management
• Timer Job: App Installation Service
• Cmdlets: Import-SPAppPackage, Install-SPApp, Uninstall-SPAppInstance
Licensing
• Timer Job: License renewal
• Powershell for DR:

    $appProxy = Get-SPServiceApplicationProxy "AppManagementProxyId"
    $appProxy.GetDeploymentID()
    Set-SPAppManagementDeploymentID -AppManagementServiceApplicationProxy $appProxy -DeploymentID <DeploymentID>
Upgrade Apps
• Site collection admin needs to upgrade apps
• SharePoint manages notification state
• Timer Jobs: App State Update, Internal App State Update
• Cmdlets: Get-SPAppStateUpdateInterval, Get-SPAppStateSyncLastRunTime, Set-SPAppStateUpdateInterval, Update-SPAppInstance
Backup/Restore
• Site exports do not include app assets: Export-SPWeb and Import-SPWeb
• Site backup and restore: Backup-SPSite and Restore-SPSite
• App exports: Export-SPAppPackage
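The management, licensing/DR, upgrade and backup slides above as one scripted lifecycle: import and install an app package from the object model, wait for the asynchronous installation timer job, upgrade it, export the app packages that Export-SPWeb would miss, capture the deployment ID for DR, and finally uninstall. This is an added example, not the talk's demo; the site URL, package paths and export folder are assumptions.

```powershell
# Added example: app lifecycle and DR with the SharePoint 2013 cmdlets named in the talk.
# Paths and URL are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "https://intranet.contoso.com"
$pkgPath   = "C:\Apps\ContosoApp.app"
$newPkg    = "C:\Apps\ContosoApp-v2.app"
$exportDir = "C:\Backup\Apps"

$site = Get-SPSite $siteUrl
$web  = $site.RootWeb

# Install: Source=ObjectModel means "side-loaded by an admin", not the Store or the app catalog
$src = [Microsoft.SharePoint.Administration.SPAppSource]::ObjectModel
$app = Import-SPAppPackage -Path $pkgPath -Site $site -Source $src -Confirm:$false
$instance = Install-SPApp -Web $web -Identity $app

# Installation runs in the App Installation Service timer job, so poll until it leaves "Installing"
do {
    Start-Sleep -Seconds 5
    $instance = Get-SPAppInstance -Web $web -AppInstanceId $instance.Id
} while ($instance.Status -eq "Installing")
if ($instance.Status -ne "Installed") { throw "App install ended in state $($instance.Status); check the app's error list in the site" }

# Upgrade: import the new package, then point the existing instance at it
$newApp = Import-SPAppPackage -Path $newPkg -Site $site -Source $src -Confirm:$false
Update-SPAppInstance -Identity $instance -App $newApp | Out-Null

# Backup: Export-SPWeb does not carry app assets, so export every installed app package as well
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
Get-SPAppInstance -Web $web | ForEach-Object {
    Export-SPAppPackage -App $_.App -Path (Join-Path $exportDir "$($_.Title).app")
}

# DR: licenses are bound to the deployment ID of the App Management service application.
# Record it now; after restoring that service application, reapply it so licenses stay valid.
$appProxy = Get-SPServiceApplicationProxy | Where-Object { $_.TypeName -like "App Management*" } | Select-Object -First 1
$deploymentId = $appProxy.GetDeploymentID()
Set-Content -Path (Join-Path $exportDir "deployment-id.txt") -Value $deploymentId
# ... later, on the restored farm:
# Set-SPAppManagementDeploymentID -AppManagementServiceApplicationProxy $appProxy -DeploymentID $deploymentId

# Uninstall also removes the app web and the permissions the user granted at install time
Uninstall-SPAppInstance -Identity $instance -Confirm:$false
$web.Dispose(); $site.Dispose()
```

Importing with Source=ObjectModel bypasses the Store and catalog trust decision, so restrict who can run this: it installs a package, and the permissions it requests, without the user approval step described under App Permissions.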
DEMO | MANAGE
SUMMARY
• Apps are good for you
• Don’t underestimate infrastructure impact
• Understand the security model of apps
• Strongly consider using host named site collections
• Use SSL - Everywhere!
QUESTIONS? @thomasvochten #itproceed