Configuring the Security Token Service
In the next two sections you choose whether you want to access the OWA farm from SharePoint over HTTP or HTTPS. In most cases you will choose HTTPS because this is a more secure solution, but there is one other consideration. You need to know whether your SharePoint content web applications will use HTTP or HTTPS. If there is any chance your web app will use HTTP, then you need to change the Security Token Service to allow OAuth to pass over HTTP. What happens, in a simplified nutshell, is that SharePoint passes the request over to the OWA server using HTTPS, but then the OWA server accesses SharePoint over the calling web application's URL. If that URL is http://portal.contoso.com, the communication will fail, with some cryptic errors in the ULS logs of the OWA server.
In order for HTTP to work properly, you must make the following change on the SharePoint farm:
1. From the SharePoint server, open the SharePoint Management Shell as an administrator.
2. Type the following PowerShell command and press Enter:
$config = (Get-SPSecurityTokenServiceConfig)
3. Type the following PowerShell command and press Enter:
$config.AllowOAuthOverHttp = $true
4. Type the following PowerShell command and press Enter:
$config.Update()
Refer to Figure 6 to confirm what you typed. Once these commands are run, your farm will allow OAuth to happen over the HTTP protocol, which is a security risk in itself. The only way to avoid making this change is to have everything in your environment run over SSL. This means you will make this change if you are using the HTTP method described in the next section, but even when using the HTTPS method you would have to make this change if your SharePoint content is accessible using HTTP.
Using the HTTP Protocol
After the Office Web Apps program is installed on your target server you can begin the actual configuration of that server. As you walk through the configuration process, note that you are using HTTP communications for intra-farm communications. As mentioned previously, it is recommended that any production-level farm use the HTTPS protocol. This section outlines a single Office Web Apps server, which will be configured with the farm.
The first step is to access the OWA server and create the OWA farm:
1. Remote desktop into the OWA server as the account with which you performed the install. In this example, that is Contoso\sp_install.
2. Open Windows PowerShell by right-clicking on it and choosing Run as Administrator.
3. Type the following line and press Enter to load the Office Web Apps PowerShell cmdlets:
Import-Module OfficeWebApps
4. To create the farm, type the following PowerShell command and press Enter:
New-OfficeWebAppsFarm -InternalURL http://OWA.contoso.com -AllowHttp -EditingEnabled:$true
5. When prompted, press Enter to confirm that you want to enable this specific functionality.
6. When completed, you will receive the OWA summary farm confirmation shown in Figure 7.
7. Confirm your farm is operational by using a web browser. To do so, open the following URL: http://owa.contoso.com/hosting/discovery. You should see the Web Application Open Platform Interface (WOPI) discovery XML file, as shown in Figure 8.
That completes the installation and configuration of the Office Web Apps farm. From here you need to bind that farm to whichever host you choose. In this case, the next section steps you through binding the Office Web Apps farm with the SharePoint 2013 farm. You will bind to the SharePoint farm using HTTP.
The final step is the connection of SharePoint and OWA using HTTP. Skip this section if you want to use HTTPS and proceed directly to the next section.
1. Remote desktop to the SharePoint server using Contoso\sp_install.
2. Open the SharePoint Management Shell by right-clicking on the icon and running it as an administrator.
3. To create a binding between the SharePoint 2013 farm and the new OWA 2013 farm, run the following command and press Enter:
New-SPWOPIBinding -ServerName owa.contoso.com -AllowHTTP
4. Set up a zone that instructs SharePoint to communicate with OWA 2013:
Set-SPWOPIZone -Zone "internal-http"
Now SharePoint is ready to take advantage of the Office Web Apps.
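Before flipping AllowOAuthOverHttp in the Security Token Service section, and again after the binding steps above, it helps to see which content URLs actually answer over plain HTTP and what the farm currently permits. The following audit script is an added example, not part of the original article; it assumes a SharePoint 2013 Management Shell and uses only the standard SharePoint and WOPI cmdlets.

```powershell
# Added example (not from the original article): run in the SharePoint
# Management Shell on a SharePoint 2013 server. Lists every alternate access
# mapping served over plain HTTP, reports whether the Security Token Service
# already allows OAuth over HTTP, and shows the WOPI zone and bindings.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-HttpAccessMappings {
    # Every HTTP URL here is one the OWA server may be handed as the
    # "calling" web application URL, so it decides whether the STS change
    # described above is really required.
    $found = @()
    foreach ($webApp in Get-SPWebApplication) {
        foreach ($aam in Get-SPAlternateURL -WebApplication $webApp) {
            if ($aam.IncomingUrl -like 'http://*' -or $aam.PublicUrl -like 'http://*') {
                $found += [PSCustomObject]@{
                    WebApplication = $webApp.DisplayName
                    Zone           = $aam.Zone
                    IncomingUrl    = $aam.IncomingUrl
                    PublicUrl      = $aam.PublicUrl
                }
            }
        }
    }
    return $found
}

$httpMappings = @(Get-HttpAccessMappings)
$sts = Get-SPSecurityTokenServiceConfig

Write-Host "Alternate access mappings served over HTTP: $($httpMappings.Count)"
$httpMappings | Format-Table -AutoSize

Write-Host "STS AllowOAuthOverHttp: $($sts.AllowOAuthOverHttp)"
if ($httpMappings.Count -eq 0 -and $sts.AllowOAuthOverHttp) {
    # Nothing answers over HTTP any more, so the weaker setting is no longer needed.
    Write-Warning "No HTTP mappings remain; AllowOAuthOverHttp can be set back to `$false."
}
elseif ($httpMappings.Count -gt 0 -and -not $sts.AllowOAuthOverHttp) {
    Write-Warning "HTTP mappings exist; OWA callbacks to them fail until they move to HTTPS or AllowOAuthOverHttp is enabled."
}

# WOPI side: the zone SharePoint uses and the OWA servers currently bound.
Write-Host "WOPI zone: $(Get-SPWOPIZone -ErrorAction SilentlyContinue)"
Get-SPWOPIBinding | Group-Object ServerName |
    ForEach-Object { "{0}: {1} bindings" -f $_.Name, $_.Count }
```

Run it once before step 3 of the Security Token Service change to decide whether the change is needed, and once after the binding steps to confirm the zone and server you expect.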