IT tutorials
 
Applications Server
 

Overview of Oauth in Sharepoint 2013 : Application Authorization - On-Premises App Authentication with S2S

6/28/2014 8:57:05 PM
- Windows 10 Product Activation Keys Free 2019 (All Versions)
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire

In some situations an organization might need its SharePoint environment and solutions to be purely on-premises. This could be for security reasons, technical reasons such as in disconnected network situations, or simply because on-premises solutions are the company policy. In these situations, using Office 365, Azure Access Control Services (ACS), and apps hosted in Azure will not work. An alternative is to host the apps on premises along with the SharePoint sites and to use Server to Server (S2S) authentication. S2S effectively removes reliance on Azure Access Control Services (ACS). In its place SharePoint acts as the Security Token Service (STS) and predefined certificates are used to sign and verify the tokens that are generated. S2S uses extensions to the OAuth 2.0 protocol that are not (at the time of this writing) currently part of the OAuth 2.0 standard, but have been submitted by Microsoft for future inclusion.

Applications that run using S2S are also said to be “high-trust” apps. High-trust apps must authenticate users independently themselves versus being passed a trusted identity as part of the context token from SharePoint. Typically, applications would authenticate a user using Windows Authentication (NTLM) or a similar scheme. High-trust apps are considered “high trust” because SharePoint trusts the application and trusts that it has authenticated and identified the user context being passed as part of an API call.

Part of the reason why high-trust apps establish the identity of users themselves is because of other authentication/authorization needs in on-premises scenarios. Take, for example, the scenario where a financial organization needs to keep all its data on premises for regulatory reasons. It builds an app that works with data in a variety of other on-premises systems and its organization uses Active Directory (AD) to manage users and security in those systems. A high-trust app would use a user’s Windows identity to authenticate him and check his permissions; that same identity could also be used for downstream systems such as SQL Server.

This means that high-trust apps can play in the same playground as other on-premises applications and, most importantly, use the same internally mandated authorization and authentication system.

Setting up S2S authentication requires a number of manual setup steps for it to work properly. Following them correctly is important to ensure proper authentication operation.

You must setup and configure two items prior to starting the S2S configuration:

  • User Profile Service Application
  • App isolation

For more setup steps for app isolation, see the following MSDN document: http://msdn.microsoft.com/en-us/library/office/apps/fp179923.aspx.

After you have the prerequisites set up then you can complete the following:

1. Create and export a certificate.

2. Register the app (see the previous section, “Creating and Managing Application Identities”).

3. Create a Provider-hosted app.

After completing the preceding items, you can start building Provider-hosted apps that are deployed on premises with IIS and SharePoint. The app and SharePoint are able to generate and verify the tokens required based on the trust set up with the certificate. You’ll need to create a certificate so that your app can generate and verify the tokens. You can either create a self-signed certificate or use a certificate obtained from a certificate issuing authority. A self-signed certificate is simply a certificate that you sign yourself rather than obtaining it from a trusted issuing authority, and, for the purposes of these steps, is adequate to use. To create a self-signed certificate, follow these steps (Windows Server 2012):

1. Open IIS Manager.

2. Click Server Certificates.

3. Select Create Self-Signed Certificate from the action menu.

4. Give your certificate a name, such as MyAppCert. Click OK and when complete you will see your new certificate listed.

5. Open your new certificate by double-clicking it.

6. Click Copy to File.

7. Click Next, leaving the fields with their defaults.

8. Click Next again, leaving the fields with their defaults.

9. Give your certificate a filename, such as c:\MyAppCert.cer.

10. Right-click your certificate in IIS Manager and choose Export.

11. Give it a filename such as c:\MyAppCert.pfx.

12. Provide a password and remember it.

You are now ready to register a new app identity in SharePoint. To do this, you can use the following PowerShell script. You need to generate a new GUID for the $clientid value, set the path to your certificate, and set the name of the app appropriately.

$clientid= "7c17e591-f4da-46fc-b85c-a22a6b09c059"
$publicCertificatePath = "C:\MyAppCert.cer"

$certificate = Get-PfxCertificate $publicCertificatePath
$web = Get-SPWeb "http://servername"
$realm = Get-SPAuthenticationRealm -ServiceContext $web.Site
$fullAppIdentifier = $issuerId + '@' + $realm

New-SPTrustedSecurityTokenIssuer -Name "My App"
-Certificate $certificate -RegisteredIssuerName $fullAppIdentifier

Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $web
-DisplayName "My App"

$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
$serviceConfig.Update()

The preceding script does the following:

  • Sets up a new trusted security token issuer.
  • Creates a new app identity/registration.
  • Turns off SSL for OAuth for development purposes.

NOTE Turning off SSL for OAuth makes it easier when developing to get your application up and running. No SSL certificates are needed which simplifies setup and configuration on developer machines with different machine names.

Now you are ready to create a Provider-hosted app in Visual Studio using the Microsoft Office Developer Tools for Visual Studio 2012 - Preview 2. Follow these steps:

1. Create a new SharePoint App project with Visual Studio.

2. Specify Provider-hosted as the app type during creation.

3. When you are asked whether you want to Use a Certificate to authenticate, say that you do and specify the path to the PFX certificate file you exported. Provide the password you also specified during the export.

4. Enter the $clientid GUID you created for the earlier PowerShell script into the Issuer ID field in the wizard.

5. Complete the wizard and complete your application development.

6. Click F5 to deploy and test your application.
 
Others
 
- Overview of Oauth in Sharepoint 2013 : Application Authorization - Requesting Permissions Dynamically
- Overview of Oauth in Sharepoint 2013 : Application Authentication (part 2) - Managing Tokens in Your Application
- Overview of Oauth in Sharepoint 2013 : Application Authentication (part 1) - Using TokenHelper
- Overview of Oauth in Sharepoint 2013 : Creating and Managing Application Identities
- Overview of Oauth in Sharepoint 2013 : Introduction to OAuth
- Sharepoint 2013 : Upgrading to Sharepoint 2013 - Upgrade Considerations (part 3) - Don’t Upgrade Crap
- Sharepoint 2013 : Upgrading to Sharepoint 2013 - Upgrade Considerations (part 2) - What You Can’t Upgrade
- Sharepoint 2013 : Upgrading to Sharepoint 2013 - Upgrade Considerations (part 1) - What You Can Upgrade
- Active Directory 2008 : Managing OUs (part 3) - Delegating Control of OUs
- Active Directory 2008 : Managing OUs (part 2) - Administering Properties of OUs
 
 
Top 10
 
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
programming4us programming4us
 
Popular tags
 
Video Tutorail Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS