In some situations an
organization might need its SharePoint environment and solutions to be
purely on-premises. This could be for security reasons, technical
reasons such as in disconnected network situations, or simply because
on-premises solutions are the company policy. In these situations,
using Office 365, Azure Access Control Services (ACS), and apps hosted
in Azure will not work. An alternative is to host the apps on premises
along with the SharePoint sites and to use Server to Server (S2S)
authentication. S2S effectively removes reliance on Azure Access
Control Services (ACS). In its place SharePoint acts as the Security
Token Service (STS) and predefined certificates are used to sign and
verify the tokens that are generated. S2S uses extensions to the OAuth
2.0 protocol that are not (at the time of this writing) currently part
of the OAuth 2.0 standard, but have been submitted by Microsoft for
future inclusion.
Applications that run using S2S are also said to
be “high-trust” apps. High-trust apps must authenticate users
independently themselves versus being passed a trusted identity as part
of the context token from SharePoint. Typically, applications would
authenticate a user using Windows Authentication (NTLM) or a similar
scheme. High-trust apps are considered “high trust” because SharePoint
trusts the application and trusts that it has authenticated and
identified the user context being passed as part of an API call.
Part of the reason why high-trust apps establish
the identity of users themselves is because of other
authentication/authorization needs in on-premises scenarios. Take, for
example, the scenario where a financial organization needs to keep all
its data on premises for regulatory reasons. It builds an app that
works with data in a variety of other on-premises systems and its
organization uses Active Directory (AD) to manage users and security in
those systems. A high-trust app would use a user’s Windows identity to
authenticate him and check his permissions; that same identity could
also be used for downstream systems such as SQL Server.
This means that high-trust apps can play in the
same playground as other on-premises applications and, most
importantly, use the same internally mandated authorization and
authentication system.
Setting up S2S authentication requires a number
of manual setup steps for it to work properly. Following them correctly
is important to ensure proper authentication operation.
You must setup and configure two items prior to starting the S2S configuration:
- User Profile Service Application
- App isolation
For more setup steps for app isolation, see the following MSDN document: http://msdn.microsoft.com/en-us/library/office/apps/fp179923.aspx.
After you have the prerequisites set up then you can complete the following:
1. Create and export a certificate.
2. Register the app (see the previous section, “Creating and Managing Application Identities”).
3. Create a Provider-hosted app.
After completing the preceding items, you can
start building Provider-hosted apps that are deployed on premises with
IIS and SharePoint. The app and SharePoint are able to generate and
verify the tokens required based on the trust set up with the
certificate. You’ll need to create a certificate so that your app can
generate and verify the tokens. You can either create a self-signed
certificate or use a certificate obtained from a certificate issuing
authority. A self-signed certificate is simply a certificate that you
sign yourself rather than obtaining it from a trusted issuing
authority, and, for the purposes of these steps, is adequate to use. To
create a self-signed certificate, follow these steps (Windows Server
2012):
1. Open IIS Manager.
2. Click Server Certificates.
3. Select Create Self-Signed Certificate from the action menu.
4. Give your certificate a name, such as MyAppCert. Click OK and when complete you will see your new certificate listed.
5. Open your new certificate by double-clicking it.
6. Click Copy to File.
7. Click Next, leaving the fields with their defaults.
8. Click Next again, leaving the fields with their defaults.
9. Give your certificate a filename, such as c:\MyAppCert.cer.
10. Right-click your certificate in IIS Manager and choose Export.
11. Give it a filename such as c:\MyAppCert.pfx.
12. Provide a password and remember it.
You are now ready to register a new app identity
in SharePoint. To do this, you can use the following PowerShell script.
You need to generate a new GUID for the $clientid
value, set the path to your certificate, and set the name of the app
appropriately.
$clientid= "7c17e591-f4da-46fc-b85c-a22a6b09c059"
$publicCertificatePath = "C:\MyAppCert.cer"
$certificate = Get-PfxCertificate $publicCertificatePath
$web = Get-SPWeb "http://servername"
$realm = Get-SPAuthenticationRealm -ServiceContext $web.Site
$fullAppIdentifier = $issuerId + '@' + $realm
New-SPTrustedSecurityTokenIssuer -Name "My App"
-Certificate $certificate -RegisteredIssuerName $fullAppIdentifier
Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $web
-DisplayName "My App"
$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
$serviceConfig.Update()
The preceding script does the following:
- Sets up a new trusted security token issuer.
- Creates a new app identity/registration.
- Turns off SSL for OAuth for development purposes.
NOTE
Turning off SSL for OAuth makes it easier when developing to get your
application up and running. No SSL certificates are needed which
simplifies setup and configuration on developer machines with different
machine names.
Now you are ready to create a Provider-hosted app
in Visual Studio using the Microsoft Office Developer Tools for Visual
Studio 2012 - Preview 2. Follow these steps:
1. Create a new SharePoint App project with Visual Studio.
2. Specify Provider-hosted as the app type during creation.
3. When you
are asked whether you want to Use a Certificate to authenticate, say
that you do and specify the path to the PFX certificate file you
exported. Provide the password you also specified during the export.
4. Enter the $clientid GUID you created for the earlier PowerShell script into the Issuer ID field in the wizard.
5. Complete the wizard and complete your application development.
6. Click F5 to deploy and test your application.
