SharePoint 2016: Provider Hosted (High Trust) Development Environment Setup

1. Setup of the Development Environment

I mainly followed Configure an environment to run your provider-hosted high trust apps in SharePoint 2013, the best tutorial for beginners!

Domains

  • SharePoint Server: ssrpdap03
  • App domain (IIS site): ssrpdap03apps.com
  • Test app site: myapp.ssrpdap03apps.com  

DNS

  • Primary Zone: ssrpdap03
    • (no need to set as it's already in corporate's DNS server)
  • Primary Zone: ssrpdap03apps.com
    • Host A record: Name=empty, IP=127.0.0.1
    • Alias CName record: Name=*, FQDN=ssrpdap03apps.com
  • Preferred DNS Server for IPv4: 127.0.0.1
    • (no need to set 8.8.8.8.8 as Forwarders as corporate has default DNS Servers setting in Root Hints)

Create SharePoint website

  • https://ssrpdap03
    • Use Publishing site template
    • Neither Developer site template nor side loading feature were necessarily installed

Certificates

makecert -n "CN=ssrpdap03 Root,O=ssrpdap03,OU=IT,L=SharePoint,S=ON,C=CAN" -pe -ss Root -sr LocalMachine -sky exchange -m 120 -a sha256 -len 2048 -r

makecert -n "CN=ssrpdap03" -pe -ss My -sr LocalMachine -sky exchange -m 120 -in "ssrpdap03 Root" -is Root -ir LocalMachine -a sha256 -eku 1.3.6.1.5.5.7.3.1

makecert -n "CN=*.ssrpdap03apps.com" -pe -ss My -sr LocalMachine -sky exchange -m 120 -in "ssrpdap03 Root" -is Root -ir LocalMachine -a sha256 -eku 1.3.6.1.5.5.7.3.1

NOTE:  "My": The X.509 certificate store for personal certificates, see https://docs.ansible.com/ansible/2.6/modules/win_certificate_store_module.html.
Run Command Prompt as administrator, then type MMC/Add "Certificates" snap-in (select "Computer Account" and "Local Computer")/view certificates added by makecert:


Export to ssrpdap03.cer and ssrpdap03apps-com.cer respectively, then import both to Trusted Root Certification Authorities/certificates.

Creating a high trust

  • Get Token Issuer ID

Get provider-hosted app's token issuer ID by double clicking *.ssrpdapapps.com/Details/Authority Key Identifier: KeyID=7b 3b ed 05 06 5d 41 9e 1f 82 7a c7 27 c1 60 7c=>7b3bed05-065d-419e-1f82-7ac727c1607c


NOTE: Use lowercase according to https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/high-trust-configuration-scripts-for-sharepoint

  • Script
$publicCertPath = "C:\dev\wan\MyWindsor\Certs\ssrpdap03apps-com.cer"
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($publicCertPath)
New-SPTrustedRootAuthority -Name "ssrpdap03apps-com.cer" -Certificate $certificate
 
$realm = Get-SPAuthenticationRealm
$specificIssuerId = "7b3bed05-065d-419e-1f82-7ac727c1607c"
$fullIssuerIdentifier = $specificIssuerId + "@" + $realm
New-SPTrustedSecurityTokenIssuer -Name "ssrpdap03AppsIssuer" -Certificate $certificate –RegisteredIssuerName $fullIssuerIdentifier –IsTrustBroker

iisreset

Questions?

Is the Issuer Certificate (root CA) required to add too? (skip this step)

https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/creating-sharepoint-add-ins-that-use-high-trust-authorization#RootAuthorities

$rootPublicCertPath= "C:\dev\wan\MyWindsor\Certs\ssrpdap03root.cer"
$rootCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootPublicCertPath)
New-SPTrustedRootAuthority -Name "ssrpdap03root.cer" -Certificate $rootCertificate

To remove a root CA:

Remove-SPTrustedRootAuthority  "ssrpdap03.cer"

To remove the trust relationship: 

Get-SPTrustedSecurityTokenIssuer | ?{$_.RegisteredIssuerName -eq $fullIssuerIdentifier} | Remove-SPTrustedSecurityTokenIssuer

  • Verify

Central Admin/Security/Manage trust


Create a Provider-hosted app website

Set certificate for SharePoint website

Get Private Key

MMC/Add "Certificates" snap-in (select "Computer Account" and "Local Account")/*.ssrpdap03apps.com/All tasks/Export/Yes, export the private key/Password:xxx/save to ssrpdap03apps-com.pfx

Start App Management Service and Subscription Settings Service

http://spcaca.blogspot.com/2013/10/create-on-premise-high-trust-provider.html

$account = Get-SPManagedAccount "domain\spfarmdevlocal"
$subscriptionSettingsServiceApplicationName = "Subscription Settings Service"
$subscriptionSettingsServiceApplicationPoolName = "SharePoint Subscription Settings Service"
$subscriptionSettingsServiceApplicationDatabaseName = "SP_SubscriptionSettingsServiceApplicationDB"

#Create Subscription Settings Service Application and Proxy
$subscriptionSettingsServiceApplicationPool = New-SPServiceApplicationPool -Name $subscriptionSettingsServiceApplicationPoolName -Account $account
$subscriptionSettingsServiceApplication = New-SPSubscriptionSettingsServiceApplication –ApplicationPool $subscriptionSettingsServiceApplicationPool –Name $subscriptionSettingsServiceApplicationName –DatabaseName $subscriptionSettingsServiceApplicationDatabaseName
New-SPSubscriptionSettingsServiceApplicationProxy –ServiceApplication $subscriptionSettingsServiceApplication

#Create app Management Service Application and Proxy
$appManagementServiceApplicationName = "App Management Service"
$appManagementServiceApplicationPoolName = "SharePoint App Management Service"
$appManagementServiceApplicationDatabaseName = "SP_AppManagementServiceApplicationDB"
$appManagementServiceApplicationPool = New-SPServiceApplicationPool -Name $appManagementServiceApplicationPoolName -Account $account
$appManagementServiceApplication = New-SPAppManagementServiceApplication –ApplicationPool $appManagementServiceApplicationPool –Name $appManagementServiceApplicationName –DatabaseName $appManagementServiceApplicationDatabaseName
New-SPAppManagementServiceApplicationProxy –ServiceApplication $appManagementServiceApplication
Set-SPAppSiteSubscriptionName -Name "AanuWizardApp" -Confirm:$false

Note:

Start User Profile Service

By default, SharePoint Server uses the built-in User Profile service application to resolve the identity.

https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/set-up-an-on-premises-development-environment-for-sharepoint-add-ins#configure-services-in-sharepoint-for-server-to-server-add-in-use
Use Central Admin UI to start a new User Profile Service Application. Then create at least one profile:

Central Admin/Manage service applications/User Profile Service Application/People/Manage User Profiles/New Profiles/Save and Close

Configure App URLs (only required for SharePoint hosted. Skip this step for provider hosted)


NOTE: App domain is only used for SharePoint hosted apps.
Central Admin/Apps/Configure App URLs:
  • App domain: ssrpdap03apps.com
  • App prefix: app

NOTE: The above is equivalent to the following PowerShell cmdlets:

Set-SPAppDomain -AppDomain ssrpdap03apps.com"
Set-SPAppSiteSubscriptionName -Name "app" -Confirm:$false

Create App Catalog

(Required for both SharePoint hosted and Provider hosted apps)
Central Admin/Apps/Management App Catalog: Create a new app catalog site:

2. Create a provider-hosted app


Visual Studio/Create a Provider-hosted app used for SharePoint site https://ssrpdap03.

For Authentication, select User a certificate:
  • Certificate location: C:\dev\wan\MyWindsor\Certs\ssrpdap03apps-com.pfx
  • Password: (private key password)
  • Issuer ID: 1e36e7d2-c5b4-2b2f-77cb4a52ebdae83f

Visual Studio will auto-generate two projects. We need to deploy SharePointAddIn1 to SharePoint site https://ssrpdap03, and deploy SharePointAddIn1Web to remote host site i.e. IIS site https://myapp.ssrpdap03apps.com.
  

Web.Config

<appSettings>
<add key="ClientId" value="27d0dbff-5050-43e0-92b0-e8141d82c11b" />
<add key="ClientSecret" value="bhG0CXmCLWz5MsVoOE6hxEnP9JT0yU5BcGajHjXI5Bs=" />
<add key="ClientSigningCertificatePath" value="C:\dev\wan\MyWindsor\Certs\ssrpdap03apps-com.pfx" />
<add key="ClientSigningCertificatePassword" value="Sharep01nt" />
<add key="IssuerId" value="1e36e7d2-c5b4-2b2f-77cb4a52ebdae83f" />
</appsettings>
Two options to get ClientId and ClientSecret:

Option 1:  When clicking F5 to start the app, Visual Studio will auto-fill temporary values.
Option 2 (suggested): Use https://ssrpdap03/_layouts/15/appregnew.aspx to auto-generate the values.

AppManifest.xml


Set Start page and permission:
<Properties>
<Title>SharePointAddIn1</Title>
<StartPage>https://myapp.ssrpdap03apps.com/home/contact?{StandardTokens}?{StandardTokens}</StartPage>
</Properties>

<AppPrincipal>
<RemoteWebApplication ClientId="*" />
</AppPrincipal>

<AppPermissionRequests AllowAppOnlyPolicy="true" >
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read" />
</AppPermissionRequests>

Register the App in SharePoint

(Required for Provider-hosted app only)
Before deploying, we need to register the app with SharePoint site by
https://ssrpdap03/_layouts/15/appregnew.aspx:



Note: Redirect URL here is no use. It's determined by StartPage value in AppManifest.xml.

Note:

If ClientId is set to "*", then Visual Studio will automatically register the app when pressing F5:

<AppPrincipal>
<RemoteWebApplication ClientId="*" />
</AppPrincipal>

However if ClientId is set to a specific value, then each time you have to use appregnew.aspx before pressing F5.

 Deployment

  • Deploy to the remote app website   


Option 1: Right click the SharePointAddIn1Web project/publish. This is the same as deploying an usual MVC web site, just create a user profile:



Option 2: Right click SharePointAddIn1 project/publish/Deploy your web project. 

If you have been redirected to the remote app but it keeps asking you for credential for the remote app site myapp.ssrpdap03apps.com:



Please follow:
https://sharepoint.stackexchange.com/questions/119774/sharepoint-app-giving-credentials-popup/119806
https://sureshpydi.blogspot.com/2013/04/sharepoint-2013-issue-app-prompting-for.html?showComment=1470215481580#c6116519647350364803

Solution:  Regedit/ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa/Right click/New /DWord (32-bit) Value/Name: "DisableLoopbackCheck"/Value: "1"

Error Messages


 1. App Deploy Error: “A different version of this App is already installed with the same version number”

Check SharePointAddIn2\AppManifest.xml and increase version number as follows:

    Version="1.0.0.11" => Version="1.0.0.12"

2. Error message 401.2.: 
Unauthorized: Logon failed due to server configuration.

Check SharePointAddIn2Web\Web.config and replace deny with allowa s follows:

    <authorization>
      <!--<deny users="?" />-->
      <allow users="*" />
    </authorization>

3. Error message 401.2.: 
Unauthorized: Logon failed due to server configuration.

Check SharePointAddIn2Web\Web.config and replace deny with allowa s follows:
4. Run time error:

An unexpected error has occurred. Please try again by launching the app installed on your site.

  • Check 1

    public class HomeController : Controller
    {
        [SharePointContextFilter]
        public ActionResult Index()
        {
            User spUser = null;


            var spContext = SharePointContextProvider.Current.GetSharePointContext(HttpContext);
...

To use  [SharePointContextFilter], SPHostUrl=SharePointSiteUrl must be passed when access the Add-In, i.e.:

https://myapp.ssrpdap03apps.com/?SPHostUrl=https%3A%2F%2Fssrpdap03

Sharepoint 2013 MVC provider-hosted app. Fails to pass [SharePointContextFilter] on HttpPost

This means you should call the Add-in from SharePoint or from Visual Studio. This way the SPHosuUrl will be automatically passed to the Add-in.


  • Check 2

IIS/myapp.ssrpdap03apps.com/Authentication/Ensure Anonymous Authentication is disabled. Only Windows Authentication should be enabled.

Comments

Post a Comment

Popular posts from this blog

Use GnuPG Tools or C# Code for PGP Encryption and Signature

For PGP encryption and signature, usually we use PGP command line tools for test purpose and finally use C# application for production. Mine is a Net Core 2.0 console application using NuGet package PgpCore,  https://github.com/mattosaurus/PgpCore. PgpCore is based on BouncyCastle.NetCore which supports the standard OpenPGP keys. Here w use the popular GnuPG (GPG) tools to generate OpenPGP key pair. Download and Install GPG for Windows Download from  https://gpg4win.org/download.html . By default the installation will create two folders (here we use command line tools only): Gpg4Win UI (Kleopatra): C:\Program Files (x86)\Gpg4win Command line tools: C:\Program Files (x86)\GnuPG\bin Generate a GPG Key Pair For GnuPG 2.2.1 and above:     C:\Program Files (x86)\GnuPG\bin> gpg --full-generate-key For old versions of GnuPG:     C:\Program Files (x86)\GnuPG\bin> gpg --gen-key Common GPG Commands List public keys: gpg --list-key or gpg -k List private keys: gpg
Read more

Errors in Net Core Add-Migration

Visual Studio 2017 version 15.5.2, Net Core 2. Add-Migration error: Exception calling "SetData" with "2" argument(s): "Type  'Microsoft.VisualStudio.ProjectSystem.VS.Implementation.Package.Automation.OAProject' in  assembly 'Microsoft.VisualStudio.ProjectSystem.VS.Implementation, Version=15.0.0.0,  Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' is not marked as serializable." At C:\Users\wanj\.nuget\packages\entityframework\6.2.0\tools\EntityFramework.psm1:720 char:5 +     $domain.SetData('project', $project) +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException     + FullyQualifiedErrorId : SerializationException Exception calling "SetData" with "2" argument(s): "Type  'Microsoft.VisualStudio.ProjectSystem.VS.Implementation.Package.Automation.OAProject' in  assembly 'Microsoft.VisualStudio.ProjectSystem.VS.Impl
Read more

Confusing Concepts about SFTP: SSH2 vs OpenSSH

Credit and copied from https://dada.tw/2008/01/03/70/ Terminology: SSH Protocols and Products SSH A generic term referring to SSH protocols or software products. SSH-1 The SSH protocol, Version 1. This protocol went through several revisions, of which 1.3 and 1.5 are the best known, and we will write SSH-1.3 and SSH-1.5 should the distinction be necessary. SSH-2 The SSH protocol, Version 2, as defined by several draft standards documents of the IETF SECSH working group. SSH1 Tatu Ylönen's software implementing the SSH-1 protocol; the original SSH. Now distributed and maintained (minimally) by SSH Communications Security, Inc. SSH2 The "SSH Secure Shell" product from SSH Communications Security, Inc. This is a commercial SSH-2 protocol implementation, though it is licensed free of charge in some circumstances. ssh (all lowercase letters) A client program included in SSH1, SSH2, OpenSSH, F-Secure SSH, and other
Read more