3. About Me
Thomas Vochten
SharePoint MVP. Platform architect. Speaker.
Trainer. Involuntary DBA. Consultant at
Xylos. V-TSP at Microsoft.
@thomasvochten
http://thomasvochten.com
mail@thomasvochten.com
10. Welcome to the Cloud App Model
• Apps don’t run on the SharePoint server
• Can still interact with SharePoint
• On-Premises and in the cloud
• Free choice of tools, languages &
platforms
14. SharePoint Hosted Apps
• Run in the browser
• Use client side technologies only
• Relatively easy
• Can interact with the host web
• Use an app web with a funky URL
• On-Premises and in the cloud
• AuthZ with user privileges
15. Provider Hosted Apps
• Bring your own hosting
• Use any language or platform
• Greater flexibility
• Greater responsibility
• Can interact with the host web
17. Auto Hosted Apps
• Web & Azure components are provisioned
automatically
• Can interact with the host web
• Automagically provisioned provider-hosted apps
26. Demo Environment
• Single farm
• Single content application pool
• Single services application pool
• Single content web application
• Host named site collections
• No host headers
• SSL Everywhere
29. DNS Prerequisites
• Choose your app domain
• Request a wildcard or SAN certificate
• Configure DNS with a wildcard record
• Set up SharePoint & IIS to accommodate requests for your app domain
30. Choose an App Domain
• Unique domain
• No subdomains please
• You need one…per farm!
33. No Routing Web Application
https://app-bdf2016ea7dacb.contosoapps.com/...
34. Routing Web Application
• When you need to use IIS host headers
• Web application without a host header
• Contains no site collections
• Delete/disable the Default Website in IIS
• Consider multiple IP addresses
• Use the same application pool identity as your
content application pool
35. SharePoint Prerequisites
• Claims based authentication only
• Subscription Settings Service Application
  • Generates & manages App IDs
• App Management Service Application
  • General settings
  • App licensing
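The app domain and service application prerequisites above as one script. This is an added example, not part of the original deck: contosoapps.com and the app prefix follow the slide 33 URL, the pool and database names are assumptions, and the overlap guard is a simplified host-name suffix check.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed values for illustration; replace with your own.
$appDomain = "contosoapps.com"           # app domain, as in the slide 33 URL
$appPrefix = "app"                       # prefix, as in app-<id>.contosoapps.com
$poolName  = "SharePoint Services Pool"  # hypothetical existing services app pool

# Guard for "unique domain, no subdomains": refuse an app domain that equals,
# contains, or sits under any host that serves content.
# Simplified suffix comparison (assumption); it does not catch sibling hosts
# that only share a parent domain.
Start-SPAssignment -Global
$contentHosts = Get-SPSite -Limit All |
    ForEach-Object { ([Uri]$_.Url).Host.ToLowerInvariant() } |
    Sort-Object -Unique
Stop-SPAssignment -Global

$d = $appDomain.ToLowerInvariant()
foreach ($h in $contentHosts) {
    if ($h -eq $d -or $h.EndsWith(".$d") -or $d.EndsWith(".$h")) {
        throw "App domain '$appDomain' overlaps content host '$h'."
    }
}

# Start the two service instances the app infrastructure depends on.
Get-SPServiceInstance |
    Where-Object { $_.GetType().Name -in "AppManagementServiceInstance",
                                         "SPSubscriptionSettingsServiceInstance" } |
    Start-SPServiceInstance

$pool = Get-SPServiceApplicationPool -Identity $poolName

# Subscription Settings Service Application (database name is an assumption).
$sub = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $pool `
    -Name "Subscription Settings Service" -DatabaseName "SP_SubscriptionSettings"
New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $sub | Out-Null

# App Management Service Application (database name is an assumption).
$app = New-SPAppManagementServiceApplication -ApplicationPool $pool `
    -Name "App Management Service" -DatabaseName "SP_AppManagement"
New-SPAppManagementServiceApplicationProxy -ServiceApplication $app | Out-Null

# Register the app domain and the prefix used in app URLs.
Set-SPAppDomain $appDomain
Set-SPAppSiteSubscriptionName -Name $appPrefix -Confirm:$false
```

The wildcard DNS record and the wildcard or SAN certificate from slide 29 are still configured outside SharePoint.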
37. Considerations
• You can use multiple zones for your app domain (needs March 2013 PU)
# Allow more than one app domain in the farm
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$contentService.SupportMultipleAppDomains = $true
$contentService.Update()
# Bind an app domain to a specific web application zone
New-SPWebApplicationAppDomain -AppDomain <AppDomain> -WebApplication <WebApplicationID> -Zone <Zone> -Port <Port> -SecureSocketsLayer
• Use SSL… everywhere!
39. Simple, Right?
• Your environment is now ready to host
SharePoint Hosted Apps
• Office365 can use Provider Hosted Apps
without extra configuration
• Connecting on-premises farms to Provider
Hosted Apps requires additional configuration!
41. Security Basics
• User principals vs App principals
• Authentication vs Authorization
SharePoint 2013 can authenticate Apps!
42. App Identity using OAuth
• Client Id of the app
• Display name of the app
• App domain where the remote app is
hosted
43. App Authentication
• Internal Authentication
  • It just works
• External Authentication using S2S Trusts
• External Authentication using OAuth
44. Authentication Flow
[Flowchart: the decision points and outcomes below, connected by yes/no branches between "start authentication" and "end authentication"]
Decision points:
• Does request target a CSOM/REST endpoint?
• Does request carry a claims token?
• Does request carry an access token?
• Does request target URL of an app web?
• Does access token carry user identity?
Outcomes:
• No Authentication (anonymous access)
• User Authentication
• App Authentication (app and user identity)
• App Only Authentication
45. App Permissions
• Granted by user approval
• All or nothing
• Default permissions (like app web control)
46. Low Trust vs High Trust
• Low trust apps need ACS as trust broker
(via Office365)
• High trust apps need Server To Server trust
(no need for Office365)
47. Low Trust vs High Trust
SharePoint  | Remote App  | Trust broker
On premises | In cloud    | ACS, certificate
On premises | On premises | ACS, certificate
Office 365  | In cloud    | ACS
Office 365  | On premises | ACS
You might need to open firewall ports towards ACS
54. Upgrade Apps
• Site collection admin needs to upgrade apps
• SharePoint manages notification state
• Timer Jobs:
  • App State Update
  • Internal App State Update
• Cmdlets:
  • Get-SPAppStateUpdateInterval
  • Get-SPAppStateSyncLastRunTime
  • Set-SPAppStateUpdateInterval
  • Update-SPAppInstance
55. Backup/Restore
• Site exports do not include app assets:
  • Export-SPWeb and Import-SPWeb
• Site backup and restore:
  • Backup-SPSite and Restore-SPSite
• App exports:
  • Export-SPAppPackage
57. SUMMARY
• Apps are good for you
• Don’t underestimate infrastructure impact
• Understand the security model of apps
• Strongly consider using host named site
collections
• Use SSL - Everywhere!