SharePoint Central Admin Prerequisites
In SharePoint you must have the following service applications provisioned and started:
- Subscription Service Application with proxy
- Subscription Settings Service instance started
- Application Management Service Application and proxy
- App Management Service instance started
- User Profile Service instance started
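The checks above can be scripted instead of clicked through in Central Admin. The following is an added example, not part of the original notes: it assumes an elevated SharePoint 2013 Management Shell on a farm server, and the TypeName patterns it matches are the service names as shown under Services on Server (adjust them if your farm uses a different language pack).

```powershell
# Added example (not part of the original notes): checks the Central Admin
# prerequisites listed above from a SharePoint 2013 farm server.
# Assumption: run in an elevated SharePoint 2013 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-AppInfrastructurePrerequisites {
    $problems = @()

    # 1. Service instances that must be Online on at least one farm server.
    #    Patterns match the TypeName shown in Central Admin > Services on Server.
    $instancePatterns = @(
        '*Subscription Settings Service',
        'App Management Service',
        'User Profile Service'
    )
    foreach ($pattern in $instancePatterns) {
        $online = Get-SPServiceInstance |
            Where-Object { $_.TypeName -like $pattern -and $_.Status -eq 'Online' }
        if (-not $online) { $problems += "Service instance not started on any server: $pattern" }
    }

    # 2. Service applications and their proxies must exist.
    $apps    = Get-SPServiceApplication
    $proxies = Get-SPServiceApplicationProxy
    foreach ($pattern in '*Subscription Settings Service Application', 'App Management Service Application') {
        if (-not ($apps | Where-Object { $_.TypeName -like $pattern })) {
            $problems += "Service application missing: $pattern"
        }
        if (-not ($proxies | Where-Object { $_.TypeName -like "$pattern Proxy" })) {
            $problems += "Service application proxy missing: $pattern"
        }
    }

    # 3. App domain and app prefix must be configured before apps can be installed.
    if (-not (Get-SPAppDomain -ErrorAction SilentlyContinue)) {
        $problems += 'No app domain configured (Set-SPAppDomain)'
    }
    if (-not (Get-SPAppSiteSubscriptionName -ErrorAction SilentlyContinue)) {
        $problems += 'No app prefix configured (Set-SPAppSiteSubscriptionName)'
    }

    if ($problems.Count -eq 0) {
        Write-Host 'All app prerequisites satisfied.'
        return $true
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

Test-AppInfrastructurePrerequisites
```

Run it before Step 4; each warning maps directly to one of the bullets above, so the missing piece is clear before you start creating service applications by hand.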
Prerequisites (still to check: does ADFS need to be set up in the INT environment?)
- SharePoint 2013 server is ready with apps configured
- ADFS 3.0 server is ready with a relying party/realm set for SharePoint.
- ADFS is registered with SharePoint as a trusted identity provider.
- ADFS 3.0 server is ready with a relying party/realm set for the ASP.NET provider-hosted app.
- Server is ready for hosting the ASP.NET provider-hosted app.
- Load balancer configured for the provider-hosted web application.
- Certificate is available in both private (.pfx) and public (.cer) form, along with the .pfx password.
Step 1: Create a Certificate
- In the development environment you can use a self-signed certificate, but you will need a commercial certificate when you publish your apps to the store. So here we create a self-signed one. In IIS Manager, click on Server Certificates.
- Click on Create Self-Signed Certificate.
- Enter a meaningful name such as HighTrustCert and click OK.
- Now we need to export the Personal Information Exchange (.pfx) file. Right-click the certificate in IIS, click Export and provide an accessible location. Also enter the password that you want to use and click OK.
- Next, double-click the certificate in IIS. Click on the Details tab and click Copy to File.
- Now you should see the Certificate Export Wizard (remember, earlier we exported the .pfx file; this time we are exporting the .cer file). The first screen explains the significance of what we are doing. Keep clicking Next across the three screens, keeping all the default options. Choose the same location as before and click Save.
- Finally, click Finish. You should see the message "The export was successful".
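The same three artifacts (certificate in the machine store, .pfx, .cer) can be produced from PowerShell, which is easier to repeat per environment. This is an added example, not part of the original notes; it assumes Windows Server 2012 R2 or later (PKI module), and the subject name, output folder and validity period are placeholders to adjust.

```powershell
# Added example (not part of the original notes): scripted equivalent of Step 1.
# Assumptions: Windows Server 2012 R2+ (PKI module); paths and names are placeholders.
$subjectName = 'HighTrustCert'              # name used in the IIS walkthrough above
$outputDir   = 'D:\Certificate'
$pfxPath     = Join-Path $outputDir 'HighTrustCert.pfx'   # private key + cert, password protected
$cerPath     = Join-Path $outputDir 'HighTrustCert.cer'   # public part only, for SharePoint

if (-not (Test-Path $outputDir)) { New-Item -ItemType Directory -Path $outputDir | Out-Null }

# Create the self-signed certificate in the machine Personal store (same place IIS Manager puts it).
$cert = New-SelfSignedCertificate -DnsName $subjectName -CertStoreLocation 'Cert:\LocalMachine\My'

# Export the .pfx; the password is prompted rather than kept in the script.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the .pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Export the public .cer (DER encoded), which is what New-SPTrustedSecurityTokenIssuer reads.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Show what was created; keep the thumbprint, it identifies the certificate in later checks.
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    Pfx        = $pfxPath
    Cer        = $cerPath
}
```

Only the .cer file leaves the build/dev machine for the SharePoint farm; the .pfx with the private key goes to the server that hosts the remote web application (Step 5) and nowhere else.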
Step 2: Run Windows PowerShell cmdlets to set up trusted security token service
- Run SharePoint 2013 Management Shell as administrator. First, you need an Issuer ID. Important: it has to be lowercase only.
Create a GUID with Visual Studio and make sure all letters are lowercase, for example 7591c7a2-cc56-40ef-8f71-20a4d8450ed7
- Run the PowerShell cmdlets below to create the trusted security token issuer (the values are the ones used in this environment; -IsTrustBroker and the final iisreset are explained in the notes that follow):
$publicCertPath = "D:\Certificate\WB_EBiz_WFACert.cer"
$appId = "7591c7a2-cc56-40ef-8f71-20a4d8450ed7"
$spurl = "http://wbgmsspsnd017/sites/EBiz"
$spweb = Get-SPWeb $spurl
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
$certificate = Get-PfxCertificate $publicCertPath
$fullAppIdentifier = $appId + '@' + $realm
New-SPTrustedSecurityTokenIssuer -Name "WB EBiz WFA App" -Certificate $certificate -RegisteredIssuerName $fullAppIdentifier -IsTrustBroker
$appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $spweb -DisplayName "WB EBiz WFA App"
iisreset
This adds the certificate to both the Personal store and the Trusted Root Certification Authorities store (visible in mmc). To verify, open the Trusted Root Certification Authorities store and you should see your certificate there.
Significance of / additional info on the cmdlets
issuerID ($appId above): the lowercase GUID generated in the previous step.
publicCertPath: path where the .cer file was saved.
web ($spurl above): your developer site URL.
realm: must be the same as your farm ID, which is why it is read with Get-SPAuthenticationRealm rather than typed in.
New-SPTrustedSecurityTokenIssuer: a tip, when you use the Name parameter it helps to give a readable name such as "High Trust App" or "Contoso S2S apps" instead of the issuer ID.
IsTrustBroker: this flag ensures that you can use the same certificate for other apps as well. If you don't include it, you may receive the error "The issuer of the token is not a trusted issuer".
So there are two possible approaches, each with its own pros and cons: use one certificate shared by multiple apps, or use a separate certificate for each app. Read additional details at Guidelines for using certificates in high-trust apps for SharePoint 2013.
iisreset: to ensure the issuer becomes valid immediately, otherwise it takes 24 hours.
Additionally, in a development environment only, you can turn off the HTTPS requirement with the PowerShell cmdlets below. Make sure to turn it back on afterwards by setting AllowOAuthOverHttp to $false (instead of $true in the second line) and running the same lines again.
$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
$serviceConfig.Update()   # persists the change; without Update() the setting is not saved
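Before moving on, it is worth confirming that what Step 2 created is what the app will rely on: the right issuer name, the right certificate, the app principal on the site, and the HTTPS requirement back in force. The script below is an added example, not part of the original notes. It assumes an elevated SharePoint 2013 Management Shell, repeats the variable values from Step 2, and reads the RegisteredIssuerName and SigningCertificate properties of the issuer object as exposed on SharePoint 2013.

```powershell
# Added example (not part of the original notes): verifies the trust relationship
# created in Step 2 and that OAuth over plain HTTP has not been left enabled.
# Assumptions: elevated SharePoint 2013 Management Shell; values below are the ones from Step 2.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName     = 'WB EBiz WFA App'
$appId          = '7591c7a2-cc56-40ef-8f71-20a4d8450ed7'
$publicCertPath = 'D:\Certificate\WB_EBiz_WFACert.cer'
$spurl          = 'http://wbgmsspsnd017/sites/EBiz'

function Test-HighTrustIssuer {
    param([string]$Name, [string]$AppId, [string]$CertPath, [string]$SiteUrl)
    $ok = $true

    # The issuer ID must be lowercase; the token's issuer claim is compared as a string.
    if ($AppId -cne $AppId.ToLowerInvariant()) {
        Write-Warning 'Issuer ID contains uppercase characters'; $ok = $false
    }

    $issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $Name }
    if (-not $issuer) { Write-Warning "No trusted issuer named '$Name'"; return $false }

    # RegisteredIssuerName must be <issuerId>@<realm> using the farm's own realm.
    $web      = Get-SPWeb $SiteUrl
    $realm    = Get-SPAuthenticationRealm -ServiceContext $web.Site
    $expected = "$AppId@$realm"
    if ($issuer.RegisteredIssuerName -ne $expected) {
        Write-Warning "RegisteredIssuerName is '$($issuer.RegisteredIssuerName)', expected '$expected'"; $ok = $false
    }

    # The registered signing certificate must be the exported .cer, and not close to expiry.
    $cert = Get-PfxCertificate $CertPath
    if ($issuer.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
        Write-Warning 'Issuer signing certificate does not match the .cer file'; $ok = $false
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires on $($cert.NotAfter); app tokens will stop validating"; $ok = $false
    }

    # The app principal must be registered against the site (Register-SPAppPrincipal).
    $principal = Get-SPAppPrincipal -NameIdentifier $expected -Site $web -ErrorAction SilentlyContinue
    if (-not $principal) { Write-Warning "App principal '$expected' is not registered on $SiteUrl"; $ok = $false }

    # AllowOAuthOverHttp is a development-only setting; flag it if still on.
    $stsConfig = Get-SPSecurityTokenServiceConfig
    if ($stsConfig.AllowOAuthOverHttp) {
        Write-Warning 'AllowOAuthOverHttp is enabled: app tokens are accepted over HTTP'; $ok = $false
    }

    $web.Dispose()
    return $ok
}

Test-HighTrustIssuer -Name $issuerName -AppId $appId -CertPath $publicCertPath -SiteUrl $spurl
```

Run it once after Step 2 in each environment (DEV, INT, and so on); a $false result with the accompanying warning is usually the cause of "The issuer of the token is not a trusted issuer" long before the app is ever installed.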
Refer to the screenshot below for the complete steps:
Step 3: Create a Simple “High Trust” Provider Hosted App using Visual Studio 2012 (DEVELOPMENT)
- Click New Project -> App for SharePoint 2013.
- Select ASP.NET MVC web application.
- Now select the PFX certificate generated in the last step. Provide the password and the Issuer ID.
- This creates a new MVC project.
- Visual Studio has now created two projects within the same solution. MVCApp1 is the SharePoint app and MVCApp1Web is the remote web application. The only artifact of MVCApp1 is AppManifest.xml, which plays a role similar to feature.xml in a WSP: it holds the version, permission and start page details of the app.
- Make sure Windows authentication is enabled for the web project, and check the other settings as well.
- Now you can debug the app directly by pressing F5. Log in to the app using your Windows credentials and trust the app. If all the settings are right, this leads to the sample app hosted from VS2013.
Step 4: Create App Domain and Set for SharePoint (DEPLOYMENT)
Configure App Domain
- Create the App Catalog site: in Central Admin go to Apps -> Manage App Catalog and create a new site collection.
Configure App URLs
- If you get the message "The Subscription Settings service and corresponding application and proxy needs to be running in order to make changes to these settings", run the PowerShell script below to create the Subscription Settings service application. In this case the service instance is already running but the service application itself is missing:
$account = Get-SPManagedAccount "WB\spm13devep1"
$appPool = New-SPServiceApplicationPool -Name SubscriptionServiceAppPool -Account $account
$serviceApp = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $appPool -name "Subscription Settings Service Application" -DatabaseName "SP2013INT-SubscriptionSettingsDB"
$serviceAppProxy = New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $serviceApp
Then try again.
Step 5: IIS Site Creation (DEPLOYMENT)
- App Catalog Server (IIS) Configuration
- Copy the Personal Information Exchange (.pfx) file and the published files to the app catalog server.
- Enable the required features (refer to the screenshot below) through "Add Roles and Features" in Server Manager.
- Import the certificate: IIS -> Server Certificates -> click the "Import" link at the top right.
- Create a folder to hold the published web app files (e.g. C:\inetpub\wwwroot\eBizApps).
- Create a website in IIS. Right-click "Sites" and choose "Add Website".
- In the "Add Website" window, enter the site name, select the physical path (C:\inetpub\wwwroot\eBizApps) and click "OK".
- Select the site name (e.g. eBizApps) and click the "Bindings" link on the right.
- In the Site Bindings window, click "Add".
- In the Add Site Binding window, select "https" as the Type, select the SSL certificate and click "OK".
- Browse the site using Internet Explorer. The site should open.
- Once the site is created, also create the SSL binding:
Click Bindings on the right side.
We should now have 2 bindings (http and https).
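The IIS part of this step is the kind of thing that gets repeated per environment, so here it is as a script. This is an added example, not part of the original notes: it assumes the WebAdministration and PKI modules (Windows Server 2012 or later), and the .pfx path, site name, physical path and host name are the values from this document, to be replaced with your own.

```powershell
# Added example (not part of the original notes): scripted version of the IIS site
# creation above, run on the server that hosts the remote web application.
# Assumptions: WebAdministration + PKI modules available; paths/names are placeholders.
Import-Module WebAdministration

$pfxPath      = 'C:\Certificate\WB_EBiz_WFACert.pfx'  # copied to this server in the step above
$siteName     = 'eBizApps'
$physicalPath = 'C:\inetpub\wwwroot\eBizApps'
$hostName     = 'wbgmsspsnd008'                      # must match the App Domain used in Step 5
$pfxPassword  = Read-Host -AsSecureString -Prompt 'PFX password'

# Import the certificate (with private key) into the machine Personal store, which IIS binds from.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

if (-not (Test-Path $physicalPath)) { New-Item -ItemType Directory -Path $physicalPath | Out-Null }

# Create the site with its http binding, then add https and attach the certificate.
if (-not (Get-Website | Where-Object { $_.Name -eq $siteName })) {
    New-Website -Name $siteName -PhysicalPath $physicalPath -Port 80 -HostHeader $hostName | Out-Null
}
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
}
$httpsBinding = Get-WebBinding -Name $siteName -Protocol https
$httpsBinding.AddSslCertificate($cert.Thumbprint, 'My')

# The high-trust app identifies the user with Windows authentication (see Step 3),
# so enable it and turn anonymous access off for this site.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
    -Filter '/system.webServer/security/authentication/windowsAuthentication' -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
    -Filter '/system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $false

# There should now be exactly two bindings: http and https.
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
```

The host header used here has to be the same name you later enter as the App Domain on appregnew.aspx; a mismatch between the IIS binding, the certificate name and the app domain is the usual reason the final redirect fails.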
This website is empty now; we need to deploy content from the code machine (the 11 machine) to the 08 machine, which is where IIS is.
Deployment involves app deployment and website deployment.
App deployment: before publishing the app, a new client ID for the app must be generated from the app site. SharePoint uses this client ID to validate the .app file while installing. Navigate to appregnew.aspx:
Navigate to https://sp2013.gsi.local/sites/apps/ and generate the App ID.
When you click the Create button you get a result like this:
The app identifier has been successfully created.
App Id: 1b395959-b36f-47b3-84dc-f695d3a6a585 (this is the App / Client ID)
App Secret: Cf6n+YWaBJ8bDIqJp656J76IoJNPcNh+C3H99Ob0i/U=
App Domain: wbgmsspsnd008
- The App Domain is the domain name set on the remote web application server's IIS site that will be hosting this app.
Right-click the solution, click Publish and select Package the app. Enter the client ID and the remote site URL.
This wizard generates a package.
Take this package to the 08 machine where IIS is, and run this command:
Now the IIS website should have all the content; the web project has been deployed.
Make the environment-specific changes to the web.config file.
Step 6: Package SharePoint App
Update the ClientId in the AppManifest.xml file.
Check that the correct permissions are assigned in AppManifest.xml: Web (Full Control).
The target URL should be that of the site to be deployed to.
Click Finish; this publishes the file to the "app.publish" folder under bin\debug.
Opening the .app file with good old WinRAR lets you extract all the resources; verify AppManifest.xml there.
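Instead of opening the package in WinRAR, the same verification can be done from PowerShell, since a .app file is a zip archive. The following is an added example, not part of the original notes: it assumes the standard SharePoint 2013 AppManifest.xml layout (App/AppPrincipal/RemoteWebApplication, App/Properties/StartPage, App/AppPermissionRequests), and the package path, expected client ID and remote host are placeholders.

```powershell
# Added example (not part of the original notes): reads AppManifest.xml out of a
# packaged .app file and checks it against the values agreed in Step 5 and Step 6.
# Assumptions: standard SharePoint 2013 manifest schema; arguments are placeholders.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-AppManifest {
    param([string]$AppPath)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($AppPath)
    try {
        $entry = $zip.Entries | Where-Object { $_.FullName -eq 'AppManifest.xml' }
        if (-not $entry) { throw "AppManifest.xml not found in $AppPath" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { return [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
}

function Test-AppManifest {
    param([string]$AppPath, [string]$ExpectedClientId, [string]$ExpectedRemoteHost)
    $app = (Get-AppManifest -AppPath $AppPath).App
    $ok  = $true

    # ClientId must be the one generated on appregnew.aspx, not a leftover from Visual Studio.
    $clientId = $app.AppPrincipal.RemoteWebApplication.ClientId
    if ($clientId -ne $ExpectedClientId) {
        Write-Warning "ClientId is '$clientId', expected '$ExpectedClientId'"; $ok = $false
    }

    # StartPage must point at the https site on the remote web host (the App Domain).
    $startPage = $app.Properties.StartPage -replace '\{StandardTokens\}', ''
    $uri = $null
    if (-not [Uri]::TryCreate($startPage, [UriKind]::Absolute, [ref]$uri)) {
        Write-Warning "StartPage is not an absolute URL: $startPage"; $ok = $false
    } elseif ($uri.Scheme -ne 'https' -or $uri.Host -ne $ExpectedRemoteHost) {
        Write-Warning "StartPage points at $($uri.Scheme)://$($uri.Host), expected https://$ExpectedRemoteHost"; $ok = $false
    }

    # List every permission request; only Web scope (Full Control) was agreed for this app.
    foreach ($req in $app.AppPermissionRequests.AppPermissionRequest) {
        Write-Host ("Permission request: {0} -> {1}" -f $req.Scope, $req.Right)
        if ($req.Scope -notlike '*/content/sitecollection/web') {
            Write-Warning "Unexpected permission scope: $($req.Scope)"; $ok = $false
        }
    }
    return $ok
}

# Usage (placeholder values):
Test-AppManifest -AppPath 'C:\build\app.publish\MVCApp1.app' `
    -ExpectedClientId '1b395959-b36f-47b3-84dc-f695d3a6a585' `
    -ExpectedRemoteHost 'wbgmsspsnd008'
```

A $false result means the package should not go to the app catalog yet: a wrong ClientId fails at install time, and a StartPage on the wrong host or over http fails at the final redirect in Step 8.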
Step 7: Add app to App Catalog
For an app to be consumed, it must be added to an app catalog.
- Navigate to the app catalog and select Apps for SharePoint.
- Select New App and upload the .app file produced by the last set of steps.
Step 8: Add app to site
- Go to a team site, select Site Contents and click Add an App.
- Click on the app and click Trust It. Note: if this step errors and you are logged in as the system account, try again using a non-system account.
- After installation, test by clicking on the app.
The redirect to the remote web application should work!