Provider Hosted Application is very useful to
re-use the existing .Net application with very minor changes and their hosting
environment. The topology of the Provider Hosted Application is as follows.
The user calls the SharePoint server and the SharePoint
portal intern calls the .Net Application as a Separate Application. Moreover,
there is an option to create an App Part and loads the .Net Application inside
the App Part which can be placed on the SharePoint Page
Create a Provider Hosted App (High-trust) for SharePoint
SharePoint 2013
introduced the SharePoint App model for developers. Out of the three app
models, SharePoint Hosted, Auto Hosted and Provider Hosted I’m creating and
explaining the step by step approach to develop a simple Provider Hosted
(High-trust) app in this post. This is not an introduction to SharePoint App
model but an introduction to Provider Hosted (PH) Apps.
Diagram below denote my dev environment.
One VM for AD and DNS and
the second VM hosts SharePoint 2013 and SQL 2012.
Configure an environment for apps for SharePoint (SharePoint 2013): How to Configure DNS for App Development Model in SharePoint 2013:
Please follow the tech net Microsoft link.
https://technet.microsoft.com/en-us/library/fp161236.aspx
There are two types of PH
Apps. Apps that can be hosted in Office 365 environments and the PH Apps that
can be only hosted in On-Premises environments which are also called as
High-trust apps.
Provider Hosted app consists of an App deployed in to SharePoint and a
separately deployed web application. In a production environment the web
application is normally deployed in a separate server or a separate server
farm.
The reason why high-trust
apps are only compatible with On-Premises environments is, it uses a
certificate instead of a context token (OAuth) to make the trust between the
two servers. So these apps require some sort of configuration on the SharePoint
server as well as the remote server hosting the web application. SharePoint
includes server-to-server security token service (STS) which provides access
tokens for server-to-server authentication. The server-to-server STS enables
temporary access tokens to access other application services including apps for
SharePoint 2013. To establish a trust relationship between the SP Server and
App we use a X.509 certificate and a few PowerShell cmdlets.
We need to create a .pfx
file and a corresponding .cer file. First file which is the pfx, contains the
private key which will be used by the remote web application to encrypt it’s
communication to SharePoint server. The .cer file contains the public key which
will be used by SharePoint server to decrypt the messages and to verify those
messages come from the same remote web application. Also to verify that the
remote web application has an access token from a token issuer that SharePoint
trusts which in this case the certificate.
For the demonstration
purposes I will use a self signed certificate instead of a certificate issued
by a certificate authority.
Create and export a Test Certificate
Open IIS Manager in the SharePoint server and select server
certificates.
Click Create a self-signed certificate.
Name the certificate. Mine is SharePointProviderHostedApps.
As the next step, right
click the certificate created, export it to a folder providing a password. It
will create a file with a pfx extension.
If
your dev environment is not similar to mine and if you have a separate server
to host the remote web application, please move the pfx file to the same.
Create
the .cer file
Go
to IIS Manager and open Server Certificates.
On the details tab, click Copy to file, where it opens the certificate
export wizard. Click next and move forward with the default option, “No, Do not
export the private key”.
Click
next with default options and save the certificate.
Now
we are done with certification creation & exporting part. But we have to make sure
STS application pool identity as well as SharePoint Web Application;
application pool identity have read permission to the location of the .cer file.
Configure SharePoint 2013 Server
to use the Certificate and trust the App hosted in Remote Server.
Create SharePoint trusted token ID (Issuer ID)
for Provider hosted App
We know that
provider hosted app’s logic executes outside of the SharePoint farm and hence
SharePoint farm needs to be authenticated via issuer Id and following script
will help you to generate the Issuer ID
#Validate the request
sent by external server via public certificate
Add-PSSnapin "Microsoft.SharePoint.PowerShell"
$issuerID
= "af8e95ec-39c4-4578-93a6-77222fea8256"
$targetSiteUrl
= "http://c2wk32cmrshpwas42:11108/sites/test/"
$targetSite
= Get-SPSite
$targetSiteUrl
$realm = Get-SPAuthenticationRealm
-ServiceContext $targetSite
$registeredIssuerName
= $issuerID
+ '@' + $realm
$publicCertificatePath
= "D:\Certs\SharePointApp2TogetSqlData.cer"
$publicCertificate
= Get-PfxCertificate
$publicCertificatePath
Write-Host "Create Security token issuer"
$secureTokenIssuer
= New-SPTrustedSecurityTokenIssuer
-Name $issuerID
-RegisteredIssuerName $registeredIssuerName
-Certificate $publicCertificate
-IsTrustBroker
$secureTokenIssuer
| select *
$secureTokenIssuer | select * | Out-File -FilePath "D:\Certs\SecureTokenIssuer.txt"
#Turn off the
HTTPS requirement for OAuth during development
$serviceConfig
= Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp =
$true
$serviceConfig.Update()
Write-Host "All done..."
Issuer Id :
af8e95ec-39c4-4578-93a6-77222fea8256
We can move on to the creation of Basic Provider Hosted Application using Visual Studio 2012.
Steps to Create a Provider Hosted Application:
4. On the Creation of the Solution, Visual Studio will ask for the Site Collection against which we are going to deploy our app. And on the same screen, we need to choose the type of hosting which we are planning. In our case, it is going to be Provider Hosted Application.
a. ProviderHostedAppsForSQLData [App Project]
b. ProviderHostedAppsForSQLDataWeb [AppWeb Project]
9. ProviderHostedAppsForSQLData Project– This is going to be deployed on the SharePoint.
10. ProviderHostedAppsForSQLDataWeb Project – This is going to be the .Net Web Application. This application can be hosted on any IIS.
12. Create
the virtual directory will be helpful to host our AppWeb on the Local IIS,
instead of using the IIS Express, let us host our application on the IIS
itself
13. By clicking
the “Create Virtual Directory” button on the Web Tab, virtual directory will be
created on the local IIS. You can confirm this by going to inetmgr.
16. Modify
the Start Page attribute to point the IIS directly. Please refer the below
figure.
17. Go to
Permissions Tab. Add the corresponding scope and the permissions as per the
requirement. In this demo, I am adding the web as full control. This will give
the rights to do CRUD Operations over the list present with in my web.
By doing
this, we are sure that our app is having the Full Control Permission through
the Web Scope.
xml version="1.0" encoding="utf-8" ?>
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
Name="ProviderHostedAppsForSQLData"
ProductID="{23eed756-8c12-42bc-9a6d-2733e204b5be}"
Version="1.0.0.0” SharePointMinVersion="15.0.0.0">
<Properties>
<Title>ProviderHostedAppsForSQLData</Title>
<StartPage>http://c245wccmrs456yfwas74/ProviderHostedAppsForSQLDataWeb/Pages/Default.aspx?{StandardTokens}</StartPage>
</Properties>
<AppPrincipal>
<RemoteWebApplication ClientId="*" />
</AppPrincipal>
<AppPermissionRequests>
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web"
Right="FullControl"
/>
</AppPermissionRequests>
</App>
19. Now, we
came to the final step of our provider hosted application creation. That is, we
need to register our clientID with the SharePoint before deploying the app.
20. ClientID
is nothing but a GUID. But the only special thing about the ClientID is, it
should be small case. i.e., something like 24576c92-961f-442b-a866-e612222cad36
21. To
generate the GUID, we can’t use the “Create GUID” option in the Visual Studio.
Because that will generate the GUID with Upper Case too. But, it will not work
for our scenario.
22. Hence,
from our SharePoint site itself, go to the AppRegNew.aspx page. The page will
present inside the layouts folder. The URL would be something like https://c2dk76edwas74:45108/sites/test/_layouts/15/Appregnew.aspx.
23. The page
will look like
25. Copy the GUID and we need to paste that in 2 places.
<appSettings>
<add key="ClientId"
value="5c3994bd-1e0a-4dd5-ad08-22a5e178a9f3"
/>
<add key="ClientSigningCertificatePath"
value="D:\Certs\SharePointProviderHostedApps.pfx"
/>
<add key="ClientSigningCertificatePassword"
value="Welcome123"
/>
<add key="IssuerId"
value="af8e95ec-39c4-4578-93a6-77222fea8256"
/>
</appSettings>
<AppPrincipal>
<RemoteWebApplication ClientId="5c3994bd-1e0a-4dd5-ad08-22a5e178a9f3"
/>
</AppPrincipal>
26. After
updating the ClientID, we can build and deploy the solution. Right click the
solution and click Deploy.
 
[The
specified application identifier 5c3994bd-1e0a-4dd5-ad08-22a5e178a9f3 is
invalid or does not ex
ist.]
28. To rectify this error, we need to register our
ClientID on the SharePoint Farm. We can do this by using PowerShell on the
SharePoint Farm.
Add-PSSnapin "Microsoft.SharePoint.PowerShell"
$appDisplayName = "ProviderHostedAppsForSQLData"
$clientID = "5c3994bd-1e0a-4dd5-ad08-22a5e178a9f3"
$targetSiteUrl = "http://c245wccmrs456yfwas74:11108/sites/test/"
$targetSite = Get-SPSite $targetSiteUrl
$realm = Get-SPAuthenticationRealm
-ServiceContext $targetSite
$fullAppPrincipalIdentifier = $clientID + '@' + $realm
Write-Host "Registering new app principal"
$registeredAppPrincipal = Register-SPAppPrincipal
-NameIdentifier $fullAppPrincipalIdentifier
-Site $targetSite.RootWeb -DisplayName
$AppDisplayName
$registeredAppPrincipal | select * | Format-List
$registeredAppPrincipal | select * | Format-List | Out-File -FilePath "Output.txt"
Write-Host "Registration Completed"
|
