Applications Server
 

Overview of Oauth in Sharepoint 2013 : Application Authorization - On-Premises App Authentication with S2S

6/28/2014 8:57:05 PM

In some situations an organization might need its SharePoint environment and solutions to be purely on-premises. This could be for security reasons, technical reasons such as in disconnected network situations, or simply because on-premises solutions are the company policy. In these situations, using Office 365, Azure Access Control Services (ACS), and apps hosted in Azure will not work. An alternative is to host the apps on premises along with the SharePoint sites and to use Server to Server (S2S) authentication. S2S effectively removes reliance on Azure Access Control Services (ACS). In its place SharePoint acts as the Security Token Service (STS) and predefined certificates are used to sign and verify the tokens that are generated. S2S uses extensions to the OAuth 2.0 protocol that are not (at the time of this writing) currently part of the OAuth 2.0 standard, but have been submitted by Microsoft for future inclusion.

Applications that run using S2S are also said to be “high-trust” apps. High-trust apps must authenticate users independently themselves versus being passed a trusted identity as part of the context token from SharePoint. Typically, applications would authenticate a user using Windows Authentication (NTLM) or a similar scheme. High-trust apps are considered “high trust” because SharePoint trusts the application and trusts that it has authenticated and identified the user context being passed as part of an API call.

Part of the reason why high-trust apps establish the identity of users themselves is because of other authentication/authorization needs in on-premises scenarios. Take, for example, the scenario where a financial organization needs to keep all its data on premises for regulatory reasons. It builds an app that works with data in a variety of other on-premises systems and its organization uses Active Directory (AD) to manage users and security in those systems. A high-trust app would use a user’s Windows identity to authenticate him and check his permissions; that same identity could also be used for downstream systems such as SQL Server.

This means that high-trust apps can play in the same playground as other on-premises applications and, most importantly, use the same internally mandated authorization and authentication system.

Setting up S2S authentication requires a number of manual setup steps for it to work properly. Following them correctly is important to ensure proper authentication operation.

You must setup and configure two items prior to starting the S2S configuration:

  • User Profile Service Application
  • App isolation

For more setup steps for app isolation, see the following MSDN document: http://msdn.microsoft.com/en-us/library/office/apps/fp179923.aspx.

After you have the prerequisites set up then you can complete the following:

1. Create and export a certificate.

2. Register the app (see the previous section, “Creating and Managing Application Identities”).

3. Create a Provider-hosted app.

After completing the preceding items, you can start building Provider-hosted apps that are deployed on premises with IIS and SharePoint. The app and SharePoint are able to generate and verify the tokens required based on the trust set up with the certificate. You’ll need to create a certificate so that your app can generate and verify the tokens. You can either create a self-signed certificate or use a certificate obtained from a certificate issuing authority. A self-signed certificate is simply a certificate that you sign yourself rather than obtaining it from a trusted issuing authority, and, for the purposes of these steps, is adequate to use. To create a self-signed certificate, follow these steps (Windows Server 2012):

1. Open IIS Manager.

2. Click Server Certificates.

3. Select Create Self-Signed Certificate from the action menu.

4. Give your certificate a name, such as MyAppCert. Click OK and when complete you will see your new certificate listed.

5. Open your new certificate by double-clicking it.

6. Click Copy to File.

7. Click Next, leaving the fields with their defaults.

8. Click Next again, leaving the fields with their defaults.

9. Give your certificate a filename, such as c:\MyAppCert.cer.

10. Right-click your certificate in IIS Manager and choose Export.

11. Give it a filename such as c:\MyAppCert.pfx.

12. Provide a password and remember it.

You are now ready to register a new app identity in SharePoint. To do this, you can use the following PowerShell script. You need to generate a new GUID for the $clientid value, set the path to your certificate, and set the name of the app appropriately.

$clientid= "7c17e591-f4da-46fc-b85c-a22a6b09c059"
$publicCertificatePath = "C:\MyAppCert.cer"

$certificate = Get-PfxCertificate $publicCertificatePath
$web = Get-SPWeb "http://servername"
$realm = Get-SPAuthenticationRealm -ServiceContext $web.Site
$fullAppIdentifier = $issuerId + '@' + $realm

New-SPTrustedSecurityTokenIssuer -Name "My App"
-Certificate $certificate -RegisteredIssuerName $fullAppIdentifier

Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $web
-DisplayName "My App"

$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
$serviceConfig.Update()

The preceding script does the following:

  • Sets up a new trusted security token issuer.
  • Creates a new app identity/registration.
  • Turns off SSL for OAuth for development purposes.

NOTE Turning off SSL for OAuth makes it easier when developing to get your application up and running. No SSL certificates are needed which simplifies setup and configuration on developer machines with different machine names.

Now you are ready to create a Provider-hosted app in Visual Studio using the Microsoft Office Developer Tools for Visual Studio 2012 - Preview 2. Follow these steps:

1. Create a new SharePoint App project with Visual Studio.

2. Specify Provider-hosted as the app type during creation.

3. When you are asked whether you want to Use a Certificate to authenticate, say that you do and specify the path to the PFX certificate file you exported. Provide the password you also specified during the export.

4. Enter the $clientid GUID you created for the earlier PowerShell script into the Issuer ID field in the wizard.

5. Complete the wizard and complete your application development.

6. Click F5 to deploy and test your application.
 
Others
 
- Overview of Oauth in Sharepoint 2013 : Application Authorization - Requesting Permissions Dynamically
- Overview of Oauth in Sharepoint 2013 : Application Authentication (part 2) - Managing Tokens in Your Application
- Overview of Oauth in Sharepoint 2013 : Application Authentication (part 1) - Using TokenHelper
- Overview of Oauth in Sharepoint 2013 : Creating and Managing Application Identities
- Overview of Oauth in Sharepoint 2013 : Introduction to OAuth
- Sharepoint 2013 : Upgrading to Sharepoint 2013 - Upgrade Considerations (part 3) - Don’t Upgrade Crap
- Sharepoint 2013 : Upgrading to Sharepoint 2013 - Upgrade Considerations (part 2) - What You Can’t Upgrade
- Sharepoint 2013 : Upgrading to Sharepoint 2013 - Upgrade Considerations (part 1) - What You Can Upgrade
- Active Directory 2008 : Managing OUs (part 3) - Delegating Control of OUs
- Active Directory 2008 : Managing OUs (part 2) - Administering Properties of OUs
- Active Directory 2008 : Managing OUs (part 1) - Moving, Deleting, and Renaming OUs
- Microsoft Lync Server 2013 : Installing the Director Role (part 3) - Install Server
- Microsoft Lync Server 2013 : Installing the Director Role (part 2) - Creating a Director Pool - Edit Topology, Publish Topology
- Microsoft Lync Server 2013 : Installing the Director Role (part 1) - Prerequisites
- Microsoft Exchange Server 2013 : Creating special-purpose mailboxes (part 10) - Creating public folder mailboxes
- Microsoft Exchange Server 2013 : Creating special-purpose mailboxes (part 9) - Creating shared mailboxes
- Microsoft Exchange Server 2013 : Creating special-purpose mailboxes (part 8) - Creating arbitration mailboxes, Creating Discovery mailboxes
- Microsoft Exchange Server 2013 : Creating special-purpose mailboxes (part 7) - Creating and using archive mailboxes - Creating online archives, Managing archive settings
- Microsoft Exchange Server 2013 : Creating special-purpose mailboxes (part 6) - Creating and using archive mailboxes - Creating in-place archives
- Microsoft Exchange Server 2013 : Creating special-purpose mailboxes (part 5) - Creating forwarding mailboxes
 
 
Most View
 
- : Windows Server 2008 and Windows Vista : Administrative (.adm) Templates (part 3) - Adding .adm Templates
- SQL Server 2012 : Configuration Options (part 5) - Security-Configuration Properties
- Windows Server 2008 : Creating and Running a PowerShell Script - Setting the Security Context
- Windows 8 : Creating a Windows Network - Configuring a Peer-to-Peer Network (part 1)
- Windows Server 2012 : Installing the Web Server Role, Upgrading from Other Versions of IIS
- Creating Extended Events Sessions in SQL Server 2012 (part 2) - Monitoring Server Logins
- SQL Server 2012 : Delivering A SQL Server Health Check (part 9)
- Microsoft Access 2010 : Creating Your Own Databases and Tables - Working with Field Properties (part 2)
- Exchange Server 2013 : Extending Exchange - Accessing Exchange Programmatically
- Microsoft Lync Server 2013 : Mediation Server Administration
 
 
Top 10
 
- Upgrading to Sharepoint 2013 : Upgrading Service Applications
- Upgrading to Sharepoint 2013 : Upgrading Site Collections
- Upgrading to Sharepoint 2013 : Upgrading Content (part 4) - Attaching the Content Database
- Upgrading to Sharepoint 2013 : Upgrading Content (part 3) - Fixing the Issues, Additional Parameters
- Upgrading to Sharepoint 2013 : Upgrading Content (part 2) - Running Test-SPContentDatabase
- Upgrading to Sharepoint 2013 : Upgrading Content - Creating the Web Application, Testing the Content Database
- Windows 8 : Introducing Storage Spaces - Creating storage spaces
- Windows 8 : Working with file systems (part 5) - Working with quotas, Working with quotas for user accounts
- Windows 8 : Working with file systems (part 4) - Understanding Encrypting File System, BitLocker
- Windows 8 : Working with file systems (part 3) - Auditing access to securable objects by using SACLs