Development environment for low-trust: Configuring Low Trust Apps
This post is in the article series "Development environment for low-trust", where we aim to set up an environment that replicates a live production environment as closely as possible. Here, we also switch from High Trust apps to Low Trust apps to support ADFS, Azure AD and future-proof app/add-in models.
App Catalog Configuration
You must configure a new name in Domain Name Services (DNS) to host the apps. To help improve security, the domain name should not be a subdomain of the domain that hosts the SharePoint sites. When an app is provisioned, it provisions a unique DNS domain name (for example, apps-12345678ABCDEF.spapps.dev.com, where 12345678ABCDEF is a unique identifier for the app). You need a wildcard Canonical Name (CNAME) entry for your DNS domain to support these unique names.
- You need to configure DNS as a wildcard CNAME entry in the same zone as the SharePoint site domain.
- You will need to install the wildcard SSL certificate for *.dev.com on the SharePoint WFEs.
- You will need to start the Subscription Settings and App Management service applications using configuration and PowerShell scripts.
- You need to configure the App URLs to use (spapps.dev.com).
- You need to configure internet-facing endpoints for apps:
  - In Central Administration, click Application Management.
  - On the Application Management page, click Manage Web applications.
  - On the Manage Web Applications page, select the web application that you want to change.
  - On the ribbon, click Manage Features.
  - In the feature list, next to Apps that require accessible internet facing endpoints, click Activate.
  - Click OK.
Reference: Configure an environment for apps for SharePoint, http://technet.microsoft.com/en-us/library/fp161236(v=office.15).aspx
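The service-application and App URL steps above can be scripted instead of clicked through. The following is an added example, not a script from the original post: it starts the two service instances, creates the Subscription Settings and App Management service applications with their proxies, sets the app domain and prefix, and reads both back as a check. The managed account, pool, service application and database names are assumed placeholders.

```powershell
# Added example (not from the original post). Run in the SharePoint 2013
# Management Shell as a farm administrator. Account, pool, service app and
# database names below are placeholders; replace them for your farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed managed account that will run the two service application pools.
$managedAccount = Get-SPManagedAccount "DEV\sp_services"

# Start the Subscription Settings and App Management service instances on
# this server; repeat on every server that should host them.
Get-SPServiceInstance |
    Where-Object { $_.GetType().Name -eq "AppManagementServiceInstance" -or
                   $_.GetType().Name -eq "SPSubscriptionSettingsServiceInstance" } |
    Where-Object { $_.Status -ne "Online" } |
    Start-SPServiceInstance | Out-Null

# Subscription Settings service application (PowerShell only; Central
# Administration has no page for creating this one).
$subPool = New-SPServiceApplicationPool -Name "SettingsServiceAppPool" -Account $managedAccount
$subApp  = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $subPool `
              -Name "SettingsServiceApp" -DatabaseName "SettingsServiceDB"
New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $subApp | Out-Null

# App Management service application and proxy.
$appPool = New-SPServiceApplicationPool -Name "AppServiceAppPool" -Account $managedAccount
$appApp  = New-SPAppManagementServiceApplication -ApplicationPool $appPool `
              -Name "AppServiceApp" -DatabaseName "AppServiceDB"
New-SPAppManagementServiceApplicationProxy -ServiceApplication $appApp | Out-Null

# App domain must match the wildcard CNAME and the certificate installed on
# the WFEs; the prefix becomes the "apps-" part of apps-<id>.spapps.dev.com.
Set-SPAppDomain "spapps.dev.com"
Set-SPAppSiteSubscriptionName -Name "apps" -Confirm:$false

# Read the values back before registering any app principals.
"App domain: $(Get-SPAppDomain)"
"App prefix: $(Get-SPAppSiteSubscriptionName)"
```

If either service instance stays Provisioning for more than a few minutes, check the SharePoint Timer Service on that server before continuing.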
You must also ensure that at least one profile is created in the User Profile Service Application. The steps are as follows:
- In Central Administration, under Application Management, select Manage service applications.
- Next, select User Profile Service Application.
- On the Manage Profile Service: User Profile Service Application page, under People, select Manage User Profiles.
- On the Manage User Profiles page, select New Profiles.
- On the Add User Profile page, type your account name and email address.
- Select Save and Close.
Note: If you get a message saying that the profile you are trying to create already exists, select Cancel and Go Back.
Back on the Manage User Profiles page, you should see Total number of profiles: 1.
Configuration of ACS
The following configuration steps are required for low trust apps using ACS:
- Set up the Office 365 subscription and obtain global tenant administrator account details
- Replace the signing certificate in SharePoint using the Set-SPSecurityTokenServiceConfig command. This will change the certificate used in the SharePoint trusted token issuer to support the signing requirements of ACS. This needs to be done on all SharePoint servers.
- Configure SharePoint for ACS using the Connect-SPFarmToAAD script. This creates two new shared services and is done once per farm.
- Register each individual app using the Add-ServicePrincipalToAAD and Register-SPAppPrincipalEx commands. The second command can optionally receive an existing client ID and client secret for migration purposes.
Scripts needed for the configuration can be found at https://msdn.microsoft.com/EN-US/library/office/dn155905.aspx. Details on app registration can be found at http://blogs.msdn.com/b/besidethepoint/archive/2012/12/10/sharepoint-apps-powershell-helpers.aspx.