
Configure app authentication in SharePoint Server 2013

SharePoint 2013

Applies to: SharePoint Server 2013 Standard, SharePoint Server 2013 Enterprise

Topic Last Modified: 2014-07-28

Summary: Learn how to configure app authentication in SharePoint Server 2013.

When you use an app for SharePoint, an external component of the app might want to access SharePoint resources. For example, a web server that is located on the intranet or the Internet might try to access a SharePoint resource. When this occurs, SharePoint has to confirm the following:

  • The authentication of the identity of the app and of the user on whose behalf the app is acting.

  • The authorization of the access for both the app and the user on whose behalf the app is acting.

App authentication is the combination of these two confirmations: the request succeeds only if both the app and the user are authenticated and both are authorized for the resource.

This topic describes how to configure a SharePoint Server 2013 farm for app authentication by configuring a trust, by registering the app with the Application Management service, and by configuring app permissions.

Important:
SharePoint web applications that include app authentication endpoints for incoming requests must be configured to use Secure Sockets Layer (SSL). Without SSL, the access and context tokens that the app presents travel in clear text and can be captured and replayed by anyone who can observe the traffic. For information about how to configure SSL for a new web application, see Create claims-based web applications in SharePoint 2013.
Note:
This topic does not apply to SharePoint Foundation 2013.

This configuration has the following steps, which must be performed in this order:

  1. Configure the SharePoint Server 2013 app authentication trust.

  2. Register the app with the Application Management service.

  3. Configure app permissions.

For information about apps for SharePoint, see Overview of apps for SharePoint 2013.

Note:
Because SharePoint Server 2013 runs as websites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide. SharePoint Server 2013 supports the accessibility features of supported browsers. For more information, see the following resources:

There are two ways to configure an app authentication trust with SharePoint Server 2013:

  • If the app uses Windows Azure Active Directory (AD) for authentication, you configure the SharePoint farm to trust the Windows Azure AD instance, typically the one that corresponds to your Office 365 subscription. An Office 365 subscription is not required; you can obtain a Windows Azure AD account separately. For more information, see Windows Azure Active Directory. Windows Azure AD then acts as a common authentication broker between the on-premises SharePoint farm and the app and as the online security token service (STS): it generates the context tokens when the app requests access to a SharePoint resource.

    In this case, configure SharePoint Server 2013 to trust Windows Azure AD.

  • If the app does not use Windows Azure AD for authentication, you must configure a server-to-server trust relationship between the SharePoint farm and the app, known as a high-trust app. A high-trust app signs its own context tokens with its own certificate when it requests access to a SharePoint resource, and SharePoint accepts the user identity asserted in those tokens. Whoever holds the private key of that certificate can therefore impersonate any user within the permissions granted to the app, so keep the private key on the app server and give the farm only the public (.CER) certificate. This must be done for each high-trust app that a SharePoint farm must trust. For example, if multiple apps are running on one server and they all use different token signing certificates, you must create a separate trust with each one.

    In this case, configure SharePoint Server 2013 to trust the app.

Use the following procedure to configure SharePoint Server 2013 to trust Windows Azure AD.

To configure a SharePoint Server 2013 trust relationship with Windows Azure AD
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running Windows PowerShell cmdlets.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint Server 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. Start the SharePoint 2013 Management Shell.

    • For Windows Server 2008 R2:

      • In the SharePoint 2013 environment, on the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.

    • For Windows Server 2012:

      • In the SharePoint 2013 environment, on the Start screen, click SharePoint 2013 Management Shell.

        If SharePoint 2013 Management Shell is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. At the Windows PowerShell command prompt, type the following command:

    New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "<Metadata endpoint URL of Windows Azure AD>" -IsTrustBroker -Name "Azure AD"
    

    Where:

    • <Metadata endpoint URL of Windows Azure AD> is https://accounts.accesscontrol.windows.net/<Windows Azure AD domain name or realm ID>/metadata/json/1. SharePoint downloads the signing keys of the STS from this endpoint, so the farm servers must be able to reach it over HTTPS.

    • -IsTrustBroker marks the issuer as a broker that issues tokens for many apps, as opposed to a single high-trust app that signs tokens with its own certificate.

  4. Keep the Windows PowerShell command prompt open for the Register the app with the Application Management service procedure.

Use the following procedure to configure SharePoint Server 2013 to trust the app.

To configure a SharePoint Server 2013 trust relationship with a high-trust app
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running Windows PowerShell cmdlets.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint Server 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. In Central Administration on the SharePoint Server 2013 server in the farm, on the Quick Launch, click System Settings, and then click Manage services on server.

  3. In the list of services on the server, make sure that User Profile Service is started.

  4. In Central Administration, on the Quick Launch, click Application Management, and then click Manage service applications.

  5. In the list of service applications, make sure that the App Management Service and User Profile Service Application are started.

  6. Obtain a .CER version of the signing certificate of the high-trust app and store it in a location that can be accessed during the rest of this procedure.

  7. Start the SharePoint 2013 Management Shell as the account whose memberships you verified in step 1. On Windows Server 2008 R2, on the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell. On Windows Server 2012, on the Start screen, click SharePoint 2013 Management Shell.

  8. At the Windows PowerShell command prompt, type the following commands:

    # Client ID of the high-trust app; every letter must be lowercase
    $appId = "<AppID>"
    
    # A SharePoint web in the web application that the app accesses; the realm is read from its site collection
    $spweb = Get-SPWeb "<AppURL>"
    
    $realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
    
    # Public certificate (.CER) of the key the app uses to sign its tokens
    $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<CERFilePath>")
    
    # Issuer identifier that the app places in the tokens it signs: <client id>@<realm>
    $fullAppIdentifier = $appId + '@' + $realm
    
    New-SPTrustedSecurityTokenIssuer -Name "<FriendlyName>" -Certificate $certificate -RegisteredIssuerName $fullAppIdentifier
    

    Where:

    • <AppID> is the client ID assigned to the high-trust app when it was created.

      Important:
      All of the letters in the AppID must be in lowercase. The registered issuer name must match the issuer claim in the app's tokens exactly.
    • <AppURL> is the URL of a SharePoint web (site) in the web application that the app accesses. Get-SPWeb accepts only SharePoint URLs; the commands use the web to read the authentication realm of its site collection, which becomes the suffix of the issuer identifier.

    • <CERFilePath> is the path of the .CER version of the signing certificate of the high-trust app. The file must contain only the public certificate; the private key stays on the app server.

    • <FriendlyName> is a friendly name that identifies the app. Each trusted issuer in the farm must have a unique name.

  9. Keep the Windows PowerShell command prompt open for the next procedure.

Use the following procedure to register the app with the Application Management service.

To register the app as a SharePoint app principal
  1. At the Windows PowerShell command prompt, type the following command:

    $appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $spweb -DisplayName "<DisplayName>" 
    

    Where:

    • <DisplayName> is the name of the app as displayed in Central Administration.

  2. Keep the Windows PowerShell command prompt open for the next procedure.

Use the following Windows PowerShell command to add or change individual app permissions. Repeat this procedure as many times as needed to configure the permissions of the app. Grant the narrowest scope and right that the app needs: FullControl at the Farm scope gives the app, and anyone who can sign tokens with its certificate, full control of every site in the farm.

To configure app permissions
  • At the Windows PowerShell command prompt, type the following command:

    Set-SPAppPrincipalPermission -AppPrincipal $appPrincipal -Site $spweb -Right <Level> -Scope <Scope>
    

    Where:

    • $appPrincipal and $spweb are the variables that were set in the previous procedures.

    • <Level> is Read, Write, Manage, or FullControl.

    • <Scope> is Farm, Site collection, SharePoint Online, Web, Documents, List, or Library, given as the single-word value the cmdlet accepts (for example, -Scope Site for the web that $spweb refers to, or -Scope SiteCollection for its site collection).

    For more information, see Set-SPAppPrincipalPermission.

For more information, see Plan app permissions management in SharePoint 2013.
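The three procedures above, assembled into one script for the high-trust case. This is an added example, not code from the original article: the client ID, site URL, certificate path and names are placeholders you must replace; the script refuses to continue if the farm allows OAuth over HTTP (the AllowOAuthOverHttp setting of Get-SPSecurityTokenServiceConfig) or if the .CER file is about to expire or carries a private key; it reuses an existing trusted issuer of the same name so that it can be rerun; it grants Read at the web scope (-Scope Site is assumed to be the web-level scope value of Set-SPAppPrincipalPermission) rather than FullControl; and it verifies the result with Get-SPTrustedSecurityTokenIssuer and Get-SPAppPrincipal.

```powershell
# Added example (not from the original article): configure a SharePoint Server 2013 farm
# to trust a high-trust app, register its app principal, and grant least-privilege permissions.
# Run in the SharePoint 2013 Management Shell on a farm server.
# All values below are placeholders; replace them with your own.

$appId        = "a1b2c3d4-0000-0000-0000-000000000001"    # client ID of the app; must be lowercase
$siteUrl      = "https://intranet.contoso.com/sites/apps"  # SharePoint web the app is registered against
$cerPath      = "C:\certs\HighTrustApp.cer"                # public certificate exported from the app server
$friendlyName = "Contoso HighTrust Issuer"                 # unique name of the trusted issuer
$displayName  = "Contoso High-Trust App"                   # app principal name shown in Central Administration

# --- 0. Preconditions: OAuth tokens must only travel over SSL. Fail closed otherwise.
$stsConfig = Get-SPSecurityTokenServiceConfig
if ($stsConfig.AllowOAuthOverHttp) {
    throw "AllowOAuthOverHttp is enabled on this farm; app tokens would be sent in clear text. Disable it before continuing."
}
if ($siteUrl -notlike "https://*") {
    throw "The web application hosting $siteUrl must be configured for SSL."
}

# --- 1. Load and sanity-check the app's signing certificate.
$appId = $appId.ToLowerInvariant()
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if ($certificate.NotAfter -lt (Get-Date).AddDays(30)) {
    throw ("Signing certificate {0} expires on {1}; renew it before trusting it." -f $certificate.Thumbprint, $certificate.NotAfter)
}
if ($certificate.HasPrivateKey) {
    # A .CER never carries a private key; if this fires, the wrong file was exported and
    # the app's signing key has just been copied onto the farm.
    throw "The file $cerPath contains a private key. Only the public certificate belongs on the SharePoint farm."
}

# --- 2. Build the issuer identifier: <lowercase client id>@<authentication realm of the site collection>.
$spweb = Get-SPWeb $siteUrl
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
$fullAppIdentifier = "$appId@$realm"

# Reuse an existing trusted issuer with this name so the script can be rerun safely.
$issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $friendlyName }
if (-not $issuer) {
    $issuer = New-SPTrustedSecurityTokenIssuer -Name $friendlyName -Certificate $certificate -RegisteredIssuerName $fullAppIdentifier
}

# --- 3. Register the app principal (if not already present) and grant only what the app needs:
#        Read on this web, not FullControl on the farm.
$appPrincipal = Get-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $spweb -ErrorAction SilentlyContinue
if (-not $appPrincipal) {
    $appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $spweb -DisplayName $displayName
}
Set-SPAppPrincipalPermission -AppPrincipal $appPrincipal -Site $spweb -Scope Site -Right Read

# --- 4. Verify: the trust exists, it is bound to the certificate we loaded, and the principal resolves.
$check = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.RegisteredIssuerName -eq $fullAppIdentifier }
if (-not $check) {
    throw "Trusted issuer for $fullAppIdentifier was not created."
}
if ($check.SigningCertificate.Thumbprint -ne $certificate.Thumbprint) {
    throw "Trusted issuer $friendlyName is bound to a different certificate than $cerPath."
}
$principalCheck = Get-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $spweb
if (-not $principalCheck) {
    throw "App principal $fullAppIdentifier was not registered."
}

Write-Host ("Trusted issuer '{0}' (thumbprint {1}) registered for app principal '{2}' with Read on {3}" -f `
    $check.Name, $check.SigningCertificate.Thumbprint, $principalCheck.DisplayName, $spweb.Url)
$spweb.Dispose()
```

To widen the app's access later, rerun Set-SPAppPrincipalPermission with a different -Right or -Scope; to revoke the app entirely, remove the issuer with Remove-SPTrustedSecurityTokenIssuer, after which tokens signed with that certificate are no longer accepted.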
