You see an HTTP 401 - Access Denied error when you try to
access high trust app from SharePoint. This happens because multiple issuer Ids have been registered.
Please follow the below steps:
Check if any previously registered SPTrustedSecurityTokenIssuer is there. If mal-functioned one is there and if –IsTrustBroker switch was used, means the bad token issuer might be getting called. If this is the first time you are configuring high trust app then you can skip (a and b).
a. Run Get-SPTrustedSecurityTokenIssuer. If no Azure workflow is configured this command should return empty. If you get any issuer apart from
workflow one, run below script to delete it.
b. Remove- SPTrustedSecurityTokenIssuer (pass Id value from above output)Create new SPTrustedSecurityTokenIssuer, by running below script, passing
your SharePoint Developer SiteUrl and Cert path (.cer) that you will use to sign the token (you need to create a self signed cert).
For more info see http://msdn.microsoft.com/en-us/library/fp179901.aspx
Take a note of the $issuerId = "447f40c6-99df-4d37-9739-5370102489f7" in below, we will be using it later.
param
(
[Parameter(Mandatory=$true)]
[string] $TargetSiteUrl, [Parameter(Mandatory=$true)][string]
$CertPath = $(throw "Usage: ConfigureS2SApp.ps1 <TargetSiteUrl> <Certificate>")
)
# On error, stop
$ErrorActionPreference = "Stop"
# Add SharePoint snap in
add-PSSnapin Microsoft.SharePoint.PowerShell
function ConfigureS2SApp([string]$TargetSiteUrl, [string]$CertPath)
{
write-host "Configuring with parameters $appTitle , $TargetSiteUrl , $CertPath"
write-host "you passed"
$TargetSiteUrl $CertPath -foregroundcolor Green $issuerId = "447f40c6-99df-4d37-9739-5370102489f7"
$spweb = Get-SPWeb $TargetSiteUrl
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
$fullAppIdentifier = $issuerId + '@' + $realm
$certificate = Get-PfxCertificate $CertPath
New-SPTrustedSecurityTokenIssuer -Name $issuerId -Certificate $certificate -RegisteredIssuerName $fullAppIdentifier –IsTrustBroker
# turning off https <optional> will make our SharePoint site run on http and still work with high trust app.
$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
$serviceConfig.Update()
}
# ConfigureS2SApp
$TargetSiteUrl $CertPath #Done
Write-host "S2S is now configured" -foregroundcolor Green
<add key="ClientSigningCertificatePath" value="C:\SP15\MasterReference\SimpleHighTrust\S2SCert.pfx" />
<add key="ClientSigningCertificatePassword" value="password" />
<add key="IssuerId" value="447f40c6-99df-4d37-9739-5370102489f7" />
</appSettings>
Open AppManifest in code mode and paste the above ClientId. it should look like below:
<AppPrincipal>
<RemoteWebApplication ClientId="6534b629-f722-4207-9d7b-4673646c3ab1" />
</AppPrincipal>
$spweb = Get-SPWeb "http://mspx2013"
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
$fullAppIdentifier = $clientId + '@' + $realm
$appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $spweb -DisplayName "SimpleHTApp"
Set-SPAppPrincipalPermission -Site $spweb -AppPrincipal $appPrincipal -Scope Site -Right FullControl
Please follow the below steps:
Check if any previously registered SPTrustedSecurityTokenIssuer is there. If mal-functioned one is there and if –IsTrustBroker switch was used, means the bad token issuer might be getting called. If this is the first time you are configuring high trust app then you can skip (a and b).
a. Run Get-SPTrustedSecurityTokenIssuer. If no Azure workflow is configured this command should return empty. If you get any issuer apart from
workflow one, run below script to delete it.
b. Remove- SPTrustedSecurityTokenIssuer (pass Id value from above output)Create new SPTrustedSecurityTokenIssuer, by running below script, passing
your SharePoint Developer SiteUrl and Cert path (.cer) that you will use to sign the token (you need to create a self signed cert).
For more info see http://msdn.microsoft.com/en-us/library/fp179901.aspx
Take a note of the $issuerId = "447f40c6-99df-4d37-9739-5370102489f7" in below, we will be using it later.
param
(
[Parameter(Mandatory=$true)]
[string] $TargetSiteUrl, [Parameter(Mandatory=$true)][string]
$CertPath = $(throw "Usage: ConfigureS2SApp.ps1 <TargetSiteUrl> <Certificate>")
)
# On error, stop
$ErrorActionPreference = "Stop"
# Add SharePoint snap in
add-PSSnapin Microsoft.SharePoint.PowerShell
function ConfigureS2SApp([string]$TargetSiteUrl, [string]$CertPath)
{
write-host "Configuring with parameters $appTitle , $TargetSiteUrl , $CertPath"
write-host "you passed"
$TargetSiteUrl $CertPath -foregroundcolor Green $issuerId = "447f40c6-99df-4d37-9739-5370102489f7"
$spweb = Get-SPWeb $TargetSiteUrl
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
$fullAppIdentifier = $issuerId + '@' + $realm
$certificate = Get-PfxCertificate $CertPath
New-SPTrustedSecurityTokenIssuer -Name $issuerId -Certificate $certificate -RegisteredIssuerName $fullAppIdentifier –IsTrustBroker
# turning off https <optional> will make our SharePoint site run on http and still work with high trust app.
$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
$serviceConfig.Update()
}
# ConfigureS2SApp
$TargetSiteUrl $CertPath #Done
Write-host "S2S is now configured" -foregroundcolor Green
- Create an App using VS2012 (provider hosted).
- In Second screen, use same cert that you used the in step 2 (this time its .pfx file path).
- Issuer ID in VS will be the value that we supplied in PS in Step 2 in this sample its "447f40c6-99df-4d37-9739-5370102489f7"
- Open Web.Config of the AppWeb and generate a guid for the ClientId.
The <appSettings> of the web.config looks like below
<appSettings>
<add key="ClientSigningCertificatePath" value="C:\SP15\MasterReference\SimpleHighTrust\S2SCert.pfx" />
<add key="ClientSigningCertificatePassword" value="password" />
<add key="IssuerId" value="447f40c6-99df-4d37-9739-5370102489f7" />
</appSettings>
Open AppManifest in code mode and paste the above ClientId. it should look like below:
<AppPrincipal>
<RemoteWebApplication ClientId="6534b629-f722-4207-9d7b-4673646c3ab1" />
</AppPrincipal>
-
Give appropriate permission in the AppManifest. For VS template generated provider hosted app code, give Web Read permission.
-
Create an IIS site, make sure .Net 4.0 is the target framework.
-
Enable https on this IIS site and also enable Windows Authentication and Disable Anonymous Access.
-
You can use same cert for https, but if its on a separate IIS, make sure you copy certificates.
-
Compile and publish the app, you will be prompted like below:
Where is your website hosted? –
This will be the url of the site where you want to host the appweb. In our
sample it’s the IIS site that we created in the
previous steps (if this is on a separate IIS server, give that url). Also note that it has to be Https, OAuth requires https.
previous steps (if this is on a separate IIS server, give that url). Also note that it has to be Https, OAuth requires https.
Client ID
-6534b629-f722-4207-9d7b-4673646c3ab1
Cert location = location of cert (.pfx file)
Cert password = password of the cert
IssuerId = "447f40c6-99df-4d37-9739-5370102489f7"
Cert location = location of cert (.pfx file)
Cert password = password of the cert
IssuerId = "447f40c6-99df-4d37-9739-5370102489f7"
9. This will
generate app.publish folder in
project\bin\debug. You will see .app file and
AppWeb.Web.zip folder (this is what we want to run on a
separate IIS site)
-
Drill down the AppWeb.Web.zip folder and copy all the content of PackageTmp in the virtual directory of the IISSite.
-
Go to SharePoint PowerShell and Register our appprincipal by using below script
$spweb = Get-SPWeb "http://mspx2013"
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
$fullAppIdentifier = $clientId + '@' + $realm
$appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $spweb -DisplayName "SimpleHTApp"
Set-SPAppPrincipalPermission -Site $spweb -AppPrincipal $appPrincipal -Scope Site -Right FullControl
- Go to SharePoint Developer Site, Click “new app to deploy”, Click upload, and browse to the .app file in app.publish folder.
13. Consent to the perm
prompt the app requests.
14. Click the app, this
will redirect to the separate IIS site where our app is configured, and you
should see the Title of the HostWeb (your SharePoint Developer Site).
No comments:
Post a Comment