Configuring SharePoint SSL App setup

01.12.16 09:27 PM By Jordan

This is a guide the Umlindi team created to assist with the configuration of SSL for the SharePoint App Store.

Create a forward lookup zone for the app domain name

  1. Verify that the user account that performs this procedure is a domain administrator on the domain controller.
  2. Click Start, point to Administrative Tools, and then click DNS.
  3. In DNS Manager, right-click Forward Lookup Zones, and then click New Zone….
  4. In the New Zone Wizard, click Next.
  5. In the Zone Type page, accept the default of Primary zone, and then click Next.
  6. In the Active Directory Zone Replication Scope page, select the appropriate replication method for your environment (the default is To all DNS servers in this domain), and then click Next.
  7. In the **Zone Name** page, in the **Zone name** box type the name for your new app domain name (for example, ContosoApps.com), and then click **Next**.

The New Zone Wizard shows the new domain name for apps.

  8. On the Dynamic Update page, select the appropriate type of dynamic updates for your environment (the default is Do not allow dynamic updates), and then click Next.
  9. On the Completing the New Zone Wizard page, review the settings, and then click Finish.

For more information about how to create a forward lookup zone, see Add a Forward Lookup Zone.

You have now created a forward lookup zone (and a domain name) to use for apps in your environment.

To create a wildcard Alias (CNAME) record for the new domain name

  1. Verify that the user account that performs this procedure is a domain administrator on the domain controller.
  2. In DNS Manager, under Forward Lookup Zones, right-click the new app domain name, and then click New Alias (CNAME).
  3. In the New Resource Record dialog box, in the **Alias name (uses parent domain if left blank)** box, type an asterisk (*).

The Fully qualified domain name (FQDN) box displays *. followed by the domain name that you created for apps. For example, *.ContosoApps.com or *.Contoso-Apps.com.

  4. Next to the Fully qualified domain name (FQDN) for target host box, type the FQDN of the server that hosts the SharePoint sites (for example, SharePoint.Contoso.com). Or:

     1. Next to the **Fully qualified domain name (FQDN) for target host** box, click **Browse** and navigate to the Forward Lookup Zone for the domain that hosts the SharePoint sites (for example, Contoso.com).
     2. Then navigate to the record that points to the server that hosts the SharePoint site (for example, SharePoint).

New Resource Record dialog box shows the wildcard alias for the app domain and the FQDN of the server that hosts the SharePoint sites.

  5. Click OK.
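The same zone and wildcard alias, created from the DnsServer PowerShell module instead of DNS Manager, as an added example that is not part of the original guide. It assumes a Windows Server 2012 or later DNS server and uses the guide's example names (ContosoApps.com, SharePoint.Contoso.com) as placeholders.

```powershell
# Added example: forward lookup zone plus wildcard CNAME for the app domain.
# Run as a domain administrator on the DNS server.
Import-Module DnsServer

$appDomain  = 'ContosoApps.com'        # placeholder: the new, isolated app domain
$spHostFqdn = 'SharePoint.Contoso.com' # placeholder: FQDN of the server hosting the SharePoint sites

# Primary zone, AD-integrated and replicated to all DNS servers in the domain
# (the wizard's default), with dynamic updates disabled (also the default).
if (-not (Get-DnsServerZone -Name $appDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $appDomain -ReplicationScope Domain -DynamicUpdate None
}

# Wildcard alias: every host name under the app domain resolves to the SharePoint server.
Add-DnsServerResourceRecordCName -ZoneName $appDomain -Name '*' -HostNameAlias $spHostFqdn

# Verify: an arbitrary app host name must follow the CNAME to the SharePoint server's address.
$probe = "apps-12345678abcdef.$appDomain"
Resolve-DnsName -Name $probe -Type A |
    Select-Object Name, Type, NameHost, IPAddress
```

Because the alias is a wildcard, the verification should succeed for any name under the app domain, which is exactly what the later IIS binding discussion relies on.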

Configure the Subscription Settings and App Management service applications

Apps rely on the App Management and Microsoft SharePoint Foundation Subscription Settings service applications. These service applications use the multi-tenancy features to provide app permissions and create the subdomains for apps. Therefore, even if you are not hosting multiple tenants, you must still establish a name for the default tenant for your environment (any SharePoint site that is not associated with a tenant will be in the default tenant).

To configure these services, you first start the services in Central Administration. After the services are started, you use Windows PowerShell to create the Subscription Settings service application, and then use either Windows PowerShell or Central Administration to create the App Management service application.

To start the Subscription Settings and App Management services in Central Administration

  1. Verify that you are a member of the farm administrators group in Central Administration.
  2. In SharePoint 2013 Central Administration, click System Settings.
  3. On the System Settings page, under Servers, click Manage services on server.
  4. On the Services on Server page, next to App Management Service, click Start.
  5. On the Services on Server page, next to Microsoft SharePoint Foundation Subscription Settings Service, click Start.
  6. Verify that the App Management and Microsoft SharePoint Foundation Subscription Settings services are running. The following illustration shows the **Services on Server** page where you can verify that the App Management and Subscription Settings services are running.

Services on Server showing the App Management and Subscription Settings services running.


To configure the Subscription Settings service application by using Windows PowerShell

  • Verify that you have the following memberships:
    - securityadmin fixed server role on the SQL Server instance.
    - db_owner fixed database role on all databases that are to be updated.
    - Administrators group on the server on which you are running the Windows PowerShell cmdlets.

An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 15 Products cmdlets.

  • On the Start menu, click All Programs.
  • Click Microsoft SharePoint 2013 Products.
  • Click SharePoint 2013 Management Shell.
  • First you must establish the application pool, run as account, and database settings for the services. Use a managed account for the SPManagedAccount (which will be used for the application pool runas account).

At the Windows PowerShell command prompt, type the following commands, and press ENTER after each one to create the application pool:

```powershell
# Gets the managed account and stores it in $account for later use.
# <ManagedAccount> is a placeholder for the name of the managed account in the SharePoint farm.
$account = Get-SPManagedAccount "<ManagedAccount>"

# Creates an application pool for the Subscription Settings service application,
# uses the managed account as the security account for the pool,
# and stores the pool in a variable for later use.
$appPoolSubSvc = New-SPServiceApplicationPool -Name SettingsServiceAppPool -Account $account
```

  • At the Windows PowerShell command prompt, type the following commands, and press ENTER after each one to create the new service application and proxy:

```powershell
# Creates the Subscription Settings service application, using the variable to associate it
# with the application pool created earlier, and stores it in a variable for later use.
# <SettingsServiceDB> is a placeholder for the name of the Subscription Settings service database.
$appSubSvc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $appPoolSubSvc -Name SettingsServiceApp -DatabaseName "<SettingsServiceDB>"

# Creates a proxy for the Subscription Settings service application.
$proxySubSvc = New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $appSubSvc
```

You can use either Windows PowerShell or Central Administration to create and configure the App Management service application. The following procedures provide the steps for each method.

To configure the App Management service application by using Windows PowerShell

  • Verify that you have the following memberships:
    - securityadmin fixed server role on the SQL Server instance.
    - db_owner fixed database role on all databases that are to be updated.
    - Administrators group on the server on which you are running the Windows PowerShell cmdlets.

An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 15 Products cmdlets.

  • On the Start menu, click All Programs.
  • Click Microsoft SharePoint 2013 Products.
  • Click SharePoint 2013 Management Shell.
  • First you must establish the application pool, run as account, and database settings for the services. Use a managed account for the SPManagedAccount (which will be used for the application pool runas account).

At the Windows PowerShell command prompt, type the following commands, and press ENTER after each one to create the application pool:

```powershell
# Gets the managed account and stores it in $account for later use.
# <ManagedAccount> is a placeholder for the name of the managed account in the SharePoint farm.
$account = Get-SPManagedAccount "<ManagedAccount>"

# Creates an application pool for the App Management service application,
# uses the managed account as the security account for the pool,
# and stores the pool in a variable for later use.
$appPoolAppSvc = New-SPServiceApplicationPool -Name AppServiceAppPool -Account $account
```

  • At the Windows PowerShell command prompt, type the following commands, and press **ENTER** after each one to create the new service application and proxy:

```powershell
# Creates the App Management service application, using the variable to associate it
# with the application pool created earlier, and stores it in a variable for later use.
# <AppServiceDB> is a placeholder for the name of the App Management service database.
$appAppSvc = New-SPAppManagementServiceApplication -ApplicationPool $appPoolAppSvc -Name AppServiceApp -DatabaseName "<AppServiceDB>"

# Creates a proxy for the App Management service application.
$proxyAppSvc = New-SPAppManagementServiceApplicationProxy -ServiceApplication $appAppSvc
```

To create the App Management service application in Central Administration

  • In SharePoint 2013 Central Administration, on the Application Management page, click Manage service applications.
  • On the ribbon, click New, and then click App Management Service.
  • In the New App Management Service Application page, in the Service Application Name box, type the name for the service application.
  • In the Database section, in the Database Server box, type the instance of SQL Server where you want to store the database, or use the default server.
  • In the **Database Name** box, type a database name, or use the default name.

The database name must be unique.

  • Under Database authentication, select the authentication that you want to use by doing one of the following:
    - If you want to use Windows authentication, leave this option selected. We recommend this option because Windows authentication automatically encrypts the password when it connects to SQL Server.
    - If you want to use SQL authentication, click SQL authentication. In the Account box, type the name of the account that you want the service application to use to authenticate to the SQL Server database, and then type the password in the Password box.
  • In the Failover Database Server section, if you want to use a failover database server, specify the server name.
  • In the Application Pool section, do one of the following:
    - Click Use existing application pool, and then select the application pool that you want to use from the drop-down list.
    - Click **Create a new application pool**, type the name of the new application pool, and then under **Select a security account for this application pool** do one of the following:
      - Click Predefined to use a predefined security account, and then select the security account from the drop-down list.
      - Click Configurable to specify a new security account to be used for an existing application pool. You can create a new account by clicking the Register new managed account link.
  • In the Create App Management Service Application Proxy section, leave the Create App Management Service Application Proxy and add it to the default proxy group check box selected.
  • Click **OK**.

The following illustration shows the App Management service application and proxy that were created.

Manage Service Applications page showing the App Management service application and proxy.


Now you must start the service on the server.

  • In SharePoint 2013 Central Administration, click System Settings.
  • On the System Settings page, under Servers, click Manage services on server.
  • On the Services on Server page, next to App Management Service, click Start.

Configure the app URLs to use

In this section, you create the app domain prefix and the tenant name to use for apps in your environment. The app URL points to your app domain and a prefix that determines how each app is named. If you host multiple tenants in your environment, you must use Windows PowerShell to configure the app URLs.

Use the following procedure to configure app URLs for non-hosting (single tenant) environments by using Central Administration.

To configure app URLs

  1. In Central Administration, click Apps.
  2. On the Apps page, click Configure App URLs.
  3. In the **App domain** box, type the isolated domain that you created for hosting apps.

For example, ContosoApps.com or Contoso-Apps.com.

  4. In the App prefix box, type a name to use for the URL prefix for apps. For example, you could use “apps” as the prefix so that you would see a URL for each app such as “apps-12345678ABCDEF.ContosoApps.com”. The following illustration shows the Configure App URLs page after you have filled in the App domain and prefix.

The Configure App URLs page in Central Administration shows the App domain and App prefix.

  5. Click OK.
  6. If you will install apps and you have changed the App prefix (also known as the site subscription name), you must perform additional steps that involve restarting the World Wide Web Publishing Service (WWW Service) that hosts the apps.
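The same app URL configuration done from the SharePoint 2013 Management Shell, which the text above says is the required route when you host multiple tenants, as an added example that is not part of the original guide. It assumes the Subscription Settings and App Management service applications already exist and uses the guide's example values (ContosoApps.com, “apps”) as placeholders.

```powershell
# Added example: configure the app domain and app prefix with the SharePoint cmdlets.
# Run in the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$appDomain = 'ContosoApps.com'  # placeholder: the isolated app domain with the wildcard CNAME
$appPrefix = 'apps'             # placeholder: prefix, giving apps-12345678ABCDEF.ContosoApps.com

# App domain for the farm (needs the App Management service application).
Set-SPAppDomain -AppDomain $appDomain

# Site subscription name for the default tenant; this is the "App prefix" in Central Administration
# (needs the Subscription Settings service application).
Set-SPAppSiteSubscriptionName -Name $appPrefix -Confirm:$false

# Read back what the farm now reports so the change can be checked before installing apps.
Get-SPAppDomain
Get-SPAppSiteSubscriptionName

# Step 6 above: after changing the prefix, restart the World Wide Web Publishing Service
# on each server that hosts apps.
Restart-Service -Name W3SVC
```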

Configuring SSL

Remember when we created the wildcard CNAME record for our app domain to use? This technically means that anyrandomurl.onfpwebapps.net will be pointing to the same IP address as my SharePoint site. So let’s talk about IIS bindings and how they relate to this situation:


Every IIS site must have a unique binding. That means that some combination of the IP address, port and host name has to be unique on the server. This is to prevent any conflicts of multiple sites trying to serve the same requests.

Before IIS 8, in order to have multiple SSL’s, the most common thing to do was to use a *different* IP address for each SSL site. This is due to the fact that you couldn’t specify host names in the bindings for an SSL site. This leads back to the situation I’m in with my app domain configuration. My app domain is pointing to my site’s FQDN in DNS which means that it’s using the same IP address. So how will we work that out?

**Step 1: Acquire a wildcard SSL for your app domain.**

(In this scenario, it is assumed you’re already using SSL for your SharePoint site itself.)

Since I’m doing this in a lab environment, I am just using a self-signed certificate. In a production environment, you will definitely want to purchase the wildcard certificate from a 3rd party certificate authority.


Step 2: Create a placeholder web application for your app domain

This step isn’t technically necessary since you can add the additional app domain binding to one of your other SharePoint sites in IIS, but I like to do it to separate my SSL bindings to different sites in IIS. This web application will have no site collections since it’s not actually hosting any app content (remember that SharePoint apps can be hosted off the SharePoint server itself). It’s basically just going to serve as a placeholder:


Step 3: Update IIS bindings to use the SSL’s

This is where the magic is going to happen. The reason we can use multiple SSL certificates with the same IP address in IIS 8 is because of the new Server Name Indication option (SNI for short). This allows us to specify host names for SSL secured sites. Here are the bindings for my two SharePoint web applications:

My app domain’s placeholder web application has one HTTPS binding that is using the wildcard certificate and no Server Name Indication (since SNI requires that you specify one host name and each app would be using a different host name).


My SharePoint site’s web application’s bindings also have one HTTPS binding that uses the site’s specific SSL certificate. This binding is using the SNI option to specify the host name:
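The two bindings described above, created with the IIS WebAdministration module and then listed for verification, as an added example that is not part of the original post. It assumes IIS 8 or later, that both certificates are already installed in the machine's personal store, and uses placeholder site names, host name and thumbprints.

```powershell
# Added example: placeholder site gets the wildcard certificate with no SNI,
# the SharePoint site gets its own certificate with SNI, both on the same IP and port.
Import-Module WebAdministration

$appSite   = 'SharePoint - ContosoApps placeholder443'  # placeholder: IIS site of the app-domain web app
$spSite    = 'SharePoint - sharepoint.contoso.com443'   # placeholder: IIS site of the SharePoint web app
$spHost    = 'sharepoint.contoso.com'                   # placeholder: SharePoint site host name
$wildThumb = '<thumbprint of the *.contosoapps.com certificate>'  # placeholder
$spThumb   = '<thumbprint of the sharepoint.contoso.com certificate>'  # placeholder

# 1. Placeholder app-domain site: HTTPS on every IP, no host name, SslFlags 0 (no SNI),
#    because each app answers on a different host name under the wildcard.
New-WebBinding -Name $appSite -Protocol https -Port 443 -IPAddress '*' -SslFlags 0
$b = Get-WebBinding -Name $appSite -Protocol https |
     Where-Object { $_.bindingInformation -eq '*:443:' }
$b.AddSslCertificate($wildThumb, 'My')

# 2. SharePoint site: HTTPS with a host name and SslFlags 1 (SNI), so IIS picks this
#    certificate from the name the client sends rather than from the IP address.
New-WebBinding -Name $spSite -Protocol https -Port 443 -IPAddress '*' -HostHeader $spHost -SslFlags 1
$b = Get-WebBinding -Name $spSite -Protocol https -HostHeader $spHost
$b.AddSslCertificate($spThumb, 'My')

# Verify: both bindings share *:443 and differ only in host name, SNI flag and certificate.
Get-WebBinding -Protocol https |
    Select-Object bindingInformation, sslFlags, certificateHash
```

A client that does not send SNI falls through to the non-SNI binding and is handed the wildcard certificate, so a name mismatch warning on the SharePoint site from such a client is expected rather than a sign of a broken binding.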


Testing the apps now produces the correct results when opening:

**References:**

https://technet.microsoft.com/en-us/library/fp161236.aspx

By John Torrance
