SharePoint Hosted Apps in AAM or host-header environments for SharePoint 2013 with ADFS

Hey Guys,
Many of you might have started working on, or at least looking at, a hybrid implementation of SharePoint 2013 and Office 365, probably using some federated authentication like ADFS 3.0. You might not have faced any issues installing and running even basic apps from the SharePoint Store in an Office 365 environment, but it is not that easy, or at least not that well documented, how this exactly works for on-premises sites.

In some cases you might have got it working in your lab/dev environment easily, but what if you have a SharePoint site with host headers defined in IIS? As per “Setting up your App domain for SharePoint 2013“, you must not use host headers in your SharePoint site to ensure apps work properly. However, this may not always be the ideal scenario in a production environment, as there could be multiple sites hosted in IIS on port 443 to enable the use of SSL, and that can only be achieved by either having multiple IP addresses or host headers.

While exploring for a solution, I found the article “Configuring SharePoint 2013 Apps and Multiple Web Applications on SSL with a Single IP Address“. While it has some very nice explanation, I could not get my apps working using that listener site, as my SharePoint sites use ADFS authentication and I could not get past the authentication of the listener site.

Also, even after going through the TechNet article “Enable apps in AAM or host-header environments for SharePoint 2013” multiple times, I could not understand where it was actually creating the app domain and which certificate it was applying!

I’ll just focus on the on-premises part, as for Office 365 it just works without any additional configuration!

So, let’s summarize our problem statement:

  1. We have a SharePoint web application (say https://sites.contoso.com) with Host Header set in IIS, using 443 and have a valid SSL certificate attached.
  2. Our SharePoint Web Application is configured to use ADFS Authentication
  3. We need to configure this environment so that we can use SharePoint Hosted Apps (Including SharePoint Store Apps)
  4. We have already configured the app environment as explained in the TechNet article “Configure an environment for apps for SharePoint (SharePoint 2013)”.
BUT: Apps are just not working !!!
Let’s see what we can do about it:

1. Open IIS and take a look at your SharePoint site’s bindings. If your site is using host headers, it most probably looks similar to this (https binding on port 443 with the site’s hostname as host header).

Note: If Require Server Name Indication is not checked, check it.

2. Run the PowerShell command New-SPWebApplicationAppDomain, passing the -AppDomain, -WebApplication, -Zone, -Port and -SecureSocketsLayer parameters.

    E.g. New-SPWebApplicationAppDomain -AppDomain "contosoapps.com" -WebApplication "https://sites.contoso.com" -Zone Default -Port 10000 -SecureSocketsLayer
 
3. Enable support for multiple app domains on the content web service (run in the SharePoint 2013 Management Shell, then reset IIS):

    $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    $contentService.SupportMultipleAppDomains = $true
    $contentService.Update()
    iisreset

4. Now, let’s go back to IIS and open your SharePoint site’s bindings again.

You can see a new entry has been added there with the port number you specified in the previous PowerShell command.
5. Let’s edit the second entry: change the port number to 443 and select the wildcard certificate for contosoapps.com. Don’t put any host header here and don’t select Require Server Name Indication.
6. Your IIS bindings should now look like this: the original host-header binding on 443 (with SNI) plus a second 443 binding with no host header carrying the app-domain wildcard certificate.
And that’s it. The same SharePoint site can now accept app requests, authenticate them with whatever authentication mode has been set for the SharePoint site, and you can see your SharePoint Store apps working perfectly fine 🙂
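The six steps above, scripted end to end, as an added example that is not part of the original post. It assumes it runs in an elevated SharePoint 2013 Management Shell on a front-end server with the IIS WebAdministration module available, that the IIS site is named "SharePoint - sites.contoso.com", and that a wildcard certificate for *.contosoapps.com is already installed in the local machine’s personal store; the parameter names and default values are the post’s sample values and are placeholders for your own. The -Zone parameter is exposed so the same script covers the non-default-zone case described further down.

```powershell
# Added example (not from the original post): automates steps 2-6 above.
# Assumptions: SharePoint snap-in + WebAdministration module present, IIS site
# name and certificate subject as given in the parameters below.

param(
    [string]$AppDomain          = "contosoapps.com",                 # must be a separate domain, not a subdomain of the site
    [string]$WebApplicationUrl  = "https://sites.contoso.com",
    [string]$Zone               = "Default",                         # e.g. "Intranet" for a non-default zone
    [int]   $TempPort           = 10000,                             # port SharePoint binds first (step 2)
    [string]$IisSiteName        = "SharePoint - sites.contoso.com",  # assumed IIS site name
    [string]$CertSubjectPattern = "CN=*.contosoapps.com"             # wildcard cert for the app domain
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

# Step 2: register the app domain against the web application and zone.
New-SPWebApplicationAppDomain -AppDomain $AppDomain -WebApplication $WebApplicationUrl `
    -Zone $Zone -Port $TempPort -SecureSocketsLayer

# Step 3: let one SharePoint site answer for more than one app domain.
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$contentService.SupportMultipleAppDomains = $true
$contentService.Update()
iisreset

# Step 4: show the bindings SharePoint just created (the new entry is on $TempPort).
Get-WebBinding -Name $IisSiteName | Select-Object protocol, bindingInformation, sslFlags

# Step 5: replace the temporary-port binding with a 443 binding that has no host
# header and no SNI (sslFlags 0), then attach the wildcard app-domain certificate.
# App requests arrive on per-app random hostnames under the app domain, so only a
# catch-all binding with a wildcard certificate can serve them; the site’s own
# binding keeps its host header + SNI so its certificate is only served for its name.
Get-WebBinding -Name $IisSiteName -Port $TempPort | Remove-WebBinding
New-WebBinding -Name $IisSiteName -Protocol https -Port 443 -IPAddress "*" -SslFlags 0

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $CertSubjectPattern } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$CertSubjectPattern' in LocalMachine\My" }

$catchAll = Get-WebBinding -Name $IisSiteName -Protocol https |
    Where-Object { $_.bindingInformation -eq "*:443:" }
$catchAll.AddSslCertificate($cert.Thumbprint, "My")

# Step 6 / verification: expect the original host-header binding with SNI plus the
# single "*:443:" binding, and the app domain registered for the web application.
Get-WebBinding -Name $IisSiteName -Protocol https | Select-Object bindingInformation, sslFlags
Get-SPWebApplicationAppDomain -WebApplication $WebApplicationUrl
```

Run it once per front-end server, since the IIS binding edit in step 5 is local to each server while the app-domain registration in step 2 is farm-wide. The final two commands are the check worth keeping: if a second host-header-less 443 binding already exists on the site, IIS will refuse the new one, and if Get-SPWebApplicationAppDomain does not list the domain for the expected zone, app requests will still be redirected back to the default zone.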

If you need to run apps in any zone other than the default one, you need to make some changes; otherwise SharePoint seems to always redirect app requests back to your default zone URL.

Obviously, you would change the zone in the command from, say, Default to Intranet:

    New-SPWebApplicationAppDomain -AppDomain "contosoapps.com" -WebApplication "https://sites.contoso.com" -Zone Intranet -Port 10000 -SecureSocketsLayer

Then, in Central Administration -> Apps -> Configure App URLs, change the app domain to something else like contosoapps2.com… If it stays contosoapps.com, the requests will go to the default zone.

To share the app domain with other SharePoint web applications that use the same zone, authentication and app pool identity, simply run this command:

    New-SPWebApplicationAppDomain -AppDomain "contosoapps.com" -WebApplication "https://portal.contoso.com" -Zone Intranet -Port 10000 -SecureSocketsLayer

Hope this helps.
