Setting Up Apps Service (ADFS 2.0 capable) & Where To Install Apps Certificate (*.apps.domain.com)

There seems to be sparse information on how to set up the Apps Service for SharePoint2013 using SSL, especially, if you decide not to set up a separate domain, but rather use a subdomain with a unique SSL cert (*.apps.domain.com).   Most of the setup is fairly straightforward, however, there are a few differences.

First, I do want to note that Microsoft does not recommend this model (http://technet.microsoft.com/en-us/library/fp161237.aspx).  We are doing this because we are using ADFS 2.0 and will be using Apps developed in-house.

Use a unique domain name, not a subdomain
For security reasons, the domain name that you choose should not be a subdomain of the root domain name that hosts other applications. This is because other applications that run under that host name might contain sensitive information that is stored in cookies that might not be protected. Code can set or read cookies across different domains that are under the same domain. A malicious developer could use code in an app for SharePoint to set or read information in a cookie on the root domain from the app for SharePoint subdomain. If a malicious app accessed that cookie information, then you could have an information leak. Internet Explorer honors the settings that SharePoint sites use to protect against this issue. However, you should still use a domain for apps that is separate from your other domains. For example, if the SharePoint sites are at Contoso.com, do not use Apps.Contoso.com. Instead use a unique name such as Contoso-Apps.com. This is not to say that you should never use a subdomain if you have business reasons to do this. However, consider all potential security risks.

This from Microsoft regarding ADFS and SharePoint Apps:

(post) SharePoint-hosted Apps do not support SAML auth – currently SharePoint-hosted Apps will not be redirected to correctly when using SAML auth.  This is because most identity providers (ADFS 2.0 included), do not support wildcards for return URLs – which would be needed due to the isolated domain model implemented for SharePoint-hosted Apps.  However, Azure hosted, or provider-hosted Apps will work when SharePoint is configured to use SAML auth – but there is some configuration required, which Steve Peschka covers off in quite some detail here:  Using SharePoint Apps with SAML and FBA Sites in SharePoint 2013.

With that said, the setup is as follows (in Powershell):

$subService = New-SPSubscriptionSettingsServiceApplication -ApplicationPool “Default SharePoint Service Application Pool” -Name “Subscription Settings Service” -DatabaseName “Subscription_Settings_Service_DB”

New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $subService

Get-SPServiceInstance | where {$_.TypeName -eq “Microsoft SharePoint Foundation Subscription Settings Service”} | Start-SPServiceInstance

Then go into DNS and set up your subdomain for “apps.domain.com” then add a CNAME entry for * to point back to the SharePoint server that has the apps service running.

Head over to Central Admin, go into “Manage Service Applications,” click “New”, select “App Management Service.”

Create a new App Management Service Application, being sure to clear out that nasty Guid and also selecting your default service app pool.

Next go to “Services on Server” and start the “App Management Service.”

You are almost done.  Then click on “Apps” in the left menu (second link from the bottom). Click “Configure App URLs.” Enter “apps.domain.com” and enter an App prefix “app.”

Last step is where the process deviates a bit. You will need to set up a web application without a host header listening on port 443.  This is so that SharePoint can listen for requests that are specific to the apps. Be sure to select “Use Secure Sockets Layer (SSL), and assign it to port 443.

Finally, last step is to install your certificate for “*.apps.domain.com”  I am assuming here you already have gotten one.

  1. Go into IIS Manager.
  2. Find the SharePoint – Apps site you just created.
  3. Click on it, click “Bindings…”
  4. Select the entry with port 443
  5. Click “Edit”
  6. Select the *apps.domain.com certificate
  7. Click OK

That’s it. You should be good to go now!

*I will add a caveat here that I have not built any apps yet, so I have yet to test this all the way through, but this post is based on all the materials I could find, and from what I can tell, it should work.

Posted in SharePoint 2013.

3 Comments

  1. Are you sure this work? I tried that as well and seems like everything worked well but then when you really add the apps to your site, redirection is messed up and user always end up on 404 page.

  2. I am not entirely convinced this scenario will work for Apps published in the SharePoint App Store. I just tried adding one, and I was unable to get it to work either. Our plan is to have our own in house apps. However, we have not built any yet. I will definitely be revising this post when we do if there are any issues.

  3. Sammy, also, if you are able to get this type of setup to work, I would love to hear about it. I put this post together because there seems to be a severe lack of information out there for ADFS & SharePoint configurations, and I thought it might help someone, but I would like to know what is actually working for people.

Leave a Reply

Your email address will not be published. Required fields are marked *