How to Setup SSL Cert for Apps

    Question

  • I have followed the directions to configure an environment for SharePoint apps. All went well until I downloaded an app and clicked on it, where I then get a certificate error.

    In trying to resolve my problem, I noticed that the directions tell you to plan and buy an app domain (i.e. myspapps.com) and to get a wildcard SSL certificate, and I did (i.e. *.myspapps.com), but the instructions never have you do anything with the certificate.

    Where is the certificate installed (I assume IIS 7) and where does one set the "binding" for the certificate?

    TIA

    Thursday, June 06, 2013 11:24 PM

Answers

  • In my screenshot above, the IIS binding for the SharePoint web application, you see that I have an entry for port 443 with an empty host header. This is the entry that routes all the requests for the App Domain. The certificate associated with this IIS binding entry determines what your SharePoint-hosted app uses.

    Please note that the certificate used for the app web has nothing to do with the token signing certificate for the app. The former is used to establish the HTTPS traffic between the browser and the SharePoint-hosted app web; the latter is used to sign the trusted token issued by a high-trust provider-hosted app.



    Sunday, June 09, 2013 2:26 AM

All replies

  • For how to import a certificate into IIS 7: http://technet.microsoft.com/en-us/library/cc732785(v=ws.10).aspx

    For how to bind a certificate to an IIS site:


    And my thread describes something which you already have done: http://social.technet.microsoft.com/Forums/en-US/sharepointadmin/thread/ff938115-e00b-4762-99fd-ce8e3b0b938a . Since I am using a CA integrated with my test domain, the process to get a wildcard certificate may be different from yours. The same thing is that you need to get a wildcard certificate with a private key.
    Friday, June 07, 2013 4:05 AM
  • I know how to get my certs into IIS. The wildcard cert is already there. My problem is specifically related to: SHAREPOINT APPS... I set up a separate domain. I set up the DNS entries. I configured SharePoint for apps and everything is working up to the last step: I can download and install a SharePoint app and it shows up in the site. However, if I click on the app it fails with a certificate error.

    Here is an example (sites are fictitious to demonstrate):

    I have a site similar to: https://portal.mysite.com and it's up and working great.

    I have a domain registered and working with DNS for apps using a wildcard cert: *.mysiteapps.com

    I followed these directions: Configure an Environment for Apps for SharePoint 2013, but they don't show how to get the wildcard cert bound for applications. When following the directions there is no web application created in IIS to bind the cert to. If I try to create a web application in SharePoint (https://mysiteapps.com) I get an error that it already exists... so the web application is there (somewhere), it's just not listed in IIS and I don't have any idea how to bind the cert... something is missing from the instructions!

    Friday, June 07, 2013 4:26 AM
  • As an example, I think something like this post, that describes installing a cert for multiple apps, needs to be done to have apps work with an SSL wildcard cert:

    http://msdn.microsoft.com/en-us/library/jj945118.aspx

    Only that post is too vague on the last key step and provides no example. I still have no idea. I'm lost.

    Friday, June 07, 2013 4:46 AM
  • I think you mean the token signing certificate for your provider-hosted app here, which is described in the following steps in http://msdn.microsoft.com/en-us/library/fp179901.aspx :

    • Under How do you want your app to authenticate?, choose Use a certificate.
    • Click the Browse button next to the Certificate location box and navigate to the location of the self-signed certificate (.pfx file) that you created. Type the password for this certificate in the Password box. Type the issuer ID in the Issuer ID box.



    You don't need to bind this certificate to an IIS site. After you have taken the steps above, the location of the certificate on the file system will be added to the web.config file for your provider-hosted app; you can search for ClientSigningCertificatePath in the web.config file.
    Friday, June 07, 2013 5:47 AM
  • Okay, I performed these steps trying to get the token service working:

    # Public part of the certificate that will sign app tokens (the path is the poster's placeholder)
    $publicCertPath = "C:\mycertpath\mywildcardcert.cer"

    # The issuer ID must be a GUID in lower case; the value here is a placeholder
    $issuerId = ([Guid]"arandomnlygeneratedguidgoeshere").ToString()
    $spurl = "https://portal.mysite.com"
    $spweb = Get-SPWeb $spurl
    # The farm's authentication realm is needed to build the full issuer identifier
    $sc = Get-SPServiceContext $spweb.site
    $realm = Get-SPAuthenticationRealm -ServiceContext $sc
    $certificate = Get-PfxCertificate $publicCertPath
    # Trust the certificate, then register it as a token issuer acting as trust broker
    New-SPTrustedRootAuthority -Name "ssiapps.net_cert" -Certificate $certificate
    $fullIssuerIdentifier = $issuerId + '@' + $realm
    New-SPTrustedSecurityTokenIssuer -Name $issuerId -Certificate $certificate -RegisteredIssuerName $fullIssuerIdentifier -IsTrustBroker

    iisreset

    My problem now is that the wrong certificate is being used for the apps.

    For the actual SharePoint site (https://portal.mysite.com), I use the wildcard cert for it: *.mysite.com

    The application should be using the application cert (*.mysiteapps.com), BUT IT'S NOT... the application is using the *.mysite.com certificate instead of the *.mysiteapps.com certificate.

    How do I check what certificate the app site uses for https? How do I change that cert?

    Friday, June 07, 2013 11:09 PM
  • BTW: I am trying to test with free apps from SharePoint store... so please don't complicate it with Visual Studio based apps.
    Saturday, June 08, 2013 3:51 AM
  • One more note: The blog post below EXACTLY describes my scenario.

    Blog Post

    I am not sure; that is my interpretation of that post. I am sure that nowhere in the documentation (at least that I found) is a proper guide to set up an on-premises deployment of SharePoint where ALL sites use SSL, where the app domain is a separate domain, not a child domain, and where all app sites use a common SSL wildcard certificate. I should also note that the default SharePoint behavior to assign random port numbers is offensive. In no way should that be a "best practice".

    The default behavior SHOULD be all sites using port 443 (SSL). I could accept a simple choice at the beginning of the install process: (1) Use SSL port 443 for all sites (recommended), or (2) Don't use SSL and have random ports assigned (easier for learning/development).

    Okay, so I was diverted... How do I get SharePoint to use SSL for all sites and have it configured to use a single wildcard cert for applications?


    Saturday, June 08, 2013 4:24 AM
  • Hello

    How many IIS sites do you have? You need to have an IP address bound to each SSL listener. I have seen instances where SSL CAN use host headers and works most of the time, but it presents problems where you're using different certificates for different sites. In your case it may work just using host headers. If you do not know how to enable host headers for SSL (greyed out), it's fairly simple:

    * Open the certificate MMC (computer account store)

    * Browse to your certificate and change the friendly name (under Personal - Certificates, open / double-click the certificate, under Details click Edit Properties -> *domain; the exact name doesn't really matter)



    MCITP-EA | I really like cheese.. no, I really do

    Saturday, June 08, 2013 2:17 PM
  • Okay, I am making progress.  I can open an app now without a cert error. This is what I did to fix it:

    1) Added a network adapter to the SharePoint web server and gave it a static IP address

    2) I edited the bindings for the no host header website in IIS and added an HTTPS entry bound to the new IP address using the *.mysiteapps.com cert

    3) Removed the CNAME entry for the mysiteapps.com domain and added a Host A record instead that points to the address above

    4) Ran IIS reset

    Now the redirections work and the correct certs are assigned ... HOWEVER...

    There are TWO login prompts:(1) to login to the site, and (2) a prompt for the application embedded as a web part on the page.

    How do I get the identity already registered with the SharePoint site on the first login prompt to get automatically passed on/registered with the application site, so the second prompt does not occur?

    Sunday, June 09, 2013 6:00 PM
  • BTW: I could not use one IP address because the "SharePoint Web Services" application in IIS had no host header as well. That website was auto-created by SharePoint and I did not want to break its functionality... There was no way to use different certs and one IP address. It works with two.

    I also should note that all websites were directly bound to "the other/original IP address" too. No website in IIS for me is configured to listen on all IP addresses now.

    Sunday, June 09, 2013 6:10 PM
  • >>I could not use one IP address because the "SharePoint Web Services" application in IIS had no host header as well.

    The SharePoint Web Services site uses ports 32843 and 32844, so it won't conflict with your web application. And usually, you don't need to configure an SSL certificate for this site: http://blogs.msdn.com/b/besidethepoint/archive/2010/11/30/sharepoint-2010-certificates.aspx

    Monday, June 10, 2013 1:12 AM
  • That is not what I meant. What I meant... is that IIS will not allow more than one site to use the same IP address, the port (port 443 for SSL), and have those sites use DIFFERENT wildcard certificates.

    I had to bind my SharePoint sites to one particular IP Address and then bind the app site to another IP Address. If I didn't, IIS would auto-change the certificate used. The redirecting would simply NOT WORK with one IP Address.

    NOTE: This is because I do not use any custom port for any of my SharePoint sites. I use host headers. I also do not use http at all: all of my sites use SSL (port 443).

    My last problem getting apps to work properly still remains though: if I embed an app into a site (add it as a web part), the security token is not being passed on. A login prompt gets displayed for every instance of an app added to a site page.

    I will create a new topic for that issue and mark the post as the answer for getting redirection to work properly, the first problem I had.

    Tuesday, June 11, 2013 4:56 PM
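    The two questions raised above, which certificate the app site is actually being served over HTTPS and why a second IP address was needed, can both be checked on the web server itself. The PowerShell below is an added example, not code from this thread; it assumes IIS 7.x with the WebAdministration module, server certificates in Cert:\LocalMachine\My, and a placeholder app host name at the bottom.

```powershell
# Added diagnostic, not from the thread. Assumes IIS 7.x with the WebAdministration module and the
# server certificates in Cert:\LocalMachine\My; the app host name at the bottom is a placeholder.
Import-Module WebAdministration

function Get-CertDnsNames($Cert) {
    # Names the certificate is valid for: SAN entries if present, otherwise the subject CN.
    $san = $Cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if ($san) { return ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1] } }
    return @($Cert.GetNameInfo('SimpleName', $false))
}

function Test-DnsNameCovered([string]$HostName, [string[]]$Names) {
    # Exact match, or a *.example.com wildcard covering exactly one extra left-most label.
    foreach ($n in $Names) {
        $pattern = '^' + [regex]::Escape($n).Replace('\*', '[^.]+') + '$'
        if ($HostName -match $pattern) { return $true }
    }
    return $false
}

function Get-IisHttpsBindingReport {
    # One row per HTTPS binding with the certificate HTTP.sys presents on that IP:port;
    # without SNI (IIS 7.x) the host header plays no part in choosing the certificate.
    $ssl = @{}
    Get-ChildItem IIS:\SslBindings | ForEach-Object { $ssl["$($_.IPAddress):$($_.Port)"] = $_ }
    foreach ($b in @(Get-WebBinding -Protocol https)) {
        $ip, $port, $hostHeader = $b.bindingInformation -split ':'
        if ($ip -eq '*') { $ip = '0.0.0.0' }
        $cert = if ($ssl.ContainsKey("${ip}:${port}")) {
            Get-ChildItem "Cert:\LocalMachine\$($ssl["${ip}:${port}"].Store)" |
                Where-Object { $_.Thumbprint -eq $ssl["${ip}:${port}"].Thumbprint }
        }
        [pscustomobject]@{
            Site = [regex]::Match($b.ItemXPath, "@name='([^']+)'").Groups[1].Value
            IPAddress = $ip; Port = [int]$port; HostHeader = $hostHeader
            DnsNames = if ($cert) { @(Get-CertDnsNames $cert) -join ' ' } else { '(no certificate)' }
        }
    }
}

function Test-AppHostCertificate([string]$HostName) {
    # Resolve the host, take the binding HTTP.sys answers on (a specific IP beats 0.0.0.0),
    # and report whether that certificate actually covers the requested name.
    $ip = [System.Net.Dns]::GetHostAddresses($HostName) | Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    $row = Get-IisHttpsBindingReport |
           Where-Object { $_.Port -eq 443 -and ($_.IPAddress -eq "$ip" -or $_.IPAddress -eq '0.0.0.0') } |
           Sort-Object { $_.IPAddress -eq '0.0.0.0' } | Select-Object -First 1
    if (-not $row) { return "No HTTPS binding on this server answers for $HostName ($ip)" }
    $ok = Test-DnsNameCovered $HostName ($row.DnsNames -split ' ')
    return "$HostName -> $ip gets [$($row.DnsNames)] from site '$($row.Site)': $(if ($ok) { 'OK' } else { 'MISMATCH' })"
}

Test-AppHostCertificate 'app-12345678.mysiteapps.com'   # placeholder app host name
```

    A MISMATCH result with the app host resolving to the same IP as the portal site is exactly the symptom described in this thread: the portal's *.mysite.com certificate is served for every host name on that IP:443, regardless of host header.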
  • This is a purely theoretical answer.

    For your issue where you are encountering multiple authentication prompts:

    In production you should use back connection host names, but in dev you can also try DisableLoopBackCheck (http://support.microsoft.com/kb/896861) as a blanket fix. This is especially so if the authentication issue is occurring when you try to access the site while on the server.

    Another (here's the theoretical part) component is that your domains are separate. For example, SharePointApps.com and SharePoint.com: while SharePoint.com consumes apps from SharePointApps.com, the authentication token requires a new cookie to be created. (The shared token service actually has the client store the claims as a cookie (FedAuth).)

    The browser may simply not be passing this cookie across apps due to security limitations of the browser.

    To test I recommend setting up a self-signed setup where you have *.apps.SharePoint.com and SharePoint.com  (noting that *.apps is a subdomain of SharePoint.com).

    Anyway, let me know if either of those work.

    Tuesday, June 11, 2013 6:03 PM
  • I just created this topic that explains a lot:

    High Trust Configuration to Support On-Premises App Domain - Trying to Get Single Sign-On

    In regard to your points:

    1) I already have DisableLoopBackCheck set as I have had horrible luck getting "back connections" to work. Also there are more than just back connections that arise as a problem... that is another topic.

    2) We do have separate app domains per guidance from Microsoft and Consultants, as I noted within that link to the other topic. A single domain is not an option.

    3) That is what I need to get working: I need that cookie and security token passed across the app domains. I thought this article: How to: Create high-trust apps for SharePoint 2013 using the server-to-server protocol (advanced topic) would get it done but either (1) it simply doesn't work for what I need, or (2) I am misunderstanding how to get done correctly.


    Tuesday, June 11, 2013 6:13 PM
  • I believe I found the right information, but have yet to follow all the instructions and confirm. This is a link that I believe does address my issue:

    Claims-Based Single Sign-On for Microsoft SharePoint 2010

    If anyone has gone through this or could post anything useful they've learned.... the feedback would be greatly appreciated. I will post back my results regardless.

    Wednesday, June 12, 2013 8:14 PM
  • >>What I meant... is that IIS will not allow more than one site to use the same IP address, the port (port 443 for SSL), and have those sites use DIFFERENT wildcard certificates.

    I had to bind my SharePoint sites to one particular IP Address and then bind the app site to another IP Address. If I didn't, IIS would auto-change the certificate used.

    I see what you mean; I use a single certificate that includes both the SharePoint domain and the App domain in the subject alternative name:

    Thursday, June 20, 2013 8:43 AM
  • No, I didn't mean a token signing certificate for a provider hosted application. I want the entire wildcard of possible apps to work. I also intend to actually write and publish my own applications.

    It is clear now that I need to setup AD FS (Active Directory Federation Services). The websites and the apps need to be configured with AD FS so that they all trust each other. I also get another feature I really need: SSO or single sign on.

    Thursday, June 20, 2013 8:02 PM
  • Just found on IE10 that the browser gives a mismatched address error for my *.sp2013app.guyuming.com. But Chrome recognises it.
    Update: I just tried in the same IE10 again, and the error disappeared! The "warn about certificate address mismatch" setting is still checked. Then why did I see the error just a moment ago?

    I had just migrated my certificate authority to another server, which might cause a CRL issue. And I had just changed the certificate in the IIS binding. But I was testing on Chrome at about the same time.

    Friday, June 21, 2013 7:12 AM
  • >>Okay, I am making progress.  I can open an app now without a cert error. This is what I did to fix it:

    >>1) Added a network adapter to the SharePoint web server and gave it a static IP address

    >>2) I edited the bindings for the no host header website in IIS and added an HTTPS entry bound to the new IP address using the *.mysiteapps.com cert

    >>3) Removed the CNAME entry for the mysiteapps.com domain and added a Host A record instead that points to the address above

    >>4) Ran IIS reset

    >>Now the redirections work and the correct certs are assigned ... HOWEVER...

    >>There are TWO login prompts:(1) to login to the site, and (2) a prompt for the application embedded as a web part on the page.

    >>How do I get the identity already registered with the SharePoint site on the first login prompt to get automatically passed on/registered with the application site, so the second prompt does not occur?

    I too am struggling with SharePoint Apps/SSL. Trevor, trying to follow some of your threads and it looks like you've solved the Certificate Mismatch by using another IP address on your SharePoint server and binding the Apps Wildcard Cert to that IP?

    But right now, you're still getting multiple authentication prompts? We use Group Policy to push the external FQDN of the SharePoint to the user's Local Intranet zone. I believe if we did the same for the App domain, we'd bypass the additional prompt. Naturally, MS documentation says to leave the App domain in the Internet zone.

    Tuesday, October 15, 2013 3:48 PM