SharePoint 2013 High Trust provider-hosted app: Allow single sign-on between the app and SharePoint

  • Question

  • My setup:

    - SharePoint 2013 RTM with March PU and August CU - target site is a developer site (http://10.7.8.161/sites/dev)

    - A high trust provider-hosted MVC4 app hosted on the same IIS7 instance as the SharePoint web application, but with its own separate IIS web site outside of the SharePoint instance (http://10.7.8.161:2200).

    - S2S connection is established by a trusted token issuer with a self-signed certificate.

    - This setup works fine except that the MVC app still prompts for user credentials when it's being launched from the authenticated SharePoint target site (http://10.7.8.161/sites/dev)

    What we don't want:

    - Adding the app URL as a trusted site from the browser to eliminate the credential prompt.

    - Putting the app in a virtual folder underneath the SharePoint web application (http://10.7.8.161/TestApp)

    - Making the app a low-trust app that uses intermediate trust brokers such as ADFS or Azure ACS.

    Could someone let me know if it's possible for a high trust app to be configured to accept authenticated credentials coming from SharePoint and vice versa? And if so, how can it be done?

    Thank you all

    Monday, September 9, 2013 7:57 PM

Answers

  • Hi Chris,

    You were right that the browser will issue an NTLM challenge if two sites exist in different zones - i.e. in my case http://10.7.8.161 and http://10.7.8.161:2200 are considered different zones. So what I did was put the MVC app in a virtual directory under SharePoint's web application, plus a few tweaks in the app project, and it started working. This however is less than ideal, as the MVC app's URL may clash with any subsite in SharePoint created with the same URL.

    Details:

    1. Created a virtual dir under Apps/TestApp (http://10.7.8.161/Apps/TestApp), and ensured only Windows Authentication is enabled for authentication.

    2. Changed the following settings in the AppManifest.xml from the SharePoint app project:

    - Changed the url of StartPage to:

    ...
      <Properties>
        ...
        <StartPage>http://10.7.8.161/apps/testapp/Home?{StandardTokens}&amp;SPHostTitle={HostTitle}</StartPage>
      </Properties>
    ...

    - Added the AllowAppOnly policy and changed the permission scope to take care of the "401 - Unauthorized" error:

    ...
      <AppPermissionRequests AllowAppOnlyPolicy="true" >
        <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read" />
      </AppPermissionRequests>
    </App> 

    3. To get around the error:

    Dynamic operations can only be performed in homogenous AppDomain

    I added the following to the web.config of the MVC app:

      <system.web>
    	...
    	<trust legacyCasModel="false" level="Full" />
      </system.web>

    4. Changed the following code in the HomeController's endpoint to get the SharePoint ClientContext for the AppOnly policy:

    // Host web URL supplied by SharePoint through the {StandardTokens} placeholder in StartPage
    Uri hostWeb = new Uri(Request["SPHostUrl"]);
    
    // Passing null for the WindowsIdentity produces an app-only token (requires AllowAppOnlyPolicy="true" in AppManifest.xml)
    string appOnlyAccessToken = TokenHelper.GetS2SAccessTokenWithWindowsIdentity(hostWeb, null);
    
    // The ClientContext sends the S2S token as a bearer token on every CSOM call
    using (ClientContext clientContext = TokenHelper.GetClientContextWithAccessToken(hostWeb.ToString(), appOnlyAccessToken)) {
    ...
    ...
    }

    There's actually no need to create a Managed Path for the root web application of the target SharePoint site, as posted on some forums.

    Please feel free to post any comments and feedback.

    More info on AppOnly policy:

    http://blogs.msdn.com/b/kaevans/archive/2013/02/23/sharepoint-2013-app-only-policy-made-easy.aspx

    Thanks everyone!


    Monday, September 16, 2013 7:59 PM
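The accepted fix above works because the app now sits in the same IE zone as the SharePoint site, but step 4 passes null as the WindowsIdentity, which makes every call to SharePoint app-only: permissions are evaluated against the app's grant, not against the signed-in user. The following is an added example, not code from the original thread, showing the variant a security reviewer would normally want in a high-trust app where Windows Authentication is already identifying the user: the request's LogonUserIdentity is handed to TokenHelper so the S2S token carries the user's identity, and the SPHostUrl query parameter is checked against an allow-list before any token is minted, because TokenHelper contacts that URL to discover the realm. TokenHelper is the class Visual Studio generates into a SharePoint 2013 provider-hosted app project; the AllowedSharePointHosts list, the Index action and the ViewBag fields are assumptions for this example.

```csharp
// Added example (not from the original thread): an MVC4 controller action for a
// SharePoint 2013 high-trust (S2S) app that builds the ClientContext with the
// caller's Windows identity instead of the app-only token used in the thread.
// Assumes the Visual Studio-generated TokenHelper class is present in the project
// and that the app's IIS site has Windows Authentication only (anonymous disabled).
using System;
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;
using Microsoft.SharePoint.Client;

public class HomeController : Controller
{
    // Hosts this app is allowed to mint S2S tokens for. The IP below is the
    // thread's example farm; in a real deployment list your SharePoint web
    // application host names here. (Assumption for this example.)
    private static readonly string[] AllowedSharePointHosts = { "10.7.8.161" };

    public ActionResult Index()
    {
        // SPHostUrl arrives via {StandardTokens} in StartPage. Treat it as
        // untrusted input: TokenHelper makes an HTTP request to this URL to
        // discover the realm, so only hosts we know should be accepted.
        Uri hostWeb;
        if (!Uri.TryCreate(Request["SPHostUrl"], UriKind.Absolute, out hostWeb)
            || !AllowedSharePointHosts.Contains(hostWeb.Host, StringComparer.OrdinalIgnoreCase))
        {
            return new HttpStatusCodeResult(400, "Missing or unexpected SPHostUrl");
        }

        // With anonymous disabled and Windows auth on, IIS has already completed
        // the NTLM/Kerberos handshake; LogonUserIdentity is that authenticated user.
        WindowsIdentity caller = Request.LogonUserIdentity;
        if (caller == null || !caller.IsAuthenticated)
        {
            return new HttpUnauthorizedResult();
        }

        // Passing the identity (rather than null) yields a user+app token: the
        // token carries the user's SID and SharePoint enforces *that user's*
        // permissions on the host web. With null you get an app-only token, so a
        // user with no rights on the site could still read everything the app
        // itself was granted in AppManifest.xml.
        string accessToken = TokenHelper.GetS2SAccessTokenWithWindowsIdentity(hostWeb, caller);

        using (ClientContext clientContext =
            TokenHelper.GetClientContextWithAccessToken(hostWeb.ToString(), accessToken))
        {
            Web web = clientContext.Web;
            clientContext.Load(web, w => w.Title);
            clientContext.ExecuteQuery();

            ViewBag.SiteTitle = web.Title;
            ViewBag.User = caller.Name;
        }

        return View();
    }
}
```

If the "401 - Unauthorized" from the thread comes back with this variant, it means the signed-in user lacks permission on the host web, which is exactly the check the app-only token suppresses; grant the user access (or request a narrower app permission) rather than falling back to null, unless the app genuinely needs to act on its own behalf, for example in a timer job with no user present.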

All replies

  • Hi Jack,

    It sounds like the backend of the app isn't picking up who that user is automatically from the browser passing it along, i.e. the negotiation isn't happening for NTLM and it's falling back to basic?

    Is it simply a zone issue in IE?  For example, IE won't pass NTLM unless the site is in the Intranet zone.  By default any site with a "." in the address is in the Internet zone, if memory serves me correctly. Could it be something that simple?  I.e. your problem might go away with DNS names without a "." in them for your backend app.


    -Chris.
    www.looselytyped.net

    Tuesday, September 10, 2013 3:48 AM
  • Hi Chris,

    The MVC app is configured with NTLM for Windows Authentication, and Anonymous authentication disabled. I also believe it is a problem with the browser not passing NTLM from the SharePoint site to the app when the app is being launched from the SharePoint site.

    I tried changing the domain name of the app from http://10.7.8.161:2200 to http://s1:2200 and it did not work; it's still giving me an NTLM challenge.

    Any other options?

    Thanks for the reply Chris.

    Tuesday, September 10, 2013 12:19 PM
  • Hi Jack,

    SharePoint doesn't pass the NTLM token to your app, your browser does. 

    If you put a blank page in your app web and browse to it directly, not through sharepoint, do you see it prompt?  What zone does it show in?

    e.g. it should show as intranet zone below for NTLM to work


    -Chris.
    www.looselytyped.net

    Friday, September 13, 2013 6:34 PM
  • Hi Chris,

    Both the pages from SharePoint and from the remote app are showing Internet for the zone they are in. The trust between SharePoint and the remote MVC app is established once the SharePoint user gets authenticated by the prompt from the remote app. But what we want is to be able to sign in once from SharePoint and have the high trust app launched from a SharePoint site without the app prompting the user for credentials again.

    If NTLM does not delegate user credentials from SharePoint to the app (both hosted on the same server and same IIS) in the Internet zone, it is a serious limitation. I also read that using Kerberos may be a possible option, but I'm not sure if it can be made to work for single sign-on between SharePoint and a high trust app.

    Thanks for the reply Chris.

    Friday, September 13, 2013 7:13 PM
  • Hi Jack,

    An NTLM token will NOT be passed from the browser if the site is in the Internet zone.  Only in the intranet zone.

    High Trust apps (S2S) don't get passed the user context and auth token from SharePoint.  They must establish who the user is through something like NTLM or some other auth system.

    I suggest fixing your app site first and making sure NTLM is working when the user browses to it directly.  Once you have that fixed then you can move on to accessing it from SharePoint.


    -Chris.
    www.looselytyped.net

    Friday, September 13, 2013 9:02 PM
  • Hi Chris,

    My high trust app is working fine with NTLM when supplied with a SharePoint user's credentials at the prompt, either when being launched from SharePoint or when accessing it directly from the browser with its own URL. This points back to my original question of whether it's possible to set up a high trust app to accept the user credentials already existing in the browser without prompting a second time after the user has signed on to SharePoint. And if so, how can it be done?

    Thanks  

    Saturday, September 14, 2013 2:27 AM
  • Hi Jack,

    No, you can't. SharePoint won't "pass" the NTLM token to your app for you.  Your browser has to.

    The only way to stop the prompts you are seeing is to get your site into a Zone that supports passing NTLM tokens to the site. That won't happen when it's in the Internet zone.



    -Chris.
    www.looselytyped.net

    Saturday, September 14, 2013 2:34 AM
  • Thanks for your quick reply Chris.

    I think there has to be a way to make user credential delegation work between SharePoint and a high trust S2S app in the Internet zone. Otherwise, it'd defeat the purpose of having the app connect with SharePoint in the first place.

    I'll keep looking for answers and post a solution if I find one.

    Thanks again for your help. 

    Saturday, September 14, 2013 2:43 AM
  • I am not sure if I missed something special that you are trying to do, but the provider-hosted app model authentication is done through OAuth (not NTLM or other), which basically means that the app web site is anonymous.

    Start by taking a look at http://msdn.microsoft.com/en-us/library/fp142384.aspx and just search for "SharePoint 2013 OAuth" from there.

    If you want to use NTLM, you can host the app under your site (i.e. http://my_sp_site/my_mvc_app) which I have done but I am not sure if it is supported and I am not sure if you can access SP data this way.

    Cheers


    -James
    MCPD: SharePoint Developer 2010
    Posting is provided "AS IS" with no warranties, and confers no rights.
    Please mark as answer or helpful as appropriate

    Saturday, September 14, 2013 2:22 PM
  • High trust (S2S) on-prem apps don't use OAuth. This model works 100% without ACS on the net.

    oauth is the normal way for apps, but not if they are using the high trust model.


    -Chris.
    www.looselytyped.net

    Saturday, September 14, 2013 4:05 PM
  • Yeah please do. :)

    -Chris.
    www.looselytyped.net

    Saturday, September 14, 2013 4:06 PM
  • Sorry, Chris is correct.  Been doing too many Azure / auto hosted apps.

    -James
    MCPD: SharePoint Developer 2010
    Posting is provided "AS IS" with no warranties, and confers no rights.
    Please mark as answer or helpful as appropriate

    Saturday, September 14, 2013 4:58 PM