Publishing SharePoint-Hosted Apps with Web Application Proxy

To continue the SharePoint on Web Application Proxy theme, something that’s not been covered yet is how to publish SharePoint-hosted applications with Web Application Proxy, in particular with single-sign-on (via ADFS) to make sure we only authenticate users once for any URL. It’s a legitimate question given SharePoint & SharePoint app URLs are different by design so there’s a bunch of extra considerations that need to be taken into account.

Here’s what we want to accomplish, as I’ve managed on a test environment:

image

We want to publish SharePoint-hosted applications so that users outside the internal network can access SharePoint-hosted applications with the same authentication they access normal SharePoint site with. The user should only have to login once for both domains in other words.

We assume that the URLs are the same both internally & externally, and that you’ve got a working ADFS with SharePoint working already. If you’ve not set this up, then you need to do so & familiarise yourself with this architecture first.

SSL Certificates Needed

The first thing to take into account is the SSL certificate you’ll need as Web Application Proxy is HTTPS only. No HTTP only here; SSL all the way, so this in itself is something that’ll need some studying to make sure you don’t get certificate validation errors when you try and access any part of SharePoint.

In short, the certificate that WAP/SharePoint will use will need to be valid for app URLs too. Normally that means adding a wildcard common-name for all possible apps – “CN =*.apps.contoso.com” for example, in addition to the normal common-names in the certificate (“CN = sharepoint.contoso.com”).

clip_image003

Remember of course that when you setup Web Application Proxy, you give a separate certificate then for the ADFS bit so you just need to two domains for the application publishing certificate.

Default HTTPS Website in SharePoint

You’ll also need SharePoint setup with a default 443 IIS site – at least one default-header, non Server Name Indication (SNI) site as the app-URL will obviously not match the normal SharePoint hostname, so if your IIS site has host-headers then the connection for your app URL (apps*.contoso.com for example) will never work for an SNI-enabled IIS site for a normal SharePoint header (sharepoint.contoso.com for example) – IIS would reject the connection because the headers wouldn’t match. Because of this, we need a single “one-size-fits all” SSL site for apps + normal SharePoint SSL.

For the record, I only managed to get this setup working when my HTTPS site was the default zone, but I’ve not yet confirmed why exactly. If you’re having issues, after authenticating back from ADFS then make sure your default zone site is the only SSL site.

Publish Applications in Web Application Proxy

Next up, we need to publish the URLs in Web Application Proxy. For both the normal application URL and any application URL, you need to do the same:

clip_image005

Each URL needs to use the ADFS server configured.

clip_image007

Also the same relying party in said ADFS server.

clip_image009

Make sure both URLs are the same, and we select the right certificate – the one that’s valid for both the normal site URL + SharePoint apps wildcard.

That’s pretty much it! Once done your WAP console should look something like this:

clip_image011

We should now be done with Web Application Proxy.

Configure WReply on the ADFS Identity Provider

You’ll need to enable WReply on the SPTrustedIdentityTokenIssuer that you’ve already configured in SharePoint by running this PowerShell (changing the “Name” of course):

$ap =Get-SPTrustedIdentityTokenIssuer “Name”

$ap.UseWReplyParameter = $true

$ap.Update()

Also, in the ADFS relying-partner you’ve already configured you need to add a wildcard WS-Federation endpoint like so:

clip_image012

Once done, ADFS can now authenticate for both normal & (any) app domains.

Testing SharePoint App Access via Web Application Proxy

Once it’s all in place, from outside we go to the normal URL, where we get sent to ADFS (via the proxy) to login.

clip_image014

Here we log-in like normal; from externally the ADFS DNS is pointing at the WAP server of course.

…and now we’re into the SharePoint site. Click the application link:

clip_image016

Here’s the magic bit: no authentication prompt when we redirect, despite being a different domain – the existing token is valid!

clip_image018

User identity has carried over just fine - job done!

Wrap-Up

Once this is all running, your Web Application Proxy + ADFS will now be able to authenticate for any app published only authenticating once. It’s not particularly simple, but it is possible

 

Cheers,

Sam Betts