ACS redirect problem with SharePoint hosted apps

  • Question

  • I have a question on how to configure SharePoint Hosted Apps to use ACS as the identity provider without creating a new relying party with a unique REALM and return URL for each app.

    The SharePoint 2013 environment is on-premise, with users connecting over the internet. It is configured correctly and all the apps are working 100% when using Windows authentication. As soon as I add ACS with Windows Live as the identity provider, the apps fail to authenticate.

    The SharePoint Apps prompt the user to choose the identity provider and redirect the user to the login screen for Windows Live, but are then redirected back to the root site without setting the token for the app.

    A workaround is to create a new relying party in ACS with a unique REALM and return address and then use PowerShell to add the REALM to the trusted token issuer. I feel there must be a better way of doing this to avoid this administrative task.

    In addition to this, it still seems that the authentication does not happen as it should, because as soon as the authentication process is complete, ACS returns the App URL (which is correct) but we then get an access denied error. In ULS it is logged as “Issuer of the token is not a trusted issuer”, yet it uses the exact same certificate for token signing and encryption as the root site.

    The environment is configured as follows, using "domain.com" as an example:

    Root site: https://sharepoint.domain.com

    Apps: https://appprefix123456.apps.domain.com

    I'm using a Digicert wildcard SSL certificate that also allows for SANs to be added. I've added each app as a SAN, so the certificate is valid for *.domain.com and appprefix123456.apps.domain.com

    Thursday, March 13, 2014 3:05 PM
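    The “Issuer of the token is not a trusted issuer” entry in ULS means the issuer string inside the incoming token matched none of the issuers registered in the farm. The following diagnostic, added here and not part of the thread, lists the registered trusted security token issuers and checks whether the farm's authentication realm is covered by an ACS trust-broker entry; it assumes the SharePoint 2013 Management Shell on a farm server, and the site URL is a placeholder taken from the question.

```powershell
# Added diagnostic, not from the thread: does any registered trusted security
# token issuer match the realm the farm expects ACS to issue tokens for?
# Run in the SharePoint 2013 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder: root site from the question; adjust for your farm.
$siteUrl = "https://sharepoint.domain.com"

# ACS issues tokens under this well-known principal id, suffixed with the realm,
# so the registered issuer name must be "<principal>@<realm>".
$acsPrincipal = "00000001-0000-0000-c000-000000000000"

$site  = Get-SPSite $siteUrl
$realm = Get-SPAuthenticationRealm -ServiceContext $site
$expected = "$acsPrincipal@$realm"
Write-Host "Authentication realm for $siteUrl : $realm"
Write-Host "Expected ACS issuer string         : $expected"
Write-Host ""

$issuers = Get-SPTrustedSecurityTokenIssuer
Write-Host "Registered trusted security token issuers:"
foreach ($i in $issuers) {
    "{0,-30} RegisteredIssuerName={1} IsTrustBroker={2}" -f `
        $i.Name, $i.RegisteredIssuerName, $i.IsTrustBroker
    if ($i.MetadataEndPoint) { "    metadata: $($i.MetadataEndPoint)" }
}
Write-Host ""

# The issuer string is exposed as RegisteredIssuerName (NameId carries the same
# value on most farms); accept a match on either property.
$match = $issuers | Where-Object {
    $_.RegisteredIssuerName -eq $expected -or $_.NameId -eq $expected
}

if (-not $match) {
    Write-Warning "No trusted issuer is registered for realm '$realm'."
    Write-Warning "Tokens ACS issues for this realm will be rejected as untrusted."
} elseif (-not $match.IsTrustBroker) {
    Write-Warning "Issuer '$($match.Name)' matches the realm but is not a trust broker."
} else {
    Write-Host "OK: issuer '$($match.Name)' is a trust broker for realm '$realm'."
}
$site.Dispose()
```

    If the realm printed here differs from the realm configured on the ACS relying party, the two must be brought in line rather than a new relying party created per app.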

Answers

  • Hi Douglas,

    I agree with Qiao's explanation: SharePoint Online uses Azure OAuth, but SharePoint on-premise does not use that. You need to create a low-trust feature in your environment, or make a hybrid environment to pass the authentication.

    • Tips and FAQs: OAuth and remote apps for SharePoint 2013
    http://msdn.microsoft.com/en-us/library/fp179932.aspx

    In a server-to-server on-premises setup for a high-trust app, there is no context token, even if you use appredirect.aspx. The context token is specific to a configuration that uses Windows Azure Access Control Service (ACS). If you are using a server-to-server setup, your web application has to authenticate the user the same way that SharePoint does.
    • More TroubleShooting Tips for High Trust Apps on SharePoint 2013
    http://blogs.technet.com/b/speschka/archive/2012/11/01/more-troubleshooting-tips-for-high-trust-apps-on-sharepoint-2013.aspx

    It's important to remember when I say "high trust app", that means that you are NOT using ACS as the trust broker for your SharePoint app; instead you are creating the OAuth token and signing it with your own certificate.
    • http://blogs.architectingconnectedsystems.com/blogs/cjg/archive/2012/09/25/The-Azure-Access-Control-service-is-unavailable_2E00_.aspx
    Turns out that O365 SharePoint Farms have a special Service Application installed. This service application is not available to us mere mortals with the Beta version of SP2013 running on-premise. The service application is called "Azure Access Control Service Application". It has a corresponding Proxy that goes with it. When your SharePoint App code executes, it makes a call to this ACS proxy. If it doesn't find the existence of one of them in your Farm, it fails with a null reference, and then you get the "The Azure Access Control service is unavailable." error.
    • SharePoint Low-Trust Apps for On-Premises Deployments
    http://blogs.msdn.com/b/besidethepoint/archive/2012/12/17/10376205.aspx
    This blog discusses how to connect an on-premise SharePoint 2013 app to an Azure domain and use ACS for security
    • Data access options for apps in SharePoint 2013
    http://msdn.microsoft.com/en-us/library/fp179897.aspx
    Learn about the data access options you have when you build apps for SharePoint in SharePoint 2013, including data connectivity options for inbound and outbound data scenarios, and the APIs that are available when you want to access SharePoint data from your app.
    • Authorization and authentication for apps in SharePoint 2013
    http://msdn.microsoft.com/en-us/library/fp142384.aspx
    Get an overview of authentication and authorization in SharePoint 2013, which is used to authorize requests by an app for SharePoint to access SharePoint resources on behalf of a user.
    • Design apps for SharePoint
    http://msdn.microsoft.com/en-us/library/jj164080.aspx
    Get an overview of the design and architecture options that are available in apps for SharePoint, and learn how to make the right decisions to ease the development of your app in SharePoint 2013.
    • Hosting options for apps for SharePoint
    http://msdn.microsoft.com/en-us/library/fp179887.aspx
    Learn about the different ways that you can host the components of apps for SharePoint.
    • How to: Create high-trust apps for SharePoint 2013 using the server-to-server protocol (advanced topic)
    http://msdn.microsoft.com/en-us/library/office/apps/fp179901.aspx
    Learn how to create a high-trust app for SharePoint 2013. A high-trust app is a provider-hosted app for use on-premises that uses the server-to-server protocol.
    • How to: Use an Office 365 SharePoint site to authorize provider-hosted apps on an on-premises SharePoint site
    http://msdn.microsoft.com/en-us/library/office/apps/dn155905.aspx
    Use an Office 365 SharePoint site to create an environment where you can use ACS to establish trust between a provider-hosted app and an on-premises SharePoint 2013 farm, just as you would if you were developing apps for an Office 365 SharePoint site.


    Regards,
    Aries
    Microsoft Online Community Support


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, March 14, 2014 8:41 AM

All replies

  • Not sure about this question. Based on my understanding, if it is an OAuth call, SharePoint uses ACS as the app identity provider; OAuth is used in cases where calls are made from a remote server to SharePoint on behalf of the user. A SharePoint-hosted app doesn't use OAuth.

    I would involve someone familiar with this topic to further look at it.

    Thanks,


    Qiao Wei
    TechNet Community Support

    Friday, March 14, 2014 6:47 AM