Configure the SharePoint Server 2013 app authentication trust

Part of the document Deployment Guide for SharePoint 2013 (pages 179 - 182)

There are two ways to configure an app authentication trust with SharePoint Server 2013:

- If you have an Office 365 subscription and the app is also using Windows Azure Access Control Service (ACS) for authentication, you configure the SharePoint farm to trust the ACS instance that corresponds to your Office 365 subscription. ACS then acts as a common authentication broker between the on-premises SharePoint farm and the app and as the online security token service (STS). ACS generates the context tokens when the app requests access to a SharePoint resource.

In this case, configure SharePoint Server 2013 to trust ACS.

- If you do not have an Office 365 subscription or if the app does not use ACS for authentication, you must configure a server-to-server trust relationship between the SharePoint farm and the app, known as a high-trust app. A high-trust app generates its own context tokens when it requests access to a SharePoint resource. This must be done for each high-trust app that a SharePoint farm must trust. For example, if multiple apps are running on one server and if they all use different token signing certificates, you must create a separate trust with each one.

In this case, configure SharePoint Server 2013 to trust the app.

Configure SharePoint Server 2013 to trust ACS

Use the following procedure to configure SharePoint Server 2013 to trust ACS.

To configure a SharePoint Server 2013 trust relationship with ACS

1. Verify that you have the following memberships:

- securityadmin fixed server role on the SQL Server instance.

- db_owner fixed database role on all databases that are to be updated.

- Administrators group on the server on which you are running Windows PowerShell cmdlets.

An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint Server 2013 cmdlets.

Note:

If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.

2. Start the SharePoint 2013 Management Shell.

- For Windows Server 2008 R2:

  In the SharePoint 2013 environment, on the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.

- For Windows Server 2012:

  In the SharePoint 2013 environment, on the Start screen, click SharePoint 2013 Management Shell.

  If SharePoint 2013 Management Shell is not on the Start screen:

  Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.

For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

3. At the Windows PowerShell command prompt, type the following command:

New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "<Metadata endpoint URL of ACS>" -IsTrustBroker -Name "ACS"

Where:

<Metadata endpoint URL of ACS> for SharePoint Server 2013 is

https://accounts.accesscontrol.windows.net/metadata/json/1/?realm=<contextID property of your Office 365 subscription>.

4. Keep the Windows PowerShell command prompt open for Step 2, Register the app with the Application Management service.
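The following script is an added example and is not part of the deployment guide. It builds the ACS metadata endpoint URL from the Office 365 context ID, checks that the endpoint actually answers with a JSON document before the farm is told to trust it (a wrong context ID would otherwise be trusted blindly), refuses to create a duplicate "ACS" issuer, and then runs the command from step 3 and confirms the result. The $contextId value is a placeholder that you replace with your subscription's contextID; everything else uses cmdlets that ship with SharePoint Server 2013 and Windows PowerShell 3.0.

```powershell
# Added example (not from the deployment guide): register ACS as the trust
# broker with a pre-check of the metadata endpoint and a post-check of the result.
# $contextId is a placeholder for the contextID property of your Office 365 subscription.

$contextId = "<contextID property of your Office 365 subscription>"
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/metadata/json/1/?realm=$contextId"

# Load the SharePoint snap-in if this is a plain PowerShell window rather than
# the SharePoint 2013 Management Shell.
if ($null -eq (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Pre-check: the endpoint must be HTTPS (the farm will fetch signing keys from it)
# and must return a parseable JSON document; a wrong realm usually yields an error page.
if (-not $metadataEndpoint.StartsWith("https://")) {
    throw "Metadata endpoint must use HTTPS: $metadataEndpoint"
}
$response = Invoke-WebRequest -Uri $metadataEndpoint -UseBasicParsing
$metadata = $response.Content | ConvertFrom-Json
if ($null -eq $metadata) {
    throw "No JSON metadata returned from $metadataEndpoint; check the context ID."
}

# Refuse to create a second issuer named "ACS" if one already exists in the farm.
if (Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq "ACS" }) {
    throw "A trusted security token issuer named 'ACS' already exists."
}

# The command from step 3 of the procedure.
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker -Name "ACS"

# Post-check: the issuer is listed and flagged as the trust broker.
Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq "ACS" } |
    Format-List Name, RegisteredIssuerName, IsTrustBroker
```

Run the script from the SharePoint 2013 Management Shell on a farm server with the memberships listed in step 1; the final Format-List output is what you would compare against the farm's configuration during a later audit of trusted issuers.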

Configure SharePoint Server 2013 to trust the app

Use the following procedure to configure SharePoint Server 2013 to trust the app.

To configure a SharePoint Server 2013 trust relationship with a high-trust app

1. Verify that you have the following memberships:

- securityadmin fixed server role on the SQL Server instance.

- db_owner fixed database role on all databases that are to be updated.

- Administrators group on the server on which you are running Windows PowerShell cmdlets.

An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint Server 2013 cmdlets.

Note:

If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.

2. In Central Administration on the SharePoint Server 2013 server in the farm, on the Quick Launch, click System Settings, and then click Manage services on server.

3. In the list of services on the server, make sure that the User Profile Service is started.

4. In Central Administration, on the Quick Launch, click Application Management, and then click Manage service applications.

5. In the list of service applications, make sure that the App Management Service and the User Profile Service Application are started.

6. Obtain a .CER version of the signing certificate of the high-trust app and store it in a location that can be accessed during the rest of this procedure.

7. Verify that you have the following memberships:

- securityadmin fixed server role on the SQL Server instance.

- db_owner fixed database role on all databases that are to be updated.

- Administrators group on the server on which you are running Windows PowerShell cmdlets.

An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint Server 2013 cmdlets.

Note:

If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.

8. On the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.

9. At the Windows PowerShell command prompt, type the following commands:

$appId = "<AppID>"
$spweb = Get-SPWeb "<AppURL>"
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<CERFilePath>")
$fullAppIdentifier = $appId + '@' + $realm
New-SPTrustedSecurityTokenIssuer -Name "<FriendlyName>" -Certificate $certificate -RegisteredIssuerName $fullAppIdentifier

Where:

<AppID> is the client ID assigned to the high-trust app when it was created.

Important:

All of the letters in the AppID must be in lowercase.

<AppURL> is the URL to the high-trust app’s location on the app server.

<CERFilePath> is the path of the .CER version of the signing certificate of the high-trust app.

<FriendlyName> is a friendly name that identifies the app.

10. Keep the Windows PowerShell command prompt open for the next procedure.
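The following script is an added example and is not part of the deployment guide. It wraps the commands from step 9 with the checks a farm administrator would want before trusting a signing certificate: the AppID is normalised to lowercase (the Important note above), the .CER file must exist and must contain only a public key (a .PFX with the private key copied onto the SharePoint server would be a credential leak rather than a trust anchor), the certificate must not already be expired, and no issuer may already be registered for the same app identifier. The placeholders $appId, $appUrl, $cerFilePath and $friendlyName correspond to <AppID>, <AppURL>, <CERFilePath> and <FriendlyName> in the procedure.

```powershell
# Added example (not from the deployment guide): register a high-trust app's
# signing certificate with pre-checks and a post-check.
# The four values below are placeholders for the procedure's <AppID>, <AppURL>,
# <CERFilePath> and <FriendlyName>.

$appId        = "<AppID>"
$appUrl       = "<AppURL>"
$cerFilePath  = "<CERFilePath>"
$friendlyName = "<FriendlyName>"

# Load the SharePoint snap-in if this is not the SharePoint 2013 Management Shell.
if ($null -eq (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# The guide requires every letter of the AppID to be lowercase; normalise it so a
# mixed-case value does not produce an issuer name that never matches the app's tokens.
$appId = $appId.ToLowerInvariant()

if (-not (Test-Path -Path $cerFilePath -PathType Leaf)) {
    throw "Certificate file not found: $cerFilePath"
}
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerFilePath)

# A .CER carries only the public key. A private key here means the wrong file
# (the app's .PFX) was copied to the SharePoint server; stop rather than trust it.
if ($certificate.HasPrivateKey) {
    throw "Expected a public-key-only .CER, but the file contains a private key."
}
if ($certificate.NotAfter -lt (Get-Date)) {
    throw "Signing certificate expired on $($certificate.NotAfter)."
}

# The realm is read from the site that hosts the app web, exactly as in step 9.
$spweb = Get-SPWeb $appUrl
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
$fullAppIdentifier = $appId + '@' + $realm

# Refuse to create a second issuer for the same app identifier.
$existing = Get-SPTrustedSecurityTokenIssuer |
    Where-Object { $_.RegisteredIssuerName -eq $fullAppIdentifier }
if ($existing) {
    throw "An issuer for $fullAppIdentifier already exists: $($existing.Name)"
}

# The command from step 9 of the procedure.
New-SPTrustedSecurityTokenIssuer -Name $friendlyName -Certificate $certificate -RegisteredIssuerName $fullAppIdentifier

# Post-check: the issuer is listed, and the thumbprint is recorded so the farm's
# trusted-issuer inventory can later be checked against the app server's certificate.
Get-SPTrustedSecurityTokenIssuer |
    Where-Object { $_.RegisteredIssuerName -eq $fullAppIdentifier } |
    Format-List Name, RegisteredIssuerName, IsTrustBroker
"Thumbprint of trusted signing certificate: $($certificate.Thumbprint)"

$spweb.Dispose()
```

Because the realm is taken from the site collection that hosts the app, run the script once per farm and keep the printed thumbprint with the change record; when the app's signing certificate is rotated, the same checks apply to the replacement .CER and the old issuer should be removed rather than left trusted.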
