Future of SharePoint Keynote Summary and My Key Takeaways

Ever since Microsoft RTMed SharePoint 2016 in March 2016, the one event every SharePointer was looking forward to was “Future of SharePoint” on May 4th, 2016.


Even though this event was billed as the SharePoint 2016 GA announcement, how Microsoft used it to instill confidence in the SharePoint community is a masterstroke in my book. Personally, I was looking forward to this event to see where I want to focus my technology efforts in the near future. There were a few questions about the SharePoint brand that Microsoft needed to answer. I won’t lie: I approached this event very cautiously, but after the event my faith in SharePoint on both Office 365 and on-premises has been restored.

In a nutshell, this was a vision and roadmap event specifically focused on SharePoint. As expected, the event was well marketed and well attended. There were some bold announcements and demos, most of which are in the process of being rolled out to SharePoint Online. This tweet at the end of the event summarizes how I felt about SharePoint’s near future at that time.


Here are my key takeaways:

  • SharePoint is here to stay!! In fact, it’s been revitalized and modernized. The message has been reinforced: innovation happens in the cloud, and a few features will trickle down to on-premises over time.
  • “SharePoint” as a brand is back in Office 365!! It is no longer branded as the “Sites” app. A small change like this regains confidence from the community.
  • Office 365 Groups are the NEW center of gravity in the cloud product. SharePoint team sites are being re-branded with the Office 365 Groups UI, but the two-way integration will challenge traditional hierarchical information architecture. Documents will flow horizontally across products rather than sitting in hierarchical SharePoint team sites in Office 365. Additionally, the tight integration of SharePoint Online, OneDrive for Business, Office 365 Groups, and other Office 365 products will reinvent what we think of as modern collaboration on Office platforms.
  • Although Microsoft has delivered a contextual and relevant SharePoint Online home page (similar to the Delve UI) as its “intranet in your pocket” offering, my take is that most organizations will create their own intranet home pages powered by the Office Graph and a Delve-based UI. The ability to support a customized version of the intranet home page is key. Customers will require support for customized home pages in both the “SharePoint” mobile app and the browser experience.
  • SharePoint On-premises is here to stay!! SharePoint Online and Office 365 will innovate first, and selected features will be pushed down to on-premises as feature packs. I won’t be surprised if feature packs replace the existing service pack model.
  • SharePoint Hybrid is a must to have the best of both worlds. The new SharePoint browser and mobile apps will require hybrid infrastructure to display data from both cloud and on-premises.
  • The Office 365 Graph and the new SharePoint client-side framework are a must in developers’ toolkits. Both are built on modern JavaScript and REST-based programming standards. Developers will need to learn a 6th development/customization model in the last 6 iterations of the product. Microsoft continues to push development on the platform rather than as a service, based on the solutions they must have seen in their customer experience programs. It’s time to learn the web stack if you haven’t already: Node.js, Yeoman, Gulp, TypeScript, Visual Studio Code, etc. It should be noted that this is one more additional framework; it doesn’t replace the Add-ins model released in SharePoint 2013 or the full trust model introduced in SharePoint 2007.
  • SharePoint and Office 365 professionals will have more challenges architecting solutions based on Office 365 only, SharePoint On-Premises only, or hybrid investments. A great SharePoint professional is key to success. Questions of what’s supported/not supported, what’s licensed/not licensed, what’s enabled/disabled, and architectural trade-offs will factor into how you architect information architecture and business processes. This is not new, but the tight integration of Office 365 Groups and SharePoint Online will create many challenges for customers who won’t use the capabilities of the whole Office 365 suite.

Here are my notes from the keynote:


  • SharePoint 2016 On-Premises and Office Online Server (the 2016 version of Office Web Apps) are GA from today.
  • SharePoint 2016 isn’t the last release but a foundation for the future – forged in the cloud, the first cloud-run source code packaged for on-premises, probably enhanced with feature packs rather than service packs.

Future of SharePoint

  • Microsoft’s current focus is on the 3 G’s – Groups, Graph, and Governance (notice – no SharePoint; rather than focusing on products vertically, Microsoft’s focus is across products and on security/compliance).
  • New SharePoint principles – In the Cloud, On your premises, and In your Pocket; in other words, cloud first, mobile first, but still supported on-premises.
  • SharePoint is the core of the Office 365 productivity suite – no kidding!!!!
  • SharePoint On-Premises updates – Feature Packs for SharePoint – a subset of features available on top of SP2016, starting in 2017.

Files Access & Sharing Innovations

[Image: Future of SharePoint – file access and sharing roadmap]

  • Simple and powerful files on any device – intuitive browser experience.
  • Selective sync for OD4B and SPO document libraries. Sync of shared folders is on the roadmap.
  • Move or copy OD4B files and folders to SharePoint.
  • New activity view pane for files (a replacement for versioning?).
  • File share/document analytics in OD4B (likes and shares coming in the future as well).
  • Mobile app for SharePoint Online (SharePoint On-Premises support is on the roadmap, including SharePoint 2013).

Reinventing SharePoint Intranets and Team Sites

[Image: Future of SharePoint – intranet roadmap]

  • Modern Intranets
    • Next-gen, responsive, mobile- and touch-friendly intranets
    • Innovate on all three fronts – communication, collaboration, and custom apps.
    • Intranet in your pocket
      • New SharePoint home page, powered by the Office Graph with contextual information; it looks much like the Delve UI. It shows frequently visited sites or suggested sites based on your profile activity, and it can show sites from both cloud and on-premises (requires hybrid configuration).
      • Intelligent discovery of content based on your activities. It shows pages, libraries, lists, and people. Again, similar to the Delve UI.
      • New team and organizational news feature – a news feature out of the box, will roll out in H2.
    • Intranet Web Experience
      • Renamed the “Sites” tab to “SharePoint” to match the mobile app name.
      • Frequent sites, suggested sites, tiles view.
      • Instant search – people, sites, files, etc.
      • Easy new site creation – simplified and faster; requires you to select collaboration or publishing sites. You can also create an Office 365 Group in this wizard, which will require enforcement of governance.
  • Modern Team Sites
    • Groups integration – Creating a team site will create an Office 365 Group, and the same is true the other way around. Groups are tightly integrated in Office 365 with SharePoint team sites. Will roll out in H2.
    • PowerApps and Microsoft Flow integrated with SharePoint Online out of the box. This allows them to use SharePoint document libraries and lists as data sources. Possible replacements for the workflow and forms workloads. Both products are in preview now. Will roll out in H2 this year.
    • New home page experience – Tied to the group; the group name and members show up, the left-hand navigation still exists, and you can bring group features (e.g. conversations) onto team sites. By default, news and activities are available as a tiles view; you can highlight a document or blog article in the news section, and activities are documents in a tiles view. It’s rolling out now.
    • New pages experience – Mobile- and touch-friendly page authoring experience; you can add documents, links, media, etc. You have a gallery of OOB web parts (similar to Adobe AEM). It’s rolling out now.
    • New document library experience – Looks and feels like OD4B, a consistent experience. Quick contextual metadata editing, grid/thumbnail view, ability to pin, everything at your fingertips either via the quick action bar or the information panel, no more ribbon. It’s rolling out now.
    • New SharePoint lists experience – Integration of the OOB Microsoft Flow UX and PowerApps, with context passed to these apps. It’s rolling out now.
    • Team site activities and analytics – Modern graphical analytics. It’s rolling out now.

Platform Extensibility

[Image: Future of SharePoint – open and connected platform roadmap]


  • Data layer – Office Graph API – REST-based, single endpoint – we will have the SP REST API available via the Office 365 API in the near future.
  • UI layer – New SharePoint Framework – a new JavaScript-based client-side development layer. It is backward compatible, it will be open source, and it provides a client-side web parts and client-side page/canvas application framework. This framework will be released in Q3 for SPO as First Release and for on-premises as feature packs, hopefully in 2017.
  • SharePoint Bench – A SharePoint-specific mock debugging environment to test development without needing SharePoint in a local VM.
  • Microsoft will deliver a few responsive experiences based on the new SharePoint Framework. The new SharePoint Online document library experience, the Delve UI, and the lightweight publishing model (Delve blog) are some of them.

Community and Microsoft Resources

New SharePoint Framework Reactions

Happy SharePointing!!!


Modernizing SharePoint? – My thoughts on SharePoint Online Document Library Experience Updates

Update on May 5th – The drawbacks mentioned in this article are no longer drawbacks if you are using the new SharePoint Online experiences. The new SharePoint Online experiences announced at the “Future of SharePoint” event on May 4th span not only document libraries but all of SharePoint, including the new SharePoint team site experiences. See updates here, here, and here. I have never had a blog article invalidate itself in a few weeks. It’s the power of the modern product update and release cycle. I still think communication and feature rollout could have been better.

Microsoft has pushed out one more “sneaky” release in Office 365 relating to the SharePoint Online document library experience. If you have a “First Release” tenant, you will start noticing a new banner on the SharePoint Online document library page stating “Check out new document library look!”.

[Screenshot: document library UX banner]

I call this a “sneaky” release. Even though this is a huge change in SharePoint (the first major document library UI change since the SharePoint 2003/2007 days, almost 10-12 years ago), it was never announced on the Microsoft Office blogs. I heard this news on Twitter after seeing a few posts from MVPs and other community leaders regarding this release.

Unlike MVPs and other community leaders, my thoughts on this change are bittersweet. On one hand, I love this new modern experience, with lots of core features standing out in the UI for end users. On the other hand, I hate the navigation experience between the SharePoint Online document library UI and the OneDrive for Business document library UI. More on the navigation concerns later.

If you have never seen new SPO document library experience, here is the preview:

This is the classic SharePoint Online document library experience with the invitation to try out the new experience:

[Screenshot: classic SPO document library UX]

This is how the new SharePoint Online document library experience looks (with the ability to roll back to the classic view for the time being):

[Screenshot: new SPO document library list view]

[Screenshot: new SPO document library grid view]

Let’s first talk about the pros. I hugely welcome the modern UI of the new SharePoint Online user experience. Not only has Microsoft bubbled up many key features as easy actions, but it has modernized the UI along with them.

Here are some of the highlights of new features and I must say – I love them all.

  • Library Level Features
    1. Ability to Pin documents as Highlights above the library view
    2. Ability to “Alert Me” from quick action bar
    3. Ability to have Grid view with previews, rather than traditional list view
  • Document Level Actions
    1. Ability to see “History” on the right bar
    2. Document Action Bar – Ability to get a link, ability to Move to another location (one of the long standing issues with traditional UI)

Now, let’s talk about the major drawback. With all the love for the new UI, one of the major downsides of this update is what happens to existing collaboration sites. Even though Office 365 has new workloads rolling out every few months to tackle modern collaboration, like Yammer Groups, Office 365 Groups, Planner, and Delve, many of our customers are still using SharePoint team sites for document collaboration.

Along with SharePoint team sites, they are accustomed to the “blue” SharePoint/Office 365 global OOB UI and the SharePoint Online ribbon bar. One of the major issues with the new UI is that end users will need to traverse back and forth between the SharePoint Online UI (blue global bar with ribbon) and the OneDrive for Business UI (black global bar without ribbon) while using document libraries, and that’s where the challenge is.

Many of us additionally apply SharePoint Online themes (recommended by Office 365 PnP as the supported form of branding), which affects the seamless UI experience and navigation as users access team sites, document libraries, and documents. My only hope here is that Microsoft has further plans to roll out SPO changes that reflect this new UI across SPO to match the overall Office 365 experience.

But wait – there is a solution to all of this. Having said that, Microsoft didn’t leave us with this as a forced update. You have the option to use the old or new experience depending on your organization’s appetite for change. Each document library has an option to use the new or old experience, which allows document library owners to use whatever experience they like. Additionally, there is a global SharePoint Online administrative setting to apply this change to all document libraries in SharePoint Online team sites. A few tips here – library-level settings will definitely affect governance policies and how organizations want to standardize the document library experience. A few more things to worry about as you try to govern your environment. 🙂

You can manage the document library experience settings from the library’s advanced settings page. There are three experiences here:

[Screenshot: SPO library advanced settings]

  • Default experience set by my administrator – Configured at the SharePoint Online Administrative page.
  • New experience – New experience with OD4B UI
  • Classic experience – Classic Old and Gold SharePoint document library view

Here is the screenshot of SharePoint Online Admin Setting.

SPO Admin Settings

Here are my initial reactions on Twitter. I am hoping to have more positive reactions and better document library experience stories as we go through the initial period.

[Screenshots: Nik’s reactions on Twitter]

SharePoint Online is changing!!! Good luck SPO!!!

Additional Resources and Community Reactions



Nik’s SharePoint Saturday Chicago Suburbs 2016 Session Deck on Modern Intranet Development on SharePoint and Office365 is Available

Thanks to everyone who was able to attend my session at SharePoint Saturday Chicago Suburbs 2016. It was great to see familiar faces and old friends in a fairly well-attended session.

I had amazing fun walking attendees through the lessons I have learned while developing intranets on SharePoint and Office 365 over the last few years. It’s great to share some of the best practices I have compiled and how I would design an intranet on these platforms in the future.

Title: Best Practices of Intranet Development on SharePoint and Office 365 Platforms
Session Abstract – Developing successful intranets on the ever-changing SharePoint and Office 365 platforms requires an understanding of the available options and how to apply them. Nik Patel from Slalom Consulting has designed and built four different intranets in four years, each with its own best practices, unique flavors, and the customization options available at the time. Nik will take attendees through past and future architecture options and provide pragmatic guidance for future intranet development on the SharePoint and Office 365 platforms. This session is for both beginner and advanced developers and architects.

As promised, here is my session deck, available through SlideShare. Feel free to download it and reach out to me if you have any questions.

I have recently posted a few SharePoint development best practices articles. These can be used as additional sources, along with Office 365 PnP, when making decisions on tricky architectural trade-offs.



Cheat Sheet to Troubleshoot SharePoint Provider hosted High-Trust Add-ins – 401, 403, 404, and Misc Errors

Anyone who has worked on provider-hosted high-trust add-ins for a SharePoint 2013 on-premises environment knows that if the environment works, it works like a charm. If it fails, it’s the worst thing you as an IT pro may encounter. Most of the errors while troubleshooting the provider-hosted high-trust configuration relate to authentication and add-in/SharePoint communication. Many of these errors are so generic (401, 403, and 404) that they can easily raise the frustration level and waste hundreds of hours.

With this cheat sheet, I plan to share my usual suspects and hope to keep it updated as I encounter more weird errors in SharePoint provider-hosted high-trust add-ins configuration.

Microsoft Resources for Troubleshooting Apps

Usual Suspect Areas to look at

  • Expired certs in IIS, the local Windows cert store, and the SharePoint trust store (including all the chain certs)
  • Invalid Get-SPTrustedSecurityTokenIssuer
  • Invalid Get-SPTrustedRootAuthority
  • Invalid cert serial number or cert information in web.config
  • Invalid alternate access mapping
  • Invalid HTTP or HTTPS binding in IIS
  • Missing DNS entries
  • Depending on your needs, you may need to set app permissions in the App Manifest
  • Validate the provider-hosted app IIS site – enable Windows auth with NTLM as the preferred provider; the app pool runs under .NET 4.0 and ApplicationPoolIdentity
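As an added example (not from the original cheat sheet), a read-only PowerShell health check that walks the usual suspect areas above: certificate expiry in the local store and in the SharePoint trust store, issuer casing, the AllowOAuthOverHttp/binding mismatch behind many 403s, DNS resolution of the add-in host, and IIS HTTPS bindings without a certificate. It assumes the SharePoint 2013 Management Shell on a SharePoint server; the add-in URL is a constructed placeholder modelled on this blog's lab domain.

```powershell
# Added example, not part of the original article. Run in the SharePoint 2013 Management
# Shell on a SharePoint server as a farm administrator. Everything here is read-only.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration -ErrorAction SilentlyContinue   # provides Get-WebBinding

$addInUrl = "https://app-12345678abcdef.apps.niks.local"   # constructed sample value; replace
$warnDays = 30
$now      = Get-Date
$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Area, [string]$Message) {
    [void]$findings.Add([pscustomobject]@{ Area = $Area; Message = $Message })
}

# 1. Expired or soon-to-expire certificates in the local machine stores (leaf and chain).
#    The Root store may list expired third-party roots; focus on entries for your own CA.
foreach ($store in "My", "CA", "Root") {
    foreach ($c in Get-ChildItem "Cert:\LocalMachine\$store") {
        if ($c.NotAfter -lt $now) {
            Add-Finding "LocalCertStore\$store" "EXPIRED $($c.Subject) (serial $($c.SerialNumber)) on $($c.NotAfter)"
        } elseif ($c.NotAfter -lt $now.AddDays($warnDays)) {
            Add-Finding "LocalCertStore\$store" "Expires within $warnDays days: $($c.Subject) on $($c.NotAfter)"
        }
    }
}

# 2. Trusted security token issuers registered for high-trust add-ins
$issuers = @(Get-SPTrustedSecurityTokenIssuer)
if ($issuers.Count -eq 0) {
    Add-Finding "TokenIssuer" "No SPTrustedSecurityTokenIssuer registered; high-trust add-ins cannot be authenticated"
}
foreach ($i in $issuers) {
    # RegisteredIssuerName is "<issuer id>@<realm>"; upper-case GUIDs here or in web.config produce 401s
    if ($i.RegisteredIssuerName -cne $i.RegisteredIssuerName.ToLowerInvariant()) {
        Add-Finding "TokenIssuer" "'$($i.Name)' RegisteredIssuerName has upper-case characters: $($i.RegisteredIssuerName)"
    }
    if ($i.SigningCertificate -and $i.SigningCertificate.NotAfter -lt $now) {
        Add-Finding "TokenIssuer" "'$($i.Name)' signing certificate expired on $($i.SigningCertificate.NotAfter)"
    }
}

# 3. Trusted root authorities (the chain SharePoint uses to validate the issuer certificate)
foreach ($r in Get-SPTrustedRootAuthority) {
    if ($r.Certificate.NotAfter -lt $now) {
        Add-Finding "TrustedRoot" "'$($r.Name)' expired on $($r.Certificate.NotAfter)"
    }
}

# 4. AllowOAuthOverHttp must agree with the bindings: true when SharePoint or the add-in site
#    answers on plain HTTP, false when both sides are HTTPS only (tokens must not travel in clear).
$sts         = Get-SPSecurityTokenServiceConfig
$httpAam     = @(Get-SPAlternateURL | Where-Object { $_.IncomingUrl -like "http://*" })
$addInIsHttp = $addInUrl -like "http://*"
if (($httpAam.Count -gt 0 -or $addInIsHttp) -and -not $sts.AllowOAuthOverHttp) {
    Add-Finding "OAuth" "HTTP URL in use ($($httpAam.Count) HTTP AAM(s)) but AllowOAuthOverHttp is false: classic 403 cause"
} elseif ($httpAam.Count -eq 0 -and -not $addInIsHttp -and $sts.AllowOAuthOverHttp) {
    Add-Finding "OAuth" "All URLs are HTTPS but AllowOAuthOverHttp is true; set it back to false"
}

# 5. DNS: the add-in host name must resolve (to the add-in server or the load balancer VIP)
$addInHost = ([uri]$addInUrl).Host
try {
    $ips = [System.Net.Dns]::GetHostAddresses($addInHost) | ForEach-Object { $_.IPAddressToString }
    Write-Host "$addInHost resolves to $($ips -join ', ')"
} catch {
    Add-Finding "DNS" "$addInHost does not resolve: $($_.Exception.Message)"
}

# 6. IIS on this server: every HTTPS binding must carry a certificate
if (Get-Command Get-WebBinding -ErrorAction SilentlyContinue) {
    foreach ($b in Get-WebBinding | Where-Object { $_.protocol -eq "https" }) {
        if (-not $b.certificateHash) {
            Add-Finding "IIS" "HTTPS binding $($b.bindingInformation) has no certificate assigned"
        }
    }
}

if ($findings.Count -eq 0) { Write-Host "No findings in the usual suspect areas." }
else { $findings | Format-Table -AutoSize }
```

Run it on each SharePoint server in the farm, since the local certificate stores and IIS bindings are per-machine while the trust store and STS settings are farm-wide.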

Myths – Invalid causes called out in the blogosphere

  • The cert chain must be installed and imported in both the local cert store and IIS on both the SharePoint and provider-hosted app servers.
    • Removing the RootCA and high-trust cert from the SharePoint trust store (accessible from Central Admin) does not affect how provider-hosted apps work; they work regardless.
    • According to API cert expert Brian… IIS should have only the lowest-level cert needed for the binding; the parent chain certs shouldn’t be in IIS.
  • No routing web app on the SharePoint servers – This throws a 404 error for SharePoint-hosted and Store apps but works fine for provider-hosted apps; the routing web app is required for SharePoint-hosted apps.
  • You need to disable Anonymous Authentication on the provider-hosted app IIS web site – no reason to do this unless you want to as a best practice.
  • NTLM has to be the preferred provider (above Kerberos) for Windows auth on the provider-hosted app IIS web site – no reason to do this unless you want to as a best practice.
  • To get the title of the web site, you would need to set app permissions in the App Manifest – no need for this for title info.
  • The SharePoint and app hosting servers should be in the same time zone – no need for this either.

Error – An unexpected error has occurred while installing app

  • This may happen if the app was already installed with a higher version and you are redeploying the app using a lower version to the same site. e.g. I had a site collection where I had deployed the app with one version. I uninstalled the app, repackaged it with another version, and deployed it to the App Catalog. This caused an error while installing the app to the same site collection again. The new version of the app worked fine in a new site collection where this app had never been installed before.
  • Myth – Many blogs and forums say to clean up the App Catalog recycle bin; that didn’t fix my issue.

Error – Blank Page while accessing installed app

Error – 401 Error – Unauthorized while accessing installed app


  • Possible Causes:
    • No Windows Auth is enabled on the Provider Hosted App IIS web site.

Error – 401 Error – Unauthorized while running app, SharePoint-App communication issue

[Screenshot: 401 Unauthorized error]

  • Possible Causes:
    • Issuer ID is invalid or has uppercase letters or Issuer ID has space in Appweb web.config file.

Error – 403 Error – Forbidden while accessing installed app, SharePoint-App communication issue


  • Possible Causes:
    • The Client ID is invalid or contains a space in the app web’s web.config file.
    • The Get-SPSecurityTokenServiceConfig AllowOAuthOverHttp setting is invalid. It must be true if either the SharePoint web application or the provider-hosted app IIS web site has an HTTP binding. If both SharePoint and the add-in use SSL, it should be false. In many cases, having an HTTP binding on SharePoint in addition to SSL while the add-in uses SSL with AllowOAuthOverHttp=false causes this error.

Error – 404 Error – While accessing installed app


[Screenshot: 404 error]

  • Possible Causes:
    • DNS entry issue – either wrong or no DNS entries – try to ping the app URL to see if it reaches the correct server IP or the F5 app pool IP.

Error – An error occurred while processing your request – while accessing installed app

  • Background note – This error is generated by the Visual Studio boilerplate code for SharePointContext and TokenHelper.
  • Possible Causes:
    • The certificate serial number is invalid in the app web’s web.config file.
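As an added example (not from the original cheat sheet), a PowerShell check to run on the add-in web server that validates the three web.config values behind the 401 (IssuerId casing or whitespace), 403 (ClientId) and "An error occurred while processing your request" (certificate serial number) entries above. The appSettings key names are assumed to be those of the Visual Studio TokenHelper template; the web.config path is a placeholder.

```powershell
# Added example, not part of the original article. Run on the add-in (IIS) server.
# Assumed appSettings keys: ClientId, IssuerId, ClientSigningCertificateSerialNumber.
param(
    [string]$WebConfigPath = "C:\inetpub\wwwroot\NiksHighTrustAppWeb\web.config"   # placeholder path
)

[xml]$cfg = Get-Content -Path $WebConfigPath -Raw
$settings = @{}
foreach ($node in $cfg.configuration.appSettings.add) { $settings[$node.key] = $node.value }

$guidPattern = '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
$problems    = New-Object System.Collections.ArrayList

function Test-GuidSetting([string]$Key, [bool]$RequireLowerCase, [string]$Symptom) {
    $value = $settings[$Key]
    if ([string]::IsNullOrEmpty($value)) { [void]$problems.Add("$Key is missing ($Symptom)"); return }
    if ($value -ne $value.Trim()) {
        [void]$problems.Add("$Key has leading or trailing whitespace ($Symptom)")
    }
    $v = $value.Trim()
    if ($v -notmatch $guidPattern) {                                  # case-insensitive: not a GUID at all
        [void]$problems.Add("$Key is not a GUID: '$value' ($Symptom)")
    } elseif ($RequireLowerCase -and $v -cnotmatch $guidPattern) {   # case-sensitive: upper-case hex digits
        [void]$problems.Add("$Key contains upper-case letters; SharePoint matches the issuer in lower case ($Symptom)")
    }
}

Test-GuidSetting "IssuerId" $true  "401 Unauthorized"
Test-GuidSetting "ClientId" $false "403 Forbidden"

# Signing certificate: must exist in LocalMachine\My, be unexpired, and carry a usable private key
$serial = $settings["ClientSigningCertificateSerialNumber"]
if ([string]::IsNullOrEmpty($serial)) {
    [void]$problems.Add("ClientSigningCertificateSerialNumber is missing (unless the add-in loads a PFX by path)")
} else {
    $normalized = ($serial -replace '\s', '').ToUpperInvariant()   # the store holds serials as upper-case hex without spaces
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $normalized }
    if (-not $cert) {
        [void]$problems.Add("No certificate with serial '$normalized' in LocalMachine\My ('An error occurred while processing your request')")
    } else {
        if ($cert.NotAfter -lt (Get-Date)) { [void]$problems.Add("Signing certificate expired on $($cert.NotAfter)") }
        if (-not $cert.HasPrivateKey)     { [void]$problems.Add("Signing certificate has no private key ('Keyset does not exist')") }
        if ($serial -ne $normalized)      { [void]$problems.Add("Serial number contains spaces or lower-case hex; use the store value '$normalized'") }
    }
}

if ($problems.Count -eq 0) { "web.config high-trust settings look consistent" } else { $problems }
```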

Error – Keyset does not exist – while accessing installed app

Background note – This error occurs when the SharePoint app running in IIS can’t access the high-trust certificate in the provider-hosted server’s cert store to initiate communication with SharePoint.

Possible cause – If IIS_IUSRS doesn’t have permission to the high-trust cert in the local cert store, it will throw a Keyset does not exist error – http://webservices20.blogspot.com/2011/02/wcf-keyset-does-not-exist.html. For a separate IIS server hosting add-ins, grant BUILTIN\IIS_IUSRS full control on the cert. This allows apps running on IIS to access the cert for high-trust SharePoint communication. On Windows Server 2012 R2, use the command-line tool Windows HTTP Services Certificate Configuration Tool – WinHttpCertCfg.exe. On Windows Server 2008 R2, you can use the Microsoft WSE 2.0 SP3 GUI tool: look up the wildcard cert (e.g. *.niks.local), give IIS_IUSRS full control from the machine, and restart IIS.

Error – Sorry, Something went wrong – while adding/installing an app to the site – App differs from another App with the same version and product ID

[Screenshot: Sorry, something went wrong]

This is the worst kind of error because it’s really hard to troubleshoot. In most cases you have to look into the ULS logs, as this isn’t an obvious error. Luckily, this error does give you a ULS correlation ID which you can use to troubleshoot.

In my case, I came across this error in the ULS log.

Issue – 11/03/2015 14:44:28.00   w3wp.exe (0x1C28)                       0x0548  SharePoint Foundation                 General                                       ajlz0       High       Getting Error Message for Exception System.Web.HttpUnhandledException (0x80004005): Exception of type ‘System.Web.HttpUnhandledException’ was thrown. —> System.InvalidOperationException: The provided App differs from another App with the same version and product ID.     at Microsoft.SharePoint.Lifecycle.SprocWrappers.CreateApp(SqlSession dbSessionWrapper, Byte[] fingerprint, Guid siteId, Guid productId, Version version, String title, String contentMarket, String assetId, SPAppSource source, String tempIconUrl)     at Microsoft.SharePoint.Administration.SPApp.CreateAppAndCommitPackage(SqlSession session, Byte[] fingerprint, String path, Guid siteId, String assetId, String contentMarket, SPAppSource source)     at Microsoft.SharePoint.Administration.SPApp.CreateAppUsingPackageMetadata(Stre… 4d143e9d-3578-6086-1f97-858d6df686c1

There are various online articles and places where this error has been discussed, and folks have solved it in many different ways –

Have you come across any other scenarios not discussed here? Please post in the comments section to increase awareness of your specific situation. You never know – it may help someone out there.



Step by Step Installation Guide – SharePoint 2013 On-Premises Provider Hosted High Trust Configuration

Last December, I had the privilege of walking SharePoint Fest Chicago attendees through the detailed step-by-step process of building an end-to-end SharePoint high-trust provider-hosted add-ins environment.

The information I presented has been scattered around the web, MSDN, and Office 365 PnP, but I have yet to see full, detailed end-to-end guidance on add-ins configuration even though the add-ins model has been available since July 2012. One of the main reasons SharePoint provider-hosted add-ins aren’t popular is that it takes a lot of skill to stand up an add-ins development environment. This guide is intended to walk you through the key steps required to build a SharePoint 2013 high-trust provider-hosted add-in environment.

As an overview, my SharePoint lab consists of 2 VMs for the SharePoint 2013 on-premises environment – an all-up SharePoint 2013 VM with AD and SQL, and a provider-hosted add-ins VM. Some of the key goals I have for this article are:

  • Provide pragmatic guidance to build a real-world environment. Even though I don’t have a load-balanced environment, you can repeat most of the configuration to configure a load-balanced environment. Configuration of load balancers and DNS routing is out of scope for this article.
  • Provide secured SSL communication between the SharePoint and add-ins environments. This article still applies to non-SSL environments, and the steps that differ for non-SSL are called out in the article.
  • Support SharePoint-hosted add-ins in addition to high-trust provider-hosted add-ins. This is my personal preference. SharePoint-hosted add-ins add complexity to the infrastructure configuration. If you are planning to support only provider-hosted add-ins, you will be able to find the steps you can ignore.

Provider hosted add-ins

Here are high level steps one needs to take to configure SharePoint high-trust provider hosted add-ins in SharePoint on-premises environment.

Preparing Infrastructure for High-Trust Provider Hosted Add-ins

  • Prepare SharePoint On-Premises Environment
    • SharePoint Network Infrastructure – Make a note of SharePoint Domain (e.g. Niks.local), valid SharePoint DNS (e.g. intranet.niks.local), and Wildcard Cert (e.g. with friendly name – *.Niks.Local)
    • SharePoint Wildcard SSL certs are an optional but recommended.
    • Install SharePoint Environment – SP2013 RTM + Latest Service Pack + Latest CU
      Provision primary web application with SSL and NTLM authentication. SSL is optional for Add-ins configuration if your SharePoint environment isn’t on SSL but it is recommended.
    • Configure User Profile Service Application and Profiles Sync. This is required for Add-ins User Profile hydration for Auth Tokens.
  • Configure Add-ins Domain
    • Determine Add-ins Domain Strategy – You can have only one Add-in domain is used per farm..Determine the domain name to use – either unique domain (e.g. NiksApps.local) or Sub domain (e.g. Apps.Niks.local) – for security reasons, plan to have unique domain because cookies can be modified or read across different domains that are under the same domain.
    • Configure Add-ins Domain and an Wildcard DNS entries for SharePoint Add-ins – Wildcard DNS entry is not used by Provider hosted Add-ins. Wildcard DNS entry is required for SharePoint Add-ins if you are deploying. Add-ins as fully isolated App webs. Without this, you would need a new entry in DNS for every App instance, this would not scale and is not a feasible solution. There is also no way of determining what the App ID would be in advance of creating an App. I  would recommend to configure wild card DNS entries for SharePoint Add-ins as a pre-requisites for provider hosted add-ins. Plan to review Mirjam Van Olst’s classic article.
  • Request a Wildcard Certificate for SharePoint Add-ins
    • There are two things to remember about Add-ins SSL – One is SSL certificate is optional if you aren’t using secure communication and second is it’s not required for the Provider Hosted Add-ins.
    • Add-ins Wildcard certificate is required for the SharePoint Add-ins for SSL. Since recommendation here is we will be building provider hosted add-ins for both SSL and SharePoint hosted-apps, you will need a wildcard SSL certificate for your add-in domain.
    • A valid wildcard SSL ad-ins cert can be issued by public CA, corporate CA, or Self-SSL utilities. (e.g. *.apps.niks.local or *.niksapps.local)
    • Verify wildcard certificate for both SharePoint and Add-in URLs are added to SharePoint boxes. There are two places to check – Verify if certificate is available on both personal and certificate root authorities store using Manage Certificates utilities and verify these certificates are imported and available on the IIS
  • Configure Routing Web App for SharePoint Hosted Add-ins
    • It is important to note that this step is NOT required for the provider hosted add-ins. This is required for SharePoint Add-ins only if you have SharePoint web applications are using host headers.
    • Provision Add-ins Routing web app – Create New SharePoint Web App – Port-80, Non-SSL, NTLM, Application Pool – SP_farm, and Content Database – WSS_Content, provision root site collection based on team site template and make sure Routing web app don’t have any host header, idea here is catch all. Add HTTPS binding with Add-ins wildcard cert on the default web app, remove HTTP binding for SSL.
    • Routing web app is not required for the host header site collections.
    • Best Practice – Disable Default IIS website from the IIS manager and IIS RESET
    • Without this – You may encounter 404 error – Jereme Thake’s article
  • Configure Required Services and Service Proxies – App Management and Subscription Settings
    • Both App Management Service and Subscription Settings Service must be started.
    • The App Management service application is largely responsible for licensing information, for example its database is accessed each time an add-in is used to verify the validity of the request.
    • The Subscription Settings service application is historically only relevant for multi-tenancy scenarios, but it is a prerequisite when implementing Add-ins because it is used to generate and keep track of the App IDs.
    • One key thing to note is that both service applications must be in the same service application proxy group, otherwise the Add-ins infrastructure will fail to work.
    • How to configure?
      • Start App Management and Subscription Settings Services from Central Administration or Windows PowerShell.
      • Configure the App Management Service application by using Central Administration or Windows PowerShell.
      • Configure the Subscription Settings Service Application by using Windows PowerShell.
    • Required PowerShell script to automate some of the steps discussed in this section are available as part of presentation attached to this article.
  • Configure App Prefix, App Hosting Domain, and App Catalog
    • Create App host domain (e.g. apps.niks.local) and App URL prefix (e.g. app) using PowerShell or from Central Admin
    • Create the App Catalog site collection from Central Administration and configure its permissions – you can have one App Catalog per web application, and users can’t add add-ins in consuming sites unless they have visitor access to this site collection. Configure the Store settings here as well, such as whether users can install add-ins from the Office Marketplace.
    • The PowerShell scripts that automate some of the steps in this section are available as part of the presentation attached to this article.
  • Prepare Provider Hosted Add-ins Servers
    • Prepare for IIS and application hosting – install and configure the Web Server role and the Application Server role: .NET Framework 3.5.1 features, Windows Process Activation Service, Web DEV, ASP.NET, etc.
    • Prepare for .NET Framework hosting – install and configure .NET Framework 4.5 or later. Note – Windows Server 2008 R2 installs only .NET Framework 3.5.
    • Prepare for app web deployment from the command line – download and install the Web Deploy tool – http://www.iis.net/downloads/microsoft/web-deploy
      Web Deploy (msdeploy.exe) must be installed on the computer that runs the .cmd file for appsweb. For information about how to install Web Deploy, see the following URL: http://go.microsoft.com/?linkid=9278654
    • Add DNS entries to resolve the provider-hosted add-in URL. Import a high-trust certificate on the add-in host servers; if you don’t have PFX and CER files from an external or internal CA, one way to obtain them is to export the cert from the SharePoint servers both with the private key (e.g. NiksHighTrustCert.pfx) and with the public key only (e.g. NiksHighTrustCert.cer), and do the same for every root CA and other parent cert in the chain (e.g. RootCAHighTrustCert.cer). The CER format is required to register the cert with SharePoint; the PFX format is required by the add-ins. Usually the high-trust certificate is the same wildcard cert used for the SharePoint web applications, provided the high-trust add-ins and SharePoint share a domain.
    • Grant BUILTIN\IIS_IUSRS access to the high-trust cert – on the separate IIS server hosting the add-ins, give BUILTIN\IIS_IUSRS full control of the certificate. This lets apps running in IIS use the cert for high-trust communication with SharePoint. On Windows Server 2012 R2 use the command-line Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe). On Windows Server 2008 R2 you can use the Microsoft WSE 2.0 SP3 GUI tool: look up the wildcard cert (e.g. *.niks.local), grant IIS_IUSRS from the machine full control, and restart IIS.
      If IIS_IUSRS doesn’t have this permission, the add-in throws a “Keyset does not exist” error – http://webservices20.blogspot.com/2011/02/wcf-keyset-does-not-exist.html
  • Verification Steps
    • One of my best practices when configuring any kind of complex environment is to break it down into chunks so I can troubleshoot or verify as needed. Once the initial infrastructure is configured, this is the best time to verify the various pieces. Here are the areas you can verify.
    • The provider-hosted add-in URL domain and DNS entries have been requested. Ping to verify.
    • The SharePoint add-ins domain and wildcard DNS entries have been requested. Ping a DNS entry to verify, e.g. anything.apps.niks.local.
    • A valid wildcard certificate has been issued for SharePoint add-ins, uploaded to the local certificate store and imported in IIS.
    • The App Management and Subscription Settings services and service application proxies are provisioned.
    • App domain is configured and App Prefix is created for SharePoint.
    • App Catalog site collection for App hosting web application is provisioned with appropriate permissions.
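
The checks above, as an added PowerShell verification script that is not part of the article or its attached presentation. It runs on a SharePoint server; the niks.local host names and the wildcard certificate subject are the article’s sample values and are assumed.

```powershell
# Added verification script (not from the article or its presentation).
# Run in an elevated SharePoint Management Shell on a SharePoint server.
# niks.local names are the article's sample values; replace them with yours.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$appDomain   = 'apps.niks.local'        # add-in host domain (wildcard DNS record)
$remoteWeb   = 'phprodapp.niks.local'   # provider-hosted remote web
$certPattern = '\*\.niks\.local'        # regex matched against the cert Subject (CN=*.niks.local)

function Report([bool]$ok, [string]$area, [string]$detail) {
    '{0} {1,-5} {2}' -f ($(if ($ok) { 'PASS' } else { 'FAIL' })), $area, $detail
}

# 1. DNS: any label under the wildcard record must resolve, as must the remote web.
foreach ($name in @("anything.$appDomain", $remoteWeb)) {
    Report ([bool](Resolve-DnsName $name -ErrorAction SilentlyContinue)) 'DNS' $name
}

# 2. Certificate: in LocalMachine\My, with a private key (PFX imported, not just CER), not expired.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $certPattern } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
Report ($cert -and $cert.HasPrivateKey -and $cert.NotAfter -gt (Get-Date)) 'CERT' "subject matches $certPattern"

# 3. Both service instances online on this server.
foreach ($svc in 'App Management Service',
                 'Microsoft SharePoint Foundation Subscription Settings Service') {
    $inst = Get-SPServiceInstance -Server $env:COMPUTERNAME | Where-Object { $_.TypeName -eq $svc }
    Report ($inst -and $inst.Status -eq 'Online') 'SVC' $svc
}

# 4. Both proxies in the same (default) proxy group; otherwise the add-in infrastructure fails.
$types = (Get-SPServiceApplicationProxyGroup -Default).Proxies | ForEach-Object { $_.TypeName }
Report ([bool]($types -like '*App Management*') -and [bool]($types -like '*Subscription Settings*')) `
       'PROXY' 'App Management and Subscription Settings proxies share the default group'

# 5. App domain and prefix configured.
$domain = Get-SPAppDomain
$prefix = Get-SPAppSiteSubscriptionName -ErrorAction SilentlyContinue
Report (($domain -eq $appDomain) -and [bool]$prefix) 'APP' "domain=$domain prefix=$prefix"
```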

Configuring High-Trust for Provider Hosted Add-ins

  • Run these steps from the SharePoint servers – please note that they need to be executed on the SharePoint servers to set up high trust between SharePoint and the add-in servers.
  • Remove any existing SPTrustedSecurityTokenIssuer
    • On the SP server, log in as the setup account to run the PowerShell script and check whether any previously registered SPTrustedSecurityTokenIssuer exists. If there is a malfunctioning one and the -IsTrustBroker switch was used, the bad token issuer might be getting called. If this is the first time you are configuring the high-trust add-in, you can skip this step.
    • Run Get-SPTrustedSecurityTokenIssuer. If no Azure workflow is configured, this command should return nothing. If you get any issuer other than the workflow one, run Remove-SPTrustedSecurityTokenIssuer (pass the Id value from the above output) to delete it.
  • Configure the High Trust using Certificates
    • Run the PowerShell script from the SP server to register the cert with SharePoint, using the public (CER) key, to configure trust for your add-in. Please see the attached PowerPoint presentation for the detailed script.
    • Each certificate in the chain is added to SharePoint’s list of trusted root authorities with a call to the New-SPTrustedRootAuthority cmdlet.
    • The IssuerID is needed each time you create an add-in in Visual Studio, so store it somewhere safe (e.g. 9F0FF6C4-0DA6-429B-959A-07847DF6BF37).
    • Get the serial number from the app cert – 6114c562000000000005 (steps here – https://msdn.microsoft.com/EN-US/library/office/jj860570.aspx#ConfigureRemote)
  • Configure valid settings for AllowOAuthOverHTTP if needed
    • Set AllowOAuthOverHTTP to FALSE for SSL communication between SharePoint and the provider-hosted add-ins.
    • If any of your IIS websites (either SharePoint or the provider-hosted web add-in) has an HTTP binding, you must set AllowOAuthOverHTTP to TRUE, otherwise you will get a 403 error:

$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $false   # $true only if SharePoint or the remote web still has an HTTP binding
$serviceConfig.Update()                      # without Update() the change is never persisted to the farm
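
The high-trust registration the article defers to its attached presentation, as an added PowerShell example (not the author’s script). It runs as the setup account on a SharePoint server; the IssuerId, certificate file names and the RootCA file are the article’s sample values and are assumed.

```powershell
# Added example of the high-trust registration; not the article's own script.
# Run as the setup account on a SharePoint server.
# IssuerId and file names are the article's samples (assumed); replace them with yours.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerId = '9f0ff6c4-0da6-429b-959a-07847df6bf37'   # lowercase; the same value goes in Web.config IssuerId
$appCer   = 'C:\Certs\NiksHighTrustCert.cer'         # public key only; the PFX stays on the add-in server
$chainCer = @('C:\Certs\RootCAHighTrustCert.cer')    # root and intermediate CAs, one .cer each

function Get-CerFile([string]$path) {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
}

# 1. Every certificate in the chain becomes a trusted root authority in SharePoint
#    (idempotent: names that already exist are skipped).
foreach ($path in @($appCer) + $chainCer) {
    $cer  = Get-CerFile $path
    $name = 'HighTrust ' + [IO.Path]::GetFileNameWithoutExtension($path)
    if (-not (Get-SPTrustedRootAuthority -Identity $name -ErrorAction SilentlyContinue)) {
        New-SPTrustedRootAuthority -Name $name -Certificate $cer | Out-Null
    }
}

# 2. Register the token issuer as "<IssuerId>@<realm>". -IsTrustBroker lets this one
#    issuer sign tokens for many add-ins, which is why a stale or unknown issuer must
#    be removed first (the article's previous step).
$realm      = Get-SPAuthenticationRealm
$fullIssuer = "$issuerId@$realm"
$appCert    = Get-CerFile $appCer
if (-not (Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.RegisteredIssuerName -eq $fullIssuer })) {
    New-SPTrustedSecurityTokenIssuer -Name 'High Trust Add-ins' -Certificate $appCert `
        -RegisteredIssuerName $fullIssuer -IsTrustBroker | Out-Null
}

# 3. Values the Visual Studio project and the release Web.config will need.
#    The serial number is how the Token Issuer code finds the PFX in the add-in server's store.
[pscustomobject]@{
    IssuerId     = $issuerId
    Realm        = $realm
    SerialNumber = $appCert.SerialNumber     # e.g. 6114c562000000000005 in the article
    Thumbprint   = $appCert.Thumbprint
}
```

SharePoint caches the trusted issuer list, so run iisreset on the SharePoint servers after registering a new issuer rather than waiting for the cache to expire.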

High-Trust Provider Hosted Add-ins Deployment

  • High Level App Publishing and Deployment Process
    • On the DNS Servers – Make sure DNS entry is available for Add-ins URL, PING to verify.
    • On Provider Hosted Server – Create IIS Web Site and Virtual Directories to host Add-ins.
    • App Deployment
      • Develop Add-in using Visual Studio predefined templates
      • Register the High Trust Add-in in SharePoint farm using /_layouts/15/appregnew.aspx
      • Update the Web.Config file of App Web with new client Id
      • Publish the App web (remote web)
      • Use the app in SharePoint (add the app to the App Catalog, install the add-in to a site, add the app part to the site)
  • Create Remote web to host Provider Add-in
    • The remote web can be deployed on IIS; make sure ASP.NET is included in the installed features
      • Web Site Name (e.g. ProviderHostedProdApp) and local folder (e.g. C:\inetpub\wwwroot\phprodapp)
      • Add New DNS entry for remote web add-in (e.g. phprodapp.niks.local to server or load-balancer IP) and see if you can ping it
      • Bind this cert with SSL (e.g. *.niks.local), Host Header (e.g. phprodapp.niks.local), and IP (e.g.
      • Ensure .NET Framework 4.0 is selected as the target framework – make sure the application pool is using v4.0, otherwise you will get an error while deploying code
    • Configure Authentication of the Remote Web on IIS
      • Disable Anonymous Authentication for the IIS site hosting Remote Web
      • Enable Windows Authentication for the IIS site hosting the remote web and make sure the NTLM provider is listed above Negotiate
    • Add Virtual Directories to host Add-ins
      • Alias (e.g. prodphapp), Path – (e.g. C:\inetpub\wwwroot\phprodapp\prodphapp)
  • Register the High Trust App in SharePoint farm using /_layouts/15/appregnew.aspx
  • Creating Provider Hosted App using VS Template
    • Visual Studio allows you to create provider hosted add-in projects using predefined templates.
  • Update Visual Studio Project to Publish App Package (Debug/Test)
    • Update the Web.Config file of the app web – VS adds ClientSigningCertificatePath and ClientSigningCertificatePassword. This requires the certificate to be downloaded and stored on the local file system.
    • Sample Web.config:
      <appSettings>
        <add key="ClientId" value="f5b99211-2f48-4747-8af0-bdfbbcf1b1b5" />
        <add key="ClientSigningCertificatePath" value="C:\Certs\NiksHighTrustCert.pfx" />
        <add key="ClientSigningCertificatePassword" value="pass@word1" />
        <add key="IssuerId" value="9f0ff6c4-0da6-429b-959a-07847df6bf37" />
      </appSettings>
    • No changes to the Token Issuer file in the VS project – the Visual Studio template for provider-hosted add-ins contains code to create the access token based on the certificate location.
  • Update Visual Studio Project to Publish App Package (Release/Prod)
    • Update the Web.Config file of the app web – VS adds ClientSigningCertificatePath and ClientSigningCertificatePassword. These shouldn’t be used for production add-ins; instead use ClientSigningCertificateSerialNumber. Find the ClientSigningCertificateSerialNumber from the cert bound to the provider-hosted add-in (e.g. *.niks.local).
    • Sample Web.config:
      <appSettings>
        <add key="ClientId" value="f5b99211-2f48-4747-8af0-bdfbbcf1b1b5" />
        <add key="ClientSigningCertificateSerialNumber" value="6114c562000000000005" />
        <add key="IssuerId" value="9f0ff6c4-0da6-429b-959a-07847df6bf37" />
      </appSettings>
    • Update the Token Issuer file in the VS project – since you are using the serial number instead of the cert path and password for authorization, you need to update the code to retrieve the cert by serial number – see the Token Issuer section here – https://msdn.microsoft.com/en-us/library/office/jj860570.aspx
  • Publish the App web and App Packages
    • Provider-hosted add-ins consist of two projects in Visual Studio
    • Publishing App Web Package
      • Publishing the app web copies the files to the remote web server, where they are deployed on IIS
      • Create AppWeb package from the Visual Studio using publish approach
        • Create Profile (e.g. NiksRemote)
        • Connection – Publish Method – Web deploy package
        • Package Location (e.g. C:\Deploy\ProdProviderHostedAppWeb\ProdProviderHostedAppWeb.zip)
        • Remote IIS Web Site Name (e.g. ProviderHostedProdApp/prodphapp)
        • Click Next – Release and Publish Package
    • Publishing Add-ins Package
      • Publishing the app produces an app file (.app extension) that needs to be uploaded to the App Catalog site to make it available to SharePoint sites
      • Create App package from the Visual Studio using publish approach
  • Deploy the App web and App Packages
    • Deploying App Web Package
      • Copy the package to the remote add-ins server; make sure Web Deploy is installed on the additional server
      • Open a command prompt and run the generated app web deployment .cmd file (e.g. C:\Deploy\ProdProviderHostedAppWeb>ProdProviderHostedAppWeb.deploy.cmd /y)
      • Verify all the contents are getting published on the IIS virtual directory
    • Deploy App Package to App Catalog
      • Navigate to App Catalog and select New App and upload .app file
      • Make sure uploaded App package is valid.
  • Use App in the SharePoint
    • Add an app to a site – navigate to the Add an App page, add the app to the site and trust the add-in
    • Add an app part to the site – add a client web part to the app project, which adds a page to the AppWeb project; upgrade the add-in, redeploy it to the site, and you should see the app part
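
Before publishing the release build described above under “Update Visual Studio Project to Publish App Package (Release/Prod)”, the Web.config can be audited for the debug-only settings and for a usable signing certificate. This is an added PowerShell example, not the author’s code; the Web.config path is assumed, and the appSettings keys are the ones in the article’s samples.

```powershell
# Added pre-deployment audit (not from the article) for the release Web.config of a
# provider-hosted add-in. Run on the add-in (remote web) server; the path is assumed.
$webConfig = 'C:\inetpub\wwwroot\phprodapp\prodphapp\Web.config'

[xml]$cfg = Get-Content -LiteralPath $webConfig
$settings = @{}
foreach ($node in $cfg.configuration.appSettings.add) { $settings[$node.key] = $node.value }
$problems = New-Object System.Collections.Generic.List[string]

# Debug-style settings must not ship: the PFX path and its plaintext password let
# anyone who can read the config or the file system sign tokens as the add-in.
foreach ($k in 'ClientSigningCertificatePath', 'ClientSigningCertificatePassword') {
    if ($settings.ContainsKey($k)) { $problems.Add("$k is present; use ClientSigningCertificateSerialNumber instead") }
}

# The serial number must resolve to a cert with a private key in LocalMachine\My,
# which is where the MSDN Token Issuer sample looks it up (FindBySerialNumber).
$serial = $settings['ClientSigningCertificateSerialNumber']
if (-not $serial) {
    $problems.Add('ClientSigningCertificateSerialNumber is missing')
} else {
    $norm = ($serial -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber.ToUpperInvariant() -eq $norm }
    if (-not $cert)                        { $problems.Add("no certificate with serial $serial in LocalMachine\My; import the PFX") }
    elseif (-not $cert.HasPrivateKey)      { $problems.Add("certificate $serial has no private key (CER imported instead of PFX)") }
    elseif ($cert.NotAfter -lt (Get-Date)) { $problems.Add("certificate $serial expired on $($cert.NotAfter)") }
}

# IssuerId must be the lowercase GUID registered with New-SPTrustedSecurityTokenIssuer;
# ClientId is the GUID issued by appregnew.aspx.
$guid = '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
if ($settings['IssuerId'] -cnotmatch $guid) { $problems.Add('IssuerId must be a lowercase GUID') }
if ($settings['ClientId'] -notmatch $guid)  { $problems.Add('ClientId is not a GUID') }

if ($problems.Count) { $problems | ForEach-Object { "FAIL  $_" }; exit 1 }
'PASS  Web.config uses a store-based signing certificate and valid identifiers'
```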

Hopefully you will be able to navigate the steps mentioned in this article. For more detailed step-by-step guidance, please review my SharePoint Fest presentation.

Posted in SharePoint 2013, SharePoint Apps, VM Scripts