Sharing AppDomains between web applications in SharePoint 2013

Sharing an app domain between web applications is a gray area, so I decided to write an article about it.

Scope note:

  • This article does not cover how to create and configure apps for SharePoint 2013. You can find more information at the end of the article (Resources section).
  • This article does not cover SSL configuration.

In SharePoint 2013, sharing an app domain (for example ContosoApps.com) between different web applications is possible, but there are some limitations:

1) App domains can be shared across web applications if the zone, application pool identity and authentication scheme match. For example, suppose that webappA is configured to use the Default zone and webappB is also configured to use the Default zone. In addition, both web applications use the same application pool identity, and both use NTLM. In this scenario the web applications can share a single app domain.

2) Only one app domain can be shared between different web applications. (Yes, with the March 2013 PU you can use multiple app domains, but that does not mean you can share them directly; more on that below.)
The shared app domain is defined in Central Administration -> Apps -> Configure App URLs


Or via PowerShell:

Set-SPAppDomain <appDomain>
Set-SPAppSiteSubscriptionName -Name "app" -Confirm:$false

* As you can see, SharePoint allows only one global app domain via the Set-SPAppDomain cmdlet.
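Before relying on the single shared app domain, it is worth checking the three conditions from point 1 (same zone, same application pool identity, same authentication scheme) for the web applications you intend to share it across. The script below is an added example, not part of the original article; it reads the farm's app domain and, for the three web application URLs used later in this article, reports the Default-zone app pool identity and authentication mode, warning where they differ. It assumes you run it in the SharePoint 2013 Management Shell as a farm administrator.

```powershell
# Added example (not from the original article): check whether a set of web
# applications meets the conditions for sharing the single farm app domain:
# same zone, same application pool identity, same authentication scheme.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ZoneAuthSummary {
    # Summarise the authentication configuration of one web application zone.
    param(
        [Microsoft.SharePoint.Administration.SPWebApplication]$WebApp,
        [Microsoft.SharePoint.Administration.SPUrlZone]$Zone = 'Default'
    )
    $iis = $WebApp.GetIisSettingsWithFallback($Zone)
    if ($WebApp.UseClaimsAuthentication) {
        # Claims mode: list the provider display names (Windows, FBA, SAML, ...)
        $auth = ($iis.ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }) -join '+'
    } elseif ($iis.UseWindowsIntegratedAuthentication) {
        $auth = if ($iis.DisableKerberos) { 'Classic/NTLM' } else { 'Classic/Kerberos' }
    } else {
        $auth = 'Classic/Other'
    }
    New-Object PSObject -Property @{
        WebApplication = $WebApp.DisplayName
        Url            = $WebApp.GetResponseUri($Zone).AbsoluteUri
        Zone           = $Zone
        AppPool        = $WebApp.ApplicationPool.Name
        AppPoolUser    = $WebApp.ApplicationPool.Username
        Auth           = $auth
    }
}

function Test-AppDomainShareable {
    # $true when every listed web application has the same app pool identity
    # and the same auth scheme in the given zone; prints the details first.
    param(
        [string[]]$WebAppUrls,
        [Microsoft.SharePoint.Administration.SPUrlZone]$Zone = 'Default'
    )
    $rows = foreach ($u in $WebAppUrls) {
        Get-ZoneAuthSummary -WebApp (Get-SPWebApplication $u) -Zone $Zone
    }
    $rows | Format-Table WebApplication, Url, Zone, AppPool, AppPoolUser, Auth -AutoSize | Out-Host
    $identities = @($rows | ForEach-Object { $_.AppPoolUser } | Sort-Object -Unique)
    $schemes    = @($rows | ForEach-Object { $_.Auth }        | Sort-Object -Unique)
    if ($identities.Count -gt 1) { Write-Warning "App pool identities differ: $($identities -join ', ')" }
    if ($schemes.Count    -gt 1) { Write-Warning "Authentication schemes differ: $($schemes -join ', ')" }
    return ($identities.Count -eq 1 -and $schemes.Count -eq 1)
}

# The single shared app domain and app prefix currently configured in the farm
Write-Host "Farm app domain: $(Get-SPAppDomain)"
Write-Host "App site subscription name: $(Get-SPAppSiteSubscriptionName)"

# The three web applications from this article (Jüpiter, Neptün, Uranüs)
if (Test-AppDomainShareable -WebAppUrls 'http://jupiter', 'http://neptun', 'http://uranus') {
    Write-Host 'These web applications can share the farm app domain.'
} else {
    Write-Host 'Fix the differences above before expecting app URLs to resolve for all of them.'
}
```

If you share one application pool for all three (as suggested below), the identity check is trivially satisfied and only the zone and authentication columns remain to compare.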

Let's look at an example. I assume that you have already created a forward lookup zone in DNS and set a wildcard CNAME record for the "ContosoApps.com" alias pointing at the SharePoint web front end.


For the detailed configuration please read the following TechNet article (as I said, it is out of scope here):
-> Configure an environment for apps for SharePoint (SharePoint 2013)
https://technet.microsoft.com/en-us/library/fp161236.aspx

We want to share the "ContosoApps.com" app domain across 3 different web applications.

Web Application 1: Jüpiter
URL: http://jupiter
Bindings: HTTP:jupiter:80
Zone: Default
Application Pool: JupiterAppPool
Identity: Contoso\spfarm

Web Application 2: Neptün
URL: http://neptun
Bindings: HTTP:neptun:80
Zone: Default
Application Pool: NeptunAppPool
Identity: Contoso\spfarm

Web Application 3: Uranüs
URL: http://uranus
Bindings: HTTP:uranus:80
Zone: Default
Application Pool: UranusAppPool
Identity: Contoso\spfarm

(* If you want, you can also use the same application pool for all of them.)

All three web applications have a host header binding, so we need another IIS site (it does not have to be a SharePoint web application, although you may create it as one). This is a dummy site with no site collection inside; we use it only for its binding. The binding is HTTP::80:* (wildcard, no host header; IIS shows it as *:80:) and it must accept every request on port 80 that no host-header binding matches. Why? Because a request like
http://apps-85f5fc12a6a559.contosoapps.com must land on some IIS site, and the "HTTP::80:*" binding is what catches this kind of request. The site's application pool must run under the same identity (Contoso\spfarm).

AppHost Web Application : Name -> AppHost
Url : (N/A)
Bindings :HTTP::80:*
Application Pool : AppHostPool
Identity : Contoso\spfarm

For more details see the "Routing Web Application" section of http://blogs.technet.com/b/mspfe/archive/2013/01/31/configuring-sharepoint-on-premise-deployments-for-apps.aspx

So far so good. As you noticed, we have not enabled the "SupportMultipleAppDomains" feature, which the March 2013 PU added to SharePoint 2013.

Steve Peschka describes the SSL version of this configuration here:
http://blogs.technet.com/b/speschka/archive/2012/09/03/planning-the-infrastructure-required-for-the-new-app-model-in-sharepoint-2013.aspx

Now it is time to test. I used the Yammer app from the SharePoint Store.

After installing the Yammer app on the Jüpiter and Neptün sites, the browser shows the app web for both sites under the shared ContosoApps.com domain, each with its own apps-<id> prefix.

Note: do not use the System Account when you add apps!

Each installed instance of an app for SharePoint has its own URL. So if you have only one app in your environment but it is installed on six different sites, you will have six different app URLs. As you can see from the two sites above, the app ID (the apps-<id> prefix) changes per installation.

What about enabling the multiple app domains feature?

“One of the feature updates of the March 2013 Public Update for SharePoint 2013 enables you to use multiple app domains in SharePoint 2013 environments with alternate access mapping or host-header web application configurations. Before the Public Update, you could only host one app domain and it had to be in the Default zone. You could not use the app domain on alternate access mappings or host-header web application configurations. The Public Update enables you to configure an app domain for each web application zone and use alternate access mapping and host-header web application configuration.”
https://technet.microsoft.com/en-us/library/dn144963.aspx

With the March 2013 PU, SharePoint 2013 lets you use more than one app domain for one web application (one per zone), but you cannot share an app domain assigned this way between zones or between different web applications. The feature extends the SharePoint PowerShell cmdlets with
New-SPWebApplicationAppDomain
Get-SPWebApplicationAppDomain
Remove-SPWebApplicationAppDomain
These cmdlets provide isolation, not sharing!

Example:
We add a 4th web application to the farm. In this scenario we do not want to use the shared app domain (ContosoApps.com); we want to assign a different app domain (FabrikamApps.com) to this web application.

Web Application 4: Titan
URL: http://titan.fabrikam.com
Bindings:
HTTP:titan.fabrikam.com:80
HTTP::81:* (Why a second binding on a different port? Because the app domain requires a wildcard binding, and the port 80 wildcard is already taken by the AppHost site.)
Application Pool: TitanAppPool
Identity: Contoso\SPWeb

We need to enable the multiple app domains feature. After enabling it ($contentService.SupportMultipleAppDomains = $true on the farm's SPWebService.ContentService, followed by $contentService.Update()), we can assign this web application a different app domain. (For more info please read https://technet.microsoft.com/en-us/library/dn144963.aspx)

Create another forward lookup zone in DNS for the second app domain, e.g. FabrikamApps.com.

Then we can assign this app domain to the 4th web application:

New-SPWebApplicationAppDomain -AppDomain "FabrikamApps.com" -Port 81 -WebApplication http://titan.fabrikam.com

And test with an app (again I use the Yammer app): the app web now resolves under FabrikamApps.com.

I will continue the scenario by adding another web application:

Web Application 5: Europa
URL: http://europa.fabrikam.com
Bindings:
HTTP:europa.fabrikam.com:80
HTTP::82:*
Application Pool: EuropaPool
Identity: Contoso\SPWeb

If we try to assign the same app domain (FabrikamApps.com) to the 5th web application, by design we get the following error, because only one app domain in a farm can be shared, the farm-wide one set with Set-SPAppDomain (the "old way"), which here is ContosoApps.com:

PS C:\Users\spfarm> New-SPWebApplicationAppDomain -AppDomain "FabrikamApps.com" -Port 82 -WebApplication http://europa

New-SPWebApplicationAppDomain : We can't set this app domain because it's
already being used by a different web application or for a different zone.

* Using the multiple app domains feature we can extend one of the web applications to a different zone (like Internet), for example "Jüpiter" -> jupiter.fabrikam.com, and assign it a different app domain, but we cannot reuse or share an app domain that is already assigned to another web application, or to the same web application in a different zone!

What you can do:

You can "share" the second domain by putting a distinct subdomain in front of it for each web application, like
TitanApps.FabrikamApps.com
EuropaApps.FabrikamApps.com
Each of these is a separate app domain from SharePoint's point of view, so the one-app-domain-per-zone rule is satisfied, while a single parent DNS zone (FabrikamApps.com) serves both.

The configuration looks like this:
(if you assigned an app domain to the Europa or Titan web application before, you have to remove that app domain first with Remove-SPWebApplicationAppDomain)

New-SPWebApplicationAppDomain -AppDomain TitanApps.FabrikamApps.com -Zone Default -WebApplication http://titan -Port 81
(depending on your configuration you may need to add a free port binding, like HTTP::81:*, to the dummy routing IIS site, i.e. one that is not used by SharePoint or any other application)

New-SPWebApplicationAppDomain -AppDomain EuropaApps.FabrikamApps.com -Zone Default -WebApplication http://europa -Port 82
(likewise you may need to add a free port binding, like HTTP::82:*, to the same routing IIS site)

(Don't forget to run IISRESET after using these cmdlets.)
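The steps above (enable the feature, drop any app domain already assigned in the zone, make sure the routing site has a wildcard binding on the chosen port, assign the per-web-application subdomain, IISRESET) are easy to get out of order by hand. The script below is an added example, not code from the original article: it wraps those steps into functions and applies them to the Titan and Europa web applications. It assumes the routing IIS site is named "AppHost" as in this article, that the WebAdministration module is available on the server, and that you run it in the SharePoint 2013 Management Shell as a farm administrator.

```powershell
# Added example (not from the original article): assign one app domain per
# web application under a single parent DNS zone, as in the Titan/Europa case.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

function Enable-MultipleAppDomains {
    # March 2013 PU switch; without it New-SPWebApplicationAppDomain is refused.
    $cs = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    if (-not $cs.SupportMultipleAppDomains) {
        $cs.SupportMultipleAppDomains = $true
        $cs.Update()
        Write-Host 'SupportMultipleAppDomains enabled (IISRESET still required).'
    }
}

function Add-RoutingBinding {
    # Make sure the routing site has a host-header-less binding on the port the
    # app domain will use; IIS stores such a binding as "*:<port>:".
    param([string]$SiteName, [int]$Port)
    $existing = Get-WebBinding -Name $SiteName -Protocol http |
        Where-Object { $_.bindingInformation -eq "*:${Port}:" }
    if (-not $existing) {
        New-WebBinding -Name $SiteName -Protocol http -IPAddress '*' -Port $Port
        Write-Host "Added binding *:${Port}: to IIS site '$SiteName'."
    }
}

function Set-WebAppAppDomain {
    # Replace whatever app domain the web application has in this zone with
    # $AppDomain. Remove first: the cmdlet refuses an app domain that is already
    # in use by another web application or zone.
    param(
        [string]$WebAppUrl,
        [string]$AppDomain,
        [int]$Port,
        [Microsoft.SharePoint.Administration.SPUrlZone]$Zone = 'Default',
        [string]$RoutingSite = 'AppHost'   # assumption: the dummy routing site from the article
    )
    $wa = Get-SPWebApplication $WebAppUrl
    Get-SPWebApplicationAppDomain -WebApplication $wa -Zone $Zone -ErrorAction SilentlyContinue |
        Remove-SPWebApplicationAppDomain -Confirm:$false
    Add-RoutingBinding -SiteName $RoutingSite -Port $Port
    New-SPWebApplicationAppDomain -AppDomain $AppDomain -WebApplication $wa -Zone $Zone -Port $Port
}

Enable-MultipleAppDomains

# One subdomain per web application under FabrikamApps.com, on distinct ports,
# because port 80 on the routing site already serves the shared ContosoApps.com.
Set-WebAppAppDomain -WebAppUrl 'http://titan.fabrikam.com'  -AppDomain 'TitanApps.FabrikamApps.com'  -Port 81
Set-WebAppAppDomain -WebAppUrl 'http://europa.fabrikam.com' -AppDomain 'EuropaApps.FabrikamApps.com' -Port 82

# Review the result, then restart IIS so the bindings and the feature take effect.
Get-SPWebApplicationAppDomain | Format-List *
iisreset
```

Run it on each web front end that hosts the routing site, since IIS bindings are per server while the app domain assignment is farm-wide. Remember that each new subdomain still needs its own DNS entry (a wildcard record under FabrikamApps.com covers both TitanApps and EuropaApps only if you create it as *.FabrikamApps.com; otherwise add *.TitanApps.FabrikamApps.com and *.EuropaApps.FabrikamApps.com).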

After that, when you add the Yammer app to both sites, you will see app URLs like these:

apps-da8447c0b8f71e.TitanApps.FabrikamApps.com for http://titan
apps-zd4847s0b5f63d.EuropaApps.FabrikamApps.com for http://europa


Resources:
Configure an environment for apps for SharePoint (SharePoint 2013)
https://technet.microsoft.com/en-us/library/fp161236.aspx
Enable apps in AAM or host-header environments for SharePoint 2013
https://technet.microsoft.com/en-us/library/dn144963.aspx
Configuring SharePoint on-premise deployments for apps (MSPFE blog)
http://blogs.technet.com/b/mspfe/archive/2013/01/31/configuring-sharepoint-on-premise-deployments-for-apps.aspx
Setting up your app domain for SharePoint 2013 (SharePoint Chick)
http://sharepointchick.com/archive/2012/07/29/setting-up-your-app-domain-for-sharepoint-2013.aspx
Planning the infrastructure required for the new app model in SharePoint 2013 (Steve Peschka)
http://blogs.technet.com/b/speschka/archive/2012/09/03/planning-the-infrastructure-required-for-the-new-app-model-in-sharepoint-2013.aspx


Clean up – Search Service Application in SharePoint 2013

Something went wrong and it looks like you could not delete a Search Service Application (SSA) correctly. The purpose of this article is to show which components a Search Service Application consists of, so you know what to look for.

OK, let's break our Search Service Application. Don't try this in production :) I assume that you have a fully running SSA and we will break it for test purposes.
Open a SharePoint PowerShell console and type:

$SSA = Get-SPEnterpriseSearchServiceApplication
(if you have more than one SSA you need to add -Identity to get the correct one)

Now let's create the scenario: assume that someone deleted our good SSA like this:

$SSA.Delete()

Oops. Now you have a big problem, because deleting the service application object itself is not the correct action. It clears the service application object, but a Search Service Application has many other components (IIS web service, timer jobs, databases, etc.) and they remain. Unfortunately there is no warning when you do it.
If you really want to remove a service application, use the Remove-SPServiceApplication cmdlet; do not call the object's Delete() method.

To know what is left over, we need to know which components are created when a Search Service Application is provisioned:

- An IIS web application under the SharePoint Web Services site.
- 8 timer jobs for every SSA:

  • “Search Custom Dictionaries Update for Search Application <guid of SSA>”
  • “Crawl Log Cleanup for Search Application <guid of SSA>”
  • “Rebalance crawl store partitions for <guid of SSA>”
  • “Usage Analytics Timer Job for Search Application <guid of SSA>”
  • “Spelling Customizations Upgrade for Search Application <guid of SSA>”
  • “Spelling Dictionary Update for Search Application <guid of SSA>”
  • “Analytics Timer Job for Search Service Application <guid of SSA>”
  • “Query Classification Dictionary Update for Search Application <guid of SSA>”

- Normally, a Search Service Application Proxy.
- That proxy is consumed by several web applications.
- A Search Administration Web Service (used for crawl operations; the crawl component is not a FAST Search-derived part and does not run under the noderunner.exe process).

Actions:
The supported action for this scenario, per Microsoft, is a restore from backup!
But if you want to get to a clean state on a test environment you may try this:

1) Remove the search service databases (Search Administration, Analytics Reporting, Crawl and Link databases).
2) Open IIS, find the search service related web application under SharePoint Web Services, and delete only that one.
3) Clean up all SSA connections at web application level:
- Open Central Administration -> Manage Web Applications -> select the web application -> click Service Connections on the ribbon.
4) Remove the SSA proxy if it is still there.
5) Remove the Search Administration Web Service Application if it exists.

6) Clear the timer jobs that belong to the deleted SSA (otherwise they will make log noise with critical exceptions).
(I accept this can have consequences, and in some scenarios you may not be able to delete some of the remaining timer jobs easily, but at least you can disable them.)
To clear everything completely you may need to open a case with Microsoft.

Even so, many objects still remain in the SharePoint_Config database. Deleting them directly from the database is an unsupported operation!
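Because the SSA object is gone after $SSA.Delete(), you can no longer ask it for its GUID, database names or proxy, which is exactly what steps 1 to 6 need. The script below is an added example, not code from the original article: on a test farm it records that inventory first, performs the bad delete, then lists what is left behind (timer jobs, the IIS application under SharePoint Web Services, databases, proxies) and disables the orphaned timer jobs, which is the only change it makes. It assumes the SSA's timer job names and its IIS application path contain the SSA GUID (as the job names listed above show), that the WebAdministration module is available, and that you run it in the SharePoint 2013 Management Shell as a farm administrator.

```powershell
# Added example (not from the original article): inventory an SSA's parts
# before it is broken, list the leftovers afterwards, disable orphaned jobs.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

function Get-SsaInventory {
    # Capture the identifiers we will need after the SSA object is gone.
    param($Ssa)
    $id = $Ssa.Id.ToString()
    New-Object PSObject -Property @{
        Id        = $Ssa.Id
        Name      = $Ssa.Name
        Databases = @(Get-SPDatabase | Where-Object { $_.Type -like '*Search*' } | ForEach-Object { $_.Name })
        Proxies   = @(Get-SPServiceApplicationProxy | Where-Object { $_.TypeName -like '*Search*' } | ForEach-Object { $_.Name })
        TimerJobs = @(Get-SPTimerJob | Where-Object { $_.Name -like "*$id*" -or $_.DisplayName -like "*$id*" } | ForEach-Object { $_.Name })
    }
}

function Get-SsaLeftovers {
    # Everything that still references the (now deleted) SSA.
    param($Inventory)
    $id = $Inventory.Id.ToString()
    New-Object PSObject -Property @{
        SsaStillExists = [bool](Get-SPServiceApplication -Identity $Inventory.Id -ErrorAction SilentlyContinue)
        TimerJobs      = @(Get-SPTimerJob | Where-Object { $_.Name -like "*$id*" -or $_.DisplayName -like "*$id*" })
        # assumption: the IIS application under "SharePoint Web Services" is named after the SSA GUID
        IisApps        = @(Get-WebApplication -Site 'SharePoint Web Services' | Where-Object { $_.path -like "*$id*" })
        Databases      = @(Get-SPDatabase | Where-Object { $Inventory.Databases -contains $_.Name })
        Proxies        = @(Get-SPServiceApplicationProxy | Where-Object { $Inventory.Proxies -contains $_.Name })
    }
}

function Disable-OrphanedSsaTimerJobs {
    # Step 6 of the clean-up: stop the log noise without touching the config DB.
    param($Leftovers)
    foreach ($job in $Leftovers.TimerJobs) {
        if (-not $job.IsDisabled) {
            Disable-SPTimerJob -Identity $job
            Write-Host "Disabled timer job: $($job.DisplayName)"
        }
    }
}

# --- test-farm walkthrough, mirroring the article ---
$SSA = Get-SPEnterpriseSearchServiceApplication     # add -Identity if you have several
$inv = Get-SsaInventory -Ssa $SSA
"SSA '$($inv.Name)' ($($inv.Id)): $($inv.Databases.Count) database(s), $($inv.TimerJobs.Count) timer job(s), $($inv.Proxies.Count) proxy(ies)"

$SSA.Delete()                                       # the wrong way, as demonstrated above

$left = Get-SsaLeftovers -Inventory $inv
"Service application object still present: $($left.SsaStillExists)"
"Orphaned timer jobs : $($left.TimerJobs.Count)"
"Orphaned IIS apps   : $($left.IisApps.Count)"
"Databases remaining : $($left.Databases.Count)"
"Proxies remaining   : $($left.Proxies.Count)"
Disable-OrphanedSsaTimerJobs -Leftovers $left
```

Keep the inventory output; it is the list you work from for steps 1 to 5 (database names for SQL, the GUID for the IIS application, proxy names for the Service Connections dialog). Everything the script reports as remaining is still a row in SharePoint_Config, which is why the end state on a real farm is a support case or a restore rather than a manual DELETE.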


PeoplePicker – Double Users and Diacritic issue

This is another well-known issue acknowledged by Microsoft.
Here are two typical descriptions of it:

* Inconsistencies in some user profiles where the user Account name attribute varies between e.g. Domain\aloş and Domain\alos. This is visible in SharePoint Central Administration > User Profile Service Application > Manage User Profiles and Edit User Profile, and it breaks approval workflows that use InfoPath forms.

* After connecting the local domain to the SharePoint server, users whose logins contain diacritics are displayed wrongly in SharePoint. Also, when searching for such a user in the People Picker we get two accounts: one with diacritics in the account name and one without.
In the UPA the profile contains the correct account name (without diacritics).

Reproducing the issue:
Add a user in Active Directory. In this example we add the TESTMOSS2010T\Berkc user.


Log in to SharePoint for the first time as a site collection administrator (which should be a different account from our test user) and try to grant permission to the user, but type it with a diacritic: berkç (use 'ç' instead of 'c').

When you check the name and hover the mouse over the resolved user text, it shows the account as "TESTMOSS2010T\berkç". So far so good: SharePoint accepts it without any problem when you click OK.

If you search for the user, it shows only one result, "berkç".

If we try without the diacritic, "berkc", it is also accepted.

But wait a minute: if you hover the mouse over the resolved user text, it still shows the account as
"TESTMOSS2010T\berkç".
Hmm, that looks strange. (SharePoint has already saved the data in the UserInfo table and the User Information List as 'berkç', and SharePoint is clever enough to understand that this is the same user, because both spellings resolve to the same SID. PS: if the SIDs are different, that is a totally different problem and out of scope for this article :) )

You can see it in the UserInfo table and in the User Information List.

Well, I don't want to keep it like this. This user should be "TESTMOSS2010T\berkc", so how can I change it?
Move-SPUser helps here.

$user = Get-SPUser -Identity "TESTMOSS2010T\berkç" -Web <web Url>
Move-SPUser -Identity $user -NewAlias "TESTMOSS2010T\berkc" -IgnoreSID
(In some scenarios it doesn't work; in that case you may need to delete the user from SharePoint and add it again.)
After I changed the user account, hmm, now I can see 2 accounts when I search in the People Picker.

Why? The reason is the LSA cache. The very first time we queried AD as "berkç", AD accepted it (how AD resolves user names with diacritics is a separate configuration issue that I don't cover here) and the server's LSA cache stored the mapping as "berkç". The People Picker uses both the SharePoint databases and AD to show results. In this condition the SharePoint database (User Information List) returns "berkc", while the AD query is answered from the LSA cache and shows us "berkç".

The LSA maintains a SID cache on domain member computers. This cache stores mappings between SIDs and user names. If the SID information exists in the local cache, the LSA returns the cached user name instead of checking whether the user name has changed.
The local SID cache helps reduce domain controller workload and network traffic. However, inconsistencies may occur between the local cache and the domain controllers.

If you want to get rid of this behaviour, disable the LSA cache: http://support.microsoft.com/kb/946358.

To work around this issue, disable the local SID cache on the domain member computer. To do this, follow these steps:

  1. Open Registry Editor. To do this in Windows XP or in Windows Server 2003, click Start, click Run, type regedit, and then click OK.

    To do this in Windows Vista and newer, Click Start, type regedit in the Start Search box, and then press ENTER.

  2. Locate and then right-click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Point to New, and then click DWORD Value.
  4. Type LsaLookupCacheMaxSize, and then press ENTER.
  5. Right-click LsaLookupCacheMaxSize, and then click Modify.
  6. In the Value data box, type 0, and then click OK.
  7. Exit Registry Editor.

Note The LsaLookupCacheMaxSize registry entry sets the maximum number of cached mappings that can be saved in the local SID cache. The default maximum number is 128. When the LsaLookupCacheMaxSize registry entry is set to 0, the local SID cache is disabled.

Unfortunately, given this design, there is no other resolution.
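The fix above was done for one known user. The script below is an added example, not code from the original article: it finds every user in a web whose login name still contains diacritics, shows the diacritic-free alias it would move each one to, applies Move-SPUser -IgnoreSID (the SID is unchanged, only the spelling of the alias is corrected), and then sets LsaLookupCacheMaxSize to 0 on the server as the KB article describes, so the LSA stops answering from its stale "berkç" entry. It assumes you run it elevated in the SharePoint 2013 Management Shell on each web front end, and that the web URL http://jupiter is yours to replace; in claims mode the login carries the i:0#.w| prefix, which the normalisation leaves intact.

```powershell
# Added example (not from the original article): rename SharePoint users whose
# login contains diacritics, then disable the LSA SID cache (KB 946358).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Remove-Diacritics {
    # "berkç" -> "berkc": decompose into base letter + combining mark (FormD),
    # then drop the combining marks (Unicode category Mn).
    param([string]$Text)
    $decomposed = $Text.Normalize([Text.NormalizationForm]::FormD)
    return ($decomposed -replace '\p{Mn}', '')
}

function Get-DiacriticUsers {
    # Every SPUser in the web whose login differs from its diacritic-free form.
    param([string]$WebUrl)
    $web = Get-SPWeb $WebUrl
    try {
        foreach ($u in Get-SPUser -Web $web -Limit All) {
            $plain = Remove-Diacritics $u.LoginName
            if ($plain -ne $u.LoginName) {
                New-Object PSObject -Property @{
                    Login    = $u.LoginName
                    NewAlias = $plain
                    Sid      = $u.Sid
                }
            }
        }
    } finally { $web.Dispose() }
}

function Repair-DiacriticUsers {
    # Apply Move-SPUser to each hit; -IgnoreSID because only the alias spelling
    # changes, the account (SID) stays the same. -WhatIf only lists the moves.
    param([string]$WebUrl, [switch]$WhatIf)
    foreach ($hit in Get-DiacriticUsers -WebUrl $WebUrl) {
        Write-Host "$($hit.Login) -> $($hit.NewAlias) (SID $($hit.Sid))"
        if (-not $WhatIf) {
            $user = Get-SPUser -Identity $hit.Login -Web $WebUrl
            Move-SPUser -Identity $user -NewAlias $hit.NewAlias -IgnoreSID -Confirm:$false
        }
    }
}

function Disable-LsaSidCache {
    # KB 946358: LsaLookupCacheMaxSize = 0 turns the local SID/name cache off.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $key -Name 'LsaLookupCacheMaxSize' -Value 0 -Type DWord
    return (Get-ItemProperty -Path $key).LsaLookupCacheMaxSize
}

# Dry run first, review the list, then apply and disable the cache that keeps
# serving the old spelling to the People Picker.
Repair-DiacriticUsers -WebUrl 'http://jupiter' -WhatIf
Repair-DiacriticUsers -WebUrl 'http://jupiter'
"LsaLookupCacheMaxSize is now $(Disable-LsaSidCache) (0 = disabled)"
```

Review the dry run before applying: letters without a canonical decomposition (the Turkish dotless ı, for example) are not changed by Remove-Diacritics, and if Move-SPUser fails for a user you are back to the article's fallback of removing and re-adding that user.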