Field experiance on SharePoint Onprem Apps configurations for SharePoint 2016

Well, It is really hard to configure apps if you have challenging environment so i would like to give some advices and suggestions.

For ADFS 3.0 or Higher

  • Avoid using multiple Relaying Party or IDP. Instead use a single relaying party with single URN and multiple endpoints if you have more than one site url and apps wildcard urls. To able to work with multiple endpoints you need to enable SPTrustedLoginProvider.UseWReplyParameter. https://docs.microsoft.com/en-us/dotnet/api/microsoft.sharepoint.administration.claims.sptrustedloginprovider.usewreplyparameter?view=sharepoint-server
    Example Configuration in ADFS Relaying party:
    Identity :  urn:sharepoint:sts
    Endpoints:
    https://web1.contoso.com/_trust/
    https://web2.contoso.com/_trust/
    https://*.contosoapps.com/_trust/
    https://plan.fabrikam.com/_trust/
    https://*.fabrikamapps.com/_trust/
  • If you have Host Named Site Collection (HNSC) do not use any “extended” zone. Instead use “default” zone with multiple authentication if required. Like NTLM + ADFS.(You can use bypasslogin solution to get rid of authentication selection page)
    Otherwise you may face SiteLookUp failure with sub site collections if you are using SAML authentication with apps url redirection.
  • For Path Based Site Collections (PBSC) (you can use mutiple zones) enable and use Multiple App Domain feature via New-SPWebApplicationAppDomain.
  • Do not use same appdomain name defined in Central Admin -> Apps-> Configure Apps URL if you are using Multiple App Domain feature via New-SPWebApplicationAppDomain.
  • Try to use combined certificates as much as possible. That make possible to use single 443 port both your apps and site urls. (Don’t forget your apps configuration need a wildcard certificate if you want to use SSL)
    (Yes I know our article says you need a different port but it works)
  • Avoid any hostname binding in IIS if you have HNSC.
  • Avoid using SNI for HNSC or Mixed webapplications instead use IP address isolation in bindings for IIS if you have multiple certificates.
  • If you have HNSC web application and wants to create another HSNC web application but you want to use different appdomains. It is possible that may doesn’t work.
  • Multiple PBSC and one HNSC senarios, Only use CA global apps domain for HNSC web application and configure appdomains via multiple app feature for all PBSC.
  • Always test the configuration with a realible app which you know it is working .
  • Double Check DNS configurations and don’t forget to clear DNS cache on your clients and servers if you make any change.
  • For troubleshooting suggestion: Check always where is your request is landing in IIS  and verify the Certificate is correct.
  • LDAPCP doesn’t work with mutliple Trusted Identity Provider.
  • I would suggest use single Trusted Identity Provider.But If you have to using multiple Trusted Identity Provider, you posibble hit “URN” mismatch issue with apps redirection urls. (You can use URL Rewrite to workaround it for related web application)