Field experiance on SharePoint Onprem Apps configurations for SharePoint 2016

03/04/2019

Well, It is really hard to configure apps if you have challenging environment so i would like to give some advices and suggestions.

For ADFS 3.0 or Higher

  • Avoid using multiple Relaying Party or IDP. Instead use a single relaying party with single URN and multiple endpoints if you have more than one site url and apps wildcard urls. To able to work with multiple endpoints you need to enable SPTrustedLoginProvider.UseWReplyParameter. https://docs.microsoft.com/en-us/dotnet/api/microsoft.sharepoint.administration.claims.sptrustedloginprovider.usewreplyparameter?view=sharepoint-server
    Example Configuration in ADFS Relaying party:
    Identity :  urn:sharepoint:sts
    Endpoints:
    https://web1.contoso.com/_trust/
    https://web2.contoso.com/_trust/
    https://*.contosoapps.com/_trust/
    https://plan.fabrikam.com/_trust/
    https://*.fabrikamapps.com/_trust/
  • If you have Host Named Site Collection (HNSC) do not use any “extended” zone. Instead use “default” zone with multiple authentication if required. Like NTLM + ADFS.(You can use bypasslogin solution to get rid of authentication selection page)
    Otherwise you may face SiteLookUp failure with sub site collections if you are using SAML authentication with apps url redirection.
  • For Path Based Site Collections (PBSC) (you can use mutiple zones) enable and use Multiple App Domain feature via New-SPWebApplicationAppDomain.
  • Do not use same appdomain name defined in Central Admin -> Apps-> Configure Apps URL if you are using Multiple App Domain feature via New-SPWebApplicationAppDomain.
  • Try to use combined certificates as much as possible. That make possible to use single 443 port both your apps and site urls. (Don’t forget your apps configuration need a wildcard certificate if you want to use SSL)
    (Yes I know our article says you need a different port but it works)
  • Avoid any hostname binding in IIS if you have HNSC.
  • Avoid using SNI for HNSC or Mixed webapplications instead use IP address isolation in bindings for IIS if you have multiple certificates.
  • If you have HNSC web application and wants to create another HSNC web application but you want to use different appdomains. It is possible that may doesn’t work.
  • Multiple PBSC and one HNSC senarios, Only use CA global apps domain for HNSC web application and configure appdomains via multiple app feature for all PBSC.
  • Always test the configuration with a realible app which you know it is working .
  • Double Check DNS configurations and don’t forget to clear DNS cache on your clients and servers if you make any change.
  • For troubleshooting suggestion: Check always where is your request is landing in IIS  and verify the Certificate is correct.
  • LDAPCP doesn’t work with mutliple Trusted Identity Provider.
  • I would suggest use single Trusted Identity Provider.But If you have to using multiple Trusted Identity Provider, you posibble hit “URN” mismatch issue with apps redirection urls. (You can use URL Rewrite to workaround it for related web application)
Advertisement

Filed under SharePoint 2016 Tagged with , , , , , , , , ,

Open in Explorer view problem for SharePoint 2013 SSL with SNI

03/10/2014 Leave a comment

Using with SNI with SharePoint 2013 is supported  but wehn you try to use “Open In Explorer View” is not working.
Unfortunately this problem is not related with SharePoint 2013 nor IIS SNI configuration,

It is related with OS WebClient Service do not support SNI on Win7 and Win8.1.

For a Workaround you may try;
http://blogs.technet.com/b/applicationproxyblog/archive/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2.aspx

 

 

Filed under SharePoint 2013 Tagged with , , ,