
Monday, April 22, 2013

SharePoint 2013 - app prompting for credentials

I have developed an app in an Office 365 site, and everything went well for the app in the Office 365 site. I have developed the same app for SharePoint 2013, using Visual Studio Office development tools. Before deploying an app to a SharePoint server, we need to check the following list of things on the SharePoint server:

  • Create an App Domain-- Done
  • Run Shared Service Instances-- Done
  • Check App Service and SharePoint Subscription services are running in the server-- Done
  • Create Subscription Settings Service Application, Subscription Settings Service Application Proxy through PowerShell-- Done
  • Create App Management Service, App Management Service Proxy-- Done
  • Add App prefix-- Done
  • Add App Domain to the List of Intranet Sites in Internet Options-- Done 

I deployed the app to the SharePoint site. While accessing the app through the SharePoint site, it is prompting for credentials. I have tried many times with different credentials, redeployed the app to the SharePoint site and restarted my machine. No luck.. :(

I have googled for the same issue, and in the Microsoft forums I got some clue on the issue. The issue here is that we need to set the value for the DisableLoopbackCheck registry key.

What is Loop Back Check
Starting with Windows Server 2003 SP1, there is a security feature called the loopback check. It prevents the server from calling itself through a host name, which is what SharePoint does. As a result, SharePoint prompts us to enter credentials.

I have followed these steps to fix this error:

Go to Registry Editor (Run --> regedit).

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Right-click Lsa --> New --> DWORD Value.

Type DisableLoopbackCheck, and then press ENTER.

Right-click DisableLoopbackCheck --> Modify.

Change the value from 0 to 1 and click OK.

Quit Registry Editor and restart the computer.

That's it. My issue got fixed and I am able to see my custom app. Hope this helps you.
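Setting DisableLoopbackCheck to 1 turns the loopback check off for every host name on the machine. Windows also supports a narrower setting, the BackConnectionHostNames multi-string value under Lsa\MSV1_0, which exempts only the host names listed in it. The following PowerShell is an added example, not part of the original post; it reports which of the two settings a server uses and adds host names to the scoped list. The host name shown is a constructed placeholder and the function names are hypothetical.

```powershell
# Added example: audit and scope the loopback-check exemption (run elevated).
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

function Get-LoopbackCheckState {
    # Read both values; a missing value simply comes back as $null.
    $disable = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck `
                -ErrorAction SilentlyContinue).DisableLoopbackCheck
    $names   = (Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
                -ErrorAction SilentlyContinue).BackConnectionHostNames
    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        LoopbackCheckDisabled   = ($disable -eq 1)   # the global switch from the steps above
        BackConnectionHostNames = @($names | Where-Object { $_ })
    }
}

function Add-BackConnectionHostName {
    param([Parameter(Mandatory)][string[]]$HostName)
    # Merge with whatever is already listed so existing exemptions are kept.
    $current = (Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
                -ErrorAction SilentlyContinue).BackConnectionHostNames
    [string[]]$merged = @($current; $HostName) | Where-Object { $_ } | Sort-Object -Unique
    New-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    $merged
}

# Report the current state of this server.
Get-LoopbackCheckState

# Exempt one specific app host name (constructed placeholder), then restart as in the steps above:
# Add-BackConnectionHostName -HostName 'app-0123456789abcd.apps.example.local'

# Once the needed names are listed, the global switch can be removed again:
# Remove-ItemProperty -Path $lsa -Name DisableLoopbackCheck
```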

Thursday, March 28, 2013

SharePoint 2013 - App Permissions, Authentication, Authorization

An app in SharePoint gets the permissions that it needs while the app is being installed, from the user who installs the app. App permissions are granted through the AppManifest.xml file during development of an app. The user who installs the app may grant all the permissions that he or she has, or may grant no permissions. So the permissions passed from the user to an app are either all the permissions of the user or no permissions.

Generally, an app contains the following information:

  • Display name
  • Client ID of the app
  • App domain

Generally, Windows Azure Access Control Service (ACS) stores all the basic information of an app, such as the display name and app URL. When a SharePoint user installs the app, SharePoint 2013 gets the information from ACS and stores it in the App Management service. Later on, the content database service and the User Profile service get the information from the App Management shared service.

In SharePoint 2013, apps have their own identity, called the app principal. Unlike users and groups in SharePoint, the app principal has permissions and rights. The app principal requests SharePoint to host the app web, because it has full permissions.

Permission Scopes:
In SharePoint we have different permission scopes: Site, Web site, List, Library and Tenancy. Here, Site indicates the site level, Web site indicates the web site level, and List/Library indicates the list/library level scope. Permissions apply to the child scopes as well: if the scope is Site, the permissions are inherited across the entire site level and apply to all the children in that site.

Permission Rights:
SharePoint 2013 apps support four kinds of permission levels: Read, Write, Manage and Full Control. These permissions are the same as the regular SharePoint Reader, Contributor, Designer and Full Control. To avoid confusion between the rights, the right names were made unique, except for Full Control, because the Full Control permission level cannot be customized. Read, Write, Manage and Full Control are the only permission rights across SharePoint. For Search there is one permission, called "Query right". For Project Server, "Submit Right" and "elevate right" are available. For Taxonomy we have only Read and Write permissions.

Permissions that SharePoint 2013 is not aware of are not accepted. If the AppManifest file of an app mentions a permission that SharePoint 2013 does not recognize, installing the app returns an error message. If the app installer does not have sufficient permissions to install the app, an error message is shown in that case as well.

We can supply the permission access for an app through the AppManifest.xml file. The manifest shown below requests read access for the web and write access for the list.

<?xml version="1.0" encoding="utf-8" ?>
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     ProductID="{5b0dfe5f-715b-34b6-c497-e7c533b2272a}"
     Version="1.0.0.0"
     SharePointMinVersion="15.0.0.0"
     Name="Sample App Developement">
  <Properties>
    <Title>Sample App Developement</Title>
    <StartPage>~remoteAppUrl/Home.aspx?{StandardTokens}</StartPage>
  </Properties>

  <AppPrincipal>

    <RemoteWebApplication ClientId="7acdfebb-4265-5214-b8d6-657645312987" />
  </AppPrincipal>

  <AppPermissionRequests>

    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write"/>
  </AppPermissionRequests>
</App>


As discussed above, all SharePoint sites and lists have the four rights. In some other cases, such as BCS, Project Server, Search and Taxonomy, the permissions are different.
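Because an unrecognized right makes installation fail, and because a granted scope also covers its children, it is worth checking the permission requests before packaging. The following PowerShell is an added example, not part of the original post. It checks each AppPermissionRequest against the four content rights and flags broad requests. The function name is hypothetical, the sample manifest is constructed (including a deliberately misspelled right), and FullControl and the tenant scope URI are the manifest spellings assumed here.

```powershell
# Added example: lint the permission requests of an AppManifest.xml.
# Constructed sample manifest; the second request carries a deliberate typo.
$manifestXml = @'
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest" Name="Sample">
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Wrire"/>
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl"/>
  </AppPermissionRequests>
</App>
'@

function Test-AppPermissionRequest {
    param([Parameter(Mandatory)][string]$ManifestXml)

    # The four rights that apply to sites, webs, lists and libraries.
    $contentRights = 'Read', 'Write', 'Manage', 'FullControl'
    $contentPrefix = 'http://sharepoint/content/*'
    $doc = [xml]$ManifestXml

    foreach ($req in $doc.App.AppPermissionRequests.AppPermissionRequest) {
        $scope = $req.Scope
        $right = $req.Right
        $finding = 'ok'

        if ($scope -notlike $contentPrefix) {
            # Search, BCS, Project Server and Taxonomy use other rights.
            $finding = 'non-content scope: rights differ, not checked here'
        } elseif ($right -notin $contentRights) {
            $finding = 'unrecognized right: installation will return an error'
        } elseif ($right -eq 'FullControl' -or $scope -like '*/tenant') {
            $finding = 'broad request: review against least privilege'
        }

        [pscustomobject]@{ Scope = $scope; Right = $right; Finding = $finding }
    }
}

# Web/Read is ok, web/list "Wrire" is unrecognized, tenant/FullControl is broad.
Test-AppPermissionRequest -ManifestXml $manifestXml | Format-Table -AutoSize
```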

App Permissions - When and How:
App permissions are granted when an app is installed by a website administrator or when permissions are granted explicitly, and they are removed when an app is removed.

App permissions are stored in the content database under the app ID. Each content database registers the app details. When an app gets permissions or is deleted, the app permissions in the content database are granted or deleted as well.

App Authentication and Authorization:
App authentication can proceed in several ways. If the authentication call is not an OAuth call, it should be allowed on the basis of the SharePoint principal associated with the app web. If it is an OAuth call, SharePoint uses Windows Azure Access Control Service (ACS).

App authorization has three policies, depending on the authenticated identity: user-only policy, user-app policy and app-only policy.
User-only policy is the one used in SharePoint 2010. Here authorization takes only the user account into consideration.
User-app policy authorization takes both the user identity and the app identity.
App-only policy takes only the app identity. For example, suppose four people (A, B, C, D) are working in a site, but A wants to use the app. In that case the app-only permissions apply to user A as elevated permissions. The remaining people will not use the app.