Planning the Infrastructure Required for the new App Model in SharePoint 2013

SharePoint 2013 brings with it a brand new application model, which we euphemistically refer to as the “app model” or “cloud app model”. While it brings a whole new set of opportunities from a development perspective, it also carries with it infrastructure requirements that you need to plan and build to support them. When I think about the app model in fact there are really three big pieces that I look at:

  1. The development model – this all about the how I’m going to develop my application, what new features am I going to take advantage of, etc. This is primarily a developer activity.
  2. The security model – the security model for these new applications is an interesting combination of “stuff”. You have the new concept of an app-principal, which is how you define rights for your applications. There’s the OAuth model which defines what content you can get at, as well as a mechanism for presenting SharePoint with a token that describes who you are – it’s very much like claims for applications. The security model and means by which these tokens are created and presented varies significantly depending on whether your application is hosted in SharePoint or somewhere else, and whether you’re using Access Control Services (ACS) as a trust broker or not. Lots of stuff there, and not something I’ll be covering in this blog post, but it’s something that is both a developer and an IT Pro activity.
  3. The infrastructure – here we’re talking about all of the “goo” that makes applications work within an organization. It includes the service applications, application domain and prefix, DNS, SSL, and web application configurations. It is primarily an IT Pro activity and is the basis of this blog post. This posting is also going to be focused on applications that are hosted in SharePoint itself, versus an application that is hosted externally in another site or cloud like Windows Azure. When you install an application hosted in SharePoint, a new SPWeb is created for it. That way each application gets its own set of data and it cannot write over the data for another application. It also provides a layer of security so that someone who has rights to one application cannot have malicious code that uses the rights of the current user to access data in another site in the farm. This is an important basic principal of applications based on the new app model to remember – when they are hosted in SharePoint, one app = one SPWeb.

Now let’s start working through the list of these different infrastructure components. First and foremost, you need to make sure that you have an instance of the App Management and Subscription Settings service applications created and running in the farm. The App Management service is used for things like keeping track of applications and deployments, licensing, etc. The Subscription Settings service is the same service application that is used for multi-tenant deployments, and it is also used by the app model to create the unique Urls that are used by applications.

So how are these Urls created? Well it starts with the Apps configuration that you do in Central Admin. When you go into Central Admin you will find a new section called Apps. If you click on it you will see an option to Configure App Urls. In there you will find two values that are used to create an application Url – the App Domain and App Prefix. The App Domain is analogous to the host name that is going to be used for all applications in the farm. Here are three things to consider when you plan for this name:

  1. Because it is used for the whole farm it should get the same level of planning and thought as you use for your other web applications.
  2. In addition to that it needs to be a fully-qualified domain name – you will find trying to use a NetBIOS style name for this doesn’t work well for name resolution.
  3. Finally, it should NOT be a child domain of your web applications.

So let’s look at a specific example. Suppose your web applications are something like team.contoso.com, my.contoso.com and portal.contoso.com. First of all, you probably don’t want to use just “contoso.com” for your App Domain, because doing so will require you to create a wildcard DNS entry for ALL of contoso.com that points to your apps endpoint (more on that in a minute). Also you don’t want to use something like “apps.contoso.com” because that is a child domain to what you are using for your web applications (which are all rooted in “contoso.com”). So a better choice based on these rules would be something like “contosoapps.com”.

The App Prefix value can be anything you want – it’s plugged into the first part of the application Url, which we’ll talk through next.

I mentioned using a wildcard DNS entry above, and that’s the next part to cover. When an application is installed and that application is hosted in SharePoint it will have a Url that is something like this: The elements of the Url break down like this:

  • “apps” – this is the App Prefix value I mentioned above that you entered in central admin.
  • “87e90ada14c175” – this is a unique value that is provided by the Subscription Settings service application
  • “contosoapps.com” – this is the App Domain that you entered in central admin.
  • “myapp” – this is the name of the application that has been installed. The rest of the Url – pages/default.aspx – is what is contained in the SPWeb where the application is installed.

As you look at the Url and how it’s formed, hopefully you understand why you will want to use a wildcard DNS entry. Because the first part of the Url is going to be different for every single application instance that is installed – even if the same application is installed in multiple site collections – it is not feasible to continually update your DNS for every single instance. You’re certainly welcome to do so if you really want to, but I would not recommend it. So that being said, that means for DNS for the scenario I’ve described here, you are going to want a wildcard DNS entry for *.contosoapps.com. Now the IP address that it points to is something we’ll discuss in just a bit.

Related to the wildcard DNS entry is a wildcard SSL entry. Just so we’re perfectly clear on this point – if you’re using apps, you should be using SSL. The app model involves passing around OAuth access tokens, which describe who the current user and application are. Just like if you were passing around SAML tokens for a user, you want to encrypt the channel that these tokens flow over to prevent any kind replay style attack that would grant access to content by someone who might be out there sniffing your network traffic. Using SSL prevents those scenarios from happening, and since you’ve seen the Urls for these applications are going to be different for every installed instance, it also means that in order to be manageable you will need a wildcard SSL certificate. Again, in our scenario, we would get a wildcard SSL certificate for *.contosoapps.com.

Okay, so far we’ve talked about the service applications that are required, the configuration that is required for the App Domain and Prefix, how the Urls are formed, and the DNS and SSL entries that are needed. Now to tie everything off we need to talk about how application requests get routed. Generally speaking, you will need a separate SharePoint web application just to do the routing of application requests. Let’s take a look at why that is. Suppose again that you have three web applications that are defined as follows; they are all using SSL so we are using unique IP addresses for each one:

  • team.contoso.com – 192.168.1.10
  • my.contoso.com – 192.168.1.11
  • portal.contoso.com – 192.168.1.12

Now as described above you can only have one App Domain in the farm, and it should not be a child domain. This opens up two very real problems with the applications above:

  • If we install applications in each of these web apps, how do we get the right application request routed to the right web app? We only have one App Domain but three web apps.
  • If we try and route an application request to one of these existing web apps, then SSL will break. Why? Because since we are using SSL on all our web apps (since we’re using Apps), then they all have an SSL certificate that is something like *.contoso.com. So we can’t route application requests to them anyways, because you can’t get an SSL wildcard that works on both *.contoso.com and *.contosoapps.com, which is what our apps are going to be using.

The solution then is to create a fourth web application. You can create it without a host header name and assign it a shared IP of 192.168.1.13. In DNS then your wildcard entry for *.contosoapps.com will point to 192.168.1.13. What ends up happening is that your apps web application “listens” on that IP address and the SharePoint http module that is responsible for routing will pick up the request for the application. It will then use the App Management service application to determine what web application is actually hosting that application and reroute the request to it. The request is then served from that web application, site collection, and SPWeb where the app itself lives, so all of the security and authentication settings for them will be correctly applied.

Now our farm configuration looks like this:

  • Apps Configuration
  • App Domain – contosoapps.com
  • App Prefix – apps
  • Web Applications
  • team.contoso.com
  • IP Address: 192.168.1.10
  • SSL Certificate: *.contoso.com
  • my.contoso.com
  • IP Address: 192.168.1.11
  • SSL Certificate: *.contoso.com
  • portal.contoso.com
  • IP Address: 192.168.1.12
  • SSL Certificate: *.contoso.com
  • (no host header, or you could use something like contosoapps, etc. – it doesn’t really matter since we aren’t routing based on host header, we’re routing based on IP address)
  • IP Address: 192.168.1.13
  • SSL Certificate: *.contosoapps.com
  • DNS
  • team.contoso.com – 192.168.1.10
  • my.contoso.com – 192.168.1.11
  • portal.contoso.com – 192.168.1.12
  • *.contosoapps.com – 192.168.1.13

Now, that we have all of the infrastructure configuration aspects of apps covered, there are a couple of other considerations you need to remember when planning for the rollout of new apps for SharePoint 2013:

  • SharePoint Apps do not work on web applications that use SAML. If you are using SAML authentication then you will not be able to use SharePoint Apps on those web applications. This will hopefully be resolved in a future service pack or some other type of patch, but this is a limitation for SharePoint 2013 RTM.
  • SharePoint Apps do not support multiple zones (i.e. AAM); all requests are served out of the default zone. If you are using AAM to support multiple zones then you will likely not be able to use SharePoint apps. All apps get served out of the default zone, so in theory if you had the default zone exposed so that everyone could reach it, and you were using the same exact authentication mechanism on every zone (with some possible limitations that are too detailed to go into here and now), then it’s possible that it would work. But then again, if you are using zones it’s usually because you either a) don’t want every endpoint exposed to everyone or b) you DO want to use different authentication methods. Again, this is something that may change in the future, but for now this what is available for SharePoint 2013 RTM.

So there you have it – SharePoint Apps are a big part of SharePoint 2013, but they require some planning and design work up front to ensure the infrastructure is in place to support them.