Make sure you have the following components.
An on-premises SharePoint 2013 development environment. See How to: Set up an on-premises development environment for SharePoint apps.
An Office 365 SharePoint site. If you don't have one and want to set up a development environment quickly, you can sign up for an Office 365 developer subscription, set up your tools and environment, and start deploying apps.
Visual Studio 2012, installed either remotely or on the computer that runs SharePoint 2013.
Office Developer Tools for Visual Studio 2012.
The 64-bit version of the Microsoft Online Services Sign-In Assistant, installed on the computer that runs SharePoint 2013.
The Microsoft Online Services Module for Windows PowerShell (64-bit), installed on the computer that runs SharePoint 2013.
Create a certificate and make it the Security Token Service (STS) certificate of the on-premises SharePoint 2013 installation.
You need to replace the default Security Token Service (STS) certificate of the on-premises SharePoint 2013 installation with your own certificate. This article gives an example of creating and exporting a test certificate with the Create Self-Signed Certificate option in IIS. You can also use a commercial certificate issued by a certification authority.
First create a test .pfx certificate file, and then create the corresponding test .cer file.
You can also use the MakeCert test tool to generate a test X.509 certificate.
Create a test .pfx certificate file
In IIS Manager, select the ServerName node in the tree view on the left.
Select Server Certificates, as shown in Figure 1.
Figure 1. Server Certificates option in IIS
Click the Create Self-Signed Certificate link in the set of links on the right, as shown in Figure 2.
Figure 2. Create Self-Signed Certificate link
Name the certificate SampleCert, and then choose OK.
Right-click the certificate and select Export, as shown in Figure 3.
Figure 3. Exporting the test certificate
Note
The document on configuring a one-way hybrid environment with SharePoint Server 2013 and Office 365 (downloadable from the SharePoint 2013 hybrid resources page) describes in detail how to replace the default STS certificate of the on-premises farm with a certificate from a well-known certification authority or a self-signed certificate.
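The same test certificate can be produced from the command line instead of the IIS Manager dialog. The function below is an added example and is not part of the original article; it uses the PKI module cmdlets available on Windows Server 2012 and Windows 8 or later, and the output folder and the parameter names are assumptions. The .pfx carries the private key and is password protected, while the .cer holds only the public key, which is all that other parties need in order to verify tokens signed by the farm.

```powershell
# Added example (not from the article): create the test .pfx and .cer files with the PKI module
# instead of IIS Manager. Assumes the PKI module is present and $OutputFolder is writable.
function New-TestStsCertificate {
    [CmdletBinding()]
    Param(
        [string]$Subject = 'SampleCert',                 # same certificate name the article uses
        [string]$OutputFolder = 'C:\Certs',              # assumed output location
        [Parameter(Mandatory = $true)]
        [System.Security.SecureString]$PfxPassword      # protects the private key inside the .pfx
    )

    if (-not (Test-Path $OutputFolder)) {
        New-Item -ItemType Directory -Path $OutputFolder | Out-Null
    }

    # Self-signed certificate in the computer store. The private key stays in that store;
    # it leaves the machine only inside the password-protected .pfx exported below.
    $cert = New-SelfSignedCertificate -DnsName $Subject -CertStoreLocation 'Cert:\LocalMachine\My'

    # .pfx = certificate plus private key. This is the file the SharePoint STS is given.
    $pfxPath = Join-Path $OutputFolder ($Subject + '.pfx')
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPassword | Out-Null

    # .cer = public key only. Safe to distribute to anyone who must validate the farm's tokens.
    $cerPath = Join-Path $OutputFolder ($Subject + '.cer')
    Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

    New-Object PSObject -Property ([ordered]@{
        Thumbprint = $cert.Thumbprint
        Pfx        = $pfxPath
        Cer        = $cerPath
    })
}

# Usage: prompt for the password so it is not left in the shell history.
# New-TestStsCertificate -PfxPassword (Read-Host -AsSecureString 'PFX password')
```

The thumbprint returned by the function is worth recording; it is the value to compare against the farm's STS configuration after the certificate has been installed.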
Configure the on-premises SharePoint 2013 installation to use ACS.
Figure 4 shows the four steps needed to make the required connection, in the context of the overall architecture of a provider-hosted app running on an on-premises site. It also shows the OAuth token flow when the app is running.
Figure 4. Using an Office 365 SharePoint site to connect an on-premises SharePoint installation through ACS.
Create an ACS proxy in the on-premises SharePoint 2013 farm.
Install the signing certificate of the on-premises server in the Office 365 tenancy.
Add the fully qualified domain name of the site on the SharePoint 2013 farm where the app runs to the service principal name collection of the Office 365 tenancy.
Create an application management proxy in the SharePoint 2013 farm.
The following function performs all the tasks needed to configure the on-premises SharePoint 2013 site to use ACS. It can also perform some cleanup tasks if you need to remove a previous configuration. There are several ways to run this function in PowerShell. One method is listed below:
On the on-premises SharePoint server, copy the code of the function into a text file and save it with the name MySharePointFunctions.psm1 in either of the following folders (not in both). You may need to create part of the path if a folder does not exist yet. Note that in both cases the lowest folder in the path must have the same name as the file.
Note
The file must be saved in ANSI format, not UTF-8. PowerShell may report syntax errors when it loads a file in a non-ANSI format. Windows Notepad saves as ANSI by default. If you save the file with any other editor, make sure it is saved as ANSI.
C:\Users\username\Documents\WindowsPowerShell\Modules\MySharePointFunctions, where username is the farm administrator who will run the function.
C:\Windows\System32\WindowsPowerShell\v1.0\Modules\MySharePointFunctions
Open the SharePoint Management Shell as an administrator and run the following cmdlet to verify that the MySharePointFunctions module is listed.
Windows PowerShell
Get-Module -ListAvailable
Run the following cmdlet to import the module.
Windows PowerShell
Import-Module MySharePointFunctions
Run the following cmdlet to verify that the Connect-SPFarmToAAD function is listed as part of the module:
Windows PowerShell
Get-Command -Module MySharePointFunctions
Run the following cmdlet to verify that the Connect-SPFarmToAAD function is loaded.
Windows PowerShell
ls function:\ | where {$_.Name -eq "Connect-SPFarmToAAD"}
-RemoveExistingACS (optional)
Use this switch if you want to replace an existing connection to Microsoft Azure Active Directory. If an ACS proxy has already been created in the farm, the switch deletes the existing one.
-RemoveExistingSTS (optional)
Use this switch if you want to replace an existing connection to Microsoft Azure Active Directory. It deletes the existing trusted security token issuer left behind by a previous ACS connection.
-RemoveExistingSPOProxy (optional)
Use this switch if you want to replace an existing connection to Microsoft Azure Active Directory. If an application management proxy has already been created in the farm, the switch deletes the existing one.
-RemoveExistingAADCredentials (optional)
Use this switch if you want to replace the connection to the Office 365 SharePoint site.
Windows PowerShell
    # Body of the Connect-SPFarmToAAD function. The opening of the function (its parameter block and the
    # definitions of constants such as $ACS_APPPROXY_NAME, $ACS_STS_NAME, $ACSMetadataEndpoint,
    # $SP_APPPRINCIPALID, $SP_METADATAEP_FSTRING and $SPO_MANAGEMENT_APPPROXY_NAME) precedes this point
    # and is not reproduced on this page.

    # Point the local realm and the local STS at the Office 365 tenancy.
    Set-SPAuthenticationRealm -ServiceContext $SharePointWeb -Realm $AADRealmId
    $LocalSTS = Get-SPSecurityTokenServiceConfig
    $LocalSTS.NameIdentifier = '{0}@{1}' -f $SP_APPPRINCIPALID,$AADRealmId
    $LocalSTS.Update()

    # Allow connections over HTTP if the switch is specified.
    # Suitable for a development environment only: over HTTP the OAuth tokens travel in clear text.
    if ($AllowOverHttp.IsPresent -and $AllowOverHttp -eq $true) {
        $serviceConfig = Get-SPSecurityTokenServiceConfig
        $serviceConfig.AllowOAuthOverHttp = $true
        $serviceConfig.AllowMetadataOverHttp = $true
        $serviceConfig.Update()
    }

    # Step 1: Set up the ACS proxy in the on-premises SharePoint farm. Remove an existing ACS proxy
    # if the switch is specified.
    if ($RemoveExistingACS.IsPresent -and $RemoveExistingACS -eq $true) {
        Get-SPServiceApplicationProxy |? DisplayName -EQ $ACS_APPPROXY_NAME | Remove-SPServiceApplicationProxy -RemoveData -Confirm:$false
    }
    if (-not (Get-SPServiceApplicationProxy |? DisplayName -EQ $ACS_APPPROXY_NAME)) {
        $AzureACSProxy = New-SPAzureAccessControlServiceApplicationProxy -Name $ACS_APPPROXY_NAME -MetadataServiceEndpointUri $ACSMetadataEndpoint -DefaultProxyGroup
    }

    # Remove the existing trusted security token issuer if the switch is specified.
    if ($RemoveExistingSTS.IsPresent) {
        Get-SPTrustedSecurityTokenIssuer |? Name -EQ $ACS_STS_NAME | Remove-SPTrustedSecurityTokenIssuer -Confirm:$false
    }
    if (-not (Get-SPTrustedSecurityTokenIssuer |? Name -EQ $ACS_STS_NAME)) {
        $AzureACSSTS = New-SPTrustedSecurityTokenIssuer -Name $ACS_STS_NAME -IsTrustBroker -MetadataEndPoint $ACSMetadataEndpoint
    }

    # Update the ACS proxy for OAuth authentication.
    $ACSProxy = Get-SPServiceApplicationProxy |? Name -EQ $ACS_APPPROXY_NAME
    $ACSProxy.DiscoveryConfiguration.SecurityTokenServiceName = $ACS_APPPRINCIPALID
    $ACSProxy.Update()

    # Retrieve the local STS signing key from the JSON metadata.
    $SPMetadata = Invoke-RestMethod -Uri ($SP_METADATAEP_FSTRING -f $SharePointWeb)
    $SPSigningKey = $SPMetadata.keys |? usage -EQ "Signing" |% keyValue
    $CertValue = $SPSigningKey.value

    # Connect to Office 365.
    Connect-MsolService -Credential $O365Credentials

    # Remove the existing connection to the Office 365 SharePoint site if the switch is specified.
    if ($RemoveExistingAADCredentials.IsPresent -and $RemoveExistingAADCredentials -eq $true) {
        $MsolServicePrincipal = Get-MsolServicePrincipal -AppPrincipalId $SP_APPPRINCIPALID
        [Guid[]]$ExistingKeyIds = Get-MsolServicePrincipalCredential -ObjectId $MsolServicePrincipal.ObjectId -ReturnKeyValues $false |% { if ($_.Type -ne "Other") { $_.KeyId } }
        Remove-MsolServicePrincipalCredential -AppPrincipalId $SP_APPPRINCIPALID -KeyIds $ExistingKeyIds
    }

    # Step 2: Upload the local STS signing certificate.
    New-MsolServicePrincipalCredential -AppPrincipalId $SP_APPPRINCIPALID -Type Asymmetric -Value $CertValue -Usage Verify

    # Step 3: Add the service principal name of the local web application, if necessary.
    $indexHostName = $SharePointWeb.IndexOf('://') + 3
    $HostName = $SharePointWeb.Substring($indexHostName)
    $NewSPN = '{0}/{1}' -f $SP_APPPRINCIPALID,$HostName
    $SPAppPrincipal = Get-MsolServicePrincipal -AppPrincipalId $SP_APPPRINCIPALID
    if ($SPAppPrincipal.ServicePrincipalNames -notcontains $NewSPN) {
        $SPAppPrincipal.ServicePrincipalNames.Add($NewSPN)
        Set-MsolServicePrincipal -AppPrincipalId $SPAppPrincipal.AppPrincipalId -ServicePrincipalNames $SPAppPrincipal.ServicePrincipalNames
    }

    # Remove the existing SharePoint Online proxy if the switch is specified.
    if ($RemoveExistingSPOProxy.IsPresent -and $RemoveExistingSPOProxy -eq $true) {
        Get-SPServiceApplicationProxy |? DisplayName -EQ $SPO_MANAGEMENT_APPPROXY_NAME | Remove-SPServiceApplicationProxy -RemoveData -Confirm:$false
    }

    # Step 4: Add the SharePoint Online proxy.
    if (-not (Get-SPServiceApplicationProxy |? DisplayName -EQ $SPO_MANAGEMENT_APPPROXY_NAME)) {
        $SPOProxy = New-SPOnlineApplicationPrincipalManagementServiceApplicationProxy -Name $SPO_MANAGEMENT_APPPROXY_NAME -OnlineTenantUri $SharePointOnlineUrl -DefaultProxyGroup
    }
}
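After the function has run, a farm administrator will want to confirm that each of the four steps actually took effect, and that the HTTP relaxation is not left switched on outside a development box. The read-only check below is an added example, not part of the original article or of Microsoft's module. It assumes the proxy and issuer names match the constants used when the farm was connected (the defaults given here are assumptions and may need adjusting), that the SharePoint metadata is served at `/_layouts/15/metadata/json/1` under the web application, and that `Connect-MsolService` has already been run when `-CheckOffice365` is used. The two app principal IDs are the well-known ACS and SharePoint service principal identifiers.

```powershell
# Added example (not from the article): read-only verification of the four configuration steps.
# Assumes the name parameters equal the constants used by Connect-SPFarmToAAD and that
# Connect-MsolService has been run before -CheckOffice365 is used.
function Test-SPFarmAADConnection {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $true)]
        [string]$SharePointWeb,                                            # e.g. https://sp.contoso.local (constructed)
        [string]$AcsProxyName = 'ACS',                                     # assumed; must equal $ACS_APPPROXY_NAME
        [string]$AcsStsName = 'ACS-STS',                                   # assumed; must equal $ACS_STS_NAME
        [string]$SpoProxyName = 'SPO App Management Proxy',                # assumed; must equal $SPO_MANAGEMENT_APPPROXY_NAME
        [Guid]$AcsAppPrincipalId = '00000001-0000-0000-c000-000000000000', # well-known ACS app principal id
        [Guid]$SPAppPrincipalId = '00000003-0000-0ff1-ce00-000000000000',  # well-known SharePoint app principal id
        [switch]$CheckOffice365                                            # requires a prior Connect-MsolService
    )

    function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
        New-Object PSObject -Property ([ordered]@{ Ok = $Ok; Check = $Name; Detail = $Detail })
    }
    $results = @()

    # Realm and local STS identity: the NameIdentifier must be <SharePoint principal>@<tenant realm>.
    $realm = Get-SPAuthenticationRealm -ServiceContext $SharePointWeb
    $sts = Get-SPSecurityTokenServiceConfig
    $expectedId = '{0}@{1}' -f $SPAppPrincipalId, $realm
    $results += Add-Check 'Local STS NameIdentifier bound to tenant realm' ($sts.NameIdentifier -eq $expectedId) $sts.NameIdentifier

    # HTTP relaxation is acceptable only in development; in production OAuth tokens must not travel in clear text.
    $results += Add-Check 'OAuth and metadata restricted to HTTPS' `
        (-not $sts.AllowOAuthOverHttp -and -not $sts.AllowMetadataOverHttp) `
        ('AllowOAuthOverHttp={0} AllowMetadataOverHttp={1}' -f $sts.AllowOAuthOverHttp, $sts.AllowMetadataOverHttp)

    # Step 1: ACS proxy present and its STS name pointing at the ACS app principal.
    $acsProxy = Get-SPServiceApplicationProxy |? Name -EQ $AcsProxyName
    $stsName = if ($null -ne $acsProxy) { $acsProxy.DiscoveryConfiguration.SecurityTokenServiceName } else { 'proxy missing' }
    $results += Add-Check 'Step 1: ACS proxy bound to ACS principal' ($stsName -eq $AcsAppPrincipalId.ToString()) $stsName

    # Step 1: trusted security token issuer for ACS registered as a trust broker.
    $issuer = Get-SPTrustedSecurityTokenIssuer |? Name -EQ $AcsStsName
    $results += Add-Check 'Step 1: ACS trusted token issuer is a trust broker' `
        ($null -ne $issuer -and [bool]$issuer.IsTrustBroker) `
        ($(if ($null -ne $issuer) { $issuer.RegisteredIssuerName } else { 'issuer missing' }))

    # Step 4: SharePoint Online application principal management proxy present.
    $spoProxy = Get-SPServiceApplicationProxy |? Name -EQ $SpoProxyName
    $results += Add-Check 'Step 4: SharePoint Online management proxy present' ($null -ne $spoProxy) $SpoProxyName

    if ($CheckOffice365) {
        $principal = Get-MsolServicePrincipal -AppPrincipalId $SPAppPrincipalId

        # Step 3: the farm host must be registered as an SPN, built exactly as Connect-SPFarmToAAD builds it.
        $hostName = $SharePointWeb.Substring($SharePointWeb.IndexOf('://') + 3)
        $spn = '{0}/{1}' -f $SPAppPrincipalId, $hostName
        $results += Add-Check 'Step 3: farm host registered as SPN in Office 365' ($principal.ServicePrincipalNames -contains $spn) $spn

        # Step 2: the asymmetric key Office 365 holds must be the key the local STS signs with right now.
        # Catches a rotated STS certificate that was never re-uploaded.
        $metadata = Invoke-RestMethod -Uri ('{0}/_layouts/15/metadata/json/1' -f $SharePointWeb)  # assumed metadata path
        $localKey = ($metadata.keys |? usage -EQ 'Signing' |% keyValue).value
        $uploaded = Get-MsolServicePrincipalCredential -ObjectId $principal.ObjectId -ReturnKeyValues $true |? Type -eq 'Asymmetric' |% Value
        $results += Add-Check 'Step 2: current local STS signing key uploaded to Office 365' ($uploaded -contains $localKey) ('{0} asymmetric key(s) registered' -f @($uploaded).Count)
    }

    $results
}

# Usage (constructed URL): Test-SPFarmAADConnection -SharePointWeb 'https://sp.contoso.local' -CheckOffice365 | Format-Table -AutoSize
```

Any row with Ok set to False points at the step to repeat with the corresponding -RemoveExisting switch; a False on the HTTPS row in production means the AllowOverHttp relaxation should be reverted.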
Configure apps for the Office Store and the SharePoint web application.
If you want users to be able to install provider-hosted apps that use ACS from the Office Store, the farm administrator can perform an optional configuration step in the production environment. (It serves no purpose in a SharePoint development environment unless you plan to use ACS to install apps from the Store in that environment.) The following cmdlet accomplishes this. You can add this code to the function above.
Windows PowerShell
New-SPMarketplaceWebServiceApplicationProxy -Name "ApplicationIdentityDataWebServiceProxy" -ServiceEndpointUri "https://oauth.sellerdashboard.microsoft.com/ApplicationIdentityDataWebService.svc" -DefaultProxyGroup