TechEd - Application Hosting Models in SharePoint 2013

Shyam Narayan (@dotnetbounce), a Microsoft Premier Field Engineer, took us through the approaches to application hosting in SharePoint 2013.

Application Identity models in SP2013

  • SP2010 provided two models for custom code – Full Trust and Sandboxed
  • Apps in SP2013 now have their own identity
  • Fine grained permissions can now be configured – analogy of the app on your smartphone asking for specific permissions


  • Site Collection – I want Full Control
  • User Profiles – I need Read access to this
  • Taxonomy – I want Write access to this
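
An app declares requests like these in its AppManifest.xml as Scope and Right pairs, so a manifest can be reviewed for over-broad permissions before the app is trusted. The script below is an added example, not code from the session or from Microsoft; the sample manifest is constructed, and the severity thresholds are an assumed review policy rather than a SharePoint rule.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/sharepoint/2012/app/manifest"}
HIGH_RIGHTS = {"Manage", "FullControl"}
# Assumption (reviewer policy, not a SharePoint rule): only web- and list-level
# content scopes count as narrow; everything else is treated as broad.
NARROW_PREFIX = "http://sharepoint/content/sitecollection/web"

# Constructed sample manifest mirroring the three requests listed above.
SAMPLE_MANIFEST = """\
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="SampleApp" ProductID="{00000000-0000-0000-0000-000000000000}"
     Version="1.0.0.0" SharePointMinVersion="15.0.0.0">
  <Properties><Title>Sample App</Title><StartPage>~appWebUrl/Pages/Default.aspx</StartPage></Properties>
  <AppPrincipal><Internal /></AppPrincipal>
  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
    <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
    <AppPermissionRequest Scope="http://sharepoint/taxonomy" Right="Write" />
  </AppPermissionRequests>
</App>"""


def audit_manifest(xml_text):
    """Return (severity, scope, right) tuples for each permission request."""
    root = ET.fromstring(xml_text)
    block = root.find("m:AppPermissionRequests", NS)
    if block is None:
        return []  # no requests declared
    findings = []
    # App-only policy lets the app call SharePoint with its own rights, with
    # no signed-in user limiting it, so always surface it for review.
    if block.get("AllowAppOnlyPolicy", "false").lower() == "true":
        findings.append(("review", "(manifest)", "AllowAppOnlyPolicy"))
    for req in block.findall("m:AppPermissionRequest", NS):
        scope, right = req.get("Scope", ""), req.get("Right", "")
        broad = not scope.startswith(NARROW_PREFIX)
        if right in HIGH_RIGHTS:
            severity = "high"
        elif right == "Write" and broad:
            severity = "medium"
        else:
            severity = "low"
        findings.append((severity, scope, right))
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(*finding, sep="\t")
```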

App Hosting Models

  • SharePoint Hosted
  • Auto Hosted
  • S2S

SharePoint Hosted Apps

  • Custom code or solutions you’ve built that get provisioned and hosted out of SharePoint.
  • Completely hosted within SharePoint or iFramed in
  • Only client side scripting supported – **no server side code**
  • Isolated web created to host the app
  • SharePoint artefact provisioning supported via CAML
  • Data storage location – Content Database
  • Supported in On-Premise and SharePoint online
  • Cannot write feature receivers in this model
  • Remote event receivers are the new way for doing this – a callout to a remote web server

Client Side code – the object model (CSOM) is now RESTful and includes **full server side API** access. You can access all these services:

  • User Profiles
  • Search
  • Taxonomy
  • Feeds
  • Publishing
  • Sharing
  • Workflow
  • E-Discovery
  • IRM
  • Analytics
  • and more…

Then there was a Visual Studio 2012 based demo.

  • You can now write code off a SharePoint box (round of applause from the room), no longer need to be writing code on a SharePoint server itself.
  • AppManifest.xml is where you manage permissions requirements for your app.
  • Consists of Scope, Permission, Properties – see
  • You can still provision lists and libraries declaratively
  • App deployment is essentially XML files being provisioned to SharePoint
  • Even external content types can be deployed declaratively – the example was a data source from Netflix
  • Need to configure the farm in Central Admin to support app provisioning
  • New service application – the App Management Service, also need the SharePoint Foundation Subscription Settings Service (enables multi-tenancy).
  • Also need to ensure the Settings Service Application has been provisioned
  • Apps get a DNS style prefix – needs DNS wildcard configuration for the main domain and then SharePoint will resolve the requests for the app name.
  • For example

Auto Hosted Apps

  • The Office365 app hosting model – not available in on-premise
  • Leverages integration between Office365 and Windows Azure
  • Leverages Azure Web roles and SQL Azure
  • Auto Provisioning of Azure components
  • Really easy to build locally and then deploy to the cloud – all the configuration settings are handled for you behind the scenes
  • Leverages ACS (Access Control Services) as the app identity broker. Think of it as ADFS in the cloud
  • Visual Studio F5 deployment to the cloud

OAuth – Interaction

  • Request comes from Browser to SharePoint
  • Gets bounced off to ACS
  • ACS returns a context token to SharePoint, which is returned to the Browser
  • Gets routed via
  • 3 key tokens
      • Context Token
      • Access Token
      • Refresh Token
  • This is only for the App authentication, not authentication of the user


  • For on-premise development
  • High trust applications behind the firewall
  • Can assert any user’s identity
  • Requires configuration to establish trust between SharePoint farm and S2S app
  • Needs to be done for every app you run / deploy

Configure S2S – challenging to get right.

  • App Isolation needs to be configured
  • Disable App Pool Principal check (set value to 0)
  • Generate Public / Private certificate pair
  • Generate Client Id
  • Set up Security Token Issuer
  • Register App Principal
  • Update Web.Config and ensure user profiles exist

At this point in the session I am feeling that the new way forward for app development in SharePoint is looking mighty complicated. They’ve obviously done a lot of work to make the cloud stuff smooth, but for on-premise stuff it seems pretty clunky and complex. And looks nothing like what came before it in SP2010. Hopefully I’m just having a brain fade and it’s not that hard – but coming right after the responsive web apps session this SharePoint content seemed pretty jarring.