ImageVault SharePoint Connect with High-trust
When using a High-trust installation, the Provider Web which serves content and functionality to Add-in pages will be hosted locally in your own environment. User authentication when visiting the Add-in is handled by registering the Provider Web as a security token issuer in SharePoint.
Please be aware that SharePoint will trust all tokens issued by the Provider Web. It should therefore be set up with Windows authentication in IIS.
Since the Provider Web is hosted locally, you will have to install updates manually as they become available.
Requirements
- SharePoint 2013 On-premise.
- A configured App Environment in SharePoint.
- A web server with IIS 7.0 and ASP.NET 4.5 for the Provider Web. The server should have network connectivity to both the front-end SharePoint web server, and to user clients, via the same protocol and port as SharePoint.
- A hostname for the Provider Web.
- (Optional) SQL Server to store configuration data from the Provider Web.
Installation package
The installation package for High-trust contains the following:
- ImageVault SharePoint Connect Add-in (see note below).
- Provider Web application.
- Certificates for High-trust.
- PowerShell script for configuration of the High-trust certificates.
- (Optional) SQL script with a configuration database schema for the Provider Web.
- (Optional) JavaScript file with hostweb functionality.
Note
In order to support ribbon custom actions in SharePoint, the Add-in will be specifically published according to the hostname you decide for the locally hosted Provider Web. Please forward the chosen hostname to your ImageVault contact and you will receive the published Add-in.
Installing the Add-in
Provider Web
The Provider Web serves HTML content to the Add-in, and acts as a proxy for communication over the SharePoint Client API.
The Provider Web is an ASP.NET application and requires a web server with the following:
- IIS 7.0 or higher.
- Application pool with ASP.NET 4.5 or higher.
- Windows authentication connected to the same domain as SharePoint.
- TCP access to the front-end SharePoint web server on port 80/443.
- (Optional) SQL Server to store configuration data.
Important! By enabling High-trust, SharePoint will grant all authentication attempts made by the Provider Web. It is therefore vital that Windows authentication is properly configured on the Provider Web itself.
Deploy the Provider Web application to a server that meets the above requirements.
Certificates for Provider Web
Open the Certificate Store for the local computer account on the server hosting the Provider Web. One way to do this is to run MMC.exe and add the snap-in for certificates.
Import the ImageVaultConnectForSharePoint.pfx certificate to Personal.
Import the ImageVaultDefaultRootCA.cer certificate to Third-Party Root Certification Authorities.
The certificate password is: iv
Give the Provider Web application pool identity read access to the private key of the personal certificate.
Note
The Provider Web does not need to use the High-trust certificate for enabling SSL in IIS. A custom certificate works fine there.
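The certificate steps above, as an added PowerShell example (not part of the ImageVault package). It assumes Windows Server 2012 or later (for the PKI module), an extraction folder and an application pool name of your own, and that the imported key is a CSP (RSA) key stored under MachineKeys, which is what Import-PfxCertificate produces for this kind of PFX.

```powershell
# Run in an elevated PowerShell on the server hosting the Provider Web.
# Added example, not part of the ImageVault package; paths and pool name are assumptions.
$pkgRoot     = "C:\Install\ImageVaultConnect"           # assumed extraction folder
$appPoolName = "ImageVaultProviderWeb"                    # assumed IIS application pool name
$pfxPassword = Read-Host -AsSecureString "PFX password"   # the password stated in the guide

# Personal store (Cert:\LocalMachine\My): signing certificate with its private key.
# The key is imported non-exportable by default, which is what you want here.
$signing = Import-PfxCertificate -FilePath "$pkgRoot\ImageVaultConnectForSharePoint.pfx" `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Third-Party Root Certification Authorities = the AuthRoot store.
Import-Certificate -FilePath "$pkgRoot\ImageVaultDefaultRootCA.cer" `
    -CertStoreLocation Cert:\LocalMachine\AuthRoot | Out-Null

# Give the application pool identity read-only access to the private key file.
# Assumption: CSP (RSA) key container under MachineKeys.
$keyName = $signing.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
icacls $keyPath /grant "IIS AppPool\$($appPoolName):(R)" | Out-Null

# Verify: the pool identity should show (R) only, never Full control.
icacls $keyPath
```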
Certificates for SharePoint
Every certificate in the chain must be registered in SharePoint as a Trusted Root Authority. In addition, the Provider Web must be registered as a Security Token Issuer using the personal certificate.
The easiest way to register the certificates is to run the supplied helper script from the installation folder:
Scripts\PS_HighTrust_Register.ps1
Run the script using the SharePoint Management Shell with a farm administrator account on the server hosting the frontend SharePoint web application.
To register the certificates manually, use the following cmdlets:
New-SPTrustedRootAuthority
New-SPTrustedSecurityTokenIssuer
An IIS restart, or letting the application pools recycle, might be required after the certificates have been registered successfully before they are recognised by SharePoint.
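The manual registration with the two cmdlets above, as an added example (this is not the supplied PS_HighTrust_Register.ps1). The installation folder path is an assumption and the issuer ID is a placeholder: it must be the GUID the Provider Web signs its tokens with, which the guide does not state.

```powershell
# Run in the SharePoint Management Shell as a farm administrator on the front-end server.
# Added example, not the package's own script; path and issuer ID are assumptions/placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$pkgRoot     = "C:\Install\ImageVaultConnect"           # assumed
$issuerId    = "<ISSUER-ID-GUID>"                         # placeholder, lower-case GUID
$pfxPassword = Read-Host -AsSecureString "PFX password"   # the password stated in the guide

# Load both certificates in the chain.
$x509 = "System.Security.Cryptography.X509Certificates.X509Certificate2"
$rootCert    = New-Object $x509 -ArgumentList "$pkgRoot\ImageVaultDefaultRootCA.cer"
$signingCert = New-Object $x509 -ArgumentList "$pkgRoot\ImageVaultConnectForSharePoint.pfx", $pfxPassword

# 1. Every certificate in the chain becomes a Trusted Root Authority in the farm.
New-SPTrustedRootAuthority -Name "ImageVault Default Root CA" -Certificate $rootCert
New-SPTrustedRootAuthority -Name "ImageVault Connect Signing" -Certificate $signingCert

# 2. The Provider Web becomes a Security Token Issuer, bound to this farm's realm.
#    -IsTrustBroker lets the issuer mint tokens for any app, which is exactly why the
#    guide insists on enforcing Windows authentication on the Provider Web itself.
$realm = Get-SPAuthenticationRealm
New-SPTrustedSecurityTokenIssuer -Name "ImageVault Connect" `
    -Certificate $signingCert `
    -RegisteredIssuerName "$issuerId@$realm" `
    -IsTrustBroker

# Verify the registration, then restart IIS so the new issuer is recognised.
Get-SPTrustedSecurityTokenIssuer |
    Where-Object { $_.Name -eq "ImageVault Connect" } |
    Format-List Name, RegisteredIssuerName
iisreset
```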
Configuring the App Environment
Please follow the instructions at the following link in order to configure an App Environment.
https://technet.microsoft.com/en-us/library/fp161236.aspx
Registering the SharePoint Add-in
The Add-in should be registered in SharePoint before it is added to any sites. Visit the add-in registration page at the below address:
https://[My SharePoint Address]/_layouts/15/appregnew.aspx
Enter the following values to complete the registration:
- Client Id: f86d1d91-b945-43d6-8cc9-86c947e0bc0c
- Client Secret: [Press Generate to create a new value. This value will not be used but is required for the form.]
- Title: ImageVault Connect
- App Domain: [Your Provider Web hostname]
- Redirect URI: https://[Your Provider Web hostname]/Pages/Index.aspx
Uploading the SharePoint Add-in
SharePoint stores add-in packages in an Add-in Catalog. The add-ins are available to all organisational sites when uploaded and published to the catalog.
Updates to the Add-in are uploaded in the same way and can then be used to upgrade installed instances on individual SharePoint sites.
Visit the Add-in Catalog and upload the ImageVault SharePoint Connect Add-in which has been provided to you.
Finding your Add-in Catalog in SharePoint on-premise
Please follow the instructions in the following link in order to create a new Add-in Catalog:
https://msdn.microsoft.com/en-us/library/office/fp123530.aspx
Finished
ImageVault SharePoint Connect High-trust should now be configured.
(Optional) Installing configuration database
The Provider Web supports using an SQL Server database to store configuration data. This allows all subsites in a single domain to share the same configuration settings.
Create an SQL Server database using the supplied helper script from the installation folder:
Scripts\SQL_Configuration_DB.sql
Then open the Web.config file in the Provider Web's root folder and set the following values:
- Point the connection string to your new database.
- Set the AppSetting value EnableDatabase to true.
- Set the AppSetting value EnablePersistentConfig to true.
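The three Web.config changes above, as an added PowerShell example (not part of the ImageVault package). The site root path, SQL Server instance and database name are assumptions; it also assumes Web.config holds a single connection string and an existing appSettings section, as the guide implies.

```powershell
# Added example, not part of the ImageVault package; paths and names are assumptions.
$webConfig = "C:\inetpub\ImageVaultProviderWeb\Web.config"   # assumed site root
$sqlServer = "SQL01\SHAREPOINT"                                 # assumed instance
$database  = "ImageVaultConnectConfig"                          # assumed database name

# Integrated Security: the application pool identity authenticates to SQL Server,
# so no SQL password is stored in Web.config.
$connString = "Data Source=$sqlServer;Initial Catalog=$database;Integrated Security=SSPI"

[xml]$cfg = Get-Content -Path $webConfig -Raw

# The guide refers to a single connection string; refuse to guess if that is not the case.
$conns = @($cfg.configuration.connectionStrings.add | Where-Object { $_ })
if ($conns.Count -ne 1) { throw "Expected exactly one connection string, found $($conns.Count)" }
$conns[0].SetAttribute("connectionString", $connString)

# Set (or create) the two AppSetting keys named in the guide.
function Set-AppSetting([xml]$doc, [string]$key, [string]$value) {
    $node = $doc.configuration.appSettings.add | Where-Object { $_.key -eq $key }
    if ($node) {
        $node.SetAttribute("value", $value)
    } else {
        $new = $doc.CreateElement("add")
        $new.SetAttribute("key", $key)
        $new.SetAttribute("value", $value)
        $doc.configuration.appSettings.AppendChild($new) | Out-Null
    }
}
Set-AppSetting $cfg "EnableDatabase"         "true"
Set-AppSetting $cfg "EnablePersistentConfig" "true"

Copy-Item $webConfig "$webConfig.bak"   # keep the previous settings
$cfg.Save($webConfig)
```

Saving Web.config recycles the application, so run this during a maintenance window.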
(Optional) Installing Hostweb scripts
The Add-in supports enhanced functionality for inserting media into rich text fields, and interacting with App-parts, by including a JavaScript file in your SharePoint host web.
The hostweb scripts enable the following:
- Inserting ImageVault media in rich text fields.
- Editing ImageVault media in rich text fields.
- Inserting ImageVault media in publishing templates.
- Editing ImageVault media in publishing templates.
- Displaying a media viewer when a user clicks on media in Gallery App-parts.
Install the script by including it in any page layout or master page in SharePoint where the functionality is required.