StefanRo-4624 asked StefanRo-4624 answered

Get App-Only Access Token in SharePoint 2016

I am trying to get a C# console application running that synchronizes the global term store from an XML file on a regular basis. This is supposed to be a timer job that will run in the Windows Scheduler.
The target is a SharePoint 2016 environment.

Since we don't want to use a service account for that purpose, we want to use the app-only mode based on this: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs

If I understood the tutorial correctly, the same approach should also work for an on-premise environment?

SharePoint App-Only is the older, but still very relevant, model of setting up app-principals. This model works for both SharePoint Online and SharePoint 2013/2016/2019 on-premises and is ideal to prepare your applications for migration from SharePoint on-premises to SharePoint Online.

I could successfully get this whole console application running against our SharePoint Online dev tenant using the following code.

But now when I try to get this running in the SharePoint 2016 environment, it keeps failing.

I did the exact same thing as I did for the SharePoint Online. I created an app (via appnewreg.aspx), granted the same permissions (via appinv.aspx) and exchanged the siteUrl, clientId and clientSecret accordingly.

    using System;
    using Microsoft.SharePoint.Client;
    using PnP.Framework; // assumed: AuthenticationManager from the PnP Framework NuGet package

    string siteUrl = "MySiteUrl";
    string clientId = "ClientId";
    string clientSecret = "ClientSecret";

    // Exchanges the client id/secret for an ACS app-only access token and
    // returns a CSOM context that sends it as a bearer token.
    using (var clientContext = new AuthenticationManager().GetACSAppOnlyContext(siteUrl, clientId, clientSecret))
    {
        var web = clientContext.Web;
        clientContext.Load(web, w => w.Title);
        clientContext.ExecuteQuery();
        Console.WriteLine(web.Title);
    }


Yet I can't get the console application running.
I am receiving the following error:

The remote server returned an error: (400) Bad Request. - {"error":"invalid_request","error_description":"AADSTS90002: Tenant '8a450d28-f099-4c54-bcb9-ddced3a8c499' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.\

So my question is, how can I authenticate within a C# console application with the app-only model? Or is that not possible for SharePoint 2016?

From my understanding, I don't need a provider-hosted app for my use case, nor do I need high trust or low trust? Is that correct?



sharepoint-dev

RobWindsor-4651 answered RobWindsor-4651 edited

While the article you linked is correct that the "model works for both SharePoint Online and SharePoint 2013/2016/2019 on-premises...", the setup shown in the article will only work with SharePoint Online. More setup is required to use Azure Access Control Service (ACS) in an on-premises environment. Please see Use ACS to authorize low-trust provider-hosted add-ins on an on-premises SharePoint site for more information. Also, please note that to do this setup you need to have a SharePoint Online tenant.

Your other option is to use high-trust. For more information on the setup for high-trust, please see Create high-trust SharePoint Add-ins.

(Image: On-premises provider-hosted trust with ACS)

StefanRo-4624 answered RobWindsor-4651 commented

Hello Rob,

and thank you for your quick reply.

Just for my understanding: so I definitely need to create a provider-hosted add-in and configure a high trust to be able to get the console application running? I mean, I don't really need a remote web application, since there is no user interaction required for that timer job (it is only supposed to synchronize the term store from an XML file).

My first instinct is that this is too much overhead for what I'm trying to achieve. But if this is the only possibility, I have to walk that road. ;)


@StefanRo-4624 You don't need to create the add-in, you just need to go through the app registration process you would use when creating a provider-hosted add-in. In terms of the trust model, you can use either high-trust or low-trust; I provided links describing how to set up both.

The other option is to authenticate with the username and password of a service account in your Console app. I know you said you would rather not do that, but considering the overhead required for the alternatives, you may want to reconsider.

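Rob's service-account suggestion, worked out as an added example (not code from this thread): when the scheduled task runs under a group managed service account, the console app stores no password and no client secret at all. It authenticates to on-premises SharePoint 2016 with the process's Windows identity and opens the term store through the CSOM taxonomy API. The site URL and the expected account name are placeholders.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using Microsoft.SharePoint.Client;
using Microsoft.SharePoint.Client.Taxonomy;

class TermStoreSyncJob
{
    // Placeholders: the site the job targets and the gMSA the scheduled task
    // is configured to run as (gMSA account names end with '$').
    const string SiteUrl = "https://sharepoint.example.local/sites/termsync";
    const string ExpectedIdentity = @"CONTOSO\svc-termsync$";

    static int Main()
    {
        // Fail fast if the task was not started as the gMSA: running as an
        // interactive admin would silently give the job far more rights.
        string runningAs = WindowsIdentity.GetCurrent().Name;
        if (!string.Equals(runningAs, ExpectedIdentity, StringComparison.OrdinalIgnoreCase))
        {
            Console.Error.WriteLine($"Refusing to run as {runningAs}; expected {ExpectedIdentity}.");
            return 1;
        }

        using (var ctx = new ClientContext(SiteUrl))
        {
            // Integrated Windows authentication (Kerberos/NTLM) with the process
            // identity: nothing secret in code or config, and Active Directory
            // rotates the gMSA password on its own schedule.
            ctx.Credentials = CredentialCache.DefaultNetworkCredentials;

            var session = TaxonomySession.GetTaxonomySession(ctx);
            var termStore = session.GetDefaultSiteCollectionTermStore();
            ctx.Load(termStore, ts => ts.Name, ts => ts.Id);
            ctx.ExecuteQuery();

            // The actual sync (reading the XML and writing term sets) goes here.
            Console.WriteLine($"Connected to term store '{termStore.Name}' ({termStore.Id}) as {runningAs}");
        }
        return 0;
    }
}
```

The gMSA needs only the SharePoint permissions the sync requires (for the term store, Term Store Administrator or group manager rights), which keeps the job's blast radius small if the host is compromised.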
StefanRo-4624 answered

Okay, this project has been postponed for a bit due to other reasons but is now about to face a decision. Right now, we have both ways ready but prefer the way of using a group managed service account for that matter.
We now just need to convince the customer in that matter with a pro/contra list of the two methods (app authentication vs. service account (gMSA)).

One big advantage of gMSA over app authentication is that there is way less overhead for the initial setup.
Does anyone know if there are any key advantages that will convince the customer to stick with that approach? Security-wise: is one method safer than the other? How about future actions? From my understanding, when using app auth, you regularly need to update the client secret? Is this still the case? How about gMSA? Do they ever expire?

Thank you in advance :)
