Publishing SharePoint 2016 and Office Online Server with Azure AD Application Proxy

September 16, 2016: Updated information on authentication for OOS. Pre-authentication is not supported and passthrough must be used.

A common customer request is publishing an on-premises SharePoint site over the internet so that users can access it without being on the corporate network. In the past this involved deploying reverse proxies and lengthy conversations with the networking team. One excellent option now available is the Azure AD Application Proxy. That team has an excellent walkthrough on configuring SharePoint 2013 and Azure AD App Proxy to work together, and the same steps also work for SharePoint 2016. You can visit their blog for details, but the basic steps are:

  1. Ensure SharePoint web application pools are running under a service account (any production SharePoint farm should already be configured this way)
  2. Configure SharePoint for Kerberos authentication
  3. Create SPNs and configure Kerberos Constrained Delegation (KCD)
  4. Publish SharePoint through Azure AD App Proxy
  5. Configure AAMs in SharePoint for the external URL
  6. Assign users to the Azure AD App Proxy

With the above guidance I was able to publish SharePoint externally in <30 minutes. However, there are a few scenarios that the blog above does not cover. Three of these will be the focus for this post:

  1. A SharePoint 2016 farm using host header site collections
  2. Office Online Server
  3. Using the same URL internally and externally for SharePoint

This post will not cover the core configuration for Azure AD Application Proxy for SharePoint as that is already covered here.

Host Named Site Collections

First let's see how site collections in my farm are addressed:

 Get-SPSite | FT URL, HostHeaderIsSiteName -AutoSize


Each site where HostHeaderIsSiteName = True is configured as an HHSC.

For this demo, I am going to publish sites which have the host name In a traditional path-based environment we would use alternate access mappings, but these will not work for HHSC. Fortunately, similar functionality is available through Set-SPSiteUrl.

The documentation for Set-SPSiteUrl has an important note:
The Set-SPSiteUrl cmdlet only applies to the root site collection for a host name that is, . This cmdlet cannot be directly run against a managed path site collection underneath the root that is, .

What does this mean? In my example where I want to publish three sites, I only have to run Set-SPSiteUrl against one site collection.

Set alternate URLs for SharePoint host header site collections

PS: Get-SPSite | Set-SPSiteURL -Zone Extranet -url

This will set the alternate URL for all site collections that share the host name.

 Get-SPSite | ?{$_.url -like "*"} | Get-SPSiteURL | FT -AutoSize
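The same mapping as an added example, not code from the original post: it locates the root site collection for one host name, sets the Extranet zone URL only if none exists yet, and lists the resulting zone URLs. Both host values are placeholders to replace with your own.

```powershell
# Added example. Run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholders (not values from the original post).
$internalHost = 'sharepoint.contoso.example'
$externalUrl  = 'https://sharepoint-contoso.msappproxy.net'

# Set-SPSiteUrl only applies to the root site collection of a host name,
# so pick the host-named site collection whose server-relative URL is "/".
$root = Get-SPSite -Limit All | Where-Object {
    $_.HostHeaderIsSiteName -and
    $_.HostName -eq $internalHost -and
    $_.ServerRelativeUrl -eq '/'
}
if (-not $root) {
    throw "No host-named root site collection found for $internalHost"
}

# Do not overwrite an Extranet mapping that is already in place.
$existing = Get-SPSiteUrl -Identity $root | Where-Object { $_.Zone -eq 'Extranet' }
if ($existing) {
    Write-Output "Extranet zone is already mapped to $($existing.Url)"
}
else {
    Set-SPSiteUrl -Identity $root -Url $externalUrl -Zone Extranet
}

# Confirm the mapping on every site collection that shares the host name.
Get-SPSite -Limit All |
    Where-Object { $_.HostName -eq $internalHost } |
    ForEach-Object { Get-SPSiteUrl -Identity $_ } |
    Format-Table Url, Zone -AutoSize
```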


Test access

I can now access the site over the internet using the default App Proxy URL:


Office Online Server (OOS)

Note: OOS is the new version of Office Web Apps (WAC)

What if I want to edit a document in the browser using Office Online Server? Unfortunately, when I attempt to open a Word document in the browser, I get an error:


Taking a look at the page source, we can see why. Office Online Server renders in an iframe which points back to a URL that I have not published:

 <form target="WebApplicationFrame" action="" id="canvas_form" method="post">

A couple of notes about Office Online Server:

  1. OOS can be configured with both an internal and external URL
  2. SharePoint can only be bound to one URL for OOS. I cannot set a different OOS URL for default and extranet zones.
  3. SharePoint users do not authenticate to OOS using Windows integrated authentication. Instead an authorization token is included in the request to the OOS server. This means that we do not need to configure Kerberos Constrained Delegation (KCD) when publishing OOS

Given the above conditions, I must publish OOS using the same URL that I do internally. Because we use an authorization token, some of the publishing settings will be different than for SharePoint using Windows authentication.

First, I can check which URL is being used for OOS by running Get-SPWOPIBinding from my SharePoint farm:

Second, Office Online Server does not support pre-authentication, so it must be configured for passthrough authentication.

Note: Since passthrough authentication is being used, it is important to lock down the host domains for which Office Online Server will allow file operations. This prevents SharePoint farms, or other servers, in unauthorized domains from binding to this farm.
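One way to audit and set that lock-down, as an added example that is not part of the original post: it compares the OOS Allow List against an approved set, adds missing domains, and flags unapproved ones for review. The domain is a placeholder, and the script assumes Get-OfficeWebAppsHost exposes the list through its allowList property.

```powershell
# Added example. Run in an elevated PowerShell session on an Office Online Server machine.
Import-Module -Name OfficeWebApps

# Placeholder: host domains whose servers may use this OOS farm.
# Adding a domain also allows its subdomains.
$approved = @('contoso.example')

# Current Allow List (assumption: returned in the allowList property).
$current = @((Get-OfficeWebAppsHost).allowList | Where-Object { $_ })

if ($current.Count -eq 0) {
    # With an empty Allow List, OOS accepts file requests from hosts in any domain.
    Write-Warning 'OOS Allow List is empty: hosts in any domain can use this farm.'
}

# Add approved domains that are missing.
foreach ($domain in $approved) {
    if ($current -notcontains $domain) {
        New-OfficeWebAppsHost -Domain $domain
        Write-Output "Added $domain to the Allow List"
    }
}

# Report entries that are not on the approved list; remove them after review.
foreach ($domain in $current) {
    if ($approved -notcontains $domain) {
        Write-Warning "Unapproved host domain on Allow List: $domain"
        # Remove-OfficeWebAppsHost -Domain $domain
    }
}

# Show the resulting Allow List.
Get-OfficeWebAppsHost
```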


Third, set the external URL to be the same as the internal URL for the application (and make sure your external DNS has a CNAME set as instructed in the portal):

Fourth, upload an SSL certificate for the URL specified. This certificate must be trusted by any machine that will be accessing SharePoint. OOS does not play well with untrusted certificates.

For this example I'm using a wildcard certificate but this is not a requirement.

Fifth, configure the internal authentication for OOS to "none." Remember, this is handled by an authorization token passed as part of the request.

Test Office Online Server

Now that this is configured, I can access my SharePoint site over the internet and also use OOS.


Publish a Friendly URL for SharePoint

The third change to cover is publishing SharePoint using the same URL that is used internally. This is very similar to configuring OOS.

First, configure the Azure AD App Proxy to use the same URL that is used internally.

Second, create a public facing CNAME record.

Third, upload a certificate. Since I have a wildcard certificate, I’m using the same one as I did for OOS.

Test access

Now I can access my SharePoint 2016 on-prem site over the internet using the same URL that I do internally.



Next Steps

With the above information and the original Azure AD App Proxy blog for publishing SharePoint 2013, we can now access our SharePoint 2016 farm over the internet and get the full functionality of Office Online Server. Since this is being handled by Azure AD, we can also add functionality such as multifactor authentication or allow users to self-assign access to this service through Azure AD.


Additional Resources

Azure AD Premium (AADP is also included with EMS)

How to provide secure remote access to on-premises applications

Enable Application Proxy in the Azure portal

Publish applications using Azure AD Application Proxy

Working with custom domains in Azure AD Application Proxy