Share-n-dipity

SharePoint serendipity is the effect by which one accidentally discovers something fortunate, especially while looking for something else entirely. In this case, it is the occassional musings, observations, and Ouija board readings about the phabulously

Configuring Office Web Apps in SharePoint 2013

Configuring Office Web Apps in SharePoint 2013

  • Comments 22
  • Likes

As you know or will soon learn, Office Web Apps in SharePoint 2013 is no longer a service application that is part of your SharePoint farm.  Instead it is installed as a separate farm, which provides a number of advantages, such as reuse between multiple SharePoint and Exchange farms, a separate patching schedule, etc.  It can be a little confusing at first though, to figure out how to connect an Office Web Apps farm to a SharePoint farm.  What follows here are the installation pre-requisites for Office Web Apps and information about how to connect these farms together.

Prerequisites

 

Office Web Apps does not have a prerequisites installer like SharePoint 2013 does so you may need to install these components separately before you starting installing.

 

  1. Install PowerShell 3.0 (RC1 is the latest version at this time: http://www.microsoft.com/en-us/download/details.aspx?Id=29939)
  2. Install .NET 4.5 (RC is the latest version at this time: http://www.microsoft.com/visualstudio/11/en-us/downloads#net-45). IMPORTANT: If the installer shuts down any of the .NET listeners during installation, you MUST reboot the server prior to installing WAC. Otherwise you will find numerous errors about endpoint not found, not listening, or connection refused in the Office Web Apps application node in the Event Viewer and you will not be able to render any documents.
  3. Install this hotfix: http://www.microsoft.com/download/en/details.aspx?id=27928

 

UPDATE:  I wanted to update with some additional information on this for RTM and Windows Server 2012.  Part of the difficulty in providing this guidance before we ship is that things change.  Here's the latest experiences when using RTM builds on Windows Server 2012:

  1. You don't need to do any of the three steps above.
  2. You need to start PowerShell as an administrator.
  3. You need to add the WAC admin module as follows:  import-module "C:\Program Files\Microsoft Office Web Apps\AdminModule\OfficeWebApps\OfficeWebApps.psd1"

 

You will need to jump through a couple of hoops on Server 2012 to get all the pre-reqs in place.  You need to:

  1. Install the IIS, .NET 4.x, and the Ink and Handwriting Services (no idea why on that last one)
  2. After all that's finished you have to go back add additional features to that service: 
    1. "ASP.NET 4.5" 
    2. ".NET Extensibility 4.5"
    3. "ISAPI Extensions"
    4. "ISAPI Filters"
    5. "Server Side Includes"

You can now install Office Web Apps.  Once it’s installed, you need to either create a new Office Web Apps farm, or join your server to an existing farm.  In this case I’m just going to describe how to create a new farm; to get the PowerShell to add a server to a farm just do a get-command *office* in PowerShell.  To create the farm do the following:

 

  1. Open PowerShell by going to Start…Run and typing powershell.
  2. To use HTTPS with WAC (recommended):
    1. Create an SSL certificate that will be used with the fully qualified domain name of the server; make note of the friendly name you use when you create the certificate. You should use IIS to request the certificate to ensure that it gets created in the correct certificate store.
    2. Provision the WAC farm with this PowerShell command: New-OfficeWebAppsFarm -Verbose -InternalUrl https://<machinename> -ExternalUrl https://<fully.qualified.machine.name> -CertificateName <FriendlyNameOfCertificateFromPreviousStep> -ClipartEnabled -TranslationEnable
  3. To use HTTP with WAC (not recommended):
    1. Provision the WAC farm on the WAC server with this PowerShell command: New-OfficeWebAppsFarm -Verbose -InternalURL http://<machinename> -ExternalUrl http://<fully.qualified.machine.name> -AllowHttp -ClipartEnabled –TranslationEnabled

 

Now that your Office Web Apps farm is up and running, you can connect your SharePoint farm.  To do that, login to any server in your SharePoint farm and open the SharePoint PowerShell command window.  Use the following command to connect to the Office Web Apps farm:

 

  1. To use HTTPS with WAC (recommended):
    1. Create the connection to WAC with this PowerShell command: New-SPWOPIBinding -ServerName <fully.qualified.machine.name of WAC server>
  2. To use HTTP with WAC (not recommended; Note – will not work if you did not configure Office Web Apps to support HTTP):
    1. Create the connection from the SharePoint farm to the WAC farm with this PowerShell command: New-SPWOPIBinding -ServerName <NameOfWacServer> -AllowHTTP
    2. Run the following command on the SharePoint server (note there's no "s" at the end): Set-SPWopiZone internal-http

 

Generally speaking, you should configure Office Web Apps to use HTTPS. The reason for that is that you can only have one WopiZone binding per SharePoint farm, HTTP or HTTPS. If you ever have both HTTP and HTTPS web apps zones, you will need Office Web Apps to be HTTPS. If it's HTTP only, you will get mixed content warnings when you are in an HTTPS site and you try and render HTTP Office Web Apps. However if you try to render HTTPS Office Web Apps in an HTTP web app zone you will not get any warnings. In addition, since the access token is passed between SharePoint and the Office Web Apps servers it is safer to have the traffic encrypted with SSL so that it cannot be sniffed out and replayed.

UPDATE:  One final note worth making here.  When you create the New-SPWopiBinding to the web apps farm, it will use the server name you provide and expect it to be HTTPS.  That means if you say your ServerName is wac.foo.com, then it will try and contact it at https://wac.foo.com.  If you do not have an SSL certificate with a common name of wac.foo.com bound to the IIS server that the web apps is using, then the New-SPWopiBinding will fail and tell you that it can't find the server.  There other thing to note is that THIS IS NOT NECESSARILY THE SERVER NAME SHAREPOINT WILL USE TO REQUEST WAC CONTENT!!  The server name it will use is actually contained in a discovery document on the web apps server.  If you navigate to https://wac.foo.com/hosting/discovery then you should get the XML document it uses, and it will show the names it is using for both the internal and external zone (web apps only have two zones, it is not like SharePoint). 

 

The reason I bring this up is because what I found is that after I run the New-SPWopiBinding cmdlet on SharePoint, by default it is setting the current WOPI zone as internal-https.  However, I use a fully qualified domain name for my WAC endpoint.  So instead of SharePoint requesting web apps at https://wac.foo.com, it makes the request to https://wac.  The problem then is that your SSL certificate on the web apps servers does not match the request coming from SharePoint, so you will get a random and varying assortment of errors.  The solution to this is to change your WOPI zone in SharePoint with the Set-SPWopiZone cmdlet, i.e. Set-SPWopiZone external-https.  That will make SharePoint use the external name in the discovery document, which should be https://wac.foo.com.  Many thanks to Yanlin for helping me track this down!

 

 

Comments
  • perfect timing on this one steve. thanks! :)

  • Great article.  And the only place I've seen coverage of bot http and https.

  • Hey

    I installed the Office Web Apps 2013 server as described in here technet.microsoft.com/.../jj219455(v=office.15) and started the 2 powershell commands on the sharepoint server 2013 as described in here: technet.microsoft.com/.../ff431687(v=office.15).

    Every time I want to open a document in the browser or see the preview in sharepoint, I get an error: Sorry, something went wrong. And the log:

    07/20/2012 13:59:54.44  w3wp.exe (0x0C04)                        0x19EC SharePoint Foundation          Logging Correlation Data       xmnv Medium   Name=Request (GET:portal2013.iseag.ch/.../WopiFrame.aspx) ef66bb9b-bfc4-70f1-67ed-15532f496ce0

     07/20/2012 13:59:54.44  w3wp.exe (0x0C04)                        0x19EC SharePoint Foundation          Logging Correlation Data       xmnv Medium   Site=/ ef66bb9b-bfc4-70f1-67ed-15532f496ce0

     07/20/2012 13:59:54.44  w3wp.exe (0x0C04)                        0x19EC SharePoint Foundation          Authentication Authorization   aib35 Medium   SPShareByLinkHandler.Initialize : Not a ShareByLink request - missing access token ef66bb9b-bfc4-70f1-67ed-15532f496ce0

     07/20/2012 13:59:54.47  w3wp.exe (0x0C04)                        0x19EC SharePoint Foundation          Authentication Authorization   aib35 Medium   SPShareByLinkHandler.Initialize : Not a ShareByLink request - missing access token ef66bb9b-bfc4-70f1-67ed-15532f496ce0

     07/20/2012 13:59:54.47  w3wp.exe (0x0C04)                        0x19EC SharePoint Foundation          WOPI                           ajc39 Unexpected WOPIFrame - Unhandled exception: System.NotSupportedException: Can not create an identity context for system account user token.     at Microsoft.SharePoint.IdentityModel.SPIdentityContext.Create(SPUserToken token, Boolean isShareByLinkGuestUser)     at Microsoft.SharePoint.IdentityModel.SPIdentityContext.Create(SPUser user)     at Microsoft.SharePoint.IdentityModel.OAuth2.SPOAuth2SecurityTokenManager.IssueLoopbackTokenString(Uri endpointAddress, SPUser user, String applicationContext, DateTime& validTo)     at Microsoft.SharePoint.Utilities.SPWOPIHost.GetAccessToken(SPWeb web, Guid uniqueId, String proofKeyId, SPUrlZone zone, SPBasePermissions perms, Int64& ttl)     at Microsoft.SharePoint.Utilities.SPWOPIHost.GetAccessToken(SPFile file, String proofKeyId, SPUrlZone zone, Int64& ttl)     ... ef66bb9b-bfc4-70f1-67ed-15532f496ce0

     07/20/2012 13:59:54.47* w3wp.exe (0x0C04)                        0x19EC SharePoint Foundation          WOPI                           ajc39 Unexpected ...at Microsoft.SharePoint.Utilities.SPWOPIHost.GetWOPITargetInternal(HttpContext httpContext, SPWeb web, Object& spPrimeObject, SPWOPIAction& requestedAction, SPRegionalSettings spSettings, String& wopiAppUrl, String& wopiFavIconUrl, String& wopiAccessToken, Int64& wopiAccessTokenTtl, String& errorMessageToDisplay, String& redirectUrl)     at Microsoft.SharePoint.ApplicationPages.WOPIFrameHelper.OnLoadHelper(WOPIFrame frame)     at Microsoft.SharePoint.ApplicationPages.WOPIFrameHelper.OnLoad(WOPIFrame frame) ef66bb9b-bfc4-70f1-67ed-15532f496ce0

     07/20/2012 13:59:54.47  w3wp.exe (0x0C04)                        0x19EC SharePoint Foundation          General                        aat87 Monitorable An error has occurred on the server. ef66bb9b-bfc4-70f1-67ed-15532f496ce0

     07/20/2012 13:59:54.49  w3wp.exe (0x0C04)                        0x19EC SharePoint Foundation          Monitoring                     b4ly Medium   Leaving Monitored Scope (Request (GET:portal2013.iseag.ch/.../WopiFrame.aspx)). Execution Time=25.0716 ef66bb9b-bfc4-70f1-67ed-15532f496ce0

    the two servers are in the same domain. for my testing environment I use normally a domain-admin account to install, configure and test.

  • @Dario Zueger with the system account it's doesn't work and you have this error : Sorry, something went wrong, try with another account who have the good permissions

  • Thanks Steve!

    As FYI, I was able to run the commands on Windows 2012 RC without any issues.

    Also, the New-SPWOPIBinding command needs to be run using the SharePoint shell.

  • Do we need office license to edit documents in the browser

  • Alan,

    No, we don't need the license. If we have office web apps and SharePoint 2013 then we don't required a separate license for office. Anyway we are talking about preview versions, we don't require any licenses for now.

  • Alan,

    And incase if you get the error try to run the below powershell command on server.

    $farm = get-officewebappsfarm

    $farm.OpenFromUrlEnabled = $true

  • It looks like

    a.Create the connection to WAC with this PowerShell command: New-SPWOPIBinding -ServerName <fully.qualified.machine.name of WAC server>

    this step to succeed , require WAC SSL certificate imported as trusted root cert  in sharepoint.

  • The "Windows Authentication" IIS feature is missing as prereq

    When trying to create the WAC farm, get the error "The operation failed, The server did not meet the following prerequisites: The Windows Authentication Windows Server Feature must be installed and enabled

  • Great stuff Steve! Thanks

    For the troubleshooting section

    Issue: Word Document : "Sorry, there was a problem and we can't open this document. If this happens again, try opening the document in Microsoft Word."

    Error: You see Unexpected error in the ULS logs on the Office Web App server.  

    "WOPI Check, non-200 return [code:Forbidden, url [sitename.domain.com/.../GUID]"

    When using http for SharePoint site you need to set AllowOAuthOverHttp to true. This needs to be done in the SharePoint Management Shell using the following commands:

    $sts = (Get-SPSecurityTokenServiceConfig)

    $sts.AllowOAuthOverHttp = $true

    $sts.Update()

    Https SharePoint sites should work with default = false

  • Quick note @Matt - you should really NOT use Office Web Apps over http.  There is an oauth token that is sent back and forth between the client, SharePoint and Office Web Apps and by using it over HTTP you open yourself to a cookie replay attack that could leave your content vulnerable.

  • Hi Steve - Our SharePoint site is HTTP, our Office Web Apps site is HTTPS.  Is this still an issue?  I understand when Office Web Apps fetches content from SharePoint, it contains the user's credentials and thus HTTPS is strongly recommended for production environments.  Thanks for the feedback!  

  • @Matt, yes, this is still an issue.  The OAuth token exchange will go back and forth between the Office Web Apps server and the SharePoint server multiple times.  So each time the call is made to the SharePoint server, it will happen in plain text over HTTP.

  • I have configured my Office App Server and SharePoint Server correctly ( in HTTP mode in a test environment) but I am not bale to edit documents in browser it says  " I don't have license to edit". Can you please help here?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment