As you know or will soon learn, Office Web Apps in SharePoint 2013 is no longer a service application that is part of your SharePoint farm. Instead it is installed as a separate farm, which provides a number of advantages, such as reuse between multiple SharePoint and Exchange farms, a separate patching schedule, etc. It can be a little confusing at first though, to figure out how to connect an Office Web Apps farm to a SharePoint farm. What follows here are the installation pre-requisites for Office Web Apps and information about how to connect these farms together.
Office Web Apps does not have a prerequisites installer like SharePoint 2013 does so you may need to install these components separately before you starting installing.
UPDATE: I wanted to update with some additional information on this for RTM and Windows Server 2012. Part of the difficulty in providing this guidance before we ship is that things change. Here's the latest experiences when using RTM builds on Windows Server 2012:
You will need to jump through a couple of hoops on Server 2012 to get all the pre-reqs in place. You need to:
You can now install Office Web Apps. Once it’s installed, you need to either create a new Office Web Apps farm, or join your server to an existing farm. In this case I’m just going to describe how to create a new farm; to get the PowerShell to add a server to a farm just do a get-command *office* in PowerShell. To create the farm do the following:
Now that your Office Web Apps farm is up and running, you can connect your SharePoint farm. To do that, login to any server in your SharePoint farm and open the SharePoint PowerShell command window. Use the following command to connect to the Office Web Apps farm:
Generally speaking, you should configure Office Web Apps to use HTTPS. The reason for that is that you can only have one WopiZone binding per SharePoint farm, HTTP or HTTPS. If you ever have both HTTP and HTTPS web apps zones, you will need Office Web Apps to be HTTPS. If it's HTTP only, you will get mixed content warnings when you are in an HTTPS site and you try and render HTTP Office Web Apps. However if you try to render HTTPS Office Web Apps in an HTTP web app zone you will not get any warnings. In addition, since the access token is passed between SharePoint and the Office Web Apps servers it is safer to have the traffic encrypted with SSL so that it cannot be sniffed out and replayed.
UPDATE: One final note worth making here. When you create the New-SPWopiBinding to the web apps farm, it will use the server name you provide and expect it to be HTTPS. That means if you say your ServerName is wac.foo.com, then it will try and contact it at https://wac.foo.com. If you do not have an SSL certificate with a common name of wac.foo.com bound to the IIS server that the web apps is using, then the New-SPWopiBinding will fail and tell you that it can't find the server. There other thing to note is that THIS IS NOT NECESSARILY THE SERVER NAME SHAREPOINT WILL USE TO REQUEST WAC CONTENT!! The server name it will use is actually contained in a discovery document on the web apps server. If you navigate to https://wac.foo.com/hosting/discovery then you should get the XML document it uses, and it will show the names it is using for both the internal and external zone (web apps only have two zones, it is not like SharePoint).
The reason I bring this up is because what I found is that after I run the New-SPWopiBinding cmdlet on SharePoint, by default it is setting the current WOPI zone as internal-https. However, I use a fully qualified domain name for my WAC endpoint. So instead of SharePoint requesting web apps at https://wac.foo.com, it makes the request to https://wac. The problem then is that your SSL certificate on the web apps servers does not match the request coming from SharePoint, so you will get a random and varying assortment of errors. The solution to this is to change your WOPI zone in SharePoint with the Set-SPWopiZone cmdlet, i.e. Set-SPWopiZone external-https. That will make SharePoint use the external name in the discovery document, which should be https://wac.foo.com. Many thanks to Yanlin for helping me track this down!
perfect timing on this one steve. thanks! :)
Great article. And the only place I've seen coverage of bot http and https.
I installed the Office Web Apps 2013 server as described in here technet.microsoft.com/.../jj219455(v=office.15) and started the 2 powershell commands on the sharepoint server 2013 as described in here: technet.microsoft.com/.../ff431687(v=office.15).
Every time I want to open a document in the browser or see the preview in sharepoint, I get an error: Sorry, something went wrong. And the log:
07/20/2012 13:59:54.44 w3wp.exe (0x0C04) 0x19EC SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:portal2013.iseag.ch/.../WopiFrame.aspx) ef66bb9b-bfc4-70f1-67ed-15532f496ce0
07/20/2012 13:59:54.44 w3wp.exe (0x0C04) 0x19EC SharePoint Foundation Logging Correlation Data xmnv Medium Site=/ ef66bb9b-bfc4-70f1-67ed-15532f496ce0
07/20/2012 13:59:54.44 w3wp.exe (0x0C04) 0x19EC SharePoint Foundation Authentication Authorization aib35 Medium SPShareByLinkHandler.Initialize : Not a ShareByLink request - missing access token ef66bb9b-bfc4-70f1-67ed-15532f496ce0
07/20/2012 13:59:54.47 w3wp.exe (0x0C04) 0x19EC SharePoint Foundation Authentication Authorization aib35 Medium SPShareByLinkHandler.Initialize : Not a ShareByLink request - missing access token ef66bb9b-bfc4-70f1-67ed-15532f496ce0
07/20/2012 13:59:54.47 w3wp.exe (0x0C04) 0x19EC SharePoint Foundation WOPI ajc39 Unexpected WOPIFrame - Unhandled exception: System.NotSupportedException: Can not create an identity context for system account user token. at Microsoft.SharePoint.IdentityModel.SPIdentityContext.Create(SPUserToken token, Boolean isShareByLinkGuestUser) at Microsoft.SharePoint.IdentityModel.SPIdentityContext.Create(SPUser user) at Microsoft.SharePoint.IdentityModel.OAuth2.SPOAuth2SecurityTokenManager.IssueLoopbackTokenString(Uri endpointAddress, SPUser user, String applicationContext, DateTime& validTo) at Microsoft.SharePoint.Utilities.SPWOPIHost.GetAccessToken(SPWeb web, Guid uniqueId, String proofKeyId, SPUrlZone zone, SPBasePermissions perms, Int64& ttl) at Microsoft.SharePoint.Utilities.SPWOPIHost.GetAccessToken(SPFile file, String proofKeyId, SPUrlZone zone, Int64& ttl) ... ef66bb9b-bfc4-70f1-67ed-15532f496ce0
07/20/2012 13:59:54.47* w3wp.exe (0x0C04) 0x19EC SharePoint Foundation WOPI ajc39 Unexpected ...at Microsoft.SharePoint.Utilities.SPWOPIHost.GetWOPITargetInternal(HttpContext httpContext, SPWeb web, Object& spPrimeObject, SPWOPIAction& requestedAction, SPRegionalSettings spSettings, String& wopiAppUrl, String& wopiFavIconUrl, String& wopiAccessToken, Int64& wopiAccessTokenTtl, String& errorMessageToDisplay, String& redirectUrl) at Microsoft.SharePoint.ApplicationPages.WOPIFrameHelper.OnLoadHelper(WOPIFrame frame) at Microsoft.SharePoint.ApplicationPages.WOPIFrameHelper.OnLoad(WOPIFrame frame) ef66bb9b-bfc4-70f1-67ed-15532f496ce0
07/20/2012 13:59:54.47 w3wp.exe (0x0C04) 0x19EC SharePoint Foundation General aat87 Monitorable An error has occurred on the server. ef66bb9b-bfc4-70f1-67ed-15532f496ce0
07/20/2012 13:59:54.49 w3wp.exe (0x0C04) 0x19EC SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:portal2013.iseag.ch/.../WopiFrame.aspx)). Execution Time=25.0716 ef66bb9b-bfc4-70f1-67ed-15532f496ce0
the two servers are in the same domain. for my testing environment I use normally a domain-admin account to install, configure and test.
@Dario Zueger with the system account it's doesn't work and you have this error : Sorry, something went wrong, try with another account who have the good permissions
As FYI, I was able to run the commands on Windows 2012 RC without any issues.
Also, the New-SPWOPIBinding command needs to be run using the SharePoint shell.
Do we need office license to edit documents in the browser
No, we don't need the license. If we have office web apps and SharePoint 2013 then we don't required a separate license for office. Anyway we are talking about preview versions, we don't require any licenses for now.
And incase if you get the error try to run the below powershell command on server.
$farm = get-officewebappsfarm
$farm.OpenFromUrlEnabled = $true
It looks like
a.Create the connection to WAC with this PowerShell command: New-SPWOPIBinding -ServerName <fully.qualified.machine.name of WAC server>
this step to succeed , require WAC SSL certificate imported as trusted root cert in sharepoint.
The "Windows Authentication" IIS feature is missing as prereq
When trying to create the WAC farm, get the error "The operation failed, The server did not meet the following prerequisites: The Windows Authentication Windows Server Feature must be installed and enabled
Great stuff Steve! Thanks
For the troubleshooting section
Issue: Word Document : "Sorry, there was a problem and we can't open this document. If this happens again, try opening the document in Microsoft Word."
Error: You see Unexpected error in the ULS logs on the Office Web App server.
"WOPI Check, non-200 return [code:Forbidden, url [sitename.domain.com/.../GUID]"
When using http for SharePoint site you need to set AllowOAuthOverHttp to true. This needs to be done in the SharePoint Management Shell using the following commands:
$sts = (Get-SPSecurityTokenServiceConfig)
$sts.AllowOAuthOverHttp = $true
Https SharePoint sites should work with default = false
Quick note @Matt - you should really NOT use Office Web Apps over http. There is an oauth token that is sent back and forth between the client, SharePoint and Office Web Apps and by using it over HTTP you open yourself to a cookie replay attack that could leave your content vulnerable.
Hi Steve - Our SharePoint site is HTTP, our Office Web Apps site is HTTPS. Is this still an issue? I understand when Office Web Apps fetches content from SharePoint, it contains the user's credentials and thus HTTPS is strongly recommended for production environments. Thanks for the feedback!
@Matt, yes, this is still an issue. The OAuth token exchange will go back and forth between the Office Web Apps server and the SharePoint server multiple times. So each time the call is made to the SharePoint server, it will happen in plain text over HTTP.
I have configured my Office App Server and SharePoint Server correctly ( in HTTP mode in a test environment) but I am not bale to edit documents in browser it says " I don't have license to edit". Can you please help here?