Execute SharePoint actions in user context

To run SharePoint actions in the context of the logged-in user (or of the person who started a process) in on-premises environments, you can roll out a SharePoint Provider Hosted App. It must be rolled out as a High-Trust App so that it can log on to SharePoint in the context of different people. The provider hosted app generates a corresponding user token for each of these people. The following steps are necessary for the rollout:

SharePoint Client Register

  • Open the SharePoint Web to be accessed in any browser
  • Open the URL /_layouts/15/appregnew.aspx (i.e. https://WEBURL/_layouts/15/appregnew.aspx)
  • Enter the Client Id specified by linqi as Client Id
  • Generate a Client Secret
  • Enter the domain under which you want to host the Provider Hosted App as App Domain (without https or similar)
  • Enter the App Domain with https:// as Redirect URI
  • Create the App Registration via Create

SharePoint Client Permissions

  • Open the SharePoint Web to be accessed in any browser
  • Open the URL /_layouts/15/appinv.aspx (i.e. https://WEBURL/_layouts/15/appinv.aspx)
  • Use the named Client Id to load the app via lookup
  • Enter the following as Permission Request XML:
<AppPermissionRequests> 
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
</AppPermissionRequests>

Roll out IIS application

  • You can roll out the IIS application to the same server on which linqi is running, for example
  • .NET Framework 4.8 must be installed, as well as ASP for IIS
  • Create a new app pool (e.g. linqi SharePoint Auth)
  • Create a new site (e.g. linqi SharePoint Auth) that uses the application pool
  • Deactivate Anonymous Auth for this site, and activate Windows Auth for this site
  • Copy the content of the Provider Hosted App provided by linqi into the folder of the site
  • Customize the web.config as follows:
    • ClientSigningCertificatePath: Enter the path to the PFX file that was registered for the High Trust Provider Hosted App in SharePoint
    • ClientSigningCertificatePassword: Enter the encrypted password for the PFX file here. To encrypt the password, you can use the linqi Encryption Tool, which is supplied with the installer.
    • LdapDomain: Enter the LDAP domain used to load the user data under which SharePoint is accessed. The domain must therefore be the same as the one used by SharePoint
    • LdapUsername: Enter the user name of the account used for read access to the Active Directory here
    • LdapPassword: Enter the encrypted password for the account used for read access to the Active Directory

Roll out SharePoint app

  • Add the supplied SharePoint app to the SharePoint catalog
  • Install the app in the SharePoint sites to which access is granted

Configure SharePoint Provider Hosted App in linqi

  • Open the appsettings.json file in the linqi folder (e.g. C:\inetpub\wwwroot\linqi\appsettings.json)
  • In the "SharePoint" area, insert the following values:
"SharePointAuthProxy": "https://PROVIDER_HOSTED_APP_DOMAIN/?SPHostUrl={0}&SPLanguage=en-US&SPClientTag=0&SPProductNumber=16%2E0%2E10337%2E12109&userId={1}",
"SharePointAuthProxyUsername": "PROVIDER_HOSTED_APP_USER_NAME",
"SharePointAuthProxyPassword": "PROVIDER_HOSTED_APP_USER_PASSWORD"
  • Replace the values as follows:
    • PROVIDER_HOSTED_APP_DOMAIN: Add here the domain under which the IIS application is accessible
    • PROVIDER_HOSTED_APP_USER_NAME: Enter the name of the user that is used to access the application. You can configure the IIS application so that only this user has access to the application.
    • PROVIDER_HOSTED_APP_USER_PASSWORD: Enter the encrypted password of the user that is used to access the application.
  • Restart the linqi application in IIS so that it loads the new configuration.
  • You can then use As logged in user or As process initiator as the type of authentication in linqi for SharePoint connections to perform the actions in the corresponding context.
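
The IIS steps above (anonymous authentication off, Windows authentication on) and the note that the application can be limited to the one proxy user can be scripted and checked as follows. This is an added example, not part of linqi's documentation or installer; it assumes the IIS "URL Authorization" role service is installed, and the site name and account are placeholders.

```powershell
# Added example, not linqi's own script. Run elevated on the IIS server.
# Assumptions: the "URL Authorization" role service is installed; the site name
# and account below are placeholders to replace with your own values.
Import-Module WebAdministration

$site      = 'linqi SharePoint Auth'                  # example site name from the steps above
$proxyUser = 'DOMAIN\PROVIDER_HOSTED_APP_USER_NAME'   # placeholder account
$auth      = 'system.webServer/security/authentication'
$authz     = 'system.webServer/security/authorization'
$target    = @{ PSPath = 'IIS:\'; Location = $site }  # written to applicationHost.config

# Windows authentication only
Set-WebConfigurationProperty @target -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty @target -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true

# Drop the inherited "allow all users" rule if it is still present ...
if (Get-WebConfiguration @target -Filter "$authz/add[@users='*']") {
    Remove-WebConfigurationProperty @target -Filter $authz -Name '.' `
        -AtElement @{ users = '*'; roles = ''; verbs = '' }
}
# ... and allow only the proxy account (skipped if the rule already exists)
if (-not (Get-WebConfiguration @target -Filter "$authz/add[@users='$proxyUser']")) {
    Add-WebConfigurationProperty @target -Filter $authz -Name '.' `
        -Value @{ accessType = 'Allow'; users = $proxyUser }
}

# Read the effective settings back and fail loudly on any deviation
$anon  = (Get-WebConfigurationProperty @target -Filter "$auth/anonymousAuthentication" -Name enabled).Value
$win   = (Get-WebConfigurationProperty @target -Filter "$auth/windowsAuthentication" -Name enabled).Value
$rules = @(Get-WebConfiguration @target -Filter "$authz/add")
$extra = @($rules | Where-Object { $_.accessType -eq 'Allow' -and $_.users -ne $proxyUser })

if ($anon -or -not $win -or $extra.Count -gt 0) {
    throw "Site '$site' does not match the intended lockdown to $proxyUser"
}
$rules | Select-Object accessType, users, roles
```

Because the proxy URL carries the `userId` whose context is requested, the single allow rule is what keeps other authenticated domain accounts from calling the application.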