404 & 401 Errors with the App Management Service

from:http://blogs.technet.com/b/sharepoint_-_inside_the_lines/archive/2013/06/23/404-amp-401-errors-with-the-app-management-service.aspx

I recently was testing out the configuration of the App Management Service in SharePoint 2013.  For the most part I followed the TechNet article on the steps but because I like to create scripts I can share with customers I did the configuration in PowerShell.  Below is the script which not only creates the App Management Service but also the Subscription Service which is required by the App Management Service.  (If you use this script make sure you setup your service accounts as managed accounts first)  I also like to get my DNS Forward Lookup Zone and wildcard CNAME alias created before running the script in case the AD/DNS guys have any changes they want to suggest.

To setup the DNS forward lookup zone and wildcard CNAME alias I followed the TechNet article I already referenced but in case you are following this post instead of that I’ll quickly rehash it.  First, open DNS then right click Forward Lookup Zoneand click New Zone.  When going through the wizard click Next to start it then select Primary Zone and click Next.  Then choose if it is at the Forest or the Domain, in my case it doesn’t matter so I chose Domain and then click Next.  Next you will provide a name for your zone (CampBushnellApps.lcl – This will become the $AppDomain variable in the script below).  Once that’s done I use the defaults through the rest of the wizard and click Finish to create.

Now I can create the wildcard CNAME alias.  To do so I select the newly created forward lookup zone and right click and select new Alias (CNAME).  In the New Resource Record window I type * for the Alias Name and the WFE FQDN for the FQDN field (in this case SPWeb2013.campbushnell.lcl).  If I wanted to use a load balanced URL (DNS A Record) instead I could do that instead of pointing directly at the WFE.  This can work great for abstracting the server name or in the case that I have multiple WFEs.  

Now that the DNS side of the house is configured, I run my script…  (The first section of the scripts I write I always setup my variables for use in the script which is great for multiple farms)

#Create Variables

write-host 0. Setup Variables

$AMAcct = Get-SPManagedAccount "campbushnell\svcSPApps" #App Management Service Account

$SSAcct = Get-SPManagedAccount "campbushnell\svcSPSubscript" #Subscription Settings Service Account

$SubServiceName = "Subscription Settings Service"

$AppServiceName = "App Management Service"

$SubDBName = "SubscriptionSettingsServiceDB"

$AppDBName = "AppServiceDB"

$AppSvr = "SPApp2013"

$AppDomain = "CampBushnellApps.lcl"

$AppPrefix = "apps"

#Start the Subscription Settings Service and App Management Service

write-host 1. Subscription Settings Service and App Management Service

$SubServiceInstance = get-SPServiceInstance -server $AppSvr | ?{$_.TypeName -eq "Microsoft SharePoint Foundation Subscription Settings Service"}

Start-SPServiceInstance -Identity $SubServiceInstance

$AppServiceInstance = get-SPServiceInstance -server $AppSvr | ?{$_.TypeName -eq "App Management Service"}

Start-SPServiceInstance -Identity $AppServiceInstance

#Create Subscription Settings Service App Pool

write-host 2. Configure Subscription Settings Service App Pool

$appPoolSubSvc = New-SPServiceApplicationPool -Name $SubServiceName-"AppPool" -Account $SSAcct

#Create Subscription Settings Service App

write-host 3. Configure Subscription Settings Service App

$appSubSvc = New-SPSubscriptionSettingsServiceApplication –ApplicationPool $appPoolSubSvc –Name $SubServiceName –DatabaseName $SubDBName

#Create Subscription Settings Service App Proxy

write-host 4. Configure Subscription Settings Service App Proxy

$proxySubSvc = New-SPSubscriptionSettingsServiceApplicationProxy –ServiceApplication $appSubSvc

#Create App Management Service App Pool

write-host 5. Configure App Management Service App Pool

$appPoolAppSvc = New-SPServiceApplicationPool -Name $AppServiceName-"AppPool" -Account $AMAcct

#Create App Management Service App

write-host 6. Configure App Management Service App

$appAppSvc = New-SPAppManagementServiceApplication -ApplicationPool $appPoolAppSvc -Name $AppServiceName -DatabaseName $AppDBName

#Create App Management Service App Proxy

write-host 7. Configure App Management Service App Proxy

$proxyAppSvc = New-SPAppManagementServiceApplicationProxy -ServiceApplication $appAppSvc

#Configure App URLs

write-host 8. Configure App URLs

Set-SPAppDomain $AppDomain

Set-SPAppSiteSubscriptionName -Name $AppPrefix -Confirm:$false

On occasion I have had step 8 of my script fail because SharePoint is still provisioning the service application and cannot setup the URLs.  In those cases I simply manually setup the required variables and rerun the two lines of code for step 8.  Once that is created I should be able to open Central Admin and access the Apps section.  In this area I am going to verify my App Domain and App Prefix are set to my variables by selecting Configure App URLs.

After I have verified that I go configure my App Catalog for the web application by selecting Manage App Catalog.  Because it is new I have to create one for the web application.  The process is much like creating a new site collection.

After that there is one more step to take to allow my web application to access apps from the SharePoint store, I need to activate the Apps that require accessible internet facing endpoints feature.  To do so I browse to Application Managementà Manage Web Applications à select my web application and select Manage Features in the ribbon.  Then I activate the feature.

At this point I am able to add apps from the SharePoint store to a SharePoint page!!!  But when I go and test the app on the page it bombs with “page cannot be displayed” error messages in the web part!  What gives!?!  Well after some Fiddler traces I found 404 errors.

As it turns out the default website is picking up the app and trying to respond for it rather than redirecting to a SharePoint web application.  First I attempted to fix this by disabling the default web site in IIS on my WFE.  Not the fix so I re-enabled it (not because it is doing anything but because I like to keep things as close to out of the box as I can, especially for testing purposes).  So instead I change the binding on my web application to pick up anything on port 80 (which is what my site is using).  When I test again I get prompted for credentials so I put them in and continue to get prompted.

What is with the prompting for credentials?  I quickly test again and this time my Fiddler trace shows me 401 errors.  First I wonder if it is a loopback issue so I disabled loopback and after my first prompt it accepts my credentials and my app works!

To disable loopback if you aren’t familiar, open the registry and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA and create a new DWORD (32-bit) Value with a name of DisableLoopbackCheck and set the value to 1.  Restart the server after the change to ensure it takes effect.  Reference articleKB 896861

But I know that prompting credentials on page load isn’t going to fly in the real world so how can I fix it?  Well, to be honest it so simple I almost didn’t try it… all I did was add the App Domain (*.CampBushnell.lcl) to my trusted sites and configured trusted sites to pass credentials.  (I would recommend that be part of a group policy rather than setup on individual computers)  I did take the Loopback out again and found that it still kept prompting for credentials so it definitely is part of the fix here.

As an aside in case you are using Kerberos with your web application… I spent several hours working through issues with this while using a Kerberos web application and found consistent prompting that neither of the above solutions resolved.  In fact, the only way I have found around it so far for a web application using Kerberos is to setup a separate web application that is NTLM and setup the IIS binding to it rather than the Kerberos based web application.  I still needed to trust the domain and forward credentials but after I did that the prompting issue stopped.