Configuring Office Web Apps in SharePoint 2013
As you know or will soon learn, Office Web Apps in SharePoint 2013 is no longer a service application that is part of your SharePoint farm. Instead it is installed as a separate farm, which provides a number of advantages, such as reuse between multiple SharePoint and Exchange farms, a separate patching schedule, etc. It can be a little confusing at first though, to figure out how to connect an Office Web Apps farm to a SharePoint farm. What follows here are the installation pre-requisites for Office Web Apps and information about how to connect these farms together.
Prerequisites
Office Web Apps does not have a prerequisites installer like SharePoint 2013 does so you may need to install these components separately before you starting installing.
- Install PowerShell 3.0 (RC1 is the latest version at this time: https://www.microsoft.com/en-us/download/details.aspx?Id=29939)
- Install .NET 4.5 (RC is the latest version at this time: https://www.microsoft.com/visualstudio/11/en-us/downloads#net-45). IMPORTANT: If the installer shuts down any of the .NET listeners during installation, you MUST reboot the server prior to installing WAC. Otherwise you will find numerous errors about endpoint not found, not listening, or connection refused in the Office Web Apps application node in the Event Viewer and you will not be able to render any documents.
- Install this hotfix: https://www.microsoft.com/download/en/details.aspx?id=27928
UPDATE: I wanted to update with some additional information on this for RTM and Windows Server 2012. Part of the difficulty in providing this guidance before we ship is that things change. Here's the latest experiences when using RTM builds on Windows Server 2012:
- You don't need to do any of the three steps above.
- You need to start PowerShell as an administrator.
- You need to add the WAC admin module as follows: import-module "C:\Program Files\Microsoft Office Web Apps\AdminModule\OfficeWebApps\OfficeWebApps.psd1"
You will need to jump through a couple of hoops on Server 2012 to get all the pre-reqs in place. You need to:
- Install the IIS, .NET 4.x, and the Ink and Handwriting Services (no idea why on that last one)
- After all that's finished you have to go back add additional features to that service:
- "ASP.NET 4.5"
- ".NET Extensibility 4.5"
- "ISAPI Extensions"
- "ISAPI Filters"
- "Server Side Includes"
You can now install Office Web Apps. Once it’s installed, you need to either create a new Office Web Apps farm, or join your server to an existing farm. In this case I’m just going to describe how to create a new farm; to get the PowerShell to add a server to a farm just do a get-command *office* in PowerShell. To create the farm do the following:
- Open PowerShell by going to Start…Run and typing powershell.
- To use HTTPS with WAC (recommended):
- Create an SSL certificate that will be used with the fully qualified domain name of the server; make note of the friendly name you use when you create the certificate. You should use IIS to request the certificate to ensure that it gets created in the correct certificate store.
- Provision the WAC farm with this PowerShell command: New-OfficeWebAppsFarm -Verbose -InternalUrl https://<machinename> -ExternalUrl https://<fully.qualified.machine.name> -CertificateName <FriendlyNameOfCertificateFromPreviousStep> -ClipartEnabled -TranslationEnable
- To use HTTP with WAC (not recommended):
- Provision the WAC farm on the WAC server with this PowerShell command: New-OfficeWebAppsFarm -Verbose -InternalURL https://<machinename> -ExternalUrl https://<fully.qualified.machine.name> -AllowHttp -ClipartEnabled –TranslationEnabled
Now that your Office Web Apps farm is up and running, you can connect your SharePoint farm. To do that, login to any server in your SharePoint farm and open the SharePoint PowerShell command window. Use the following command to connect to the Office Web Apps farm:
- To use HTTPS with WAC (recommended):
- Create the connection to WAC with this PowerShell command: New-SPWOPIBinding -ServerName <fully.qualified.machine.name of WAC server>
- To use HTTP with WAC (not recommended; Note – will not work if you did not configure Office Web Apps to support HTTP):
- Create the connection from the SharePoint farm to the WAC farm with this PowerShell command: New-SPWOPIBinding -ServerName <NameOfWacServer> -AllowHTTP
- Run the following command on the SharePoint server (note there's no "s" at the end): Set-SPWopiZone internal-http
Generally speaking, you should configure Office Web Apps to use HTTPS. The reason for that is that you can only have one WopiZone binding per SharePoint farm, HTTP or HTTPS. If you ever have both HTTP and HTTPS web apps zones, you will need Office Web Apps to be HTTPS. If it's HTTP only, you will get mixed content warnings when you are in an HTTPS site and you try and render HTTP Office Web Apps. However if you try to render HTTPS Office Web Apps in an HTTP web app zone you will not get any warnings. In addition, since the access token is passed between SharePoint and the Office Web Apps servers it is safer to have the traffic encrypted with SSL so that it cannot be sniffed out and replayed.
UPDATE: One final note worth making here. When you create the New-SPWopiBinding to the web apps farm, it will use the server name you provide and expect it to be HTTPS. That means if you say your ServerName is wac.foo.com, then it will try and contact it at https://wac.foo.com. If you do not have an SSL certificate with a common name of wac.foo.com bound to the IIS server that the web apps is using, then the New-SPWopiBinding will fail and tell you that it can't find the server. There other thing to note is that THIS IS NOT NECESSARILY THE SERVER NAME SHAREPOINT WILL USE TO REQUEST WAC CONTENT!! The server name it will use is actually contained in a discovery document on the web apps server. If you navigate to https://wac.foo.com/hosting/discovery then you should get the XML document it uses, and it will show the names it is using for both the internal and external zone (web apps only have two zones, it is not like SharePoint).
The reason I bring this up is because what I found is that after I run the New-SPWopiBinding cmdlet on SharePoint, by default it is setting the current WOPI zone as internal-https. However, I use a fully qualified domain name for my WAC endpoint. So instead of SharePoint requesting web apps at https://wac.foo.com, it makes the request to https://wac. The problem then is that your SSL certificate on the web apps servers does not match the request coming from SharePoint, so you will get a random and varying assortment of errors. The solution to this is to change your WOPI zone in SharePoint with the Set-SPWopiZone cmdlet, i.e. Set-SPWopiZone external-https. That will make SharePoint use the external name in the discovery document, which should be https://wac.foo.com. Many thanks to Yanlin for helping me track this down!
Comments
Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
I have configured my Office App Server and SharePoint Server correctly ( in HTTP mode in a test environment) but I am not bale to edit documents in browser it says " I don't have license to edit". Can you please help here?Anonymous
January 01, 2003
@Matt, yes, this is still an issue. The OAuth token exchange will go back and forth between the Office Web Apps server and the SharePoint server multiple times. So each time the call is made to the SharePoint server, it will happen in plain text over HTTP.Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
good descriptionAnonymous
January 01, 2003
Great stuff Steve! Thanks For the troubleshooting section Issue: Word Document : "Sorry, there was a problem and we can't open this document. If this happens again, try opening the document in Microsoft Word." Error: You see Unexpected error in the ULS logs on the Office Web App server. "WOPI Check, non-200 return [code:Forbidden, url [sitename.domain.com/.../GUID]" When using http for SharePoint site you need to set AllowOAuthOverHttp to true. This needs to be done in the SharePoint Management Shell using the following commands: $sts = (Get-SPSecurityTokenServiceConfig) $sts.AllowOAuthOverHttp = $true $sts.Update() Https SharePoint sites should work with default = falseAnonymous
January 01, 2003
Quick note @Matt - you should really NOT use Office Web Apps over http. There is an oauth token that is sent back and forth between the client, SharePoint and Office Web Apps and by using it over HTTP you open yourself to a cookie replay attack that could leave your content vulnerable.Anonymous
July 23, 2012
perfect timing on this one steve. thanks! :)Anonymous
July 23, 2012
Great article. And the only place I've seen coverage of bot http and https.Anonymous
July 24, 2012
Hey I installed the Office Web Apps 2013 server as described in here technet.microsoft.com/.../jj219455(v=office.15) and started the 2 powershell commands on the sharepoint server 2013 as described in here:technet.microsoft.com/.../ff431687(v=office.15). Every time I want to open a document in the browser or see the preview in sharepoint, I get an error: Sorry, something went wrong. And the log: 07/20/2012 13:59:54.44 w3wp.exe (0x0C04) 0x19EC SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:portal2013.iseag.ch/.../WopiFrame.aspx) ef66bb9b-bfc4-70f1-67ed-15532f496ce0 07/20/2012 13:59:54.44 w3wp.exe (0x0C04) 0x19EC SharePoint Foundation Logging Correlation Data xmnv Medium Site=/ ef66bb9b-bfc4-70f1-67ed-15532f496ce0 07/20/2012 13:59:54.44 w3wp.exe (0x0C04) 0x19EC SharePoint Foundation Authentication Authorization aib35 Medium SPShareByLinkHandler.Initialize : Not a ShareByLink request - missing access token ef66bb9b-bfc4-70f1-67ed-15532f496ce0 07/20/2012 13:59:54.47 w3wp.exe (0x0C04) 0x19EC SharePoint Foundation Authentication Authorization aib35 Medium SPShareByLinkHandler.Initialize : Not a ShareByLink request - missing access token ef66bb9b-bfc4-70f1-67ed-15532f496ce0 07/20/2012 13:59:54.47 w3wp.exe (0x0C04) 0x19EC SharePoint Foundation WOPI ajc39 Unexpected WOPIFrame - Unhandled exception: System.NotSupportedException: Can not create an identity context for system account user token. at Microsoft.SharePoint.IdentityModel.SPIdentityContext.Create(SPUserToken token, Boolean isShareByLinkGuestUser) at Microsoft.SharePoint.IdentityModel.SPIdentityContext.Create(SPUser user) at Microsoft.SharePoint.IdentityModel.OAuth2.SPOAuth2SecurityTokenManager.IssueLoopbackTokenString(Uri endpointAddress, SPUser user, String applicationContext, DateTime& validTo) at Microsoft.SharePoint.Utilities.SPWOPIHost.GetAccessToken(SPWeb web, Guid uniqueId, String proofKeyId, SPUrlZone zone, SPBasePermissions perms, Int64& ttl) at Microsoft.SharePoint.Utilities.SPWOPIHost.GetAccessToken(SPFile file, String proofKeyId, SPUrlZone zone, Int64& ttl) ... ef66bb9b-bfc4-70f1-67ed-15532f496ce0 07/20/2012 13:59:54.47* w3wp.exe (0x0C04) 0x19EC SharePoint Foundation WOPI ajc39 Unexpected ...at Microsoft.SharePoint.Utilities.SPWOPIHost.GetWOPITargetInternal(HttpContext httpContext, SPWeb web, Object& spPrimeObject, SPWOPIAction& requestedAction, SPRegionalSettings spSettings, String& wopiAppUrl, String& wopiFavIconUrl, String& wopiAccessToken, Int64& wopiAccessTokenTtl, String& errorMessageToDisplay, String& redirectUrl) at Microsoft.SharePoint.ApplicationPages.WOPIFrameHelper.OnLoadHelper(WOPIFrame frame) at Microsoft.SharePoint.ApplicationPages.WOPIFrameHelper.OnLoad(WOPIFrame frame) ef66bb9b-bfc4-70f1-67ed-15532f496ce0 07/20/2012 13:59:54.47 w3wp.exe (0x0C04) 0x19EC SharePoint Foundation General aat87 Monitorable An error has occurred on the server. ef66bb9b-bfc4-70f1-67ed-15532f496ce0 07/20/2012 13:59:54.49 w3wp.exe (0x0C04) 0x19EC SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:portal2013.iseag.ch/.../WopiFrame.aspx)). Execution Time=25.0716 ef66bb9b-bfc4-70f1-67ed-15532f496ce0 the two servers are in the same domain. for my testing environment I use normally a domain-admin account to install, configure and test.Anonymous
August 01, 2012
@Dario Zueger with the system account it's doesn't work and you have this error : Sorry, something went wrong, try with another account who have the good permissionsAnonymous
August 09, 2012
Thanks Steve! As FYI, I was able to run the commands on Windows 2012 RC without any issues. Also, the New-SPWOPIBinding command needs to be run using the SharePoint shell.Anonymous
October 10, 2012
Do we need office license to edit documents in the browserAnonymous
October 19, 2012
Alan, No, we don't need the license. If we have office web apps and SharePoint 2013 then we don't required a separate license for office. Anyway we are talking about preview versions, we don't require any licenses for now.Anonymous
October 19, 2012
Alan, And incase if you get the error try to run the below powershell command on server. $farm = get-officewebappsfarm $farm.OpenFromUrlEnabled = $trueAnonymous
October 29, 2012
It looks like a.Create the connection to WAC with this PowerShell command: New-SPWOPIBinding -ServerName <fully.qualified.machine.name of WAC server> this step to succeed , require WAC SSL certificate imported as trusted root cert in sharepoint.Anonymous
November 20, 2012
The "Windows Authentication" IIS feature is missing as prereq When trying to create the WAC farm, get the error "The operation failed, The server did not meet the following prerequisites: The Windows Authentication Windows Server Feature must be installed and enabledAnonymous
January 10, 2013
Hi Steve - Our SharePoint site is HTTP, our Office Web Apps site is HTTPS. Is this still an issue? I understand when Office Web Apps fetches content from SharePoint, it contains the user's credentials and thus HTTPS is strongly recommended for production environments. Thanks for the feedback!Anonymous
July 24, 2013
view in browser: no licence needed edit in browser: user needs a office licenceAnonymous
January 15, 2014
Last week, I had learned about an issue that popped up in a SharePoint 2013 farm where the WOPI ZoneAnonymous
February 16, 2014
I have had a very difficult time setting up Office Web Apps with SharePoint 2013. I have a simple question: Does Office Web Apps require Kerberos authentication to be used? I don't believe so. The documentation states that only Claims mode authentication is required. When using Claims you can choose to use NTLM or Negotiate auth. Additionally, as far as I know, its the C2WTS that serializes and deserializes the encrypted & signed token by getting it from HTTP POST data. Thus, seems to me Kerberos is not needed but I could be wrong since I cannot get OWA and SharePoint 2013 to work together. Is the C2WTS also required to run on the Office Web Apps server? MiAnonymous
June 19, 2014
And do you have already an article similar to this but configuring OWA with HTTPS with NLB?Anonymous
July 07, 2014
Hi Steve, am planning to add one more SP farm to my office web app server...can you pls let me know how it can be doneAnonymous
September 18, 2014
The comment has been removedAnonymous
October 04, 2014
Configuring Office Web Apps in SharePoint 2013 - Share-n-dipity - Site Home - TechNet BlogsAnonymous
October 20, 2014
Great Article!
Simple and Obvious
Wait MoreAnonymous
October 23, 2014
I've got Office Web Apps working alright with our SharePoint 2013 installation. We're in a situation where we want to view versioned documents via office web apps. This doesn't seem to work. Anybody got more info on this at all?Anonymous
December 01, 2014
The post OWAS and SharePoint 2013 Overview and Installation appeared first on Dynamics 101 .
IntroductionAnonymous
December 23, 2014
I have one separate office web apps server and one standalone SharePoint 2013 farm. Create a HTTP WOPIBinding between them. Everything is working fine.Now I built a new Multi-Server SharePoint 2013 farm and my requirement is use the existing office web apps server to bind with new SharePoint farm also.
Question : 1) Can I use HTTP WOPIBinding to same office web app server with one more SharePoint 2013 farm?
2) What type of challenges I will face?
Please help to resolve this ASAP.Anonymous
February 02, 2015
hi,, i am trying to configure Office web app with my sharepoint web server, while binding with New-SPWOIPBinding -servername -allowhttp .. and i get error message like server not responding and tyring to attempt (1 of 5) and failed.
checked the zone,, checked the certificate.. fully qualified name,, no firewall.. i don,t know what is the problem ???
Kindly help me outAnonymous
February 27, 2015
Information was good, I like your post.
Looking forward for more on this topic.
http://staygreenacademy.com">SharePoint 2013 Developer training OnlineAnonymous
March 01, 2015
I had the unfortunate need to understand the licensing model a little bit better recently for enabling