Article 15 from 30 : Configuring Server to Server High Trust for provider hosted apps

This post is article 15 from the 30 Articles App series for SharePoint

Today, I will discuss what a High-Trust App is and how to configure the server-to-server (S2S) protocol.

What is a High-Trust App?

It is a provider-hosted app for on-premises use and is not intended for cloud-hosted environments. It uses the server-to-server protocol to establish "high trust". It is considered "high-trust" because it is trusted to use any user identity the app needs: the app itself is responsible for creating the user portion of the access token.

A high-trust app uses a certificate instead of a context token to establish trust.

Apps that use the server-to-server protocol are typically installed behind the firewall, in instances that are specific to each individual company.

How to configure server-to-server high-trust?

Step-1 : Configure an app for use as a high-trust app

Create and export a test certificate by using the Create Self-Signed Certificate option in IIS.

Create the .pfx file:

Go to IIS Manager -> choose Server Certificates -> right-click and choose "Create Self-Signed Certificate".

Select the certificate you just created -> export the .pfx file.

Add the ClientSigningCertificatePath and the password of this .pfx file to the web.config file of the app.

Create the .cer file:

Select the certificate you just created -> double-click it and choose the "Details" tab -> in the bottom right corner click "Copy to File".

The Certificate Export Wizard starts; choose "No, do not export the private key". Keep the default values for the file format, choose a path for the .cer file and export it.


Step-2 : Configure SharePoint 2013 to use high-trust apps

Prerequisite: you should have configured app isolation for the on-premises environment at this point.

The App Management Service and the User Profile Service Application should be started and running.

At least one profile must exist in the User Profile Service Application.

Run the following PowerShell script using the SharePoint Management Console:

(1) Set the app (client) id. All letters of the client id must be lowercase.
$appId = "your-client-id-guid-here"

(2) Get the SPWeb where you want to deploy your high-trust app.
$spurl = "http://yoursharepointSite"
$spweb = Get-SPWeb $spurl

(3) Get the current authentication realm for your SharePoint site.
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site

(4) Load the .cer file (public key only) that we created in Step-1. Adjust the path to where you exported it.
$publicCertPath = "C:\Certs\HighTrustApp.cer"
$certificate = Get-PfxCertificate $publicCertPath

(5) Combine the app id with the realm value.
$fullAppIdentifier = $appId + '@' + $realm

(6) Create a trusted security token issuer. This basically fetches metadata from your app and establishes trust with it, so that SharePoint 2013 can accept tokens that are issued by your app.
New-SPTrustedSecurityTokenIssuer -Name "High-Trust-App-Name" -Certificate $certificate -RegisteredIssuerName $fullAppIdentifier

(7) Register the app principal with the App Management Service, so you can grant app permissions.
$appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $spweb -DisplayName "High-Trust-App-Name"
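The same registration steps, wrapped into one script with the checks an administrator would want before telling the farm to trust tokens signed by an app. This is an added example, not the post's own script: the parameter names, the placeholder paths and the issuer name are assumptions, and it relies on the certificate object returned by Get-PfxCertificate and on the AllowOAuthOverHttp property of Get-SPSecurityTokenServiceConfig.

```powershell
# Added example (not the post's own script): the registration steps above, wrapped
# with the checks an admin wants before trusting app-issued tokens. All paths,
# names and the GUID are placeholders.
param(
    [Parameter(Mandatory)][string]$ClientId,        # client id from the app manifest
    [Parameter(Mandatory)][string]$PublicCertPath,  # .cer exported WITHOUT the private key
    [Parameter(Mandatory)][string]$SiteUrl,
    [string]$IssuerName = "High-Trust-App-Name"
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
# 1. The issuer name must be lowercase; reject anything that is not a GUID.
$appId = $ClientId.Trim().ToLowerInvariant()
if ($appId -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$') {
    throw "Client id '$ClientId' is not a GUID."
}

# 2. Load the certificate and make sure only the public half is being registered:
#    the .pfx with the private key stays on the app server, never on SharePoint.
$certificate = Get-PfxCertificate -FilePath $PublicCertPath
if ($certificate.HasPrivateKey) {
    throw "$PublicCertPath contains a private key; export the .cer (public key only) instead."
}
if ($certificate.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($certificate.NotAfter)." }

# 3. Build the full issuer identifier: <client id>@<realm>.
$spweb = Get-SPWeb $SiteUrl
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
$fullAppIdentifier = "$appId@$realm"

# 4. Register the issuer only once; re-registering the same identifier under a
#    second name would widen what the farm trusts without anyone noticing.
$existing = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.RegisteredIssuerName -eq $fullAppIdentifier }
if ($existing) {
    Write-Warning "Issuer $fullAppIdentifier is already registered as '$($existing.Name)'; skipping."
} else {
    New-SPTrustedSecurityTokenIssuer -Name $IssuerName -Certificate $certificate `
        -RegisteredIssuerName $fullAppIdentifier | Out-Null
}

# 5. Register the app principal so permissions can be granted to it.
Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $spweb -DisplayName $IssuerName | Out-Null

# 6. Flag the development-only setting that lets the app-issued token travel over plain HTTP.
$stsConfig = Get-SPSecurityTokenServiceConfig
if ($stsConfig.AllowOAuthOverHttp) {
    Write-Warning "AllowOAuthOverHttp is enabled on this farm; tokens for $SiteUrl may be sent in clear text."
}
$spweb.Dispose()
Write-Host "Registered $fullAppIdentifier with certificate thumbprint $($certificate.Thumbprint)"
```

Run it from the SharePoint Management Shell on a farm server, for example `.\Register-HighTrustApp.ps1 -ClientId <guid> -PublicCertPath C:\Certs\HighTrustApp.cer -SiteUrl https://yoursharepointSite`.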

Now you have successfully configured server-to-server high trust, and the app can use a certificate instead of a context token.

Hope you all had a lovely Christmas and wish you all a very happy and healthy new year..!!