Article 23 from 30 : Troubleshooting High-Trust App

This post is article 23 from the 30 Articles App series for SharePoint

In this article I will be discussing about basic guidelines on troubleshooting tips for High-Trust apps. I assume that you already has good understanding of High-Trust app and how to develop one.

Below are some steps you should consider to look into when you run into problems:

(1)    For Hight-Trust App your remote web’s web.config should have appsetting something like below


<add key="ClientId" value="your-client-id-guid-in-lowercase"/>

<add key="ClientSecret" value="client-secret"/>

<add key="ClientSigningCertificatePath" value="C:\cert.pfx"/>

<add key="ClientSigningCertificatePassword" value="****"/>

<add key="IssuerId" value="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"/>


(2)    Refer to article-15 to know about how to configure high-trust using client-certificate and configuring high-trust.

(3)    App deployed successfully but client context is always null or you are getting 401 unauthorized error

Make sure you are passing valid identity of Logged in user,

Do iisreset after high-trust configuration if necessary

(4)    App deployed successfully but you are getting 403 forbidden error

oAuth requires SharePoint to run HTTPS. So whenever your SharePoint app attempt to make a call using a test certificate, you will get 403 (forbidden) error.

To overcome this issue, simply turn off HTTPS on your development SharePoint environment using following Powershell command:

$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true

Hope that helps..!!

Article 15 from 30 : Configuring Server to Server High Trust for provider hosted apps

This post is article 15 from the 30 Articles App series for SharePoint

Today, I will discuss about what is High-Trust Apps and how to configure s-2-s protocol.

What is a High-Trust App?

It is provider-hosted app for on-premise environment use and not proposed for cloud-hosted environment. It uses server-to-server protocol to create “High-trust”. It is considered “high-trust” because it is trusted to use any user identity that the app needs, because the app is responsible for creating the user portion of the access token.

A high-trust app uses a certificate instead of a context token to establish trust.

Apps that use the server-to-server protocol would typically be installed behind the firewall in instances that are specific to each individual company.

How to configure server-to-server high-trust?

Step-1 : Configure an app for use as a high-trust app

creates and exports a test certificate by using the Create Self Signed Certificate option in IIS.


create .pfx file ::

Go to IIS Manager -> Choose Server Certificates  -> right-click and choose “Create Self-signed Certificate”.


select just created certificate ->export the .pfx file

Include ClientSigningCertificatePath and password  for this .pfx file to web.config file of the app.

create .cer file ::

select just created certificate -> double click and choose the “Details” tab -> on bottom right corner click the “Copy to File”


The certificate export wizard will start and choose don’t export the private key. keep the default values for file format. choose the path for .cer file and export.


Step-2 : Configure SharePoint 2013 to use high-trust apps
Pre-requisite : you should have configured the App isolation for on-premise environment at this point.

the app management service and user profile application should be started and running

at least one profile is created in the User Profile Service Application as follows


Run following powershell script using SharePoint Management Console:

(1) get appId
$appId = your app id (Guid) here. All letters of the client-id must be of lowercase.

(2) get spweb where you want to deploy your high-trust app
$spurl ="http://yoursharepointSite"
$spweb = Get-SPWeb $spurl

(3) Get the current authentication realm for your SharePoint site
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site

(4) Get the corresponding file to the .cer file you are using for the app => the one we just created in step-1
$certificate = Get-PfxCertificate $publicCertPath

(5) Get the app Id together with the realm value.
$fullAppIdentifier = $appId + '@' + $realm

(6) Create a trusted security token service. This basically fetches metadata from your app and establish trust with it, so that SharePoint 2013 can accept tokens that are issued by your app.
New-SPTrustedSecurityTokenIssuer -Name "High-Trust-App-Name" -Certificate $certificate -RegisteredIssuerName $fullAppIdentifier

(7) Register the app principal with the app management service, so you can grant app permissions.
$appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $spweb -DisplayName "High-Trust-App-Name"

Now you have successfully configured server-to-server high trust and the app can use certificate instead of a context token.

Hope you all had a lovely Christmas and wish you all a very happy and healthy new year..!!