Configure Provider-Hosted App For SharePoint 2013

The following is the procedure for when the AppWeb is in a separate IIS Site (on the same server where SP is running or on separate IIS server all together).

If you are running a high-trust app from Visual Studio 2012 (using F5) then steps 1 – 8 (minus 7) are required. You don't need to change the GUID, you can use the same once that I used.

1. Check if any previously registered sptrustedsecuritytokenissuer exist there. If there is a mal-functioned one and if the –IsTrustBroker switch was used then the bad tokenissuer might be getting called. If this is the first time you are configuring the hightrust app then you can skip (a and b).

  • Run Get-SPTrustedSecurityTokenIssuer. If no Azure workflow is configured then this command should return empty. If you get any issuer apart from the workflow one then run the following script to delete it.
  • Remove-SPTrustedSecurityTokenIssuer (pass the Id value from the above output)

2. Create a new SPTrustedSecurityTokenIssuer by running the following script, passing your SharePoint Developer SiteUrl and Cert path (.cer) that you will use to sign the token with (you need to create a self-signed cert).

For more info see: Create high-trust apps for SharePoint 2013

Take a note of the $issuerId = "447f40c6-99df-4d37-9739-5370102489f7" in the following, we will be using it later.


[Parameter(Mandatory=$true)][string] $TargetSiteUrl,

[Parameter(Mandatory=$true)][string] $CertPath = $(throw "Usage: ConfigureS2SApp.ps1 <TargetSiteUrl> <Certificate>")


# On error, stop

$ErrorActionPreference = "Stop"

# Add sharepoint snapin

# add-pssnapin microsoft.sharepoint.powershell

function ConfigureS2SApp([string]$TargetSiteUrl, [string]$CertPath)


#write-host "Configuring with parameters $appTitle , $TargetSiteUrl , $CertPath"

write-host "you passed" $TargetSiteUrl $CertPath -foregroundcolor Green

$issuerId = "447f40c6-99df-4d37-9739-5370102489f7"

$spweb = Get-SPWeb $TargetSiteUrl

$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site

$fullAppIdentifier = $issuerId + '@' + $realm

$certificate = Get-PfxCertificate $CertPath

New-SPTrustedSecurityTokenIssuer -Name $issuerId -Certificate $certificate -RegisteredIssuerName $fullAppIdentifier –IsTrustBroker

#turning off https <optional> this will make our sharepoint site run on http and still work with high trust app.

$serviceConfig = Get-SPSecurityTokenServiceConfig

$serviceConfig.AllowOAuthOverHttp = $true



ConfigureS2SApp $TargetSiteUrl $CertPath

# done 

Write-host "S2S is now configured" -foregroundcolor Green

3. Create an App using VS2012 (provider hosted). In the second screen, use the same cert that you used in Step 2 (this time its .pfx file path). Issuer ID in Visual Studio will be the value that we supplied in PS in Step 2, in this sample its "447f40c6-99df-4d37-9739-5370102489f7".

App using VS2012
Issue ID

4. Open Web.Config of the AppWeb and generate a GUID for the ClientId. The <appSettings> of the web.config looks as in the following :


  <add key="ClientId" value="6534b629-f722-4207-9d7b-4673646c3ab1" />

  <add key="ClientSigningCertificatePath" value="C:\SP15\MasterReference\SimpleHighTrust\S2SCert.pfx" />

  <add key="ClientSigningCertificatePassword" value="password" />

  <add key="IssuerId" value="447f40c6-99df-4d37-9739-5370102489f7" />


5. Open AppManifest in code mode and paste the preceding ClientId. it should look as in the following:


  <RemoteWebApplication ClientId="6534b629-f722-4207-9d7b-4673646c3ab1" />


6. Provide an appropriate permission in the AppManifest. For a Visual Studio template generated provider hosted app code, provide Web Read permission.

7. Create an IIS site, ensure .Net 4.0 is the target framework. Enable https on this IIS site and also enable Windows Authentication and Disable Anonymous. You can use the same cert for https, but if its on a separate IIS, ensure you copy the certs.

8. Select the website and then double-click on Directory Browsing and Enable it as shown below:

Directory Browsing
Directory Browsing Enable
9. Compile and publish the app, you will be prompted as in the following.

Where is your website hosted? This will be the URL of the site where you want to host the appweb. In our sample it's the IIS site that we created in Step 7 (if this is on a separate IIS server, provide that URL). Also note that it must be https, OAuth requires https.

Client ID:6534b629-f722-4207-9d7b-4673646c3ab1
Cert location = location of cert (.pfx file)
Cert password = password of the cert
IssuerId = "447f40c6-99df-4d37-9739-5370102489f7"
website hosted

10. This will generate an app.publish folder in project\bin\debug. You will see an .app file and folder (this is what we want to run on a separate IIS site).
11. Drill down the folder and copy all the content of PackageTsmp in the virtual directory of the IISSite.
12. Go to SharePoint powershell and Register our app principal using the following script:

$clientId = "6534b629-f722-4207-9d7b-4673646c3ab1"
$spweb = Get-SPWeb "http://mspx2013"
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
$fullAppIdentifier = $clientId + '@' + $realm
$appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $spweb -DisplayName "SimpleHTApp"
Set-SPAppPrincipalPermission -Site $spweb -AppPrincipal $appPrincipal -Scope Site -Right FullControl

13. Go to the SharePoint Developer Site, click “new app to deploy”, click "upload" and browse to the .app file in the app.publish folder.

14. Consent to the perm prompt the app requests.

15. Click the app, this will redirect to the separate IIS site where our app is configured and you should see the Title of the HostWeb (your SharePoint Developer Site).

Up Next
    Ebook Download
    View all
    View all