Provider Host App Development In SharePoint 2013


This is a quick look at On Premise SharePoint 2013 environments. I decided to write this article because I knew the complexity of this PHA Configuration. Before jumping in to the PHA configuration, it’s worthwhile to quickly recap what are Provider Hosted Apps.

Provider Host App:

The provider Host App is hosted outside of SharePoint. The provider-hosted high trust app model is a powerful tool which should be utilized when the situation either demands custom managed code or when a low-trust solution does not suffice or SharePoint Host app does not do. It has its own infrastructure and the Provider is responsible for keeping it running. They allow you to use Server Side code and use the .NET CSOM (not the Microsoft.SharePoint.dll.)


Image Source.

Why Provider Host App?

  • The Provider Host App you can run some server side code which is not possible with a SharePoint hosted app.
  • The second is if SAML Claims authentication provider is setup with ADFS 2.0.
  • You can host a provider-hosted SharePoint Add-in on a Microsoft Azure web role instead of a web application (whether the web application is on-premises or a Azure Web Site).

Before you develop a provider Host App you may need to do some prerequisites,

  • SharePoint 2013 Server
  • Visual Studio 2012
  • IIS
  • High Trust Certificates.

For SharePoint you must have the following service applications provisioned and started:

  • User Profile Service Application Started
  • Subscription Service Application with proxy
  • Subscription Settings Service instance started
  • Application Management Service Application and proxy
  • App Management Service instance stared

High Trust Certificates:

A high-trust Certificate is a provider-hosted SharePoint App that uses the digital certificates to establish trust between the remote web application and SharePoint.

This is the link to create a certificate in IIS.

Here I would like to give a PowerShell code to create the self-signed certificate (.pfx file)


In the folder that you saved the .cer and .pfx file in SharePoint server, be sure that the App pool identity for the following IIS Apps have Read rights to the C:\Certs folder.


PowerShell Code;

Copy the below Code and save it as a Makecertificate.ps1

Then run the below cmd in PowerShell,

C:\powershells\Makecertificate.ps1-Domain – OutputDir C:\Certificates -$Password Password1


  1. PARAM(  
  2.    [Parameter(Mandatory=$true, HelpMessage="Enter the uri for the domain (e.g.")][string]$Domain,  
  3.    [Parameter(Mandatory=$true, HelpMessage="Enter the full path where the certificates will be created.")][string]$OutputDir,  
  4.    [Parameter(Mandatory=$true, HelpMessage="Enter the password for the certificate.")][string]$Password  
  5. )  
  7. if (-not $outputDir.EndsWith('\'))  
  8. {  
  9.    $outputDir += "\"  
  10. }  
  12. $makecert = "C:\Program Files\Microsoft Office Servers\15.0\Tools\makecert.exe"  
  13. $certmgr = "C:\Program Files\Microsoft Office Servers\15.0\Tools\certmgr.exe"  
  15. New-Item $outputDir -ItemType Directory -Force -Confirm:$false | Out-Null  
  17. $pubCert = $outputDir + $domain + ".cer"  
  18. $privateCert = $outputDir + $domain + ".pfx"  
  20. $output = & $makecert -r -pe -n "CN=$domain" -b 01/01/2013 -e 01/01/2023 -eku -ss my -sr localMachine -sky exchange -sy 12 -sp "Microsoft RSA SChannel Cryptographic Provider" $pubCert  
  22. $output = & $certmgr /add $pubCert /s /r localMachine root  
  24. $publicCertificate = Get-PfxCertificate -FilePath $pubCert  
  25. $publicCertificateThumbprint = $publicCertificate.Thumbprint  
  27. Get-ChildItem cert:\\localmachine\my | Where-Object {$_.Thumbprint -eq $publicCertificateThumbprint} | ForEach-Object {  
  28.    $privateCertificateByteArray = $_.Export("PFX", $password)  
  29.    [System.IO.File]::WriteAllBytes($privateCert, $privateCertificateByteArray)  
  30. }  


  • Domain: The url to the provider hosted web application.
  • OutputDir: The folder where the certificates are created.
  • Password: The password for the private certificate.

Next Article: How to create IIS website and register the certificate to IIS website.