Click here to Skip to main content
14,972,737 members
Articles / Productivity Apps and Services / Sharepoint
Posted 8 Oct 2015

Tagged as


2 bookmarked

Configure SharePoint 2013 Provider Hosted High Trusted App and deploy in separate IIS site

Rate me:
Please Sign up or sign in to vote.
5.00/5 (4 votes)
13 Nov 2015CPOL3 min read
This tip talks about creating a provider hosted app for on-premise SharePoint server and host it in trusted IIS site.


As you all know, Provider hosted app model is one of the Sharepoint 2013 App models, where the app is outside of SharePoint server. Either we use Azure websites or IIS for hosting. The main purpose for writing this tip is to make developers understand the step by step approach for hosting app in IIS.

Step by Step Approach

Create a Self-signed Certificate for a High Trusted App. Steps are as Follows:

  1. Click the server in IIS manager and double click server certificates
  2. Create a self-signed certificate
  3. Export as a pfx file to a folder with password protected
  4. Double click the created certificate and click the Details tab
  5. Click Copy to File and proceed steps to create .cer file

Configure Sharepoint 2013 to Use the Created Certificate

  1. Create IssuerId by starting the Powershell and enter [guid]::newguid().tostring().tolower()
  2. Place the below cmdlets in the SharePoint shell command:
$publicCertPath = "C:\root\High_Trust_App_1.cer"
#$issuerId = [System.Guid]::NewGuid().ToString()
$issuerId = ([Guid]"450d02a5-5f69-46ea-9b56-996c9692663d").ToString()
$spurl ="http://sp:1984/sites/Devsite"

$spweb = Get-SPWeb $spurl
$sc = Get-SPServiceContext $
$realm = Get-SPAuthenticationRealm -ServiceContext $sc
$certificate = Get-PfxCertificate $publicCertPath

$fullIssuerIdentifier = $issuerId + '@' + $realm

New-SPTrustedSecurityTokenIssuer -Name $issuerId -Certificate $certificate 
	-RegisteredIssuerName $fullIssuerIdentifier –IsTrustBroker
write-host "Full Issuer ID: " -nonewline
write-host $fullIssuerIdentifier -ForegroundColor Red
write-host "Issuer ID for web.config: " -nonewline
write-host $issuerId -ForegroundColor Red

#Disable OAuth HTTPS requirement FOR DEV!!
$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true

New-SPTrustedRootAuthority -Name "$($certificate.Subject)_$($certificate.Thumbprint)" 
	-Certificate $certificate

Note: In the above cmdlets, you need to change guid, site url and path of certificate.

And if you are not using “https”, then run this command:

#Disable OAuth HTTPS requirement FOR DEV!!
$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true

IIS Site Creation

  1. Create a site in IIS and in the edit bindings, add "https" with the created certificate
  2. Once the site is created, ensure Anonymous Authentication is Disabled and Windows Authentication in Enabled under “Authentication” of the site. And check the provider of Windows Authentication contains “NTLM
  3. Select the website and then double click on directory browsing and enable it. Now your site is ready:
    e.g: https://localhost:1650/

Creating Provider Hosted App in Visual Studio

  1. Go to Visual Studio and click “New Project” and select provider hosted app
  2. Under Configure Authentication settings, click “Use a certificate” and provide the above created details
  3. Create a GUID from Visual Studio or Shell command for “Client Id”
  4. Add the below under web.config:
    <add key="ClientId" value="450d02a5-5f69-46ea-9b56-996c9692663d" />
    <add key="ClientSigningCertificatePath" value="C:\root\test_cert_1.pfx" />
    <add key="ClientSigningCertificatePassword" value="Pass@123" />
    <add key="IssuerId" value="fda8d804-7ba0-4a00-8dfd-d1fcc36f81a2" />

And AppManifest add the below:

    <RemoteWebApplication ClientId="450d02a5-5f69-46ea-9b56-996c9692663d" />

AppManifest under Permission tab configure Permission for web as full control.

Register the App Principal that Means Register the clientid in the SPFarm

Run the below cmdlets in shell command:

$clientId = "450d02a5-5f69-46ea-9b56-996c9692663d"
$spweb = Get-SPWeb "http://sp:1985/sites/DevSite"
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
$fullAppIdentifier = $clientId + '@' + $realm
$appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier 
	-Site $spweb -DisplayName "SimpleHTApp"
Set-SPAppPrincipalPermission -Site $spweb -AppPrincipal $appPrincipal -Scope Site -Right FullControl

Modify the TokenHelper.cs in the App Project

To work with certificates, we need to modify tokenhelper to retrieve it by its serial number.

Remove ClientSigningCertificatePath, ClientSigningCertificatePassword, and ClientCertificate under #region private fields and add the below lines in that place.

Private static readonly string ClientSigningCertificateSerialNumber = 

private static readonly X509SigningCredentials SigningCredentials = 

Create a function under #region private methods:

private static X509Certificate2 GetCertificateFromStore()
  if (string.IsNullOrEmpty(ClientSigningCertificateSerialNumber))
     return null;

  // Get the machine's personal store 
  X509Certificate2 storedCert;
  X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
     // Open for read-only access
     // Find the cert
     storedCert = store.Certificates.Find(X509FindType.FindBySerialNumber,
  finally  {
  return storedCert;


private static X509SigningCredentials GetSigningCredentials(X509Certificate2 cert)
  return (cert == null) 
         ? null 
         : new X509SigningCredentials(cert, 

Also replace all ClientCertificate with GetCertificateFromStore() in tokenhelper class

Publish Sharepoint WebApp

  1. Create a new profile “SampleProfile
  2. Under connection click “Web deploy package” and give the package location
  3. Specify the https site that created in the above steps for Site/ application
  4. Click publish

Create Add in Package

  1. Click publish on app project
  2. Select the profile we created in the above steps
  3. In Hosting Tab, mention the below values:
    Website : https://localhost:1650 (created in above steps)
    Client ID: 450d02a5-5f69-46ea-9b56-996c9692663d
    Cert location = C:\psmi\test_cert_1.pfx
    Cert password = pass1
    IssuerId = "fda8d804-7ba0-4a00-8dfd-d1fcc36f81a2"
  4. Click finish
  5. From app.publish folder, “” which we need to upload in the app catalog under the specified SharePoint site
  6. Drill down zip file in the published folder and get the content folder. Copy the folder and files under PackageTmp
  7. Place it in the IIS site folder (https://localhost:1650)
  8. Trust the app and see your provider hosted app

Hope these steps will clearly explain to you more than screenshots.



This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Jhanani Ravishankar
United Arab Emirates United Arab Emirates
No Biography provided

Comments and Discussions

-- There are no messages in this forum --