Setting up Provider hosted apps environment with SharePoint 2013

Hi All,

As we all know, setting up Provider hosted app in SharePoint 2013 environment can be a pain at times.

We all have come across various issues while setting this up.

Sharing a self-created and tested document with a step-by-step approach to setting this up and creating a provider-hosted app.

Any suggestions, thoughts or comments are appreciated!!!


SharePoint Central Admin Prerequisites

In SharePoint you must have the following service applications provisioned and started:

· Subscription Settings Service Application with proxy

· Subscription Settings Service instance started

· App Management Service Application with proxy

· App Management Service instance started

· User Profile Service started (service instance and service application)
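As an added check (not part of the original post), the following PowerShell script verifies the prerequisites above from the SharePoint 2013 Management Shell and also reports the app domain and app prefix that the "Configure App URLs" step later in the post needs. The TypeName patterns are the display names SharePoint 2013 uses for these services; everything else is standard SharePoint cmdlets.

```powershell
# Added example, not the post's own script: check the provider-hosted app
# prerequisites from the SharePoint 2013 Management Shell (run as a farm admin).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPServiceInstanceOnline {
    param([string]$TypeNamePattern)
    $online = @(Get-SPServiceInstance |
        Where-Object { $_.TypeName -like $TypeNamePattern -and $_.Status -eq 'Online' })
    if ($online.Count -gt 0) {
        $servers = ($online | ForEach-Object { $_.Server.Name }) -join ', '
        Write-Host ("OK    {0} is Online on {1}" -f $online[0].TypeName, $servers)
        return $true
    }
    Write-Warning ("No Online service instance matches '{0}' (Start-SPServiceInstance on at least one server)" -f $TypeNamePattern)
    return $false
}

function Test-SPServiceAppWithProxy {
    param([string]$TypeNamePattern)
    # The same pattern matches the service application and its proxy (TypeName ends in "Proxy").
    $app   = @(Get-SPServiceApplication      | Where-Object { $_.TypeName -like $TypeNamePattern })
    $proxy = @(Get-SPServiceApplicationProxy | Where-Object { $_.TypeName -like $TypeNamePattern })
    if ($app.Count -eq 0)   { Write-Warning ("No service application matches '{0}'" -f $TypeNamePattern); return $false }
    if ($proxy.Count -eq 0) { Write-Warning ("'{0}' exists but has no proxy" -f $app[0].DisplayName); return $false }
    Write-Host ("OK    {0} (status {1}) with proxy" -f $app[0].DisplayName, $app[0].Status)
    return $true
}

$results = @(
    (Test-SPServiceInstanceOnline '*Subscription Settings Service'),
    (Test-SPServiceAppWithProxy   '*Subscription Settings Service Application*'),
    (Test-SPServiceInstanceOnline '*App Management Service*'),
    (Test-SPServiceAppWithProxy   'App Management Service Application*'),
    (Test-SPServiceInstanceOnline '*User Profile Service*'),
    (Test-SPServiceAppWithProxy   'User Profile Service Application*')
)

# App URL settings (Central Administration > Apps > Configure App URLs).
try {
    $appDomain = Get-SPAppDomain
    $appPrefix = Get-SPAppSiteSubscriptionName
} catch {
    $appDomain = $null; $appPrefix = $null
}
if ($appDomain -and $appPrefix) {
    Write-Host ("OK    app domain '{0}', app prefix '{1}'" -f $appDomain, $appPrefix)
} else {
    Write-Warning 'App domain or app prefix is not set (Set-SPAppDomain / Set-SPAppSiteSubscriptionName)'
    $results += $false
}

if ($results -contains $false) { Write-Warning 'Fix the items above before continuing' }
else                            { Write-Host    'All provider-hosted app prerequisites are satisfied' }
```

A missing proxy is the usual reason "Configure App URLs" refuses to save even though the service instance shows as started, which is exactly the situation Step 4 of the post runs into.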

Prerequisite (Need to check whether we need to set up ADFS on the INT environment?)

1. SharePoint 2013 server is ready with apps configured.

2. ADFS 3.0 server is ready with a relying party (realm) set up for SharePoint.

3. ADFS is registered with SharePoint as a trusted identity provider.

4. ADFS 3.0 server is ready with a relying party (realm) set up for the provider-hosted app.

5. Server is ready for hosting the provider-hosted app.

6. Load balancer configured for the provider-hosted web application.

7. Certificate is available as both the private part (.pfx, protected with a password) and the public part (.cer).

Step 1: Create a Certificate

1. In the development environment you can use a self-signed certificate; in a production farm use a certificate issued by a CA the farm trusts (high-trust apps are for on-premises farms and cannot be published to the Office Store, which only accepts low-trust apps). Here we create a self-signed one. In IIS Manager, click Server Certificates.

2. Click Create Self-Signed Certificate.

3. Enter a meaningful name such as HighTrustCert and click OK.

4. Now export the Personal Information Exchange (.pfx) file. Right-click the certificate in IIS, click Export, provide an accessible location, enter the password you want to use and click OK. The .pfx contains the private key: anyone holding it can sign tokens for any user of the farm, so keep it off shared folders, use a strong password, and copy it only to the server that hosts the remote web.

5. Next, double-click the certificate in IIS, open the Details tab and click Copy to File.

6. You should now see the Certificate Export Wizard (remember we exported the .pfx file earlier). The first screen explains what the wizard does; click Next across the three screens keeping the default options (do not export the private key, DER encoded X.509). Note that this time we are exporting the .cer file, which holds only the public key and is the file SharePoint needs. Choose the same location and click Save.

Finally, click Finish. You should see the message "The export was successful".

Step 2: Run Windows PowerShell cmdlets to set up trusted security token service

1. Run the SharePoint 2013 Management Shell as administrator. First things first, you need an issuer ID. An important point: it must be lowercase only, because SharePoint compares it case-sensitively when validating tokens.

Generate a GUID (Tools > Create GUID in Visual Studio) and make sure all letters are lowercase, e.g. 7591c7a2-cc56-40ef-8f71-20a4d8450ed7

2. Run the below PowerShell cmdlets to create trusted security token service.

$publicCertPath = "D:\Certificate\WB_EBiz_WFACert.cer"   # the public .cer, not the .pfx
$appId = "7591c7a2-cc56-40ef-8f71-20a4d8450ed7"          # lowercase issuer ID
$spurl = "http://wbgmsspsnd017/sites/EBiz"
$spweb = Get-SPWeb $spurl
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
$certificate = Get-PfxCertificate $publicCertPath
$fullAppIdentifier = $appId + '@' + $realm
# -IsTrustBroker lets this issuer (and certificate) be shared by several apps; see the notes below
New-SPTrustedSecurityTokenIssuer -Name "WB EBiz WFA App" -Certificate $certificate -RegisteredIssuerName $fullAppIdentifier -IsTrustBroker
$appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $spweb -DisplayName "WB EBiz WFA App"
iisreset

This registers the issuer in the farm's trust configuration. If the certificate is self-signed, SharePoint also needs to trust it as a root authority (New-SPTrustedRootAuthority), otherwise it cannot validate the certificate chain. To verify, go to Central Administration > Security > Manage Trust and confirm the certificate is listed; the issuer itself is listed by Get-SPTrustedSecurityTokenIssuer.

Significance / additional info of the cmdlets

$appId : the lowercase GUID generated in the previous step (the issuer ID).

$publicCertPath : path where the .cer file was saved. Only the public certificate is given to SharePoint; the .pfx never leaves the server hosting the remote web.

$spurl : your developer site URL.

$realm : returned by Get-SPAuthenticationRealm; by default it is the same as your farm ID. The registered issuer name must be issuerId@realm, which is why the two are concatenated.

New-SPTrustedSecurityTokenIssuer : just a tip, when you use the Name parameter it helps to give a readable name such as "High Trust App" or "Contoso S2S apps" instead of the issuer ID.

IsTrustBroker : this flag allows the same certificate (and issuer) to be used by other apps as well. If you leave it out, the issuer is tied to a single app and other apps signing with the certificate get the error "The issuer of the token is not a trusted issuer". So there are two possible approaches, each with its own pros and cons: one certificate shared by multiple apps, or a separate certificate per app. Note that whoever holds the private key of a shared certificate can mint a token for any user to any site the apps are trusted for, so a shared key widens the blast radius if one app server is compromised. Read additional details at Guidelines for using certificates in high-trust apps for SharePoint 2013.

iisreset : makes the new issuer valid immediately; otherwise it is picked up only when the issuer cache refreshes, which takes up to 24 hours.

Additionally, on a development farm that is not using SSL, you can turn off the HTTPS requirement with the PowerShell cmdlets below. OAuth tokens are bearer tokens, so over plain HTTP anyone on the network path can capture and replay them; only do this on an isolated dev box, and turn the requirement back on by running the same cmdlets with $false instead of $true. The Update() call is required or the change is not persisted.

$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
$serviceConfig.Update()
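The following is an added, complete version of the Step 2 procedure (it is not the post's own script): it validates the issuer ID and certificate before touching the farm, trusts a self-signed certificate as a root authority, registers the issuer idempotently, applies the dev-only HTTP switch with Update(), and then reads the registration back for verification. The certificate path, site URL, issuer name and client ID are placeholders; the post reuses the issuer GUID as client ID for development, and on deployment the client ID comes from appregnew.aspx (Step 5).

```powershell
# Added example, not the post's own script. Placeholders to replace: the .cer
# path, the site URL, the issuer name and the client ID. Run in the SharePoint
# 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$publicCertPath  = 'D:\Certificate\HighTrustCert.cer'       # public part only; the .pfx stays on the web server
$spurl           = 'http://sharepoint/sites/dev'            # assumed developer site URL
$issuerName      = 'High Trust Apps'                        # readable name, not the GUID
$issuerId        = '7591c7a2-cc56-40ef-8f71-20a4d8450ed7'    # or [guid]::NewGuid().ToString()
$clientId        = $issuerId                                # dev shortcut; on deployment use the App Id from appregnew.aspx
$allowHttpForDev = $false                                   # $true only on an isolated dev box

# SharePoint compares the issuer ID case-sensitively; an upper-case GUID fails
# later with "The issuer of the token is not a trusted issuer".
if ($issuerId -cne $issuerId.ToLowerInvariant()) { throw "Issuer ID '$issuerId' must be lowercase" }

# Load the .cer and refuse anything that carries a private key.
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($publicCertPath)
if ($certificate.HasPrivateKey) { throw 'Register the public .cer here, never the .pfx' }
if ($certificate.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires $($certificate.NotAfter); plan the rollover"
}

$spweb = Get-SPWeb $spurl
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site   # equals the farm ID by default
$registeredIssuerName = "$issuerId@$realm"

# A self-signed certificate must also be a trusted root in the farm, or token
# validation fails on the certificate chain. CA-issued certificates skip this.
if ($certificate.Subject -eq $certificate.Issuer) {
    $root = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $certificate.Thumbprint }
    if (-not $root) { New-SPTrustedRootAuthority -Name "$issuerName Root" -Certificate $certificate | Out-Null }
}

# -IsTrustBroker lets several apps share this issuer; without it the issuer is
# bound to one app. Either way, whoever holds the .pfx can mint tokens for any
# user, so treat the private key as the most sensitive secret in this setup.
$issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.RegisteredIssuerName -eq $registeredIssuerName }
if (-not $issuer) {
    $issuer = New-SPTrustedSecurityTokenIssuer -Name $issuerName -Certificate $certificate `
        -RegisteredIssuerName $registeredIssuerName -IsTrustBroker
}

# App principal for the developer site (Visual Studio's F5 also does this for you).
$appPrincipal = Register-SPAppPrincipal -NameIdentifier "$clientId@$realm" -Site $spweb -DisplayName $issuerName

# Dev-only switch: OAuth tokens over plain HTTP travel in the clear.
# Update() is required or the change is never persisted.
$stsConfig = Get-SPSecurityTokenServiceConfig
if ($stsConfig.AllowOAuthOverHttp -ne $allowHttpForDev) {
    $stsConfig.AllowOAuthOverHttp = $allowHttpForDev
    $stsConfig.Update()
}

iisreset | Out-Null   # otherwise the new issuer is only picked up after the 24-hour cache refresh

# Verify: name, realm-suffixed identifier and thumbprint must match what you expect.
Get-SPTrustedSecurityTokenIssuer |
    Where-Object { $_.RegisteredIssuerName -eq $registeredIssuerName } |
    Select-Object Name, RegisteredIssuerName, IsSelfIssuer,
        @{ n = 'Thumbprint'; e = { $_.SigningCertificate.Thumbprint } } |
    Format-List
```

If the thumbprint printed at the end differs from the one on the certificate Visual Studio or the remote web signs with, every token will be rejected, so compare it before moving on to Step 3.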


Refer to the screenshot below for the complete steps:

Step 3: Create a Simple "High Trust" Provider Hosted App using Visual Studio 2012 (DEVELOPMENT)

1. Click New Project -> App for SharePoint 2013.

2. Choose a provider-hosted app and select the ASP.NET MVC web application.

3. Select the .pfx certificate exported in Step 1, provide its password and enter the lowercase issuer ID from Step 2.

4. This creates a new MVC project.

5. Visual Studio creates two projects within the same solution: MVCApp1 is the SharePoint app and MVCApp1Web is the remote web application. The only artifact in MVCApp1 is AppManifest.xml, which plays the role feature.xml plays in a WSP: it carries the app's version, permission requests and start page.

6. Make sure Windows authentication is enabled and anonymous authentication is disabled for the web project, and check the other settings as well. SharePoint trusts whatever user identity the remote web puts into its certificate-signed token, so the remote web must itself authenticate the user; with anonymous access on there is no Windows identity to build the token from.

7. Now you can debug the app directly by pressing F5. Log in to the app with your Windows credentials and trust the app. If all the settings are right, this takes you to the sample app hosted from Visual Studio.

Step 4: Create App Domain and Set for SharePoint (DEPLOYMENT)

Configure App Domain

1. Create the App Catalog site: Central Admin > Apps > Manage App Catalog > Create a new app catalog site (a new site collection).

2. Configure App URLs: Central Admin > Apps > Configure App URLs, then enter the app domain and the app prefix.

If you get the message "The Subscription Settings service and corresponding application and proxy needs to be running in order to make changes to these settings", the service instance is running but the service application (or its proxy) is missing. Run the PowerShell script below to create the Subscription Settings service application and proxy:

$account = Get-SPManagedAccount "WB\spm13devep1"
$appPool = New-SPServiceApplicationPool -Name SubscriptionServiceAppPool -Account $account
$serviceApp = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $appPool -Name "Subscription Settings Service Application" -DatabaseName "SP2013INT-SubscriptionSettingsDB"
$serviceAppProxy = New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $serviceApp

Then try Configure App URLs again.

Step 5: IIS Site Creation (DEPLOYMENT)

1. App Catalog Server (IIS) Configuration (this is the IIS server that hosts the provider-hosted web)

a. Copy the Personal Information Exchange (.pfx) file and the published files to the server. Copy the .pfx over an encrypted channel and delete any intermediate copies; it holds the private key that signs tokens for every user.

b. Enable the required features (refer to the screenshot below) through "Add Roles and Features" in Server Manager.

c. Import the certificate: IIS -> Server Certificates -> click the "Import" link at the top right.

d. Create a folder for the web app's published files (e.g. C:\inetpub\wwwroot\eBizApps).

e. Create a website in IIS: right-click "Sites" and choose "Add Website".

f. In the "Add Website" window, enter the site name, select the physical path (C:\inetpub\wwwroot\eBizApps) and click "OK".

g. Select the site name (e.g. eBizApps) and click the "Bindings" link on the right.

h. In the Site Bindings window, click "Add".

i. In the Add Site Binding window, select the type "https", select the SSL certificate and click "OK".

j. Browse to the site in a browser to confirm it opens.

Once the site is created, add the SSL binding as well (click Bindings on the right side). The site should now have two bindings, http and https.
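As an added example (not the post's own steps), here is the same IIS configuration done from PowerShell on the hosting server, plus the authentication settings Step 3 called for. Site name, folder, host name and .pfx path are placeholders matching the post's examples; the password is prompted for rather than written into the script.

```powershell
# Added example, not the post's own script: create the remote web's IIS site on
# the hosting server. Placeholders: site name, folder, host name and .pfx path.
# Run in an elevated PowerShell on the IIS server.
Import-Module WebAdministration

$siteName     = 'eBizApps'
$physicalPath = 'C:\inetpub\wwwroot\eBizApps'
$hostName     = 'wbgmsspsnd008'                     # must equal the App Domain registered in appregnew.aspx
$pfxPath      = 'D:\Certificate\HighTrustCert.pfx'
$pfxPassword  = Read-Host -AsSecureString 'PFX password'   # prompt; never hard-code it in the script

# 1. Import the .pfx (private key included) into the machine store. The .NET
#    store API is used so the script does not depend on the PKI module.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword, $flags)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite'); $store.Add($cert); $store.Close()

# 2. Dedicated app pool and site on the content folder.
if (-not (Test-Path $physicalPath))             { New-Item -ItemType Directory -Path $physicalPath | Out-Null }
if (-not (Test-Path "IIS:\AppPools\$siteName")) { New-WebAppPool -Name $siteName | Out-Null }
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Website -Name $siteName -PhysicalPath $physicalPath -ApplicationPool $siteName `
        -Port 80 -HostHeader $hostName | Out-Null
}

# 3. HTTPS binding. The SSL certificate binding is per IP:port (no host header),
#    which also works on IIS versions without SNI support.
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
}

# 4. A high-trust app builds the user token from the Windows identity the remote
#    web authenticated, so anonymous access must be off and Windows auth on.
$authBase = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName -Filter "$authBase/windowsAuthentication"   -Name enabled -Value $true

# Verify: expect one http and one https binding for the site.
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
```

After the certificate is in the machine store, grant only the site's application pool identity read access to its private key (Manage Private Keys in the certificates MMC); nothing else on the box needs it.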

The website is empty at this point; next we deploy the content from the build machine (the "11" machine) to this IIS server (the "08" machine).

Deployment involves App deployment and Website deployment

App Deployment:

Before publishing the app, a new client ID for the app must be generated from the app site. SharePoint uses this client ID to identify the app when the .app file is installed, so the value in AppManifest.xml and in the remote web's web.config must match it. Navigate to appregnew.aspx on the site where the app will be installed.

Navigate to https://sp2013.gsi.local/sites/apps/ and generate the App Id.

Clicking Create returns a result like this:

The app identifier has been successfully created.

Note: the App Domain is the host name of the remote web application server's IIS site that will host this app. The App Secret that appregnew.aspx generates is not used by a high-trust app (the certificate signs the tokens instead), but treat the values below as an illustration only and never publish a real secret.

App Id:    1b395959-b36f-47b3-84dc-f695d3a6a585   — this is APP/ CLIENT ID

App Secret:    Cf6n+YWaBJ8bDIqJp656J76IoJNPcNh+C3H99Ob0i/U= 

Title:    EBizWFA 

App Domain:    wbgmsspsnd008 

Redirect URI:    

Right-click the SharePoint app project, click Publish, enter the client ID and the remote site URL in the publishing profile, and choose "Package the web project" (the .app file itself is produced in Step 6).

This wizard generates a Web Deploy package for the remote web.

Copy this package to the "08" machine where IIS is and run the generated deployment command script (.deploy.cmd) shown in the screenshot.

The IIS website should now have all the content; the web project has been deployed.

Update web.config for the environment: ClientId, IssuerId, ClientSigningCertificatePath and ClientSigningCertificatePassword. The password is stored in clear text there, so restrict the file's ACL to the application pool identity and administrators.

Step 6: Package SharePoint App

Update the ClientId in AppManifest.xml to the App Id generated in appregnew.aspx.

Check the permissions requested in AppManifest.xml. The post uses Web (Full Control); request the narrowest scope and right the app actually needs, because every user installing the app grants exactly what the manifest asks for.

The target URL should be the URL of the site where the app will be deployed.

Click Finish; this writes the .app file under bin\Debug in the "app.publish" folder.

The .app file is a zip archive, so WinRAR (or any zip tool) can extract its resources. Open AppManifest.xml and verify the ClientId, start page and permission requests before uploading it.
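As an added example (not the post's own tooling), the following PowerShell does that last verification automatically: it unzips the .app, reads AppManifest.xml and cross-checks it against the deployed remote web's web.config, which are the three places the same client ID and host name must agree. The manifest and web.config it builds are constructed sample data so the script runs stand-alone; point $AppPackage and $WebConfig at your real files instead.

```powershell
# Added example, not the post's own script: cross-check a packaged .app against
# the remote web's web.config before uploading it to the app catalog.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-AppPackage {
    param(
        [Parameter(Mandatory)][string]$AppPackage,         # path to the .app file (a zip)
        [Parameter(Mandatory)][string]$WebConfig,          # path to the deployed remote web's web.config
        [Parameter(Mandatory)][string]$ExpectedAppDomain   # host name registered in appregnew.aspx
    )
    $problems = @()
    $work = Join-Path $env:TEMP ("appcheck_" + [guid]::NewGuid())
    [System.IO.Compression.ZipFile]::ExtractToDirectory($AppPackage, $work)
    try {
        [xml]$manifest = Get-Content (Join-Path $work 'AppManifest.xml')
        [xml]$config   = Get-Content $WebConfig
        $ns = New-Object System.Xml.XmlNamespaceManager($manifest.NameTable)
        $ns.AddNamespace('a', 'http://schemas.microsoft.com/sharepoint/2012/app/manifest')

        $manifestClientId = $manifest.SelectSingleNode('//a:RemoteWebApplication', $ns).ClientId
        $startPage        = $manifest.SelectSingleNode('//a:StartPage', $ns).InnerText
        $scopes = $manifest.SelectNodes('//a:AppPermissionRequest', $ns) |
            ForEach-Object { "$($_.Scope) ($($_.Right))" }

        $settings = @{}
        foreach ($add in $config.SelectNodes('//appSettings/add')) { $settings[$add.key] = $add.value }

        if ($manifestClientId -ne $settings['ClientId']) {
            $problems += "ClientId mismatch: manifest=$manifestClientId web.config=$($settings['ClientId'])"
        }
        if (-not $settings['IssuerId']) { $problems += 'IssuerId missing from web.config' }
        elseif ($settings['IssuerId'] -cne $settings['IssuerId'].ToLowerInvariant()) {
            $problems += 'IssuerId in web.config is not lowercase'
        }
        $startHost = ([uri]($startPage -replace '\{StandardTokens\}', '')).Host
        if ($startHost -ne $ExpectedAppDomain) {
            $problems += "StartPage host '$startHost' is not the registered app domain '$ExpectedAppDomain'"
        }
        if (-not $startPage.StartsWith('https://')) { $problems += 'StartPage is not https' }
        if ($settings['ClientSigningCertificatePassword']) {
            Write-Warning 'web.config holds the PFX password in clear text; restrict its ACL'
        }
        Write-Host "Permissions requested: $($scopes -join '; ')"
    } finally {
        Remove-Item $work -Recurse -Force
    }
    return $problems
}

# --- constructed sample package and web.config for the demo (replace with real files) ---
$demo = Join-Path $env:TEMP ("appdemo_" + [guid]::NewGuid())
New-Item -ItemType Directory -Path "$demo\pkg" | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest" Name="EBizWFA" ProductID="{8d0b1e3c-2b4a-4d5e-9f60-1a2b3c4d5e6f}" Version="1.0.0.0" SharePointMinVersion="15.0.0.0">
  <Properties>
    <Title>EBizWFA</Title>
    <StartPage>https://wbgmsspsnd008/Pages/Default.aspx?{StandardTokens}</StartPage>
  </Properties>
  <AppPrincipal>
    <RemoteWebApplication ClientId="1b395959-b36f-47b3-84dc-f695d3a6a585" />
  </AppPrincipal>
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
  </AppPermissionRequests>
</App>
'@ | Set-Content "$demo\pkg\AppManifest.xml"
[System.IO.Compression.ZipFile]::CreateFromDirectory("$demo\pkg", "$demo\EBizWFA.app")
@'
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="ClientId" value="1b395959-b36f-47b3-84dc-f695d3a6a585" />
    <add key="ClientSigningCertificatePath" value="D:\Certificate\HighTrustCert.pfx" />
    <add key="ClientSigningCertificatePassword" value="sample-password" />
    <add key="IssuerId" value="7591c7a2-cc56-40ef-8f71-20a4d8450ed7" />
  </appSettings>
</configuration>
'@ | Set-Content "$demo\web.config"

$issues = Test-AppPackage -AppPackage "$demo\EBizWFA.app" -WebConfig "$demo\web.config" -ExpectedAppDomain 'wbgmsspsnd008'
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host 'Package and web.config agree' }
Remove-Item $demo -Recurse -Force
```

A ClientId mismatch is the most common cause of the app installing fine and then failing on first use, because SharePoint will not issue a context token for a client ID it has not seen in the manifest.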

Step 7: Add app to App Catalog

For an app to be consumed, it must be added to an app catalog.

1. Navigate to the app catalog and select Apps for SharePoint
2. Select New App and upload the .app file produced from the last set of steps

Step 8: Add app to site

1. Go to a team site, select Site Contents and click Add an App.

2. Select the app and click Trust It.

Note: If this step errors and you are logged in as the system account, try again with a non-system account.

3. After the install, test by clicking on the app.
