This blog posts describes the steps necessary to configure an environment to run your provider-hosted high trust apps in SharePoint 2013. Provider-hosted apps are apps that are hosted outside SharePoint. They run for example on an IIS server. Anything is possible. A provider-hosted app is considered as a high trust app when any user identity can be used for creating the access token. The app creates the user portion of the access token that is passed to SharePoint. A high trust uses a digital certificate to establish a trust between the provider-hosted app and SharePoint. Be aware that a high trust is not the same as a full trust. A high trust app must still request app permissions.

There are a lot of great resources out there in articles, blog posts, comments on questions and of course on TechNet. To my honest opinion none of them explains it from beginning to end. To understand the process, you need to understand the necessary steps taken. In principal these steps are valid from development to production. Some of the steps are only needed when you are using a development environment and should not be performed on a production environment because there are not needed there and could create an unsecure configuration. It will be explained per step if that’s the case.

My current configuration

To have a start point it is important to understand which configuration I’m using to demonstrate this. Some functionality depends on certain versions of SharePoint and Windows Server. My current configuration is as follows.

  • Windows Server 2012 Standard (latest updates installed)
  • SharePoint Server 2013 (version 15.0.4693.1000)
  • SQL Server 2012 (version 11.00.3128)
  • Visual Studio Premium 2013 (12.0.31101.00 Update 4)

Define your domains

Before we start configuring an environment we need to define some domains for our solution.

Location Domain Certificate Purpose
SharePoint 2013 Normal SSL Certificate The location of the SharePoint 2013 website in which the provider-hosted app is used.
Internet Information Services apphost-contosoweb.ccom Wildcard SSL Certificate The domain under which your provider-hosted apps will run.
Internet Information Services SSL due to the wildcard SSL certificate of the domain A provider-hosted app called myapp.

You need to use SSL to run apps in your SharePoint web applications. There are many reasons to have a secured connection. Think of the validation process and getting the access token. So both domains need an SSL certificate. I will be using a wildcard certificate to allow me to deploy more than one provider-hosted app under the same high trust.


When you start working with host names you need to resolve them to the correct IP address. Most people use the host file found under c:windowssystem32driversetc. I recommend to start using DNS to resolve them. Your environment will then be the same as your “real” world production environments.

Open Server Manager Dashboard and select “Tools” at the right top. Select the application “DNS”. We need to specify so called “Forward Lookup Zones” for the domains. The configuration differs per environment. Other IP addresses and DNS configurations may apply to your case. The first one will be for

Right mouse click on “Forward Lookup Zones” and select New Zone. Use the following settings:

  • Primary Zone
  • To All DNS servers running on domain controllers in this domain
  • Zone name:
  • Do not allow dynamic updates

Create a new host A record in the created zone with the following settings:

  • Name is empty
  • IP Address =

When all configurations are done it will look like below.

The second forward lookup zone is created for the domain

Right mouse click on “Forward Lookup Zones” and select New Zone. Use the following settings:

  • Primary Zone
  • To All DNS servers running on domain controllers in this domain
  • Zone name:
  • Do not allow dynamic updates

Create a new host A record in the created zone with the following settings:

  • Name is empty
  • IP Address =

Create a new alias CName record in the created zone with the following settings:

  • Alias name = *
  • Fully Qualified domain name =

When all configurations are done it will look like below.

The next step is only necessary when you are creating a demo or development environment. We need to use the DNS on our machine instead of the DNS given to the environment. Go to your network adapter and open the properties. Open the “Internet Protocol Version 4” and specify the local DNS server. In our case this is

Because all traffic is now routed to our DNS we will lose internet availability. To correct that we specify the Google Public DNS server in our DNS. Go to DNS. Right mouse click on the server and select properties. Open tab “Forwarders” and add the IP Address to the list.

Create your SharePoint website

First we need to create the website in SharePoint. Go to Central Administration à Application Management à Manage Web Applications. As we already mentioned every website is running under SSL. So we create a new web application with the port set to 443 and SSL turned on. Don’t forget to set the host header to

Choose any site template you wish. In my case I used a standard team site. When you are creating a development environment and you want to deploy your apps to your SharePoint website from Visual Studio you will need to use a Developer site template or another template which has side loading of apps enabled. Only use side loading of apps for development purposes. So don’t use it on any production environment. To enable side loading of apps for a specific SharePoint website use the following PowerShell script.

Add-PSSnapin Microsoft.SharePoint.PowerShell

Enable-SPFeature e374875e-06b6-11e0-b0fa-57f5dfd72085 –url


As mentioned earlier I will be using a wildcard certificate for the provider-hosted apps. But be aware! Wildcard certificates are very expensive. Use if possible self-signed certificates and only use an official wildcard certificate for your production environment. Using self-signed certificates can cause a little pain, since trusting these certificates requires additional tasks in the browser. Something you don’t want to have on your production environment, while on your development or test environment it shouldn’t be a problem.

If you are going to use self-signed certificates there are a lot of tools available to generate them. Some of these tools cause problems when using multiple self-signed certificates on the same user. My recommendation to you is using the tool MAKECERT. This tool is automatically installed with Visual Studio. If you are on a production environment you can temporarily download the Windows SDK kit to get the tool. It works great!

Run the following commands in a command line or Windows PowerShell.



cd “c:program files (x86)Windows Kits8.1binx64”

makecert -n “CN=ContosoWeb Root,O=Contoso,OU=IT,L=SharePoint,S=NY,C=US” -pe -ss Root -sr LocalMachine -sky exchange -m 120 -a sha1 -len 2048 -r

makecert -n “” -pe -ss My -sr LocalMachine -sky exchange -m 120 -in “ContosoWeb Root” -is Root -ir LocalMachine -a sha1 -eku

makecert -n “CN=*” -pe -ss My -sr LocalMachine -sky exchange -m 120 -in “ContosoWeb Root” -is Root -ir LocalMachine -a sha1 -eku


This will generate a root certificate with the name “ContosoWeb Root”. The actual certificates which will be used for the websites are generated below this root certificate. You will need to give a number of parameters with the commands. These options are explained here

The number given to option Eku describes the object identifier. This identifier specifies: iso(1), identified-organization(3), dod(6), internet(1), security(5), mechanisms(5), pkix(7), kp(3) and serverAuth(1). It indicates that the certificate can be used as a SSL server certificate. For more information

Now open a console to certificates. If you don’t know how just follow my lead.

Run the command MMC. File à Add/remove snap-in…Select “Certificates in the left column and add this one to the right. During adding select the option “Computer account” and “Local Computer”. Press the “OK” button. You will find yourself now in the screen for certificates.

You will find both certificates under Certificates (Local Computer) à Personal à Certificates. The next step will be exporting both certificates.

Click right mouse button on the certificate. Select All tasks à Export. Leave all the default settings as is and export the certificates to the following corresponding file names “apps-contosoweb-com.cer” and “contosoweb-com.cer”.

The next step is to import them again. But this time into the folder Certificates (Local Computer) à Trusted Root Certification Authorities à Certificates and Certificates (Local Computer) à SharePoint à Certificates. Importing the certificate can be done by right mouse click the folder and select All tasks à Import. The result will be as follow.

You need to place the certificates under Trusted Root Certification Authorities to prevent SSL warnings in your browser when using self-signed certificates.

Both the certificate files are needed later on when we enable SSL on the web applications.

Creating a high trust

A trust is necessary due to the fact that the provider-hosted app is hosted outside SharePoint in a separate web application. To create a high trust we need the token issuer ID from the certificate. Get the token issuer ID by double mouse click on the provider-hosted app certificate and select the second tab “Details”.

Next look for the field called “Authority Key Identifier” and click it. In the box below the properties the KeyID is shown. This is the token issuer ID we need to use for our high trust. We need to convert this value to a GUID.

KeyID = a4 88 24 4b 10 3e ae ca 2f 58 6d 30 6c d3 a0 8a becomes A488244B-103E-AECA-2F586D306CD3A08A

It is very important that the GUID is convert to upper case. If not the script we are going to use to create the high trust will fail. Run the following script to create a high trust between the provider-hosted app(s) and SharePoint.


Add-PSSnapin Microsoft.SharePoint.PowerShell

$publicCertPath = “C:contosocertificatesapphost-contosoweb-com.cer”

$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($publicCertPath)

New-SPTrustedRootAuthority -Name “apphost-contosoweb-com.cer” -Certificate $certificate

$realm = Get-SPAuthenticationRealm
$specificIssuerId = “A488244B-103E-AECA-2F586D306CD3A08A

$fullIssuerIdentifier = $specificIssuerId + “@” + $realm

New-SPTrustedSecurityTokenIssuer -Name “ContosoAppsHighTrust” -Certificate $certificate –RegisteredIssuerName $fullIssuerIdentifier –IsTrustBroker



We need to check if there is a trust relationship enabled between the domain for the provider-hosted apps and SharePoint. Open Central Administration à Security à Manage trusts to get the list of trust relationships with your SharePoint farm.

As you can see there is a trust relationship named apphost-contosoweb-com.cer and it contains the certificate issuer and to whom it is issued. In this case it is issued to the certificate which will be used for the provider-hosted app.

Create your provider-hosted app website

The next step is creating a web application for the provider-hosted app. This is done in Internet Information Services Manager. Open IIS and select the folder sites under the server name. Right mouse click and select Add Website. This dialog allows you to create an ASP.NET web application.

Give it a site name and select a folder on disk where the web application files are stored. For the binding you need to select https and port 443. Next you need to specify the host name. Our provided-hosted app is called “myapp”. So the host name becomes Since IIS 8.0 we have something called “Server Name Indication”. It is an extension of the TLS protocol and it allows you to run multiple SSL certificates on a single IP address for websites. Due to this option there is no need for additional IP addresses anymore. Our setup, especially when it runs on the same machine, needs to have this enabled. Finally we select the correct SSL certificate. This is the wildcard certificate for the domain under which our provider-hosted app is hosted.

By default Windows Authentication is not enabled for the web application. Therefore select the web application and select the option “Authentication”. Enable Windows Authentication. You are now set and ready to publish your provider-hosted app to this location.

Set the certificate for the SharePoint website

Our SharePoint website which was generated earlier does not yet have a SSL certificate binding. Select the web application in IIS and select the option “Bindings” on the right. This opens a dialog with all the bindings defined for the SharePoint website.

Select the one which has the type https. Some of the settings are already set by SharePoint during the creation of the web application through Central Administration. We only need to enable “Server Name Indication” and select the right SSL certificate. Now the SharePoint website is available through https.

Get the private key

Before we can start creating our provider-hosted app we need one more thing from certificates. We need the private key. So open again certificates and select the certificate created for the domain Right mouse click à All Tasks à Export.

Select the option “Yes, export the private key”. In the second screen leave the default settings.

In the third screen you need to specify a password for the private key. Both the private key and password are necessary during provider-hosted app creation in Visual Studio. Finish the wizard and store the private key at a known location on disk.

Create your provider-hosted app

Finally we can start creating our provider-hosted app using Visual Studio. Open Visual studio and create a new project. Go to File à New à Project. Select “App for SharePoint” under the category Office/SharePoint à Apps.

Select the SharePoint site as the site which you want to use for debugging. Secondly select the type of app. In our case this is the Provider-hosted option.

In the next step select the type of web application. In our case I have chosen to create an ASP.NET Web Forms Application. It really doesn’t matter for the app.

In the last step you need to specify a certificate. We are going to run the provider-hosted app using high trust in our on-premise environment. Browse for your private key file and enter the password you entered when you exported the private key from the certificate. Finally we need to specify the issuer ID. This is the same ID we used to create the high trust. But watch out! Specify the issuer ID as a GUID in lowercase. Otherwise your app will not run. Click the Finish button to create the project.

Before we can actually publish and use the provider-hosted app some additional steps are needed. The first is opening the web.config file. In this configuration file all settings specified during the creation process of the provider-hosted app are stored. You are allowed to change these afterwards. When publishing the app to another server you need to be certain that the private key is also published there and that the reference is still valid.

The next step we need to do is changing the way how the client context is retrieved. There is no context token with high trust apps. The context token is specifically for the Windows Azure Access Control Service (ACS). We will get the client context based on the windows identity by calling the method TokenHelper.GetS2SClientContextWithWindowsIdentity.

The final step is changing the start page of the app. The app is going to be published under Therefore we change the start page as shown below.

Everything is now set to get your provider-hosted app up and running. Define a publish profile which publishes the app to the web application we have created earlier.

Deploy your app (the part with the manifest) to the SharePoint site. Run a browser and go to Click on the app and it will start your provider-hosted app. If everything went well your app is now running!


Creating provider-hosted apps is a great way of creating additional functionality for or remote provision your SharePoint environment without installing custom solutions. There are a lot of steps to be taken to accomplish using SSL certificates and the high trust between the app and SharePoint. Leaving out a step can result in not running the app correctly or even not running at all. Still I think it is not that difficult to setup an environment using provider-hosted apps in a high trust in on-premise environments. As long as you understand what you are doing you will make the right choices.


Some references to additional information for this article.

How to: Create high –trust apps for SharePoint 2013

What is Server Name Indication (SNI)?

IIS 8.0 Server Name Indication (SNI): SSL Scalability

Using Google Public DNS

Previous articleList business owners of site collections in SharePoint using PowerShell
Next articleStore Twitter mentions on blog posts in Azure database using Azure Logic App and Azure API App
A professional which inspires, motivates and educates businesses on how to leverage emerging technologies using Virtual, Augmented and Mixed Reality in their journey to digital innovation. He has a strong background on SharePoint, Office 365 and Microsoft Azure and is working with machine learning, artificial intelligence and cognitive services. Primarily focused on manufacturing, construction, industry, logistics and maritime/offshore, his goal is helping businesses to achieve more on creating, improving, smartening and shortening of business processes by using services, apps and devices. Furthermore, he engages in speaking, blogging and is organizer of events like the Mixed Reality User Group, Mixed Reality Talk @ VR, SP&C and the Global AI/MR Bootcamp. With more than 20 years of IT Business experience, acting in different roles like solution architect, he believes the future is just starting! Highly experienced in all realities, HoloLens and other devices, User experiences on devices and connecting the world to the cloud will help him to shape that future!


  1. Hi Alex,

    thanks for the post, it’s truly informative.
    In Addition, I deployed and ran the app but I got 404 error when executing the code line clientContext.ExecuteQuery();

    Do you have any suggestion about this?


  2. Thank you very much for this detailed explanation!
    As you mentioned in this blog post, I have also not found any other article that describes this process from start to and at this level of details. Really appreciate your work!

  3. Correct me if I’m wrong here but the only place the apphost-contosoweb cert is used is to get imported in SharePoint to create the trust between SharePoint and the IIS server?

  4. Great post!!!! One question how is the guid when my certificate in IIS is RSA (4096bits) instead of 2048bits like in the example?
    Is it possible to transform a longer key id in (Authority Key identifier) to a guid?

  5. KeyID=b3 12 89 b5 a9 4b 35 bc 15 00 f0 80 e9 d8 78 87 f1 13 7c 79 has 20 dual numbers instead of 16 like in your example….


Please enter your comment!
Please enter your name here