SharePoint 2013 Hosting :: Create Provider Hosted High Trust App for SharePoint 2013 (Short Guide)

About this topic there are several guides.

1. You need to have or create a certificate that is used as “security token issuer”. This certificate can be created using IIS Manager or any other tool.

I use “XCA” ( With that tool you can create your own Certification Authority. (Of course you can use the Windows Server Certification Authority.) – I use XCA because it’s easy to manage this kind of certificates there and I use the certificates on several dev machines.

If you do so too you need to create a root certificate for your Certification Authority and install it in the “Trusted Root Certification Authrities” of your Local Computer (not only your personal cert store).

2. The first step is to register (or create) the certificate within IIS Manager:
Right click on the server node and choose “Server Certificates”.

Use “Import” to apply an existing certificate. Or use “Create Self-Signed Certificate” to create a new certificate.

This are the steps to create a new self-signed certificate:

After commit (“OK”) you need to export the certificate with private key and a second time without private key.

3. Open Visual Studio 2012. Create a new project:

For “Issuer ID” you need to create a GUID using Visual Studio or PowerShell. Here is the PowerShell way:

Start PowerShell.



Copy to output into the dialog in Visual Studio 2012.

4. Open a Windows PowerShell ISE, create a new PowerShell script file and copy the following code to it. Most of the code comes from here:

$publicCertPath = “C:\root\High_Trust_App_1.cer”
#$issuerId = [System.Guid]::NewGuid().ToString()
$issuerId = ([Guid]”4729b8e2-073a-47f0-8538-105ec865f3d2″).ToString()
$spurl =http://sharepoint.local
$spweb = Get-SPWeb $spurl
$sc = Get-SPServiceContext $
$realm = Get-SPAuthenticationRealm -ServiceContext $sc
$certificate = Get-PfxCertificate $publicCertPath
$fullIssuerIdentifier = $issuerId + ‘@’ + $realm
New-SPTrustedSecurityTokenIssuer -Name $issuerId -Certificate $certificate -RegisteredIssuerName $fullIssuerIdentifier –IsTrustBroker
write-host “Full Issuer ID: ” –nonewline
write-host $fullIssuerIdentifier -ForegroundColor Red
write-host “Issuer ID for web.config: ” –nonewline
write-host $issuerId -ForegroundColor Red
#Disable OAuth HTTPS requirement FOR DEV!!
$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
New-SPTrustedRootAuthority –Name
“$($certificate.Subject)_$($certificate.Thumbprint)” -Certificate $certificate

Be sure to change any parameter that does not fit your environment. After that the script should look like this:

The following script lines are needed in order to get it working using a SharePoint site without SSL!!

$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true

If you use SSL (e.g. https://sharepoint.local) you can skip this.

No other steps are required. I’ve tested this several times with always fresh SP 2013 environments because I had some difficulties to get this set up.

5. At this point I have not changed anything in Visual Studio after creating the project(s) (there are two) through the wizard.

Check the “web.config” file in you web project.

There you find the issuer ID again.

6. Now run the project. You need to trust the app.