We all have had our share of pain when it comes to using High Trust Add-ins in SharePoint. The aim of this article is to put together a collection of common problems and solutions. I’ll try to keep this post updated with any new issues that we might come across.

Error – 401 unauthorized error when running a high-trust app

  • The Issuer ID in the add-in web's web.config file is invalid, contains uppercase letters, or contains a space. Use the following PowerShell to list all the TrustedSecurityTokenIssuers in your farm:
Get-SPTrustedSecurityTokenIssuer | select Name,RegisteredIssuerName | fl
  • The thumbprint was registered incorrectly. Run Get-SPTrustedSecurityTokenIssuer and make sure the thumbprint you see on the certificate is equal to the one registered for the issuer.
  • The realm should be the same for every issuer you registered, and it should match your farm ID:
Get-SPFarm | select Id
$spurl ="http://sp/sites/DevCenter"
$spsite = Get-SPSite $spurl
$realm = Get-SPAuthenticationRealm -ServiceContext $spsite
Write $realm
  • Your add-in does not have permission to the resource you are trying to access. Run the following PowerShell cmdlet ($web is the SharePoint web you are trying to access and $appPrincipal is the add-in principal):
Set-SPAppPrincipalPermission -Site $web -AppPrincipal $appPrincipal -Scope Site -Right FullControl
  • Your digital certificate was not added to the trusted certificate store. Be sure you have followed the procedures in Package and publish high-trust SharePoint Add-ins.
  • There is no user profile created for the user who is accessing the remote web application.

Error – 403 Error – Forbidden while accessing installed app, SharePoint-App communication issue

  • The Client ID in the add-in web's web.config file is invalid, contains uppercase letters, or contains a space.
  • The AllowOAuthOverHttp setting returned by Get-SPSecurityTokenServiceConfig is set incorrectly for your environment.
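The checks in both the 401 and the 403 lists above can be run in one pass. The following script is an added example, not part of the original post: it reads IssuerId and ClientId from the remote web's web.config, flags uppercase or whitespace, compares the realm with the farm ID, looks up the registered issuer and compares its signing certificate thumbprint with the public .cer you registered, and checks AllowOAuthOverHttp when the site is served over HTTP. It assumes it runs in the SharePoint Management Shell on a farm server; the paths, site URL and the appSettings key names IssuerId/ClientId are assumptions (they match the web.config that Visual Studio generates for a high-trust add-in, but verify them against your own file).

```powershell
# Added diagnostic script (not from the original post). Assumed inputs:
#   $WebConfigPath   - web.config of the remote (provider-hosted) web, with IssuerId/ClientId in appSettings
#   $CertificatePath - the public .cer that was registered with New-SPTrustedSecurityTokenIssuer
#   $SiteUrl         - a SharePoint site the add-in is expected to reach
param(
    [string]$WebConfigPath   = "C:\inetpub\HighTrustAddinWeb\web.config",
    [string]$CertificatePath = "C:\Certs\HighTrustAddin.cer",
    [string]$SiteUrl         = "http://sp/sites/DevCenter"
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Lowercase GUID, no surrounding whitespace: the form SharePoint expects for issuer and client IDs
$guidPattern = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'

function Test-IdFormat {
    param([string]$Label, [string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { Write-Warning "$Label is missing from web.config"; return }
    if ($Value -ne $Value.Trim())        { Write-Warning "$Label has leading/trailing whitespace: '$Value'" }
    if ($Value -cmatch '[A-F]')          { Write-Warning "$Label contains uppercase hex characters: $Value" }
    if ($Value.Trim() -cnotmatch $guidPattern) { Write-Warning "$Label is not a lowercase GUID: '$Value'" }
    else { Write-Host "$Label looks well-formed: $Value" }
}

# 1. Read the IDs the remote web is actually sending
[xml]$config = Get-Content -Path $WebConfigPath
$settings = @{}
foreach ($node in $config.configuration.appSettings.add) { $settings[$node.key] = $node.value }
$issuerId = $settings['IssuerId']
$clientId = $settings['ClientId']
Test-IdFormat -Label 'IssuerId' -Value $issuerId
Test-IdFormat -Label 'ClientId' -Value $clientId

# 2. Realm must equal the farm ID
$farmId = (Get-SPFarm).Id.ToString()
$site   = Get-SPSite $SiteUrl
$realm  = (Get-SPAuthenticationRealm -ServiceContext $site).ToString()
if ($realm -ne $farmId) { Write-Warning "Realm $realm differs from farm ID $farmId" }
else { Write-Host "Realm matches farm ID: $realm" }

# 3. The issuer registered in the farm must be '<issuerid>@<realm>' and carry the same certificate
$expectedIssuer = "$($issuerId.Trim().ToLower())@$realm"
$issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.RegisteredIssuerName -eq $expectedIssuer }
if (-not $issuer) {
    Write-Warning "No trusted issuer registered as $expectedIssuer. Registered issuers:"
    Get-SPTrustedSecurityTokenIssuer | Select-Object Name, RegisteredIssuerName | Format-List
}
else {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificatePath
    if ($issuer.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
        Write-Warning "Thumbprint mismatch: registered $($issuer.SigningCertificate.Thumbprint), certificate file $($cert.Thumbprint)"
    }
    else { Write-Host "Issuer '$($issuer.Name)' thumbprint matches: $($cert.Thumbprint)" }
}

# 4. OAuth over plain HTTP is refused unless explicitly allowed (a common 403 cause on dev farms)
$sts = Get-SPSecurityTokenServiceConfig
if ($SiteUrl -like 'http://*' -and -not $sts.AllowOAuthOverHttp) {
    Write-Warning "Site is served over HTTP but AllowOAuthOverHttp is $($sts.AllowOAuthOverHttp)"
}
else { Write-Host "AllowOAuthOverHttp = $($sts.AllowOAuthOverHttp) for $SiteUrl" }

# 5. Does the add-in principal exist on the site and hold any permission there? (assumed: principal name is '<clientid>@<realm>')
try {
    $web = $site.RootWeb
    $principal = Get-SPAppPrincipal -Site $web -NameIdentifier "$($clientId.Trim().ToLower())@$realm"
    Get-SPAppPrincipalPermission -AppPrincipal $principal -Site $web | Format-List
}
catch { Write-Warning "Could not resolve the add-in principal on $SiteUrl : $($_.Exception.Message)" }
finally { $site.Dispose() }
```

Run it once against the same web.config the IIS site is actually using (not a stale copy in your solution folder); every warning it prints maps to one bullet in the lists above, so work through them top to bottom before looking further afield.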
