App-Only Authentication in SharePoint Provider Hosted Apps

In the article I wrote a few weeks ago, Renew Certificate in Provider Hosted Apps Scenario, I described how to renew an expired certificate in the context of Provider Hosted Apps. What I missed during that work was a single flag when creating the trusted security token issuer:

New-SPTrustedSecurityTokenIssuer -Name "$issuerName" -RegisteredIssuerName "$regIssuerName" -Certificate $certificate -IsTrustBroker

The thought process behind this small change is the reason for this article. One and a half working days went into meetings, research and tests. The solution was a team effort, and it was only possible because we could concentrate on the problem for a substantial stretch of time without interruption.

What made the issue hard to find is that outputting the SharePoint object with the command below

Get-SPTrustedSecurityTokenIssuer | ? { $_.Name -eq "$issuerName" }

gives no indication of whether or not the -IsTrustBroker flag was set.

This article gave me some insight into the New-SPTrustedSecurityTokenIssuer command:

Significance/additional info of the cmdlets

  1. issuerID : assigning the GUID generated in the previous step
  2. publicCertPath : path where I saved my .cer file.
  3. web : your Developer site URL
  4. realm : should be the same as your farm ID
  5. New-SPTrustedSecurityTokenIssuer : Just a tip, when you use the Name parameter it can be helpful to include a readable name, such as “High Trust App” or “Contoso S2S apps” instead of the issuer ID.
  6. -IsTrustBroker: this flag ensures that you can use the same certificate for other apps as well. If you don’t include this, you might receive the “The issuer of the token is not a trusted issuer” error. So we have two possible approaches, each having their own pros and cons, i.e. use the same certificate shared by multiple apps or use a separate certificate for each app. Read additional details at Guidelines for using certificates in high-trust apps for SharePoint 2013
  7. iisreset : to ensure the Issuer becomes valid, else it takes 24 hours.
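The seven points above describe one procedure: derive the realm from the farm ID, build the registered issuer name from the issuer GUID, load the renewed public certificate, register the issuer with -IsTrustBroker and reset IIS. The script below ties them together and is an added example written for this article, not code from the original post or from the article quoted above. The issuer GUID, certificate path and display name are placeholders; everything else uses the standard SharePoint cmdlets. Because Get-SPTrustedSecurityTokenIssuer does not reveal whether -IsTrustBroker was used, the script validates the certificate before registration and records the thumbprint it registered, so a later reviewer at least knows which script, and therefore which flags, produced the issuer.

```powershell
# Added example (not from the original post): re-register a high-trust issuer
# with -IsTrustBroker after a certificate renewal. Run in an elevated
# SharePoint Management Shell on a farm server. All values below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerId       = "11111111-2222-3333-4444-555555555555"  # placeholder: issuer GUID of the app (lowercase)
$publicCertPath = "C:\Certs\HighTrustApp.cer"              # placeholder: renewed public certificate (.cer)
$issuerName     = "Contoso S2S apps"                        # readable name rather than the bare GUID

# The realm must be the farm ID; Get-SPAuthenticationRealm returns it when called without a site.
$realm         = Get-SPAuthenticationRealm
$regIssuerName = "$issuerId@$realm"

# Fail early on the two mistakes that produce the same 401 later: a missing or an expired certificate.
if (-not (Test-Path $publicCertPath)) {
    throw "Certificate file not found: $publicCertPath"
}
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($publicCertPath)
if ($certificate.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($certificate.NotAfter); renew it before registering the issuer."
}

# An issuer registered for the expired certificate may still exist under the same name; replace it
# rather than leaving two issuers with the same display name.
$existing = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $issuerName }
if ($existing) {
    Write-Host "Removing existing issuer '$issuerName' before re-registering it"
    Remove-SPTrustedSecurityTokenIssuer -Identity $existing -Confirm:$false
}

# -IsTrustBroker is the flag the post is about: it lets several apps share this certificate.
$issuer = New-SPTrustedSecurityTokenIssuer -Name $issuerName `
    -RegisteredIssuerName $regIssuerName -Certificate $certificate -IsTrustBroker

# The returned object shows the name and registered issuer but not the trust-broker flag,
# so log the thumbprint next to the flag that was used for later comparison.
$issuer | Format-List Name, RegisteredIssuerName
Write-Host ("Registered '{0}' with certificate thumbprint {1} using -IsTrustBroker" -f `
    $issuerName, $certificate.Thumbprint)

# Without an IIS reset the new issuer is only honoured after the cache expires (the post says 24 hours).
iisreset
```

The removal step is the part worth double-checking before running this against a farm with several high-trust apps: if two apps were registered under the same display name, the Where-Object filter matches both. Filtering on RegisteredIssuerName instead of Name avoids that when the GUID is known.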

The context and symptom of this issue:

SharePoint Provider Hosted Apps run on the PHA environment. They can create client contexts on the app webs on the SharePoint side.

This is possible either by using the existing user token or by creating one via an app-only token:

TokenHelper.GetClientContextWithAccessToken(_hostWeb.ToString(), appOnlyAccessToken)

Only the first of the two options works.

An error is thrown when trying to execute a CAML query to retrieve items.

This had been working until the certificates used for the PHA-SharePoint trust expired.


at System.Net.HttpWebRequest.GetResponse()
at Microsoft.SharePoint.Client.SPWebRequestExecutor.Execute()
at Microsoft.SharePoint.Client.ClientRequest.ExecuteQueryToServer(ChunkStringBuilder sb)
Button_Click: The remote server returned an error: (401) Unauthorized.
