How to Package and Deploy a High Trust App

With the introduction of app model, high trust apps are gaining popularity. Solutions nowadays are not restricted to only SharePoint, and different solutions have emerged to solve business problems. To get the best of many worlds, the provider hosted app has gained a lot of momentum.

Deployment of a high trust app in SharePoint requires a certificate creation, installation, and establishing trust between the web application and SharePoint.

This article examines the high level process of a high trust app deployment.

Basic prerequisites are:

  • On premise SharePoint 2013 environment
  • Visual studio for the development
  • IIS server to host the remote web application

Registering the High Trust App

High trust apps always need to be registered on the SharePoint firm in which the app will be installed.

Registration is done on the url : http:// <Sharepoint_website>/layouts/15/appregnew.aspx . Generate the App ID, App Secret using this form. Once you create this, keep the details for future use.

Obtaining the Certificate

For development or testing purposes, a self-signed certificate is enough. However this will result in a warning pop up, so when you’re in a proper testing environment or production environment, a certificate signed by a trusted third party is a must.

The certificate should be in two formats: Personal Information Exchange (pfx), and Security Certificate (cer). If it is not in either of these formats when originally obtained, it can be converted using a utility. Also, once a pfx format version has been obtained, the pfx file can be imported into IIS and then the .cer version exported.

If the certificate is originally obtained in a .cer format, it will contain both the private and public keys. As a general practice, the .cer file that is used by SharePoint should not contain the private key. Consider importing the original certificate to IIS and then exporting a new .cer version that does not include the private key.

Creating a certificate is enough with respect to high trusted apps, however if you intend to learn more about certificates and public key private keys, internet blogs and MSDN are good source.

Configuring the Remote Web Server and PFX Certificate

To configure the remote web server and pfx certificate, you need to import the certificate into IIS on the remote web server using PowerShell.

  1. Use the Windows PowerShell command to create a certificate object:
$publicCertPath = "C:\Certs\HighTrustSampleCert.cer"
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($publicCertPath)
  1. Add the following line to ensure that SharePoint treats the certificate as a root authority.
New-SPTrustedRootAuthority -Name "HighTrustSampleCert" -Certificate $certificate 

Add the following line to get the ID of the authorization realm.

$realm = Get-SPAuthenticationRealm

Your remote web application will use an access token to get access to SharePoint data. The access token must be issued by a token issuer that SharePoint trusts. In a high-trust app for SharePoint, the certificate is the token issuer. Add the following lines to construct an issuer ID in the format that SharePoint requires: specific_issuer_GUID@realm_GUID.

$specificIssuerId = "********-****-****-****-************"
$fullIssuerIdentifier = $specificIssuerId + '@' + $realm 


This defines the high-level steps needed for configuring a high trust app. However this is a complex process which often gets into issues and troubleshooting is time consuming. So it is highly recommended that one should try to create and deploy a very simple high trust app and then modify accordingly.

November 23, 2015
Skip to toolbar