"The remote server returned an error: (401) Unauthorized" in SharePoint 2013 Provider Hosted Apps

Sathish Nadarajan
SharePoint MVP
Published On :   26 May 2015

This is one exception we used to get often during the setup of Provider Hosted Apps in SharePoint 2013. In this article, let us see what we can do to resolve it.

1. Make sure that you have the proper Issuer ID registered and that the Security Token has been created. To create the Issuer ID, please refer HERE

2. For our convenience, the script to create the Issuer ID is as follows.

 # Registering an Issuer ID 14077233-e062-4874-9acd-9c4fbe578f2f
  Add-PSSnapin "Microsoft.SharePoint.PowerShell"
  $issuerID = "3ec8ca41-2add-46b7-b0f8-48b81dcea65d"
  $targetSiteUrl = "https://c4968397007.dc07.loc:2000/sites/DeveloperSite/"
  $targetSite = Get-SPSite $targetSiteUrl
  $realm = Get-SPAuthenticationRealm -ServiceContext $targetSite
  $registeredIssuerName = $issuerID + '@' + $realm
  $publicCertificatePath = "C:\Sathish\PHACertificate.cer"
  $publicCertificate = Get-PfxCertificate $publicCertificatePath
  Write-Host "Create Security token issuer"
  $secureTokenIssuer = New-SPTrustedSecurityTokenIssuer -Name $issuerID -RegisteredIssuerName $registeredIssuerName -Certificate $publicCertificate -IsTrustBroker
  $secureTokenIssuer | select *
  $secureTokenIssuer  | select * | Out-File -FilePath "SecureTokenIssuer.txt"
  # Turn off the HTTPS requirement for OAuth during development
  $serviceConfig = Get-SPSecurityTokenServiceConfig
  $serviceConfig.AllowOAuthOverHttp = $true
  # Persist the change; without Update() the new value is not saved
  $serviceConfig.Update()
  Write-Host "All done..."

3. Make sure that the ClientID has been registered properly. We have already seen this in this article.

4. Use the below script to create the client ID.

 # Registering App principal
  Add-PSSnapin "Microsoft.SharePoint.PowerShell"
  # Set initialization values for the new app principal
  $appDisplayName = "PHAMVCTrial"
  $clientID = "41251e31-1604-41a9-9f50-8ba8fef3cfa5"
  $targetSiteUrl = "https://c4968397007.dc07.loc:2000/sites/DeveloperSite/"
  $targetSite = Get-SPSite $targetSiteUrl
  $realm = Get-SPAuthenticationRealm -ServiceContext $targetSite
  $fullAppPrincipalIdentifier = $clientID + '@' + $realm
  Write-Host "Registering new app principal" 
  $registeredAppPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppPrincipalIdentifier -Site $targetSite.RootWeb -DisplayName $appDisplayName
  $registeredAppPrincipal | select * | Format-List
  $registeredAppPrincipal | select * | Format-List | Out-File -FilePath "Output.txt"
  Write-Host "Registration Completed"
  #Get-SpAppPrincipal -? 

5. Make sure that the same Client ID and Issuer ID are present in your PHA's web.config and in the AppManifest.xml.


     <add key="webpages:Version" value="" />
     <add key="webpages:Enabled" value="false" />
     <add key="ClientValidationEnabled" value="true" />
     <add key="UnobtrusiveJavaScriptEnabled" value="true" />
     <add key="ClientId" value="41251e31-1604-41a9-9f50-8ba8fef3cfa5" />
     <add key="ClientSigningCertificatePath" value="C:\Sathish\PHACertificate.pfx" />
     <add key="ClientSigningCertificatePassword" value="Password11" />
     <add key="IssuerId" value="3ec8ca41-2add-46b7-b0f8-48b81dcea65d" />


     <RemoteWebApplication ClientId="41251e31-1604-41a9-9f50-8ba8fef3cfa5" />
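The cross-check in step 5 can be scripted. The following is an added example, not part of the original article: the function name `Test-PhaIdConsistency` is hypothetical, and the sample XML is constructed from ID values shown on this page. The manifest sample uses the ClientId from the step 17 listing, which differs from the web.config value, so the check reports a mismatch.

```powershell
# Added example (not from the article): compare the IDs in a PHA's web.config
# and AppManifest.xml. Function name is hypothetical; sample XML is constructed.
function Test-PhaIdConsistency {
    param(
        [Parameter(Mandatory)][xml]$WebConfig,
        [Parameter(Mandatory)][xml]$AppManifest
    )
    $guid = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

    # Collect appSettings into a lookup (PowerShell hashtable keys are case-insensitive).
    $settings = @{}
    foreach ($add in $WebConfig.SelectNodes('//appSettings/add')) {
        $settings[$add.GetAttribute('key')] = $add.GetAttribute('value')
    }

    # AppManifest.xml declares a default namespace, so match on local-name().
    $remote = $AppManifest.SelectSingleNode("//*[local-name()='RemoteWebApplication']")
    $manifestClientId = if ($remote) { $remote.GetAttribute('ClientId') } else { $null }

    $problems = @()
    foreach ($key in 'ClientId', 'IssuerId') {
        if ($settings[$key] -notmatch $guid) {
            $problems += "web.config: $key is missing or is not a GUID"
        }
    }
    if (-not $manifestClientId) {
        $problems += 'AppManifest.xml: no RemoteWebApplication ClientId found'
    } elseif ($manifestClientId -ne $settings['ClientId']) {
        $problems += "ClientId mismatch: manifest=$manifestClientId web.config=$($settings['ClientId'])"
    }
    [pscustomobject]@{ Consistent = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample input built from the ID values that appear in this article.
$webConfig = [xml]@'
<configuration><appSettings>
  <add key="ClientId" value="41251e31-1604-41a9-9f50-8ba8fef3cfa5" />
  <add key="IssuerId" value="3ec8ca41-2add-46b7-b0f8-48b81dcea65d" />
</appSettings></configuration>
'@
$manifest = [xml]@'
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest">
  <AppPrincipal><RemoteWebApplication ClientId="d2067516-f90e-4933-994c-568602afe875" /></AppPrincipal>
</App>
'@
Test-PhaIdConsistency -WebConfig $webConfig -AppManifest $manifest | Format-List
```

Against real files, pass `([xml](Get-Content 'web.config' -Raw))` and the equivalent for AppManifest.xml.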

6. Go to the page _layouts/15/AppPrincipals.aspx and make sure that the Client IDs are properly registered. Again, this is a double check only.

7. Go to the page _layouts/15/AppInv.aspx and look up your App by giving the ClientID. Again, this is also a double check.

8. Make sure that the SharePoint Site Collection is HTTPS enabled.

9. This is because High Trust Apps should be run on HTTPS sites only.

10. Make sure that the Remote App Web does not allow anonymous users.

11. Usually, if anonymous access is allowed, Request.LogonUserIdentity will return NT AUTHORITY\IUSR.

12. This account will not have permission on the SharePoint Site, so we will get the Unauthorized exception.

13. The Remote Web App should be HTTPS enabled as well. We can do this from the IIS Bindings section.

14. Specify host names (Preferred method if NTLM authentication is desired)

a. To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:

b. Set the DisableStrictNameChecking registry entry to 1.

    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and then click the following registry key:


    3. Right-click MSV1_0, point to New, and then click Multi-String Value.
    4. Type BackConnectionHostNames, and then press ENTER.
    5. Right-click BackConnectionHostNames, and then click Modify.
    6. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.

i. Quit Registry Editor, and then restart the IISAdmin service.

15. Disable the loopback check (less-recommended method)

a. The second method is to disable the loopback check by setting the DisableLoopbackCheck registry key. To set the DisableLoopbackCheck registry key, follow these steps:

b. Set the DisableStrictNameChecking registry entry to 1

    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and then click the following registry key:


    3. Right-click Lsa, point to New, and then click DWORD Value.
    4. Type DisableLoopbackCheck, and then press ENTER.
    5. Right-click DisableLoopbackCheck, and then click Modify.
    6. In the Value data box, type 1, and then click OK.

i. Quit Registry Editor, and then restart your computer.
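The preferred method from step 14, plus a read-only check for the setting from step 15, scripted in PowerShell. This is an added example, not part of the original article: the function names are hypothetical, and the key paths are the standard Windows locations of the Lsa and MSV1_0 keys named in the steps.

```powershell
# Added example (not from the article). Function names are hypothetical.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

# Report whether the loopback check is disabled machine-wide and which
# host names are currently exempted through BackConnectionHostNames.
function Get-LoopbackCheckState {
    $p = Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    $h = Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LoopbackCheckDisabled   = [bool]($p -and $p.DisableLoopbackCheck -eq 1)
        BackConnectionHostNames = @(if ($h) { $h.BackConnectionHostNames })
    }
}

# Merge host names into the multi-string value without dropping existing
# entries or adding duplicates. Supports -WhatIf to preview the change.
function Add-BackConnectionHostName {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$HostName)

    $current = (Get-LoopbackCheckState).BackConnectionHostNames
    $merged  = @($current + $HostName | Where-Object { $_ } | Sort-Object -Unique)

    if ($PSCmdlet.ShouldProcess($msv10, "Set BackConnectionHostNames = $($merged -join ', ')")) {
        New-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
            -PropertyType MultiString -Value $merged -Force | Out-Null
    }
    $merged
}

# Read-only report, then a preview using the host name from this article's scripts.
Get-LoopbackCheckState | Format-List
Add-BackConnectionHostName -HostName 'c4968397007.dc07.loc' -WhatIf
```

Run from an elevated prompt and drop `-WhatIf` to apply the change; restart the IISAdmin service afterwards, as in step 14.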

16. Make sure that the web.config of the PHA contains the following entries.

 <location path="FederationMetadata">
   <system.web>
     <authorization><allow users="*" /></authorization>
   </system.web>
 </location>
 <system.web>
   <authentication mode="Forms" />
   <compilation debug="true" targetFramework="4.5" />
   <authorization><deny users="?" /></authorization>
   <pages controlRenderingCompatibilityVersion="4.0" enableSessionState="true" />
   <httpRuntime requestValidationMode="4.5" />
   <customErrors mode="Off" defaultRedirect="mycustompage.htm" />
 </system.web>

17. The AppManifest.xml will be as below.

 <?xml version="1.0" encoding="utf-8" ?>
 <App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest">
   <AppPrincipal>
     <RemoteWebApplication ClientId="d2067516-f90e-4933-994c-568602afe875" />
   </AppPrincipal>
   <AppPermissionRequests>
     <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Manage" />
   </AppPermissionRequests>
 </App>

18. Verify the App Pool account under which the Remote Web App is running.

19. That account should have access to the Content DB, SharePoint Sites, etc.

20. One important thing: while developing, make sure that you are hosting the Remote Web App inside the Default Web Application, not under the SharePoint-80 Site Collection. When we install a new instance of SharePoint, the Default Site is stopped and port 80 is used by SharePoint. I am not referring to all situations, but if we made any mistake during installation, this will happen.

21. The objective is that the Remote Web App should be running on the Default Web Site and be HTTPS enabled. If you look at the AppManifest in step 17, the StartPage attribute contains the HTTPS URL of the Remote Web App.

All the steps mentioned above are for double-checking only. I expect many of us face these issues frequently, hence I thought of making this handy and sharing it with the community.

Happy Coding,

Sathish Nadarajan.
