"The remote server returned an error: (401) Unauthorized" in SharePoint 2013 Provider Hosted Apps
by Sathish Nadarajan 26 May 2015
SharePoint MVP

This is an exception we often get while setting up Provider Hosted Apps in SharePoint 2013. In this article, let us see what we can do to resolve it.

1. Make sure that you have the proper Issuer ID registered and that the Security Token has been created. To create the Issuer ID, please refer HERE.

2. For our convenience, the script to create the Issuer ID is as follows.

 #Registering a Issuer ID 14077233-e062-4874-9acd-9c4fbe578f2f
  Add-PSSnapin "Microsoft.SharePoint.PowerShell"
  $issuerID = "3ec8ca41-2add-46b7-b0f8-48b81dcea65d"
  $targetSiteUrl = "https://c4968397007.dc07.loc:2000/sites/DeveloperSite/"
  $targetSite = Get-SPSite $targetSiteUrl
  $realm = Get-SPAuthenticationRealm -ServiceContext $targetSite
  $registeredIssuerName = $issuerID + '@' + $realm
  $publicCertificatePath = "C:\Sathish\PHACertificate.cer"
  $publicCertificate = Get-PfxCertificate $publicCertificatePath
  Write-Host "Create Security token issuer"
  $secureTokenIssuer = New-SPTrustedSecurityTokenIssuer -Name $issuerID -RegisteredIssuerName $registeredIssuerName -Certificate $publicCertificate -IsTrustBroker
  $secureTokenIssuer | select *
  $secureTokenIssuer  | select * | Out-File -FilePath "SecureTokenIssuer.txt"
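  # Turn off the HTTPS requirement for OAuth during development only;
  # leave this $false on farms whose sites run over HTTPS (steps 8 and 13)
  $serviceConfig = Get-SPSecurityTokenServiceConfig
  $serviceConfig.AllowOAuthOverHttp = $true
  # Persist the change; without Update() the new value is not saved
  $serviceConfig.Update()
  Write-Host "All done..."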

3. Make sure that the ClientID has been registered properly. We have already seen this in this article.

4. Use the below script to create the client ID.

 # Registering App principal
  Add-PSSnapin "Microsoft.SharePoint.PowerShell"
  # set initialization values for new app principal
  $appDisplayName = "PHAMVCTrial"
  $clientID = "41251e31-1604-41a9-9f50-8ba8fef3cfa5"
  $targetSiteUrl = "https://c4968397007.dc07.loc:2000/sites/DeveloperSite/"
  $targetSite = Get-SPSite $targetSiteUrl
  $realm = Get-SPAuthenticationRealm -ServiceContext $targetSite
  $fullAppPrincipalIdentifier = $clientID + '@' + $realm
  Write-Host "Registering new app principal" 
  $registeredAppPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppPrincipalIdentifier -Site $targetSite.RootWeb -DisplayName $AppDisplayName
  $registeredAppPrincipal | select * | Format-List
  $registeredAppPrincipal | select * | Format-List | Out-File -FilePath "Output.txt"
  Write-Host "Registration Completed"
  #Get-SpAppPrincipal -? 

5. Make sure that the same Client ID and Issuer ID are present in your PHA's web.config (first fragment below) and that the same Client ID is present in the AppManifest.xml (second fragment below).


     <add key="webpages:Version" value="" />
     <add key="webpages:Enabled" value="false" />
     <add key="ClientValidationEnabled" value="true" />
     <add key="UnobtrusiveJavaScriptEnabled" value="true" />
     <add key="ClientId" value="41251e31-1604-41a9-9f50-8ba8fef3cfa5" />
     <add key="ClientSigningCertificatePath" value="C:\Sathish\PHACertificate.pfx" />
     <add key="ClientSigningCertificatePassword" value="Password11" />
     <add key="IssuerId" value="3ec8ca41-2add-46b7-b0f8-48b81dcea65d" />


     <RemoteWebApplication ClientId="41251e31-1604-41a9-9f50-8ba8fef3cfa5" />

6. Go to the page _layouts/15/AppPrincipals.aspx and make sure that the Client IDs are properly registered. Again, this is only a double check.

7. Go to the page _layouts/15/AppInv.aspx and look up your App by giving the ClientID. Again, this is also a double check.

8. Make sure that the SharePoint Site Collection is HTTPS enabled.

9. This is because High Trust Apps should be run on HTTPS sites only.

10. Make sure that the Remote App Web does not allow anonymous users.

11. Usually, if anonymous access is allowed, Request.LogonUserIdentity will return NT AUTHORITY\IUSR.

12. That account will not have permission on the SharePoint site, so we will get the Unauthorized exception.

13. The Remote Web App should be HTTPS enabled as well. We can set this in the IIS Bindings section.

14. Specify host names (Preferred method if NTLM authentication is desired)

a. To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:

b. Set the DisableStrictNameChecking registry entry to 1.

    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and then click the following registry key:


    1. Right-click MSV1_0, point to New, and then click Multi-String Value.
    2. Type BackConnectionHostNames, and then press ENTER.
    3. Right-click BackConnectionHostNames, and then click Modify.
    4. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.

i. Quit Registry Editor, and then restart the IISAdmin service.

15. Disable the loopback check (less-recommended method)

a. The second method is to disable the loopback check by setting the DisableLoopbackCheck registry key.
To set the DisableLoopbackCheck registry key, follow these steps:

b. Set the DisableStrictNameChecking registry entry to 1

    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and then click the following registry key:


    1. Right-click Lsa, point to New, and then click DWORD Value.
    2. Type DisableLoopbackCheck, and then press ENTER.
    3. Right-click DisableLoopbackCheck, and then click Modify.
    4. In the Value data box, type 1, and then click OK.

i. Quit Registry Editor, and then restart your computer.
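
The two options in steps 14 and 15 differ in scope: BackConnectionHostNames exempts only the listed host names, while DisableLoopbackCheck turns the check off for the whole machine. The following read-only check is an added example, not code from the original article, and reports which of the two is in effect for a given host name. The registry paths are the ones documented in Microsoft KB 896861 (the key paths are missing from this page), and the function names and the sample host name are assumptions.

```powershell
# Added example (not from the article). Key paths follow Microsoft KB 896861;
# they are an assumption here because the article's key paths are missing.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LoopbackCheckState {
    # Hypothetical helper: classifies the loopback-check setup for one host name.
    param(
        [string]$HostName,
        [int]$DisableLoopbackCheck = 0,
        [string[]]$BackConnectionHostNames = @()
    )
    if ($DisableLoopbackCheck -eq 1) {
        return 'DisabledGlobally'      # step 15: check is off for every host name
    }
    if ($BackConnectionHostNames -contains $HostName) {
        return 'HostAllowListed'       # step 14: only this host name is exempt
    }
    return 'Enforced'                  # neither option applied for this host name
}

function Get-LoopbackCheckStateFromRegistry {
    # Reads the two values (no writes) and classifies them.
    param([string]$HostName)
    $lsa = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty -Path "$LsaKey\MSV1_0" -ErrorAction SilentlyContinue
    $flag = 0
    if ($lsa -and $null -ne $lsa.DisableLoopbackCheck) {
        $flag = [int]$lsa.DisableLoopbackCheck
    }
    $names = @()
    if ($msv -and $msv.BackConnectionHostNames) {
        $names = @($msv.BackConnectionHostNames)
    }
    Get-LoopbackCheckState -HostName $HostName -DisableLoopbackCheck $flag `
        -BackConnectionHostNames $names
}

# Constructed sample: the host name of the target site used in this article
Get-LoopbackCheckStateFromRegistry -HostName 'c4968397007.dc07.loc'
```

A result of `DisabledGlobally` on anything other than a development machine means the less-recommended method from step 15 was used where the per-host list from step 14 would have been enough.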

16. Make sure that the web.config of the PHA contains the following entries.

 <location path="FederationMetadata">
   <system.web>
     <authorization>
       <allow users="*" />
     </authorization>
   </system.web>
 </location>
 <system.web>
   <authentication mode="Forms" />
   <compilation debug="true" targetFramework="4.5" />
   <authorization>
     <deny users="?" />
   </authorization>
   <pages controlRenderingCompatibilityVersion="4.0" enableSessionState="true" />
   <httpRuntime requestValidationMode="4.5" />
   <customErrors mode="Off" defaultRedirect="mycustompage.htm" />
 </system.web>

17. The AppManifest.xml will be as below.

 <?xml version="1.0" encoding="utf-8" ?>
 <App xmlns=""
     <RemoteWebApplication ClientId="d2067516-f90e-4933-994c-568602afe875" />
     <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Manage" />
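
Step 5 asks for the same Client ID in web.config and AppManifest.xml, yet the fragments on this page carry two different values (step 5 versus step 17), which is exactly the kind of mismatch that ends in a 401. The following check is an added example, not code from the original article. The sample documents are constructed from the fragments above, the manifest namespace is the standard SharePoint app manifest namespace (an assumption, since the page shows it empty), and the function name is hypothetical.

```powershell
# Added example: sample documents are constructed from the fragments in this
# article (web.config from step 5, AppManifest.xml ClientId from step 17).
$webConfig = [xml]@'
<configuration>
  <appSettings>
    <add key="ClientId" value="41251e31-1604-41a9-9f50-8ba8fef3cfa5" />
    <add key="ClientSigningCertificatePassword" value="Password11" />
    <add key="IssuerId" value="3ec8ca41-2add-46b7-b0f8-48b81dcea65d" />
  </appSettings>
</configuration>
'@
$manifest = [xml]@'
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest">
  <AppPrincipal>
    <RemoteWebApplication ClientId="d2067516-f90e-4933-994c-568602afe875" />
  </AppPrincipal>
</App>
'@

function Test-AppIdentityConfig {
    # Hypothetical helper: returns one string per inconsistency found.
    param([xml]$WebConfig, [xml]$Manifest)
    $findings = @()
    $settings = @{}
    foreach ($node in $WebConfig.SelectNodes('/configuration/appSettings/add')) {
        $settings[$node.GetAttribute('key')] = $node.GetAttribute('value')
    }
    $parsed = [guid]::Empty
    foreach ($key in 'ClientId', 'IssuerId') {
        if (-not [guid]::TryParse([string]$settings[$key], [ref]$parsed)) {
            $findings += "web.config: $key is missing or is not a GUID"
        }
    }
    # local-name() keeps the lookup independent of the manifest's XML namespace
    $rwa = $Manifest.SelectSingleNode("//*[local-name()='RemoteWebApplication']")
    if ($null -eq $rwa) {
        $findings += 'AppManifest.xml: no RemoteWebApplication element'
    } elseif ($rwa.GetAttribute('ClientId') -ne $settings['ClientId']) {
        $findings += 'ClientId differs between AppManifest.xml and web.config'
    }
    if ($settings['ClientSigningCertificatePassword']) {
        $findings += 'web.config: certificate password is stored in clear text'
    }
    return $findings
}

Test-AppIdentityConfig -WebConfig $webConfig -Manifest $manifest
```

To run it against a real project, load the two files with `[xml](Get-Content <path>)` in place of the constructed samples.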

18. Verify the App Pool account under which the Remote Web App is running.

19. That account should have access to the Content DB, SharePoint Sites, etc.

20. One important thing: while developing, make sure that you are hosting the Remote Web App inside the Default Web Application, not under the SharePoint-80 Site Collection. When we install a new instance of SharePoint, the Default Web Site is stopped and port 80 is used by SharePoint. This does not apply to every situation, but it will happen if we made a mistake during installation.

21. The objective is that the Remote Web App should be running on the Default Web Site and be HTTPS enabled. If you look at the AppManifest in step 17, the StartPage attribute contains the HTTPS URL of the Remote Web App.

All the steps mentioned above are for double-checking only. I expect many of us will face these issues frequently, hence I thought of making this handy and sharing it with the community.

Happy Coding,

Sathish Nadarajan.
