High Trust S2S Provider Hosted App with "App + User" Policy

Category: apps for sharepoint 2013


Sharep0int on Tue, 10 Feb 2015 18:17:06


I am relatively new to SharePoint app development.

Trying to create an on-premises, high-trust provider-hosted app with App + User policy. I have followed the document below to create a demo.


I am facing a few issues and have some questions to clarify, if anybody can help.

1) When I inspect my request in dev tools, it gives me the form data below.
SPSiteUrl: <My Sharepoint site URL>

Now when I inspect the log with the above correlation ID, I am finding the errors below.
-- Error when get token for app i:0i.t|ms.sp.ext|ab8ff461-bc75-4516-b475-b666ac47eec0@802f23e1-6e11-45d1-909c-07a7b0ab0ce2, exception: Microsoft.SharePoint.SPException: The Azure Access Control service is unavailable.    
-- App token requested from appredirect.aspx for site: 92bfe5c4-7255-4b09-a89a-07e0e2b03622 but there was an error in generating it.  This may be a case when we do not need a token or when the app principal was not properly set up.
-- Getting Error Message for Exception Microsoft.SharePoint.SPException: The Azure Access Control service is unavailable.    

a) I believe a high-trust app shouldn't look for Azure ACS. Is this error because of some incorrect configuration?
b) SPAppToken is null here. Is it always null in the case of a high-trust app?

2) Say I am logged into SharePoint as User A and trying to launch a SharePoint app.
Within the app code I want to get the identity of the logged-in user (which is A). From the code below I found that Request.LogonUserIdentity gives me the identity of user A. But how can we be sure that the request came from SharePoint only? I can copy the same app URL, paste it in a browser window, log in with Windows credentials and get the same result. So the question is how I can verify that it is a legitimate request that came from SharePoint only and no one is faking the request.
Also, when I inspect the request in dev tools, it is passing an Authorization key in the request header. What is the use of this?

			// Build a client context for the host web using the current Windows user's identity (S2S high-trust)
			using (var clientContext = TokenHelper.GetS2SClientContextWithWindowsIdentity(hostWeb, Request.LogonUserIdentity))
			{
			    clientContext.Load(clientContext.Web, web => web.Title);
			    clientContext.ExecuteQuery();
			    Response.Write(clientContext.Web.Title);
			}

3) Also, what happens if my app doesn't support Windows authentication and only supports FBA? Is there any way to get the user identity in this case?

Any help would be much appreciated.



deverr on Thu, 12 Feb 2015 12:53:17


The error is related to the SSL in an on-premises environment:


About the SPAppToken issue, you can refer to the nice articles below:


Hope this will help you.

mintxelas on Thu, 04 May 2017 15:41:29

For #1: you have it sorted out I guess. It has to be an infrastructure problem with the trust setup.

For #2: For validating that the request is coming from SharePoint, you can check the REFERRER in the request.

For #3: AFAIK high trust with user identity only works for NTLM, but you can authenticate the user as you see fit (FBA if you want) and then perform an App-Only request to SharePoint using the app's identity.

A bit late, but hope it helps ;)
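One way to implement the referrer check from this thread in the provider-hosted app, as an added example that is not part of any post above; it assumes a hypothetical web.config appSettings key TrustedSharePointHosts listing the on-premises SharePoint host names, and checks both the Referer header and the posted SPSiteUrl form field against that list.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web;

public static class SharePointRequestValidator
{
    // Hypothetical appSettings key holding a comma-separated list of trusted
    // SharePoint host names, e.g. "sp.contoso.local,sp2.contoso.local" (constructed).
    private const string TrustedHostsKey = "TrustedSharePointHosts";

    public static ISet<string> LoadTrustedHosts()
    {
        var hosts = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        string raw = ConfigurationManager.AppSettings[TrustedHostsKey] ?? string.Empty;
        foreach (string host in raw.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries))
        {
            hosts.Add(host.Trim());
        }
        return hosts;
    }

    // True only when the launch came over HTTPS from a trusted SharePoint host and the
    // posted SPSiteUrl names that same host. The Referer header is set by the browser,
    // so this is a sanity check on the launch path; the user's identity still comes
    // from the Windows logon and the app's S2S certificate, not from this header.
    public static bool IsLaunchedFromTrustedSharePoint(HttpRequest request, ISet<string> trustedHosts)
    {
        Uri referrer = request.UrlReferrer;
        if (referrer == null || referrer.Scheme != Uri.UriSchemeHttps)
            return false;
        if (!trustedHosts.Contains(referrer.Host))
            return false;

        Uri siteUrl;
        string spSiteUrl = request.Form["SPSiteUrl"];
        if (!Uri.TryCreate(spSiteUrl, UriKind.Absolute, out siteUrl))
            return false;
        if (siteUrl.Scheme != Uri.UriSchemeHttps || !trustedHosts.Contains(siteUrl.Host))
            return false;

        // The referring host and the claimed site host must agree.
        return string.Equals(referrer.Host, siteUrl.Host, StringComparison.OrdinalIgnoreCase);
    }
}
```

Call IsLaunchedFromTrustedSharePoint at the top of Page_Load and skip building the S2S client context when it returns false.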