Anyone who has worked on provider hosted high-trust add-ins for SharePoint 2013 on-premises environment knows if an environment works, it works like a charm. If it fails, it’s worst thing as IT Pro you may encounter. Most of the errors while troubleshooting provider hosted high-trust configuration are mostly related to authentication and add-ins & SharePoint communication. Many of these errors are so generic like 401, 403, and 404 errors that it can quickly raise the frustration level along with the waste of hundreds of hours.
With this cheat sheet, I am planning to share my usual suspects and hoping to keep it updated as I encounter more weird errors in SharePoint provider-hosted high-trust add-ins configuration.
Microsoft Resources for Troubleshooting Apps
- MSDN Resource for Troubleshooting High Trust Apps – https://msdn.microsoft.com/en-us/library/office/Dn762440.aspx
Usual Suspect Areas to look at
- Expired certs on IIS, local Windows cert store, and SharePoint trust store (including all the chain certs)
- Invalid Get-SPTrustedSecurityTokenIssuer
- Invalid Get-SPTrustedRootAuthority
- Invalid Cert Serial Number or Certs information in web.config
- Invalid Alternate Access Mapping
- Invalid HTTP or HTTPS binding in IIS
- Missing DNS entries
- Depending on your needs, you would need to set App permission in App Manifest
- Validate Provider Hosted App IIS site – Enable Windows Auth, NTLM as preferred provider, App pool runs under 4.0 and ApplicationPoolIdentity
Myths – Invalid Causes called out in blogosphere
- Certs Chain must be installed and imported in both local Cert store and IIS on both SharePoint and Provider Hosted Apps servers.
- Removing RootCA & High Trust cert from SharePoint trust store (accessible from central admin) not affecting how Provider-hosted apps work, it works regardless.
- According to API cert expert, Brian… IIS should have only lowest level cert what’s needed for binding, all parent chain certs shouldn’t be in IIS.
- No Routing Web App on SharePoint Servers – This throws 404 error for SharePoint hosted, and Store hosted apps but works fine for Provider-hosted apps, routing web app is required for SharePoint hosted app.
- You need to disable Anonymous Authentication on Provider hosted app IIS website – no reason to do this unless you want to do this as best practice.
- NTLM has to be preferred provider (above Kerberos) for Windows Auth on Provider hosted app IIS website – no reason to do this unless you want to do this as best practice.
- To get the title of the site, you would need to set App permission in App Manifest Depending – No need for this for title info.
- SharePoint and App hosting servers should be in same time zone. No need for this either.
Error – An Unexpected error has occurred while installing app
- This may happen if App was already installed with upper version and you are redeploying app using lower version to the same site. e.g. I had a site collection where I deployed an app with 126.96.36.199 version. I have uninstalled an app and repackaged with 188.8.131.52 version and deployed to the App Catalog. This caused an error while installing an app to the same site collection again. New version app would work fine with new site collection where this app never been installed earlier.
- Myth – Many blogs and forum say – cleanup App Catalog recycle bin and that didn’t fix my issue.
Error – Blank Page while accessing installed app
- Check if HTTP or HTTPS of remoteweb URL.
- Check if URL is correct e.g. http://appurl/pages/default.aspx/pages/default.aspx .. This may happen because webs are packaged and deployed with remoteweb parameter – http://appurl/pages/default.aspx and app might be published as ~remoteURL/pages/default.aspx in Appmanifest.
- Check if remoteweb URL is same as a registered app – look through appinv.aspx.
Error – 401 Error – Unauthorized while accessing installed app
- Possible Causes:
- No Windows Auth is enabled on the Provider Hosted App IIS website.
Error – 401 Error – Unauthorized while running app, SharePoint-App communication issue
- Possible Causes:
- Issuer ID is invalid or has uppercase letters or Issuer ID has space in Appweb web.config file.
Error – 403 Error – Forbidden while accessing installed app, SharePoint-App communication issue
- Possible Causes:
- Client ID is invalid, or Client ID has space in Appweb web.config file.
- Get-SPSecurityTokenServiceConfig AllowOAuthOverHttp setting is invalid. It must be true if one of the SharePoint web application or Provider hosted App IIS website have HTTP binding. If both SharePoint and Add-ins using SSL, it should be false. In many cases, if you have HTTP binding on SharePoint in addition to SSL and if Add-ins using SSL with AllowOAuthOverHttp=false, may cause an error.
Error – 404 Error – While accessing installed app
- Possible Causes:
- DNS Entry Issue – Either Wrong or NO DNS entries – Try to ping the app URL to see if it reaches to correct server IP or F5 App Pool IP.
Error – An error occurred while processing your request – while accessing installed app
- Background Note – This error gets generated by Visual Studio boilerplate code for SharePoint Context and TokenHelper.
- Possible Causes:
- Certificate Serial Number is invalid in Appweb web.config file.
Error – Keyset does not exist – while accessing installed app
Background Note – This error is related to SharePoint app running in IIS can’t access High Trust configured on Provider hosted cert store to initiate communication to SharePoint.
Possible Cause – If IIS_IUSERs don’t have permission to high trust on local cert store, it will throw Keyset doesn’t exist error –http://webservices20.blogspot.com/2011/02/wcf-keyset-does-not-exist.html. For the separate IIS server hosting Add-ins, configure BUILTIN\IIS_IUSRS users to the full control permission to cert. This allows apps running on IIS to access cert for high-trust SharePoint communication. On Windows Server 2012 R2, Use command line tool – Windows HTTP Services Certificate Configuration Tool – WinHttpCertCfg.exe. On Windows Server 2008 R2, you can use Microsoft WSE 2.0 SP3 GUI tool, look up wildcard cert (e.g. *.niks.local) and gave full control IIS_IUSRS from the machine, restart the IIS.
Error – Sorry, Something went wrong – while adding/installing an app to the site – App differs from another App with the same version and product ID
This is worst kind of error where it’s really hard to troubleshoot. In most cases – you have to look into ULS logs to troubleshoot as this isn’t a glaring mistake. Luckily, that mistake does provide you ULS correlation ID which you can use to troubleshoot.
In my case – I had come across this error in ULS log.
Issue – 11/03/2015 14:44:28.00 w3wp.exe (0x1C28) 0x0548 SharePoint Foundation General ajlz0 High Getting Error Message for Exception System.Web.HttpUnhandledException (0x80004005): Exception of type ‘System.Web.HttpUnhandledException’ was thrown. —> System.InvalidOperationException: The provided App differs from another App with the same version and product ID. at Microsoft.SharePoint.Lifecycle.SprocWrappers.CreateApp(SqlSession dbSessionWrapper, Byte fingerprint, Guid siteId, Guid productId, Version version, String title, String contentMarket, String assetId, SPAppSource source, String tempIconUrl) at Microsoft.SharePoint.Administration.SPApp.CreateAppAndCommitPackage(SqlSession session, Byte fingerprint, String path, Guid siteId, String assetId, String contentMarket, SPAppSource source) at Microsoft.SharePoint.Administration.SPApp.CreateAppUsingPackageMetadata(Stre… 4d143e9d-3578-6086-1f97-858d6df686c1
There are various online articles and places this error has been discussed and folks have solved many different ways –
- Check the version number of new App is same or upper as previously installed App – In my environment, it was same. This wasn’t an issue.
- Uninstall all Apps from the site collection – In my environment, no apps installed. Tried both UI or PowerShell option to check if App exists – http://www.mavention.com/blog/provided-App-differs-another-App-same-version-product-ID and http://sharepoint.stackexchange.com/questions/140458/sharepoint-hosted-app-error-while-deployment
- Check if you can add this app to brand new site collection – In my environment, it worked. It means, there are hidden instances of this app on existing site collection but didn’t know how to clean up hidden instances.
- Check if you clean up both end user and site collection recycle bin – In my environment, I didn’t see any deleted app in recycle bin, still cleaned up but didn’t fix the issue – https://samlman.wordpress.com/2015/02/27/fixing-the-provided-app-differs-from-another-app-with-the-same-version-and-product-id-error-in-office-365/ or https://www.simple-talk.com/blogs/2015/01/23/sharepoint-apps-and-fixing-the-provided-app-differs-from-another-app-with-the-same-version-and-product-id-issue/
- Install App as non-Admin user – In my environment, installed as non-admin account, still doesn’t work – http://www.jeremythake.com/2013/10/sharepoint-2013-apps-the-provided-app-differs-from-another-app-with-the-same-version-and-product-id/
- Removed and Added App from App Catalog – In my environment, didn’t work – http://sharepoint.stackexchange.com/questions/140458/sharepoint-hosted-app-error-while-deployment
- Cleanup App Catalog recycle bin – In my environment, I deleted an app from recycle bin but still didn’t fix.
- FINALLY – Up the App version number or updated the product ID – I have updated version number and redeployed app to repair the issue.
- After I have fixed – I had come across John Liu’s article to tweak database to resolve this issue. Which I haven’t tested yet nor I will ever do – I wouldn’t recommend but something to consider – http://johnliu.net/blog/2015/12/yet-another-fix-for-app-with-the-same-version-and-product-id-on-premises
Have you come across any other scenarios not discussed here? Plan to post in the comments section to increase awareness of your particular situation. You never know – it may help someone out there.