Cheat Sheet to Troubleshoot SharePoint Provider hosted High-Trust Add-ins – 401, 403, 404, and Misc Errors

Anyone who has worked on provider hosted high-trust add-ins for SharePoint 2013 on-premises environment knows if an environment works, it works like a charm. If it fails, it’s worst thing as IT Pro you may encounter. Most of the errors while troubleshooting provider hosted high-trust configuration are mostly related to authentication and add-ins & SharePoint communication. Many of these errors are so generic like 401, 403, and 404 errors that it can quickly raise the frustration level along with the waste of hundreds of hours.

With this cheat sheet, I am planning to share my usual suspects and hoping to keep it updated as I encounter more weird errors in SharePoint provider-hosted high-trust add-ins configuration.

Microsoft Resources for Troubleshooting Apps

Usual Suspect Areas to look at

  • Expired certs on IIS, local Windows cert store, and SharePoint trust store (including all the chain certs)
  • Invalid Get-SPTrustedSecurityTokenIssuer
  • Invalid Get-SPTrustedRootAuthority
  • Invalid Cert Serial Number or Certs information in web.config
  • Invalid Alternate Access Mapping
  • Invalid HTTP or HTTPS binding in IIS
  • Missing DNS entries
  • Depending on your needs, you would need to set App permission in App Manifest
  • Validate Provider Hosted App IIS site – Enable Windows Auth, NTLM as preferred provider, App pool runs under 4.0 and ApplicationPoolIdentity

Myths – Invalid Causes called out in blogosphere

  • Certs Chain must be installed and imported in both local Cert store and IIS on both SharePoint and Provider Hosted Apps servers.
    • Removing RootCA & High Trust cert from SharePoint trust store (accessible from central admin) not affecting how Provider-hosted apps work, it works regardless.
    • According to API cert expert, Brian… IIS should have only lowest level cert what’s needed for binding, all parent chain certs shouldn’t be in IIS.
  • No Routing Web App on SharePoint Servers – This throws 404 error for SharePoint hosted, and Store hosted apps but works fine for Provider-hosted apps, routing web app is required for SharePoint hosted app.
  • You need to disable Anonymous Authentication on Provider hosted app IIS website – no reason to do this unless you want to do this as best practice.
  • NTLM has to be preferred provider (above Kerberos) for Windows Auth on Provider hosted app IIS website – no reason to do this unless you want to do this as best practice.
  • To get the title of the site, you would need to set App permission in App Manifest Depending – No need for this for title info.
  • SharePoint and App hosting servers should be in same time zone. No need for this either.

Error – An Unexpected error has occurred while installing app

  • This may happen if App was already installed with upper version and you are redeploying app using lower version to the same site. e.g. I had a site collection where I deployed an app with version. I have uninstalled an app and repackaged with version and deployed to the App Catalog. This caused an error while installing an app to the same site collection again. New version app would work fine with new site collection where this app never been installed earlier.
  • Myth – Many blogs and forum say – cleanup App Catalog recycle bin and that didn’t fix my issue.

Error – Blank Page while accessing installed app

Error – 401 Error – Unauthorized while accessing installed app


  • Possible Causes:
    • No Windows Auth is enabled on the Provider Hosted App IIS website.

Error – 401 Error – Unauthorized while running app, SharePoint-App communication issue

401-Unauthorized 2.PNG

  • Possible Causes:
    • Issuer ID is invalid or has uppercase letters or Issuer ID has space in Appweb web.config file.

Error – 403 Error – Forbidden while accessing installed app, SharePoint-App communication issue


  • Possible Causes:
    • Client ID is invalid, or Client ID has space in Appweb web.config file.
    • Get-SPSecurityTokenServiceConfig AllowOAuthOverHttp setting is invalid. It must be true if one of the SharePoint web application or Provider hosted App IIS website have HTTP binding. If both SharePoint and Add-ins using SSL, it should be false. In many cases, if you have HTTP binding on SharePoint in addition to SSL and if Add-ins using SSL with AllowOAuthOverHttp=false, may cause an error.

Error – 404 Error – While accessing installed app


404 2

  • Possible Causes:
    • DNS Entry Issue – Either Wrong or NO DNS entries – Try to ping the app URL to see if it reaches to correct server IP or F5 App Pool IP.

Error – An error occurred while processing your request – while accessing installed app

  • Background Note – This error gets generated by Visual Studio boilerplate code for SharePoint Context and TokenHelper.
  • Possible Causes:
    • Certificate Serial Number is invalid in Appweb web.config file.

Error – Keyset does not exist – while accessing installed app

Background Note – This error is related to SharePoint app running in IIS can’t access High Trust configured on Provider hosted cert store to initiate communication to SharePoint.

Possible Cause – If IIS_IUSERs don’t have permission to high trust on local cert store, it will throw Keyset doesn’t exist error – For the separate IIS server hosting Add-ins, configure BUILTIN\IIS_IUSRS users to the full control permission to cert. This allows apps running on IIS to access cert for high-trust SharePoint communication. On Windows Server 2012 R2, Use command line tool – Windows HTTP Services Certificate Configuration Tool – WinHttpCertCfg.exe. On Windows Server 2008 R2, you can use Microsoft WSE 2.0 SP3 GUI tool, look up wildcard cert (e.g. *.niks.local) and gave full control IIS_IUSRS from the machine, restart the IIS.

Error – Sorry, Something went wrong – while adding/installing an app to the site – App differs from another App with the same version and product ID

Sorry something wrong

This is worst kind of error where it’s really hard to troubleshoot. In most cases – you have to look into ULS logs to troubleshoot as this isn’t a glaring mistake. Luckily, that mistake does provide you ULS correlation ID which you can use to troubleshoot.

In my case – I had come across this error in ULS log.

Issue – 11/03/2015 14:44:28.00   w3wp.exe (0x1C28)                       0x0548  SharePoint Foundation                 General                                       ajlz0       High       Getting Error Message for Exception System.Web.HttpUnhandledException (0x80004005): Exception of type ‘System.Web.HttpUnhandledException’ was thrown. —> System.InvalidOperationException: The provided App differs from another App with the same version and product ID.     at Microsoft.SharePoint.Lifecycle.SprocWrappers.CreateApp(SqlSession dbSessionWrapper, Byte[] fingerprint, Guid siteId, Guid productId, Version version, String title, String contentMarket, String assetId, SPAppSource source, String tempIconUrl)     at Microsoft.SharePoint.Administration.SPApp.CreateAppAndCommitPackage(SqlSession session, Byte[] fingerprint, String path, Guid siteId, String assetId, String contentMarket, SPAppSource source)     at Microsoft.SharePoint.Administration.SPApp.CreateAppUsingPackageMetadata(Stre… 4d143e9d-3578-6086-1f97-858d6df686c1

There are various online articles and places this error has been discussed and folks have solved many different ways –

Have you come across any other scenarios not discussed here? Plan to post in the comments section to increase awareness of your particular situation. You never know – it may help someone out there.


This entry was posted in Uncategorized. Bookmark the permalink.

2 Responses to Cheat Sheet to Troubleshoot SharePoint Provider hosted High-Trust Add-ins – 401, 403, 404, and Misc Errors

  1. Pingback: Troubleshooting High Trust Provider Hosted Add-Ins « An Expected Error Has Occurred

  2. David de Jong says:

    Awesome, comprehensive list! Came across another one that stumped me for quite a while:
    The Root Certificate Authority had been created with an incorrect FriendlyName (a typo). Had to remove Root and STS, set the FriendlyName in Certificate Manager, re-export certs and then recreate Root and STS.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s