High Trust provider Apps (On-Premise environment) won’t publish when Azure App Proxy enabled in web application service application proxy Association


High Trust provider Apps (On-Premise environment) won’t publish when Azure App Proxy enabled in web application service application proxy Association

A high trust app (aka S2S, for Server-To-Server) is for on-premise environment and not intended for cloud-hosted environment. Apps that use S2S would typically be installed behind the firewall in instances that is specific to an individual company. A High trust app is allowed to perform any actions it has been granted permissions to, regardless of the user's permission.

To configure the trust for these apps, you can follow the steps mentioned in article Create high-trust SharePoint Add-ins.

There could be some instances where you have Hybrid configured in your on-premise environment which is done using Azure Service application proxy. In this scenario, while trying to install any high trusted app in SharePoint on-premise site collection, we get the error message “Sorry, something went wrong with adding the app. Click to retry".

When you check the ULS Logs, you will find error message as below where it complains about validating access token.


OWSTIMER.EXE SharePoint Foundation App Deployment M6uw High App Packaging: Create SPAppPart : the app part relationship: https://schemas.microsoft.com/sharepoint/2012/app/relationships/content-resource is not recognized, skipping.
OWSTIMER.EXE SharePoint Foundation App Deployment ajlc1 High Error when try to get access token when deployAppInstanceId <AppInstnceID> with AppPrincipalId <AppPrincipalID>Exception=System.ArgumentNullException: Value cannot be null.                    Parameter name: applicationRealm at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationContext(SPIdentityContext userIdentityContext, String applicationId,Uri applicationRealm, SPApplicationContextAccessTokenTypeapplicationTokenType, SPApplicationDelegationConsentType consentValue) at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenForDeploymentTask(Guid siteId, SPUserToken userToken,String appPrincipalId) at Microsoft.SharePoint.Lifecycle.SPAppPrincipalAccessTokenTask.<>c__DisplayClass1.<Deploy>b__0()


This happens because it is trying to validate the app principal access token at cloud or Azure proxy level. Since we are creating a high-trust app for on-premises use, we must disable access token check that is related to cloud-hosted app, which is not needed for high-trust apps.


Backup and add the following register key AppDeploymentCheckAppPrincipalAccessToken in SharePoint servers at [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\15.0\WSS] with value REG_DWORD 0x00000000 (0)













WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall / reconfigure Windows or Sharepoint. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 How to back up and restore the registry in Windows

References : Create high-trust SharePoint Add-ins

Create and use access tokens in provider-hosted high-trust SharePoint Add-ins

Troubleshooting high-trust SharePoint Add-ins

Creating SharePoint Add-ins that use high-trust authorization


POST BY : Goldi Agrawal [MSFT]