So while building some demonstration High Trust Provider Hosted Apps in SharePoint 2013, I kept hitting the “401 Unauthorized” error.
Now this error, when looking into “ulsviewer”, comes up with a whole bunch of errors.
As you can see, all of these seem to point to some permission or account issue. However, I tried accessing my Provider Hosted App with various accounts and it still failed.
The website I set up within Internet Information Server (IIS) was set with a custom application pool and using an account already known to SharePoint. I read many blog posts that talk about checking the “Client ID” and “Issuer ID”.
Within Visual Studio I checked my core Project for the following settings:
I then went and checked my “AppManifest” file by viewing it in “Code” mode.
I compared the “Client ID” value and checked that my “Issuer ID” was correct. Nothing wrong with this configuration at all.
I also read that it could be an issue with “Anonymous” access being enabled on the “Provider Hosted” website. So I checked that too.
Nothing wrong with that setup either. Every time, however, I would get this error. So I spent some time looking over my “Provider Website” configuration. As I did this I noticed that my application pool was not set to an “Identity” but to “ApplicationPoolIdentity”.
So I made the change here to make it use a specific account as it should.
Once I made this change I tested again and I still got the same error. So I left it as is and started checking the website itself. As I checked it I noticed that credentials were set for the “Physical Path Credentials” setting, which should not be there.
So I changed the setting for this to be the following:
Now, after setting this and testing, the Provider Hosted App page loaded as expected. So the lesson here was to make sure that the account you are hitting the Provider Hosted App with is actually the ending account. In my scenario it quite clearly was being changed due to the misconfiguration of the core Provider Hosted website within IIS.
I have seen this issue logged in all the forums and blog posts, so hopefully this will give you one more thing to check is right.
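The three IIS settings checked in this post (application pool identity, Physical Path Credentials, anonymous access) can be audited in one pass from PowerShell. This is an added example, not part of the original post; it assumes the WebAdministration module is available and uses `ProviderHostedApp` as a placeholder site name.

```powershell
# Added example: audit the IIS settings discussed above for one site.
# 'ProviderHostedApp' is a placeholder site name (assumption), pass your own.
param([string]$SiteName = 'ProviderHostedApp')

Import-Module WebAdministration

$site = Get-Item "IIS:\Sites\$SiteName" -ErrorAction Stop
$pool = Get-Item "IIS:\AppPools\$($site.applicationPool)" -ErrorAction Stop
$findings = @()

# 1. The application pool should run as a specific account,
#    not the built-in ApplicationPoolIdentity.
$identityType = [string]$pool.processModel.identityType
if ($identityType -ne 'SpecificUser') {
    $findings += "App pool '$($pool.Name)' runs as '$identityType', not a specific account."
}

# 2. Physical Path Credentials: a stored user name on the site's root
#    virtual directory means IIS connects to the content as that fixed user.
$pathUser = [string]$site.userName
if ($pathUser) {
    $findings += "Physical Path Credentials are set (user '$pathUser'); they should be empty."
}

# 3. Anonymous authentication should be disabled on the provider-hosted site.
$anon = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled
if ($anon.Value) {
    $findings += 'Anonymous authentication is enabled.'
}

if ($findings.Count -eq 0) {
    Write-Output "No issues found for site '$SiteName'."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated PowerShell session on the server hosting the provider-hosted website.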
Thanks a million for this one. After two hours of checking everything that we could think of, at the end it was exactly the ‘Physical Path Credentials’ setting that we found through your article.