Here’s something that might cost you a TON of time if you aren’t careful, so please take a few minutes to read this. You should be seeing some documentation pretty shortly that describes how to create what we call an S2S application, which means Server to Server trust application. You will also see this called a “high trust application”. I won’t go into the specifics of what exactly it is because there’s a whole team of folks creating that content for you, however one important thing you need to know is that in the process of creating these applications, you need to generate a GUID that’s used to identify your application. That GUID is used when you set up the trust between SharePoint and your application (using the New-SPTrustedSecurityTokenIssuer cmdlet), and it’s also used in the AppManifest.xml for your SharePoint app as well as in the web.config for your hosted service that will be making calls into SharePoint.
The really important thing to know here is that you MUST MAKE ALL LETTERS IN THE GUID LOWERCASE – basically, the exact opposite of what I just did there. 🙂 I don’t know if that will be the “case” when SharePoint 2013 has it’s final release, but that is the situation in beta 2. This is important to know too because most people generate GUIDs when they’re in Visual Studio, using the GUID generator tool that comes with it. That tool generates GUIDs with uppercase letters, so you need to remember to convert them back down. For example, if you get a GUID that looks like 759600FB-8517-4A23-8576-C17D2351894C, then you need to change it to 759600fb-8517-4a23-8576-c17d2351894c before you start using it in all the locations I described above.
If you don’t do this, you will get a 401 Unauthorized error when your application attempts to retrieve data from SharePoint. If you do a Fiddler trace on the request and look at the Raw output from the SharePoint server response, you will see an error message that says “The issuer of the token is not a trusted issuer.”