Another 401 Unauthorized Tip for Working with SharePoint Apps

I’ve tried to update the related postings to this, but sometimes you need a callout to make sure it catches your attention, so here’s another troubleshooting tip for when you get a 401 unauthorized error when your app tries to access SharePoint content.

Suppose you have gotten everything working and then create a provider-hosted app hosted in IIS instead of IIS Express (see here for more details on this process: http://blogs.technet.com/b/speschka/archive/2013/06/12/converting-a-vs-net-web-for-a-provider-hosted-sharepoint-app-to-a-full-blown-web-or-console-application.aspx). Even though everything was working before, when the code runs in your app you get access denied again.

Here’s the tip: set a breakpoint in TokenHelper.cs in the GetClaimsWithWindowsIdentity method, and then look at identity.User.Value. If you see a very short SID value, like S-1-5-17, then that probably means it’s the anonymous account for IIS. The SID for a “real” user is much longer, something like S-1-5-21-1644491937-1935655697-1957994488-2138.

Remember that the way OAuth works (in the most common case with SharePoint Apps) is that it checks to make sure BOTH the app AND the user have rights to the content. In most cases the anonymous user account will not have rights, and so you will get an access denied error message.

To fix this, go into IIS and find your provider-hosted app, then disable Anonymous access and enable Windows authentication. I recommend restarting the IIS virtual server for your hosted app, then trying again.
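The breakpoint check described above can also be made a permanent guard, so a misconfigured site fails with a clear message instead of a bare 401. This is an added example, not code from TokenHelper.cs or from the original post; the class and method names are hypothetical, and apart from S-1-5-17 the SID values are the standard Windows well-known SIDs rather than values from the post.

```csharp
using System;
using System.Security.Principal;

// Added diagnostic helper (hypothetical names), not part of TokenHelper.cs.
public static class CallerIdentityCheck
{
    private const string IusrSid = "S-1-5-17";          // built-in IIS anonymous account (IUSR)
    private const string AnonymousLogonSid = "S-1-5-7"; // NT AUTHORITY\ANONYMOUS LOGON

    // Returns null when the identity looks like a real user account,
    // otherwise a short description of what the request is running as.
    public static string Describe(WindowsIdentity identity)
    {
        if (identity == null || identity.User == null)
            return "no Windows identity";

        SecurityIdentifier sid = identity.User;

        if (identity.IsAnonymous || sid.Value == AnonymousLogonSid)
            return "anonymous logon (" + sid.Value + ")";
        if (sid.Value == IusrSid)
            return "the IIS anonymous account IUSR (" + sid.Value + ")";

        // AccountDomainSid is null for SIDs that are not account SIDs,
        // e.g. Network Service (S-1-5-20) or an app pool identity (S-1-5-82-...).
        if (sid.AccountDomainSid == null)
            return "a built-in or service account (" + sid.Value + ")";

        return null; // S-1-5-21-...: a domain or local user account
    }

    // Throws before any token is requested if the caller is not a real user.
    public static void EnsureRealUser(WindowsIdentity identity)
    {
        string problem = Describe(identity);
        if (problem != null)
            throw new InvalidOperationException(
                "Request is running as " + problem + ". SharePoint checks the user " +
                "as well as the app, so disable Anonymous Authentication and enable " +
                "Windows Authentication for this site in IIS.");
    }
}
```

Calling `CallerIdentityCheck.EnsureRealUser(identity)` at the point where you would otherwise set the breakpoint surfaces the same information in the exception message.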

One thought on “Another 401 Unauthorized Tip for Working with SharePoint Apps”

  1. Hi man,

    Thanks for your useful post! As I debug my provider hosted application I got a 401 error and it’s driving me crazy. I tried to do what you wrote (disable Anonymous users on the app web on IIS and enabling Windows auth) but it didn’t change anything.
    I got a short SID (S-1-5-17) and the name of the account is “AUTORITE NT\IUSR”. I doubt that this account has any rights … anyway, the app is deployed, and when I try to access it via a SP admin account, it will return the exact same error …

    Thanks for any hint, I’m stuck and half mad,
    cheers
