7
votes

I have an On-Premises, High-Trust Provider-Hosted App (PHA) written using the standard Visual Studio 2013 PHA template. I've followed the configuration steps for High-Trust/S2S apps presented by Kirk Evans in his blog here:

http://blogs.msdn.com/b/kaevans/archive/2012/11/27/creating-high-trust-sharepoint-apps-with-microsoft-office-developer-tools-for-visual-studio-2012-preview-2.aspx

Everything worked as expected without much need for modification until I added a service to host an event receiver for the AppInstalled event. When I tried installing the app with the event enabled, I received the following error from SharePoint:

The remote event receiver callout failed. Details: The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'NTLM;Negotiate'.

Out-of-the-box the PHA is not configured to support Anonymous authentication in its service bindings. When I add support for Anonymous authentication via web.config, the app installs and all the event receiver logic executes as expected, including CSOM calls that add lists and security groups to the host web.

This leaves me with a two-part question:

  1. Is Anonymous access a definite requirement for High-Trust/S2S app event receivers? On the one hand this seems like a security hole. On the other hand, I haven't found any way to force SharePoint to use an authentication scheme other than Anonymous during app lifecycle events. Have I missed something?
  2. If Anonymous access is required, does anyone have recommended (tested and confirmed) best practices for alternate ways to secure that communication? IP Address restrictions come to mind, but I haven't thought it through completely.

TIA

1 Answer

1
votes
  1. Anonymous access is definitely required for High-Trust/S2S app event receivers.

  2. You can use HTTPS to secure the communication with the App Event receiver. A suggestion would be to block the access of the app event receiver from external domains, as SharePoint will call the web service from within the network.
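As an added illustration of the compensating controls discussed above (not code from the question, the answer, or the Visual Studio template), this constructed web.config for the provider-hosted app's IIS site keeps the anonymous WCF binding the callout needs but forces HTTPS on the receiver endpoint and limits callers to one subnet. The service namespace, the `.svc` path and the 10.0.0.0/24 subnet are placeholders, not values from the thread.

```xml
<!-- Constructed example, not from the original thread: web.config fragments for
     the PHA web site hosting the remote event receiver. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Transport security (HTTPS) with no client credential: this is the
             "Anonymous" scheme SharePoint uses for the AppInstalled callout. -->
        <binding name="secureAnonymous">
          <security mode="Transport">
            <transport clientCredentialType="None" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <!-- Placeholder namespace; the class name AppEventReceiver comes from the template. -->
      <service name="YourPhaWeb.Services.AppEventReceiver">
        <endpoint binding="basicHttpBinding"
                  bindingConfiguration="secureAnonymous"
                  contract="Microsoft.SharePoint.Client.EventReceivers.IRemoteEventService" />
      </service>
    </services>
  </system.serviceModel>

  <!-- Controls scoped to the receiver endpoint only (placeholder path). -->
  <location path="Services/AppEventReceiver.svc">
    <system.webServer>
      <security>
        <!-- Refuse plain HTTP; the anonymous binding is only ever reachable over TLS. -->
        <access sslFlags="Ssl" />
        <!-- Deny everything except the SharePoint farm subnet (placeholder range);
             callers outside it receive HTTP 403 before the service code runs. -->
        <ipSecurity allowUnlisted="false">
          <add ipAddress="10.0.0.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

The `access` and `ipSecurity` sections are locked at the server level by default, so they must be unlocked in applicationHost.config (or configured there directly), and `ipSecurity` also needs the IIS "IP and Domain Restrictions" role service installed; a quick check is to install the app from a host outside the allowed subnet and confirm the callout is rejected with 403.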