High-trust provider-host add-in for SharePoint 2013 on-premise

Reference 

https://dev.office.com/sharepoint/docs/sp-add-ins/create-high-trust-sharepoint-add-ins

https://dev.office.com/sharepoint/docs/sp-add-ins/package-and-publish-high-trust-sharepoint-add-ins

  1. Install & configure SharePoint 2013 on-premise (not included here)
  2. Install & configure the provider-hosted server
    • Windows Server 2008 / 2012 with IIS and ASP.NET 3.5 / 4.5
    • Web Deploy
  3. Use a self-signed certificate for development and replace it with a domain-issued certificate or a commercial certificate issued by a Certificate Authority for PROD
  4. Create a self-signed certificate on the provider-hosted server
    • Open IIS and highlight <Server name>
    • Double-click Server Certificates in Features View
    • Click Create Self-Signed Certificate in the Actions pane
    • Specify a name for the certificate (HighTrustTest)
    • Keep the certificate store set to Personal
    • Click OK to finish
  5. Export the .pfx file
    • Back in Features View
    • Right-click the certificate created in step 4 (HighTrustTest) and click Export
    • Choose a destination folder for the .pfx file and provide a password
  6. Create the .cer file
    • Back in Features View
    • Double-click the certificate created in step 4 (HighTrustTest)
    • Click Copy to File in the Details tab
    • Check "No, do not export the private key" in the Export Private Key section
    • Check "DER encoded binary X.509 (.CER)" in the Export File Format section
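Steps 4 to 6 can also be done without the IIS console. The script below is an added example, not part of the original post: it creates the certificate in the machine's Personal store, exports the password-protected .pfx and the DER .cer, and then checks that the .cer carries no private key and matches the certificate in the store. It assumes the PKI module cmdlets of Windows Server 2016 or later (New-SelfSignedCertificate on Windows Server 2012 R2 does not accept -FriendlyName, -KeyLength or -NotAfter, and Windows Server 2008 lacks the module entirely); the folder and file names are constructed values.

```powershell
# Added example (not from the original post): scripts steps 4-6 on the
# provider-hosted server. Requires an elevated PowerShell session.
$certName  = "HighTrustTest"            # same friendly name as in step 4
$exportDir = "C:\HighTrustTest"         # constructed destination folder
$pfxPath   = Join-Path $exportDir "$certName.pfx"
$cerPath   = Join-Path $exportDir "$certName.cer"

New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# Step 4: self-signed certificate in the machine's Personal store, with a
# 2048-bit key and a bounded lifetime; the subject is this server's host name.
$cert = New-SelfSignedCertificate `
    -DnsName $env:COMPUTERNAME `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -FriendlyName $certName `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(2)

# Step 5: .pfx containing the private key, protected by a password.
# Read-Host keeps the password out of the script and the shell history.
$pfxPassword = Read-Host -Prompt "Password for $pfxPath" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Step 6: DER-encoded .cer with the public key only; this is the file that
# is copied to the SharePoint farm in step 7.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Check: the exported .cer must not carry a private key and must match the
# thumbprint of the certificate that stays in the store.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if ($exported.HasPrivateKey) { throw "Unexpected: $cerPath contains a private key" }
if ($exported.Thumbprint -ne $cert.Thumbprint) { throw "Thumbprint mismatch between store and $cerPath" }
"Created $certName, thumbprint $($cert.Thumbprint)"
```

Only the .cer travels to the farm; the .pfx (and its password) stays on the provider-hosted server, where the add-in uses it to sign its tokens.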
  7. Configure SharePoint to trust the provider-hosted server
    • Copy the .cer file to any server in the SharePoint farm
    • Run the script below in the SharePoint Management Shell (PowerShell)

      $remoteCerPath = "C:\HighTrustTest.cer"
      $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($remoteCerPath)
      New-SPTrustedRootAuthority -Name "HighTrustTestCert" -Certificate $certificate

      $realm = Get-SPAuthenticationRealm

      $issuerId = [System.Guid]::NewGuid()   # write down the IssuerId; it is needed later when configuring the add-in
      $issuerIdentifier = $issuerId.ToString() + '@' + $realm

      New-SPTrustedSecurityTokenIssuer -Name "High Trust Test Cert" -Certificate $certificate -RegisteredIssuerName $issuerIdentifier -IsTrustBroker

      IISReset

    • Set OAuth over HTTP

      # Development only: a production provider-hosted web must use HTTPS, so leave this at its default ($false) for PROD
      $serviceConfig = Get-SPSecurityTokenServiceConfig
      $serviceConfig.AllowOAuthOverHttp = $true
      $serviceConfig.Update()
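After step 7 it is worth checking that the trust was registered as intended before moving on to the add-in itself. The script below is an added example, not part of the original post: it reads back the root authority and token issuer created above, compares their certificates with the exported .cer, and flags the settings that are fine for development but should not survive into PROD. It assumes the names used in the script above and the same constructed .cer path, and that it runs in the SharePoint Management Shell on a farm server.

```powershell
# Added example (not from the original post): verifies the step 7 trust
# registration from the SharePoint side. Names follow the script above;
# the .cer path is a constructed value.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$rootName   = "HighTrustTestCert"
$issuerName = "High Trust Test Cert"
$cerPath    = "C:\HighTrustTest.cer"
$expected   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)

$findings = @()

# 1. Root authority exists and holds the certificate that was exported.
$root = Get-SPTrustedRootAuthority -Identity $rootName -ErrorAction SilentlyContinue
if (-not $root) {
    $findings += "Root authority '$rootName' not found"
} elseif ($root.Certificate.Thumbprint -ne $expected.Thumbprint) {
    $findings += "Root authority thumbprint differs from $cerPath"
}

# 2. Token issuer exists, is a trust broker, signs with the same certificate,
#    and its registered name ends with the farm's authentication realm.
$realm  = Get-SPAuthenticationRealm
$issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $issuerName }
if (-not $issuer) {
    $findings += "Token issuer '$issuerName' not found"
} else {
    if (-not $issuer.IsTrustBroker) { $findings += "Issuer is not registered as a trust broker" }
    if ($issuer.SigningCertificate.Thumbprint -ne $expected.Thumbprint) { $findings += "Issuer signing certificate differs from $cerPath" }
    if ($issuer.RegisteredIssuerName -notlike "*@$realm") { $findings += "RegisteredIssuerName '$($issuer.RegisteredIssuerName)' does not end with @$realm" }
}

# 3. Certificate hygiene: expiry, and self-signed status (development only, see step 3).
if ($expected.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "Certificate expires on $($expected.NotAfter)" }
if ($expected.Subject -eq $expected.Issuer) { $findings += "Certificate is self-signed: acceptable for development only" }

# 4. OAuth over HTTP is a development convenience; PROD must use HTTPS.
$stsConfig = Get-SPSecurityTokenServiceConfig
if ($stsConfig.AllowOAuthOverHttp) { $findings += "AllowOAuthOverHttp is enabled: disable for PROD" }

if ($findings.Count -eq 0) { "Trust configuration is consistent with $cerPath" }
else { $findings | ForEach-Object { "WARNING: $_" } }
```

A thumbprint mismatch here usually means the .cer on the farm is not the one exported from the certificate the add-in signs with, which is the most common cause of a 401 from SharePoint once the add-in runs.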
posted @ 2017-06-22 16:36 一只小小菜鸟