I have a high-trust provider-hosted application (PHA) written using the standard Visual Studio 2013 PHA template. I have been following the settings for High-Trust / S2S apps described by Kirk Evans on his blog:
http://blogs.msdn.com/b/kaevans/archive/2012/11/27/creating-high-trust-sharepoint-apps-with-microsoft-office-developer-tools-for-visual-studio-2012-preview-2.aspx
Everything worked as expected, without much change, until I added a service to host the event receiver for the AppInstalled event. When I tried to install the application with the event enabled, I received the following error from SharePoint:
The remote event receiver callout failed. Details: An unauthorized HTTP request using the Anonymous client authentication scheme. The authentication header received from the server was "NTLM, Negotiate."
Out of the box, the PHA is not configured to support anonymous authentication in its service bindings. When I add support for anonymous authentication through web.config, the application installs and all the logic of the event receiver executes as expected, including CSOM calls that add lists and security groups to the host web.
This leaves me with a two-part question:
- Is anonymous access a specific requirement for High-Trust / S2S application event receivers? On the one hand, it looks like a security hole. On the other hand, I did not find a way to force SharePoint to use an authentication scheme other than Anonymous during application lifecycle events. Did I miss something?
- If anonymous access is required, does anyone have recommended (tried and tested) best practices for alternative ways to protect this endpoint? IP address restrictions come to mind, but I have not thought it through completely.
TIA
authentication configuration sharepoint-2013
Sean hester
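One way to narrow the exposure described in the question, as an added example that is not part of the original post or of the PHA template: keep anonymous users denied across the site and open only the receiver endpoint, with an IIS allow-list for the SharePoint servers on that path. It assumes both Anonymous and Windows authentication are enabled at the IIS level, that the receiver lives at Services/AppEventReceiver.svc (an assumed path), and that the SharePoint server address range is a placeholder.

```xml
<!-- Constructed web.config fragment; path and address range are assumptions -->
<configuration>
  <system.web>
    <!-- Site-wide default: Windows auth, anonymous callers denied -->
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Weak setting (what makes the install succeed, but exposes every page and service):
       <authorization><allow users="?" /></authorization> at the site root -->

  <!-- Scoped setting: anonymous allowed only on the receiver endpoint -->
  <location path="Services/AppEventReceiver.svc">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
    <system.webServer>
      <security>
        <!-- Needs the IIS "IP and Domain Restrictions" feature, and the ipSecurity
             section unlocked in applicationHost.config (it is locked by default).
             PLACEHOLDER range: replace with the SharePoint web front-end addresses. -->
        <ipSecurity allowUnlisted="false">
          <add ipAddress="10.0.0.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Reference this binding from the receiver's endpoint via bindingConfiguration -->
        <binding name="ReceiverBinding">
          <!-- TLS on the wire; no client credential demanded for the callout -->
          <security mode="Transport">
            <transport clientCredentialType="None" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>
```

With this layout the callout still arrives anonymously, so the receiver code itself must treat the incoming SPRemoteEventProperties as untrusted input and do its SharePoint work through the app-only S2S context rather than anything derived from the request body.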