- You use SharePoint Server 2013, and you apply the March 2013 update to your installation.
- You use a SharePoint 2013 web application that's configured to have multiple zones.
- You enable the "HTTP" prefix for the Default zone.
- You deploy a provider-hosted add-in that has a remote event receiver to this web application.
- Make sure that the Default zone uses "HTTPS" if OAuth is required (recommended).
- Set AllowOAuthOverHttp to True (supported but not recommended).
Important: We do not recommend this method because of security concerns, such as the lack of encryption when SSL is not enabled.
By default, OAuth events that are made over HTTP are rejected. Therefore, the Default zone should use the HTTPS protocol to accept OAuth requests. Alternatively, you can set the SPSecurityTokenServiceManager.AllowOAuthOverHttp property to True. However, to maintain site security, we do not recommend that you do this.
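The following audit script is an added example, not part of the original article. It reports, for each web application, whether the Default zone uses HTTPS and whether the farm has AllowOAuthOverHttp turned on. It assumes that it runs in the SharePoint 2013 Management Shell on a farm server under a farm administrator account; the report column names and finding texts are made up for this example.

```powershell
# Added example: audit Default-zone scheme against the OAuth-over-HTTP setting.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Farm-wide security token service setting. The default is $false,
# which means OAuth requests made over HTTP are rejected.
$sts       = Get-SPSecurityTokenServiceConfig
$allowHttp = [bool]$sts.AllowOAuthOverHttp

$defaultZone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

$report = foreach ($wa in Get-SPWebApplication) {
    # Public URL that SharePoint uses for the Default zone of this web application.
    $uri     = $wa.GetResponseUri($defaultZone)
    $isHttps = $uri.Scheme -eq 'https'

    $finding = if ($isHttps) {
        'OK: Default zone uses HTTPS'
    } elseif ($allowHttp) {
        'RISK: OAuth accepted over unencrypted HTTP'
    } else {
        'REJECTED: Default zone is HTTP, so OAuth requests are refused'
    }

    [pscustomobject]@{
        WebApplication     = $wa.DisplayName
        DefaultZoneUrl     = $uri.AbsoluteUri
        AllowOAuthOverHttp = $allowHttp
        Finding            = $finding
    }
}

$report | Format-Table -AutoSize

# Flag the not-recommended configuration even if every Default zone is HTTPS,
# because the setting applies to the whole farm.
if ($allowHttp) {
    Write-Warning 'AllowOAuthOverHttp is True. Move Default zones to HTTPS and set it back to False.'
}
```

A web application flagged REJECTED matches the configuration described in this article; the recommended fix is to move its Default zone to HTTPS rather than to change the farm setting.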
For more information about the March 2013 update for SharePoint 2013, go to the following Microsoft Knowledge Base article:
For more information about how to configure Alternate Access Mapping and host headers for web application zones in an application domain, see the following TechNet and MSDN Blog articles:
Article ID: 3135876 - Last Review: 4 Feb 2016 - Revision: 1