You can't add a provider-hosted add-in to a SharePoint 2013 site in non-default zones

Symptoms
Consider the following scenario:

  • You use SharePoint Server 2013, and you apply the March 2013 update to your installation.
  • You use a SharePoint 2013 web application that's configured to have multiple zones.
  • You enable the "HTTP" prefix for the Default zone.
  • You deploy a provider-hosted add-in that has a remote event receiver to this web application.

In this scenario, when you add an add-in from the SharePoint store or the app catalog, you receive the following error message:

Sorry, something went wrong with adding the app.

Cause
This problem occurs because of the manner in which SharePoint calls remote event receivers. When SharePoint calls a remote event, such as when you install or uninstall an application on a site, the process sets the HostWebFullUrl parameter to the Default zone URL instead of the zone URL to which the user is currently connected. 

Workaround
To work around this issue, use one of the following methods, as appropriate:

  • Make sure that the Default zone uses "HTTPS" if OAuth is required (recommended).
  • Set AllowOAuthOverHttp to True (supported but not recommended).

    Important: We do not recommend this method because of security concerns, such as the lack of encryption when SSL is not enabled.

More information
When the remote event is triggered, SharePoint calls the remote application that hosts the event receiver, and then it provides a token that has the HostWebFullUrl parameter. HostWebFullUrl is automatically set to the Default zone URL, regardless of the zone to which the user is connecting when the remote event is triggered. Therefore, the URL of the Default zone must be reachable by the high-trust add-in.

By default, OAuth events that are made over HTTP are rejected. Therefore, the Default zone should use the HTTPS protocol to accept OAuth requests. Alternatively, you can set the SPSecurityTokenServiceManager.AllowOAuthOverHttp property to True. However, to maintain site security, we do not recommend that you do this.
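
The following audit script is an added example and is not part of the original Microsoft article. It reports, for each web application, whether the Default zone URL (the value that ends up in HostWebFullUrl) uses HTTPS and whether the farm has AllowOAuthOverHttp enabled. The report column names and the finding labels are assumptions chosen for this example.

```powershell
# Added example: run in the SharePoint 2013 Management Shell on a farm server.
# Read-only audit; it changes no settings.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$defaultZone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

# Farm-wide security token service setting discussed in the article.
$sts = Get-SPSecurityTokenServiceConfig
$allowHttp = [bool]$sts.AllowOAuthOverHttp

$report = foreach ($wa in Get-SPWebApplication) {
    # URL that SharePoint places in HostWebFullUrl for remote events.
    $defaultUri = $wa.GetResponseUri($defaultZone)
    $isHttps = $defaultUri.Scheme -eq 'https'

    # Zones that have IIS settings, i.e. zones the web application is extended to.
    $zones = @($wa.IisSettings.Keys)

    # Finding labels are made up for this example.
    $finding = if ($isHttps) {
        'OK: Default zone uses HTTPS'
    } elseif ($allowHttp) {
        'RISK: OAuth tokens accepted over unencrypted HTTP'
    } else {
        'BROKEN: add-in installation with remote events will fail'
    }

    [pscustomobject]@{
        WebApplication     = $wa.DisplayName
        DefaultZoneUrl     = $defaultUri.AbsoluteUri
        ConfiguredZones    = ($zones -join ', ')
        MultipleZones      = ($zones.Count -gt 1)
        AllowOAuthOverHttp = $allowHttp
        Finding            = $finding
    }
}

$report | Format-Table -AutoSize -Wrap

if ($allowHttp) {
    Write-Warning 'AllowOAuthOverHttp is True for this farm. Move the Default zone to HTTPS and set it back to False.'
}
```

A BROKEN finding corresponds to the symptom in this article. A RISK finding means the non-recommended workaround is in effect.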

References
For more information about how to enable OAuth over HTTP, see the following MSDN article:


For more information about the March 2013 update for SharePoint 2013, go to the following Microsoft Knowledge Base article:

2767999 Description of the SharePoint Server 2013 update: March 12, 2013

For more information about how to configure Alternate Access Mapping and host headers for web application zones in an application domain, see the following TechNet and MSDN Blog articles:

Properties

Article ID: 3135876 - Last Review: 02/04/2016 16:25:00 - Revision: 3.1

Microsoft SharePoint Server 2013
