Thursday, September 3, 2015

Procedure to debug and fix error "This page can't be displayed" for provider-hosted SharePoint Add-ins

If you create an OoB provider-hosted SharePoint Add-in and run it from Visual Studio, you should see the default web page with “Welcome <your name>” on it.

However, we are getting the following error “This page can't be displayed” on all our development 2012 servers.


After extensive debugging, we have found a workaround for this issue and here are the steps to debug and fix it.

1. Verify that TLS and SSL are enabled in the browser, as shown below for IE.



2. Verify that the web app has an entry in the IIS configuration. The IIS configuration should be in this location: C:\Users\harryc\Documents\IISExpress\config\applicationhost.xml. Check that the application you developed appears in the configuration, as below.

<site name="SharePointApp4Web" id="22">
    <application path="/" applicationPool="Clr4IntegratedAppPool">
        <virtualDirectory path="/" physicalPath="C:\Projects\SharePoint2013\O365\DEV2013\SharePointApp4\SharePointApp4Web" />
    </application>
    <bindings>
        <binding protocol="http" bindingInformation="*:44119:localhost" />
        <binding protocol="https" bindingInformation="*:44304:localhost" />
    </bindings>
</site>


3. Check whether Windows has logged any system errors like those below.

In my case, the errors are:
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.

An error occurred while using SSL configuration for endpoint 0.0.0.0:44304.  The error status code is contained within the returned data.

4. The next step is to verify the cert bound to the port number (44304) the web app is running on. Look at the Certificate Hash.

Run the command with the port number the web app is running on:

netsh http show sslcert ipport=0.0.0.0:44304

    IP:port                      : 0.0.0.0:44304
    Certificate Hash             : ec4d6de883f60ab764f696e6a712f6694ec86b11
    Application ID               : {214124cd-d05b-4309-9af9-9caa44b2b74a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

You can get the Certificate Hash and Application ID from above command. 

5. Verify cert on IIS directly.

You can also verify the certs in the Certificates snap-in:

mmc.exe -> File -> Add/Remove Snap-in... -> Add Certificates -> Select Computer account -> Local Computer -> OK.


Identify the cert that IIS Express 8 is using, then right-click it and choose Open -> Details. Find the Thumbprint value. This should match the Certificate Hash value from the netsh command line.

In my case, I'm getting the following error: "No keys found certificate!". You will understand why the provider-hosted app does not work: there is a bad certificate.



We are not sure why the Visual Studio installation did not install/generate correct certificates for IIS Express 8. We are still working with Microsoft to isolate the root cause. The workaround is to change the certificate IIS Express runs against for a specific ip/port by manually deleting and re-adding the bindings via the command line.

Here are the steps for your reference.

1. Create a self-signed certificate (e.g. “IISExpressTest”) on the server and make a note of the Thumbprint value.
                Open IIS Manager
                Click “Create Self-Signed Certificate…”
                Enter a name like IISExpressTest and keep Personal as the store
                Right-click the cert and click View
                View the details and copy the Thumbprint value, like 5cb2a108b853f372103294f74a12ddab0c549e6a, for a future step

2. From the command line do: 
netsh http show sslcert ipport=0.0.0.0:44304

    IP:port                      : 0.0.0.0:44304
    Certificate Hash             : ec4d6de883f60ab764f696e6a712f6694ec86b11
    Application ID               : {214124cd-d05b-4309-9af9-9caa44b2b74a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
Record the Application ID for future step.

3. Determine what port a specific IIS Express site uses.  In my case, it was using 44304, so https://localhost:44304 was my site.

4. From the command line, delete the current cert.
netsh http delete sslcert ipport=0.0.0.0:44304

5. From the command line, bind the new cert.
netsh http add sslcert ipport=0.0.0.0:44304 appId={214124cd-d05b-4309-9af9-9caa44b2b74a} certhash=5cb2a108b853f372103294f74a12ddab0c549e6a

The port number is the port your web app is running on in IIS.
The appId is the value you got from step #2.
The certhash is the value from step #1.

6. Verify that https://localhost:44304 brings up the new certificate “IISExpressTest”.

Run the web app again to verify that the issue is fixed. You can click the certificate in the browser and view its details to confirm that it matches the Thumbprint value.

This workaround needs to be run for every web app created, and I’m thinking of adding it to the Visual Studio prebuild script to automate the step.
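
The check and rebind steps above, combined into one PowerShell script (an added example, not the author's script). It assumes an elevated prompt, English netsh output, and that -Thumbprint is the thumbprint of the replacement certificate noted in step 1; the function names are illustrative.

```powershell
# Added example (not the author's script): check and repair the SSL binding for one IIS Express port.
# Run elevated. Assumes English netsh output; -Thumbprint is the replacement cert noted in step 1.
param(
    [int]$Port = 44304,
    [Parameter(Mandatory = $true)][string]$Thumbprint
)

$ipPort = "0.0.0.0:$Port"

function Get-Binding {
    # Return the certificate hash and application ID that HTTP.sys reports for $ipPort.
    $out = netsh http show sslcert "ipport=$ipPort" | Out-String
    $b = @{ Hash = $null; AppId = $null }
    if ($out -match 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') { $b.Hash = $Matches[1] }
    if ($out -match 'Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})') { $b.AppId = $Matches[1] }
    $b
}

function Get-UsableCert([string]$Hash) {
    # A cert is usable only if it is in LocalMachine\My and has a private key attached.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Hash -and $_.HasPrivateKey }
}

$current = Get-Binding
if (-not $current.AppId) { throw "No SSL binding found for $ipPort." }
if ($current.Hash -and (Get-UsableCert $current.Hash)) {
    Write-Output "Binding on $ipPort is fine ($($current.Hash))."
    return
}

# Thumbprints pasted from the certificate dialog can carry invisible characters; keep hex digits only.
$clean = $Thumbprint -replace '[^0-9A-Fa-f]', ''
if (-not (Get-UsableCert $clean)) { throw "Certificate $clean not found with a private key in LocalMachine\My." }

# Steps 4 and 5: drop the broken binding and bind the replacement, keeping the same application ID.
netsh http delete sslcert "ipport=$ipPort" | Out-Null
netsh http add sslcert "ipport=$ipPort" "appid=$($current.AppId)" "certhash=$clean" | Out-Null

# Step 6 equivalent: confirm HTTP.sys now reports the new hash.
if ((Get-Binding).Hash -ne $clean) { throw "Rebind failed for $ipPort." }
Write-Output "Rebound $ipPort to $clean."
```

The script leaves a healthy binding untouched, so it can run before every build without replacing a working certificate.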
