High Trust Provider Hosted Apps with App only Policy
We had a requirement at a customer to build an app which allows users to view the names of all the PDF files in the site collection even if the user does not have permissions to the library.
Even though the users can see the names of all the files, once they click on the link it should give them an Access Denied error.
The first thing that came to my mind was Provider Hosted Apps with App only policy to implement this requirement.
So we went about creating a High Trust Provider Hosted App using the CSOM SharePoint Search API.
After a couple of stumbles we managed to get the App up and running. Since it is a development environment, we had the web application in the Provider Hosted App project hosted on the local IIS of the SharePoint server.
The App works fine when we use the User and Client Context. However the moment we change it to App only policy it would throw an Unauthorized Exception.
It gave an System.UauthorizedAccessException with a CorrelationID. We searched the ULS logs with the correlation ID and found this error message ‘Do not apply UserResourceTally for app only request.’
After some re-search we found that with Search SharePoint does not allow you to use App only principal, in the App Manifest file you can find that the only permission associated with search is 'QueryAsUserIgnoreAppPrincipal'.
Therefore it executes as the currently logged in user.
We ended up changing the code back to User + App context and setting the credentials of a site collection administrator for the ClientContext in the code.
clientContext.Credentials = new NetworkCredential("CONTOSO\\spadmin", "password");