Commit 0d88844

Final edit of Develop sp-add-ins topics (SharePoint#1193)
* Final edit * Final edit * Final edit * trying to fix chart * Trying to fix chart * Final edit
1 parent 215ba2e commit 0d88844

6 files changed

+447
-934
lines changed

docs/sp-add-ins/access-sharepoint-data-from-add-ins-using-the-cross-___domain-library.md

Lines changed: 120 additions & 250 deletions
Large diffs are not rendered by default.

docs/sp-add-ins/create-and-use-access-tokens-in-provider-hosted-high-trust-sharepoint-add-ins.md

Lines changed: 90 additions & 157 deletions
Large diffs are not rendered by default.

docs/sp-add-ins/create-high-trust-sharepoint-add-ins.md

Lines changed: 174 additions & 346 deletions
Large diffs are not rendered by default.

docs/sp-add-ins/handle-security-tokens-in-provider-hosted-low-trust-sharepoint-add-ins.md

Lines changed: 3 additions & 3 deletions
@@ -106,7 +106,7 @@ The following is a decoded example of a user+add-in access token generated by AC
106106

107107
Note that all the values must be lowercase. (User+add-in access tokens are the same in the [Context Token flow](context-token-oauth-flow-for-sharepoint-add-ins.md) and the [Authorization Code flow](authorization-code-oauth-flow-for-sharepoint-add-ins.md).)
108108

109-
```js
109+
```json
110110
{
111111
"aud": "00000003-0000-0ff1-ce00-000000000000/company.sharepoint.com@040f2415-e6e3-4480-96ce-26ef73275f73",
112112
"iss": "00000001-0000-0000-c000-000000000000@040f2415-e6e3-4480-96ce-26ef73275f73",
@@ -138,7 +138,7 @@ Note that all the values must be lowercase. (User+add-in access tokens are the s
138138

139139
The following is a decoded example of an add-in-only access token generated by ACS to be used for calls to SharePoint using the [add-in-only policy](add-in-authorization-policy-types-in-sharepoint.md). White space has been added for readability. The token complies with the [JSON Web Token](https://datatracker.ietf.org/doc/rfc7519/) protocol. See Table 2 for details about the properties in the claim set. (The add-in-only policy is not available for applications that use the [Authorization Code flow](authorization-code-oauth-flow-for-sharepoint-add-ins.md), because they do not have an add-in manifest file and, thus, cannot request permission to use add-in-only calls.)
140140

141-
```js
141+
```json
142142
{
143143
"aud":"00000003-0000-0ff1-ce00-000000000000/company.sharepoint.com@040f2415-e6e3-4480-96ce-26ef73275f73",
144144
"iss":"00000001-0000-0000-c000-000000000000@040f2415-e6e3-4480-96ce-26ef73275f73",
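Review bot: The add-in-only example writes its properties as `"aud":"..."` with no space after the colon, while the user+add-in example in the previous hunk uses `"aud": "..."`, and the paragraph above says white space has been added for readability. Since both fences are being touched in this commit, make the spacing of the two claim sets consistent.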
@@ -283,7 +283,7 @@ Response.Redirect(TokenHelper.GetAppContextTokenRequestUrl(sharePointUrl, Server
283283

284284
The following is an example of a context token. The small JavaScript Object Notation (JSON) object at the top contains metadata about the token. These properties are the same as in access tokens (see earlier). The value of the **alg** property is the name of the algorithm that is used to generate the signature that ACS appends to the token. See Table 3 for details about the properties in the payload of the token. Note that all the values must be lowercase. (White space has been added for readability.)
285285

286-
```js
286+
```json
287287
{"typ":"JWT","alg":"HS256"}
288288
.
289289
{
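Review bot: The `json` tag does not fit this block, because the context token example is a header object `{"typ":"JWT","alg":"HS256"}`, then a line containing only `.`, then the payload object, which is not a single JSON document. A highlighter that validates JSON will flag the `.` separator; keep a plain or text fence here, or split the header and payload into two `json` blocks with the separator explained in prose.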

docs/sp-add-ins/troubleshooting-high-trust-sharepoint-add-ins.md

Lines changed: 25 additions & 64 deletions
@@ -1,33 +1,23 @@
11
---
22
title: Troubleshooting high-trust SharePoint Add-ins
3-
ms.date: 09/25/2017
3+
description: Use the Fiddler tool and other guidance for resolving high-trust issues.
4+
ms.date: 12/29/2017
45
ms.prod: sharepoint
56
---
67

78

89
# Troubleshooting high-trust SharePoint Add-ins
9-
Get some help with problems developing high-trust SharePoint Add-ins.
10-
11-
12-
13-
14-
This article describes the Fiddler tool and also provides some guidance for resolving some specific issues.
15-
1610

1711
## Use the Fiddler tool
1812

19-
The free [Fiddler tool](http://www.telerik.com/fiddler) can be used to capture the HTTP Requests sent by the remote component of your add-in to SharePoint. There is a [free extension to the tool](https://github.com/andrewconnell/SPOAuthFiddlerExt) that automatically decodes the access tokens in the requests.
20-
13+
The free [Fiddler tool](http://www.telerik.com/fiddler) can be used to capture the HTTP Requests sent by the remote component of your add-in to SharePoint.
14+
15+
There is a [free extension to the tool](https://github.com/andrewconnell/SPOAuthFiddlerExt) that automatically decodes the access tokens in the requests.
2116

22-
2317
After you have installed Fiddler on the web application server, add the following markup to your web.config file to make requests from your remote web app go through this proxy. This way, you can capture a Fiddler trace and see the full response from SharePoint when you get an error.
2418

2519
> [!NOTE]
2620
> Ensure that you remove this markup if you are not running Fiddler. If you don't remove the markup, your add-in won't be able to make HTTP requests.
27-
28-
29-
30-
3121
3222
```XML
3323
<system.net>
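Review bot: The Fiddler link in the rewritten opening paragraph still points to `http://www.telerik.com/fiddler`; this is where readers go to get a proxy that they install on the web application server, so use the `https://` form, as this commit already does for the Set-SPAppPrincipalPermission link further down. The NOTE about removing the proxy markup would also be clearer if it said the markup belongs only in a debugging web.config.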
@@ -38,18 +28,14 @@ After you have installed Fiddler on the web application server, add the followin
3828

3929
```
4030

41-
After you have Fiddler installed, you can also check the response headers from SharePoint, which will include a request GUID. This request GUID is a correlation ID you can look up in the logs to find any log errors associated with that request.
31+
After you have Fiddler installed, you can also check the response headers from SharePoint, which include a request GUID. This request GUID is a correlation ID that you can look up in the logs to find any log errors associated with that request.
4232

4333

44-
34+
<a name="UnauthorizedException"> </a>
4535

4636
## 401 Unauthorized error
47-
<a name="UnauthorizedException"> </a>
48-
49-
Several things can cause a **401 Unauthorized** error when the high-trust add-in first accesses SharePoint. If you are using the Client-side Object Model (CSOM), the error looks something like the following:
50-
5137

52-
38+
Several things can cause a **401 Unauthorized** error when the high-trust add-in first accesses SharePoint. If you are using the Client-side Object Model (CSOM), the error looks something like the following:
5339

5440
```C#
5541
[WebException: The remote server returned an error: (401) Unauthorized.]
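Review bot: In the reworded sentence "This request GUID is a correlation ID that you can look up in the logs", the logs are never identified; name the log source the reader should search, since that is the step that turns the captured response header into a diagnosis. The stack trace under "401 Unauthorized error" is also fenced as `C#` although it is exception output, which is worth correcting in a commit that normalizes the other fence tags.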
@@ -65,11 +51,6 @@ Several things can cause a **401 Unauthorized** error when the high-trust add-i
6551
```
6652

6753
If you are using the TokenHelper file and Windows identity, the code that triggers the exception looks like the following:
68-
69-
70-
71-
72-
7354

7455
```C#
7556
ClientContext clientContext =
@@ -78,67 +59,47 @@ clientContext.Load(clientContext.Web);
7859
clientContext.ExecuteQuery();
7960
```
8061

81-
Your first step in troubleshooting the issue is to use the Visual Studio debugger to verify that the access token and the **ClientContext** object are constructed successfully. If they are, investigate the following possibilities:
82-
83-
84-
85-
**Possible issues and resolution:**
86-
87-
62+
Your first step in troubleshooting the issue is to use the Visual Studio debugger to verify that the access token and the **ClientContext** object are constructed successfully. If they are, investigate the following possibilities:
8863

64+
**Possible issue and resolution**:
8965

9066
- There is no user profile created for the user who is accessing the remote web application. Create the user profile.
9167

92-
93-
- Your add-in does not have permission to the resource you are trying to access. Open the SharePoint Management Shell and run that the following Windows PowerShell cmdlet. The variable `$web` is the SharePoint website you are trying to get access to and `$appPrincipal`) is the add-in ID. For more information, see [Set-SPAppPrincipalPermission](http://technet.microsoft.com/en-us/library/jj219714%28v=office.15%29.aspx).
94-
95-
```
96-
Set-SPAppPrincipalPermission -Site $web -AppPrincipal $appPrincipal -Scope Site -Right FullControl
97-
```
68+
- Your add-in does not have permission to the resource you are trying to access. Open the SharePoint Management Shell and run the following Windows PowerShell cmdlet. The variable `$web` is the SharePoint website you are trying to get access to, and `$appPrincipal` is the add-in ID. For more information, see [Set-SPAppPrincipalPermission](https://docs.microsoft.com/en-us/powershell/module/sharepoint-server/Set-SPAppPrincipalPermission?view=sharepoint-ps).
69+
70+
```powershell
71+
Set-SPAppPrincipalPermission -Site $web -AppPrincipal $appPrincipal -Scope Site -Right FullControl
72+
```
9873

99-
- Your web application is accepting anonymous requests. This means there is not a real user identity in the access token. Ensure that anonymous access has been disabled in IIS for the root directory of your remote web application. You can also check this by debugging your remote web application, and checking the value of **Request.LogonUserIdentity** in the default.aspx.cs (or .vb) file to ensure that it's not an anonymous user.
100-
74+
- Your web application is accepting anonymous requests. This means there is not a real user identity in the access token. Ensure that anonymous access has been disabled in IIS for the root directory of your remote web application. You can also check this by debugging your remote web application, and checking the value of **Request.LogonUserIdentity** in the default.aspx.cs (or .vb) file to ensure that it's not an anonymous user.
10175

10276
- Your digital certificate was not added to the trusted certificate store. Be sure you have followed the procedures in [Package and publish high-trust SharePoint Add-ins](package-and-publish-high-trust-sharepoint-add-ins.md).
10377

104-
78+
<a name="DomainRelatedErrors"> </a>
10579

10680
## Miscellaneous SSL and ___domain-related authorization errors
107-
<a name="DomainRelatedErrors"> </a>
10881

10982
A mismatch of ___domain names in configuration files and registration forms can prevent authorization. The following four values have to be exactly the same:
110-
11183

84+
- The **Add-in Domain** that is specified when the SharePoint Add-in is registered on AppRegNew.aspx.
11285

113-
114-
- The **Add-in Domain** that is specified when the SharePoint Add-in is registered on AppRegNew.aspx.
115-
116-
117-
- The ___domain under which the remote web application's security certificate is registered.
118-
86+
- The ___domain under which the remote web application's security certificate is registered.
11987

120-
- The ___domain part of the **StartPage** value in the AppManifest.xml file.
121-
88+
- The ___domain part of the **StartPage** value in the AppManifest.xml file.
12289

123-
- The ___domain part of the URLs of any event receivers specified in the AppManifest.xml.
124-
90+
- The ___domain part of the URLs of any event receivers specified in the AppManifest.xml.
12591

12692
In connection with this point, note the following:
127-
12893

129-
94+
- If the remote component of your SharePoint Add-in is using any port other than 443, you must explicitly include the port as part of the ___domain in all four places; for example, `MarketingServer:3333`. (You must use the HTTPS protocol, for which the default port is 443.)
13095

131-
- If the remote component of your SharePoint Add-in is using any port other than 443, you must explicitly include the port as part of the ___domain in all four places; for example, `MarketingServer:3333`. (You must use the HTTPS protocol for which the default port is 443.)
96+
- The ___domain needs to be hardcoded in the **StartPage** value (and any event receiver URLs) of the AppManifest.xml file before the add-in is packaged. If you use the Publish Wizard in Visual Studio to package the add-in, you are prompted for the ___domain, and the Office Developer Tools for Visual Studio inserts it into the **StartPage** value for you (in place of the `~remoteWebUrl` token that is used during debugging. But if you are not using the Publish Wizard, you must manually replace the token with the ___domain (and protocol); for example `https://MarketingServer` or `https://MarketingServer:3333`.
13297

133-
134-
- The ___domain needs to be hardcoded in the **StartPage** value (and any event receiver URLs) of the AppManifest.xml file before the add-in is packaged. If you use the **Publish** wizard in Visual Studio to package the add-in, you will be prompted for the ___domain and the Office Developer Tools for Visual Studio will insert it into the **StartPage** value for you (in place of the `~remoteWebUrl` token that is used during debugging. But if you are not using the **Publish** wizard you must manually replace the token with the ___domain (and protocol); for example `https://MarketingServer` or `https://MarketingServer:3333`.
135-
136-
98+
<a name="DomainRelatedErrors"> </a>
13799

138100
## Runtime error saying that there's no certificate with that serial number
139-
<a name="DomainRelatedErrors"> </a>
140101

141-
If you are sure you have the correct certificate serial number in the web.config and you can see the certificate in the **Windows Certificate Store**, then there may be a hidden extra character in the serial number in the web.config. This will happen if the serial number is copy'n'pasted from the **Microsoft Management Console**. Delete the entire serial number value from the web.config and *manually* retype it.
102+
If you are sure you have the correct certificate serial number in the web.config, and you can see the certificate in the Windows Certificate Store, there may be a hidden extra character in the serial number in the web.config. This happens if the serial number is copied and pasted from the Microsoft Management Console. Delete the entire serial number value from the web.config and *manually* retype it.
142103

143104
## See also
144105
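Review bot: The anchor `<a name="DomainRelatedErrors"> </a>` now precedes both the "Miscellaneous SSL and ___domain-related authorization errors" heading and the "Runtime error saying that there's no certificate with that serial number" heading, so a link to that name cannot reach the second section; give the second anchor its own name. In the 401 section, "**Possible issue and resolution**:" became singular although four bullets follow, and the sentence "(in place of the `~remoteWebUrl` token that is used during debugging." still lacks its closing parenthesis. The `Set-SPAppPrincipalPermission` example grants `-Right FullControl` at `-Scope Site` as a troubleshooting step; consider adding a sentence that tells readers to grant only the right the add-in actually needs.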
