This short article shows you how to get your ASP.NET Web Forms application to run and debug in SharePoint 2013 on-premises.
Search the internet for “Create high-trust apps for SharePoint 2013” and you will find this MSDN article: https://msdn.microsoft.com/en-us/library/office/fp179901.aspx.
Below are the key steps I extracted from the article.
To create a self-signed test .pfx certificate file
1. When you are debugging a high-trust app for SharePoint in Visual Studio, the remote web application is hosted in IIS Express on the machine where Visual Studio is installed. So the remote web application computer doesn’t have an IIS Manager where you can create the certificate. For this reason, you use the IIS on the SharePoint test server to create the certificate. In IIS manager, select the ServerName node in the tree view on the left.
2. Select the Server Certificates icon, as shown in Figure 1.
Figure 1. Server Certificates option in IIS
3. Select the Create Self-Signed Certificate link from the set of links on the right side, as shown in Figure 2.
Figure 2. Create Self-Signed Certificate link
4. Name the certificate HighTrustSampleCert, and then choose OK.
5. Right-click the certificate, and then select Export, as shown in Figure 3.
Figure 3. Exporting a test certificate
6. In Windows, or at a command line, create a folder called C:\Certs.
7. Back in IIS Manager, export the file to C:\Certs and give it a password. In this example, the password is password.
8. If your test SharePoint installation is not on the same computer where Visual Studio is running, create a folder C:\Certs on the Visual Studio computer and move the HighTrustSampleCert.pfx file to it. This is the computer where the remote web application runs when you are debugging in Visual Studio.
To create a corresponding .cer file
1. On the SharePoint server, be sure that the app pool identity for the following IIS app pools have Read rights to the C:\Certs folder:
o The app pool that serves the IIS web site that hosts the parent SharePoint web application for your test SharePoint website. For the SharePoint – 80 IIS website, the pool is called OServerPortalAppPool.
2. In IIS manager, select the ServerName node in the tree view on the left.
3. Double-click Server Certificates.
4. In Server Certificates view, double-click HighTrustSampleCert to display the certificate details.
5. On the Details tab, choose Copy to File to launch the Certificate Export Wizard, and then choose Next.
6. Use the default value No, do not export the private key, and then choose Next.
7. Use the default values. Choose Next.
8. Choose Browse, browse to C:\Certs, name the certificate HighTrustSampleCert, and then choose Save. The certificate is saved as a .cer file.
9. Choose Next.
10. Choose Finish.
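The two procedures above must leave you with one certificate in two forms: the .pfx (with the private key) that the remote web application uses, and the .cer (public part only) that SharePoint will trust. The following check is an added example, not part of the MSDN article; Test-HighTrustCertPair is a hypothetical helper and its default paths are the files exported above.

```powershell
# Added example: confirm the exported .pfx and .cer are the same certificate
# and that only the .pfx carries the private key.
function Test-HighTrustCertPair {
    param(
        [string]$PfxPath = 'C:\Certs\HighTrustSampleCert.pfx',
        [string]$CerPath = 'C:\Certs\HighTrustSampleCert.cer',
        [Parameter(Mandatory = $true)][securestring]$PfxPassword
    )
    $type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $pfx  = New-Object -TypeName $type -ArgumentList $PfxPath, $PfxPassword
    $cer  = New-Object -TypeName $type -ArgumentList $CerPath

    # Accounts with an Allow entry on the folder that holds the private key file.
    $folder  = Split-Path -Path $PfxPath
    $readers = (Get-Acl -Path $folder).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        ThumbprintsMatch = $pfx.Thumbprint -eq $cer.Thumbprint   # same certificate in both files
        PfxHasPrivateKey = $pfx.HasPrivateKey                    # expected: True
        CerHasPrivateKey = $cer.HasPrivateKey                    # expected: False
        SelfSigned       = $cer.Subject -eq $cer.Issuer          # expected: True for this test cert
        NotAfter         = $cer.NotAfter
        Expired          = $cer.NotAfter -lt (Get-Date)
        FolderAllowList  = $readers
    }
}

# Prompt for the export password instead of embedding it in the script.
$result = Test-HighTrustCertPair -PfxPassword (Read-Host 'PFX password' -AsSecureString)
$result | Format-List

if (-not $result.ThumbprintsMatch) {
    Write-Warning 'The .cer and .pfx are different certificates; SharePoint would trust a key the web application does not hold.'
}
if ($result.CerHasPrivateKey -or -not $result.PfxHasPrivateKey) {
    Write-Warning 'Private key is in the wrong file; re-export following the steps above.'
}
```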
Configure SharePoint 2013 to use certificates and configure trust for your app
The Windows PowerShell script that you create in this section is intended to support the use of F5 in Visual Studio. It will not properly configure a staging or production SharePoint installation. For instructions on configuring a production SharePoint to use certificates, see Package and publish high-trust apps for SharePoint 2013.
Double-check that you have completed the steps in Configure services in SharePoint for server-to-server app use (which is listed as a prerequisite for this article). If not, you must configure it now, before you proceed.
To configure SharePoint
1. In a text editor or Windows PowerShell editor, start a new file and add the following lines to it to create a certificate object:
$publicCertPath = "C:\Certs\HighTrustSampleCert.cer"
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($publicCertPath)
2. Add the following line to ensure that SharePoint treats the certificate as a root authority.
New-SPTrustedRootAuthority -Name "HighTrustSampleCert" -Certificate $certificate
3. Add the following line to get the ID of the authorization realm.
$realm = Get-SPAuthenticationRealm
4. Your remote web application will use an access token to get access to SharePoint data. The access token must be issued by a token issuer that SharePoint trusts. In a high-trust app for SharePoint, the certificate is the token issuer. Add the following lines to construct an issuer ID in the format that SharePoint requires: specific_issuer_GUID@realm_GUID.
$specificIssuerId = "11111111-1111-1111-1111-111111111111"
$fullIssuerIdentifier = $specificIssuerId + '@' + $realm
The $specificIssuerId value must be a GUID because in a production environment each certificate must have a unique issuer. However, in this context, where you use the same certificate to debug all your high-trust apps, you can hard code the value. If for any reason, you use a different GUID from the one used here, be sure that any letters in the GUID are lower case. The SharePoint infrastructure currently requires lower case for certificate issuer GUIDs.
5. Add the following lines to register the certificate as a trusted token issuer. The -Name parameter must be unique, so in a production configuration it is common to use a GUID as part (or all) of the name, but in this context you can use a friendly name. The -IsTrustBroker switch is needed to ensure that you can use the same certificate for all the high-trust apps you develop. The iisreset command is required to register your token issuer immediately. Without it, you might have to wait as long as 24 hours for the new issuer to be registered.
New-SPTrustedSecurityTokenIssuer -Name "High Trust Sample Cert" -Certificate $certificate -RegisteredIssuerName $fullIssuerIdentifier -IsTrustBroker
iisreset
6. SharePoint 2013 does not normally accept self-signed certificates. So when you are using a self-signed certificate for debugging, add the following lines to turn off SharePoint’s normal requirement that HTTPS be used when remote web applications call into SharePoint. If you don’t, then you’ll get a 403 (forbidden) message when the remote web application calls SharePoint using a self-signed certificate. You will reverse this step in a later procedure. Turning off the HTTPS requirement means that requests from the remote web application to SharePoint are not encrypted, but the certificate is still used as a trusted issuer of access tokens which is its main purpose in high-trust apps for SharePoint.
$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
$serviceConfig.Update()
7. Save the file with the name HighTrustConfig-ForDebugOnly.ps1.
8. Open the SharePoint Management Shell as an administrator and run the file with the following line:
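Step 6 leaves OAuth over HTTP enabled until it is reversed, and steps 2 and 5 leave a self-signed certificate trusted by the farm. The script below is an added example, not part of the MSDN article and not the run command for step 8: it reports those debug-only settings and, when run without -WhatIf, reverts them. Reset-HighTrustDebugConfig and its parameters are hypothetical; the defaults are the names and issuer GUID used in the steps above.

```powershell
# Added example: find and undo what HighTrustConfig-ForDebugOnly.ps1 configures.
# Run in the SharePoint Management Shell as a farm administrator.
function Reset-HighTrustDebugConfig {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$RootAuthorityName = 'HighTrustSampleCert',
        [string]$TokenIssuerName   = 'High Trust Sample Cert',
        [string]$DebugIssuerGuid   = '11111111-1111-1111-1111-111111111111'
    )

    # 1. OAuth over plain HTTP: requests to SharePoint are not encrypted.
    $sts = Get-SPSecurityTokenServiceConfig
    if ($sts.AllowOAuthOverHttp) {
        Write-Warning 'AllowOAuthOverHttp is enabled on the security token service.'
        if ($PSCmdlet.ShouldProcess('SecurityTokenServiceConfig', 'Set AllowOAuthOverHttp = $false')) {
            $sts.AllowOAuthOverHttp = $false
            $sts.Update()
        }
    }

    # 2. Token issuers registered under the debug name or the hard-coded issuer GUID.
    $issuers = Get-SPTrustedSecurityTokenIssuer | Where-Object {
        $_.Name -eq $TokenIssuerName -or $_.RegisteredIssuerName -like "${DebugIssuerGuid}@*"
    }
    foreach ($issuer in $issuers) {
        Write-Warning "Debug token issuer present: $($issuer.Name) ($($issuer.RegisteredIssuerName))"
        if ($PSCmdlet.ShouldProcess($issuer.Name, 'Remove-SPTrustedSecurityTokenIssuer')) {
            Remove-SPTrustedSecurityTokenIssuer -Identity $issuer -Confirm:$false
        }
    }

    # 3. The self-signed certificate registered as a trusted root authority.
    $roots = Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq $RootAuthorityName }
    foreach ($root in $roots) {
        Write-Warning "Self-signed root authority present: $($root.Name)"
        if ($PSCmdlet.ShouldProcess($root.Name, 'Remove-SPTrustedRootAuthority')) {
            Remove-SPTrustedRootAuthority -Identity $root -Confirm:$false
        }
    }
}

# Report only; drop -WhatIf to apply the changes, then run iisreset.
Reset-HighTrustDebugConfig -WhatIf
```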
Create a high-trust app for SharePoint
In this section, you learn how to create a high-trust app for SharePoint using Visual Studio.
As stated in the Prerequisites for creating high-trust apps section, this article assumes you know how to create a provider-hosted app for SharePoint. For more information, see Get started creating provider-hosted apps for SharePoint.
To create a high-trust app for SharePoint
1. In Visual Studio, choose File, New, Project.
2. In the New Project wizard, expand the Visual C# or Visual Basic node, and then expand the Office/SharePoint node.
3. Choose Apps, and then choose to create an App for SharePoint project.
4. Name the project HighTrustSampleApp.
5. Save the project in a location you choose, and then choose OK.
6. Specify the full URL of the SharePoint developer site. For example, http://TestServer/sites/devsite/
7. Select the Provider-hosted option, and then choose the Next button.
8. If you are prompted to specify the type of web project, select ASP.NET Web Forms Application for the continuing example in this topic, and then choose the Next button.
9. The Configure authentication settings page of the wizard opens. The values that you add to this form will be added to the web.config file automatically. Under How do you want your app to authenticate?, choose Use a certificate.
10. Click the Browse button next to the Certificate location box and navigate to the location of the self-signed certificate (.pfx file) that you created (C:\Certs). The value of this field should be the full path C:\Certs\HighTrustSampleCert.pfx.
11. Type the password for this certificate in the Password box. In this case, it is “password”.
12. Type the issuer ID (11111111-1111-1111-1111-111111111111) in the Issuer ID box.
13. Choose Finish. Much of the configuration is done when the solution opens. Two projects are created in the Visual Studio solution, one for the app for SharePoint and the other for the ASP.NET web application.
After you have done all that, you might hit the error “Error occurred in deployment step ‘Install app for SharePoint’: The System Account cannot perform this action”.
To avoid it, you actually need to do the following before you perform all the steps above.
1. Create a new account in your domain, for example CONTOSO/SPApp_Admin.
2. This account should be a local admin.
3. This account should also be a farm admin. [ A farm administrator can be added from Central Admin -> Site Settings -> People -> Farm Administrator -> Add CONTOSO/SPApp_Admin ]
4. Now log in to your VM / SharePoint dev machine as CONTOSO/SPApp_Admin.
5. You are good to go for deploying the app to your local farm using Visual Studio.