ON-PREMISES APP AUTHENTICATION WITH S2S

In some situations an organization might need its SharePoint environment and solutions to be purely on-premises. This could be for security reasons, for technical reasons such as a disconnected network, or simply because on-premises solutions are company policy. In these situations, Office 365, Azure Access Control Services (ACS), and apps hosted in Azure are not an option. The alternative is to host the apps on premises alongside the SharePoint sites and to use Server-to-Server (S2S) authentication. S2S removes the reliance on ACS: SharePoint itself acts as the Security Token Service (STS), and predefined certificates are used to sign and verify the tokens that are generated. S2S uses extensions to the OAuth 2.0 protocol that (at the time of this writing) are not part of the OAuth 2.0 standard but have been submitted by Microsoft for future inclusion.

Applications that run using S2S are also called “high-trust” apps. A high-trust app must authenticate users itself, rather than receiving a trusted identity in the context token that SharePoint passes to it. Typically, the application authenticates the user with Windows Authentication (NTLM) or a similar scheme. Such apps are considered “high trust” because SharePoint trusts the application: it trusts that the app has authenticated the user and correctly identified the user context it passes with each API call.

Part of ...
