
Plan for server-to-server authentication in SharePoint 2013

Published: July 16, 2012

Summary: Learn how to plan for server-to-server authentication in SharePoint 2013.

Applies to:  SharePoint Foundation 2013 | SharePoint Server 2013 Standard | SharePoint Server 2013 Enterprise 

Server-to-server authentication allows servers that are capable of server-to-server authentication to access and request resources from one another on behalf of users. Servers that are capable of server-to-server authentication run SharePoint 2013, Exchange Server 2013, Lync Server 2013, Azure Workflow Service, or other software that supports the Microsoft server-to-server protocol. Server-to-server authentication enables a new set of functionality and scenarios, such as the eDiscovery features described in What's new in eDiscovery in SharePoint Server 2013, that are achieved through cross-server resource sharing and access.

To provide the requested resources from another server that can perform server-to-server authentication, the server that runs SharePoint 2013 must do the following:

  • Verify that the requesting server is trusted. To authenticate the requesting server, you must configure the server that runs SharePoint 2013 to trust the server that is sending it requests. This is a one-way trust relationship.

  • Verify that the type of access that the server is requesting is authorized. To authorize the access, you must configure the server that runs SharePoint 2013 for the appropriate set of permissions for the requested resources.

Note that the server-to-server authentication protocol in SharePoint 2013 is separate from user authentication and is not used as a sign-in authentication protocol by SharePoint users. The server-to-server authentication protocol, which uses the Open Authorization (OAuth) 2.0 protocol, does not add to the set of user sign-on protocols, such as WS-Federation. There are no new user authentication protocols in SharePoint 2013. The server-to-server authentication protocol does not appear in the list of identity providers.

For information about how to plan for the User Profile application service for server-to-server authentication, see Server-to-server authentication and user profiles in SharePoint Server 2013.

Introduction

Planning for server-to-server authentication consists of the following tasks:

Important:

The web applications that include server-to-server authentication endpoints (for incoming server-to-server requests) or that make outgoing server-to-server requests to other servers must be configured to use Secure Sockets Layer (SSL). Server-to-server requests carry OAuth 2.0 access tokens, and SSL is what protects those tokens from being read or replayed in transit.

Note:

You only have to plan for server-to-server authentication on a server that runs SharePoint 2013 if you are configuring one or more server-to-server scenarios that require its use.

Identify the set of trust relationships

From the perspective of a server that runs SharePoint 2013, a trust relationship with another server that can perform server-to-server authentication consists of the following:

  • The server that runs SharePoint 2013 trusts requests from a server that can perform server-to-server authentication (incoming to the server that runs SharePoint 2013).

    This requires configuration on the server that runs SharePoint 2013 so that it trusts the requesting server.

  • The server that can perform server-to-server authentication trusts requests from a server that runs SharePoint 2013 (outgoing from the server that runs SharePoint 2013).

    This requires configuration on the server that can perform server-to-server authentication so that it trusts the requesting server that runs SharePoint 2013.

For each farm that runs SharePoint 2013, make a list of the servers that are capable of server-to-server authentication and that will receive incoming requests, based on the server-to-server scenarios that involve the farm. There are two cases of server-to-server authentication relationships to examine.

Case 1: Farms are on-premises

If the farm that can perform server-to-server authentication is on-premises, you must configure the trust on the farm that runs SharePoint 2013. Use the New-SPTrustedSecurityTokenIssuer Windows PowerShell cmdlet to register the JavaScript Object Notation (JSON) metadata endpoint of the server that can perform server-to-server authentication with the server that runs SharePoint 2013; SharePoint reads the issuer name and signing certificate from that endpoint. If the server that can perform server-to-server authentication is another server that runs SharePoint 2013, the JSON metadata endpoint is in the format: https://<HostName>/_layouts/15/metadata/json/1.
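The following Windows PowerShell script is an added example and is not part of the original article. It puts the SSL requirement from the Important note and the Case 1 trust configuration together, as run from the SharePoint 2013 Management Shell on the farm that will receive requests: it flags web applications that are not on SSL, confirms the remote metadata endpoint is reachable over HTTPS with a trusted certificate, creates the trust with New-SPTrustedSecurityTokenIssuer, and then lists the result. The remote host name (sp-farm-b.contoso.com) and the trust name are assumptions; the script also assumes the remote server is another SharePoint 2013 farm, so its metadata endpoint uses the /_layouts/15/metadata/json/1 path described above.

```powershell
# Added example, not from the original TechNet article.
# Run in the SharePoint 2013 Management Shell on a server in the farm that will
# RECEIVE server-to-server requests (Case 1: both farms are on-premises).
# Assumed values: $RemoteHost, $TrustName. The endpoint path assumes the remote
# server is another SharePoint 2013 farm.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$RemoteHost       = "sp-farm-b.contoso.com"   # assumed host name of the trusted farm
$TrustName        = "Farm B S2S trust"        # assumed display name for the trust
$MetadataEndpoint = "https://$RemoteHost/_layouts/15/metadata/json/1"

# 1. Precondition from the article: every web application that exposes or makes
#    server-to-server calls must use SSL. Warn about any web application whose
#    default URL is plain HTTP so it can be fixed before the trust is created.
$nonSsl = Get-SPWebApplication | Where-Object { $_.Url -notlike "https://*" }
if ($nonSsl) {
    $nonSsl | ForEach-Object {
        Write-Warning ("Web application '{0}' is not on SSL: {1}" -f $_.DisplayName, $_.Url)
    }
}

# 2. Confirm the remote metadata endpoint is reachable over HTTPS and returns JSON.
#    Invoke-WebRequest validates the server certificate; a failure here normally
#    means the remote farm's SSL certificate (or its issuing CA) is not trusted on
#    this server, which has to be resolved before New-SPTrustedSecurityTokenIssuer
#    can read the endpoint.
try {
    $response = Invoke-WebRequest -Uri $MetadataEndpoint -UseBasicParsing
    $null = $response.Content | ConvertFrom-Json   # throws if the body is not JSON
    Write-Host "Metadata endpoint reachable over SSL: $MetadataEndpoint"
} catch {
    throw "Cannot retrieve $MetadataEndpoint over SSL: $($_.Exception.Message)"
}

# 3. Register the remote farm as a trusted security token issuer. SharePoint
#    downloads the issuer identifier and signing certificate from the endpoint.
#    The check keeps the script safe to re-run.
$existing = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $TrustName }
if (-not $existing) {
    New-SPTrustedSecurityTokenIssuer -Name $TrustName -MetadataEndPoint $MetadataEndpoint
} else {
    Write-Host "Trust '$TrustName' already exists; leaving it unchanged."
}

# 4. Review the resulting trust.
Get-SPTrustedSecurityTokenIssuer |
    Where-Object { $_.Name -eq $TrustName } |
    Format-List Name, RegisteredIssuerName, MetadataEndPoint
```

The trust this creates is one-way, as the article says: it only lets this farm accept requests from the remote farm. If the remote farm is also SharePoint 2013 and must accept requests in the other direction, run the same script there with $RemoteHost pointing at this farm's host name.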

Case 2: Farms are part of an Office 365 tenancy

If the farm that runs SharePoint 2013 and the other server that can perform server-to-server authentication are both part of an Office 365 tenancy, no additional configuration for server-to-server authentication is needed.

After you determine the set of servers that require server-to-server authentication, see Configure server-to-server authentication in SharePoint 2013 to configure the server-to-server trust relationships.

© 2014 Microsoft