Plan server-to-server authentication
Applies to: SharePoint Online, SharePoint Server 2013
Topic Last Modified: 2016-03-28
Summary: Plan and prepare to configure server-to-server authentication from SharePoint Server 2013 to Office 365.
Server-to-server authentication enables your SharePoint Server 2013 farm to consume content and resources from your Office 365 tenant. For example, search can be configured to allow federated users to see both SharePoint Server 2013 and SharePoint Online search results in a SharePoint Server 2013 search portal.
Before using this topic, you should read Overview of hybrid SharePoint 2013 for technical decision makers.
The two major things that you need to plan for when configuring server-to-server authentication between SharePoint Server 2013 and Office 365 are:
Your web application configuration
The STS certificate of the on-premises SharePoint farm
Web application configuration
This section helps you plan how to configure your SharePoint Server 2013 web application to support hybrid functionality.
Outbound requests to SharePoint Online can be made from any web application in the on-premises SharePoint farm that uses Integrated Windows authentication using NTLM.
If your existing web application is not configured to use Integrated Windows authentication using NTLM, you must either create a new web application or extend your existing web application, and configure the new one to use Integrated Windows authentication using NTLM.
If you have to create or extend a web application for hybrid functionality, you have two choices:
Extend an existing web application to connect to an existing content database. This creates a new website in Internet Information Services (IIS) with a unique URL and authentication configuration. The extended web application can be used to access the same site collections and content as the original web application by using the new URL.
This is the best choice if you want users to go to an enterprise search portal in an existing site collection to use hybrid search.
Create a new web application and a new content database. This creates a new web application that has a new, empty content database in which you can create a new site collection with an enterprise search portal.
This is the best choice if you want users to go to an enterprise search portal in a new site collection to use hybrid search.
The web application must be claims-based and use Integrated Windows authentication using NTLM. This is what allows the SharePoint Authentication service to build claims for the signed-in user and pass them to SharePoint Online using OAuth.
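The following PowerShell is an added example, not part of the original article. It audits every web application and zone in the on-premises farm against the requirement above (claims-based, Integrated Windows authentication using NTLM) and then shows the first option, extending an existing web application into a new zone that uses NTLM. The web application identity, zone name and URLs are placeholders; run it in the SharePoint 2013 Management Shell as a farm administrator.

```powershell
# Added example (not from the original article). Audits web application
# authentication per zone against the hybrid requirement, then extends an
# existing web application with an NTLM zone. Placeholders: intranet.contoso.local,
# hybrid.contoso.local and the zone name are assumptions for illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPHybridWebApplicationAuth {
    foreach ($wa in Get-SPWebApplication) {
        foreach ($zone in $wa.IisSettings.Keys) {
            $iis = $wa.IisSettings[$zone]

            # Claims-based zones carry their providers in ClaimsAuthenticationProviders.
            # A Windows provider with DisableKerberos = $true is what Central
            # Administration shows as "NTLM"; $false is "Negotiate (Kerberos)".
            $windowsProviders = @($iis.ClaimsAuthenticationProviders |
                Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPWindowsAuthenticationProvider] })

            if ($windowsProviders.Count -gt 0) {
                $ntlm = @($windowsProviders | Where-Object { $_.DisableKerberos }).Count -gt 0
            } else {
                # Classic-mode zones expose the same settings directly on SPIisSettings.
                $ntlm = $iis.UseWindowsIntegratedAuthentication -and $iis.DisableKerberos
            }

            [pscustomobject]@{
                WebApplication = $wa.DisplayName
                Zone           = $zone
                Url            = $wa.GetResponseUri($zone).AbsoluteUri
                ClaimsBased    = $wa.UseClaimsAuthentication
                WindowsNtlm    = $ntlm
                # Hybrid needs both: a claims web application and an NTLM Windows provider.
                HybridReady    = ($wa.UseClaimsAuthentication -and $ntlm)
            }
        }
    }
}

Test-SPHybridWebApplicationAuth | Format-Table -AutoSize

# Option 1 from the text: extend an existing web application into a new zone
# with its own URL that uses Integrated Windows authentication using NTLM.
# The existing site collections and content are reachable through the new URL.
$ntlmProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos
New-SPWebApplicationExtension -Identity "http://intranet.contoso.local" `
    -Name "Intranet - Hybrid zone" -Zone Intranet -URL "https://hybrid.contoso.local" `
    -Port 443 -SecureSocketsLayer -AuthenticationProvider $ntlmProvider
```

Zones that report HybridReady = False are either classic-mode web applications (which need to be migrated or replaced with a claims web application) or claims web applications whose Windows provider negotiates Kerberos; in both cases the fix is one of the two choices listed above, not a change to the existing zone's provider on a live URL.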
For more information about how to create a claims-based web application, see Create claims-based web applications in SharePoint 2013.
For more information about how to extend a web application, see Extend claims-based web applications in SharePoint 2013.
For more information about site collections, see Overview of sites and site collections in SharePoint 2013.
STS certificate
With the exception of hybrid OneDrive for Business, all hybrid SharePoint Server solutions require you to replace the default STS certificate.
The Security Token Service (STS) of the on-premises SharePoint farm uses a certificate to sign the tokens it issues and to validate incoming tokens. In a SharePoint hybrid environment, Azure AD treats the on-premises STS as a trusted token signing service: the STS signs its server-to-server tokens with the private key of the STS certificate, and Azure AD is given the public certificate so that it can validate them. Azure AD can't use the default STS certificate that SharePoint Server generates at installation for this purpose, so it must be replaced.
Therefore, you must replace the default STS certificate on each server in the on-premises SharePoint farm with one of the following:
A certificate issued by a public certification authority (CA) that’s trusted by Azure Active Directory
A self-signed certificate
Best practice: Always use a certificate from a CA in a production environment. Self-signed certificates should be used only for test and pilot environments.
You'll replace the default STS certificate later, when you configure the identity management infrastructure.
If you choose to use a self-signed certificate, it is created during the deployment configuration. The steps for creating a self-signed certificate are included in Configure server-to-server authentication from SharePoint Server 2013 to SharePoint Online.
If you choose a CA-issued certificate, obtain it before you begin the configuration process. Because the same certificate is imported into the STS on every server in the farm, request it with an exportable private key so that it can be exported as a .pfx file and installed on each server.
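The following PowerShell is an added example, not part of the original article, for the preflight check a farm administrator would want before the certificate replacement step: it reports whether the farm is still on a self-signed STS certificate, when the certificate expires, and whether its private key can be exported for installation on the other servers, and it produces the Base64-encoded public certificate that is handed to Azure AD (the private key never leaves the farm). The subject-name test for the installation default is an assumption; verify it against your own farm. Run it in the SharePoint 2013 Management Shell as a farm administrator.

```powershell
# Added example (not from the original article): preflight check of the current
# STS signing certificate before it is replaced for hybrid configuration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPStsCertificateReport {
    $stsConfig = Get-SPSecurityTokenServiceConfig
    $cert = $stsConfig.LocalLoginProvider.SigningCertificate

    # A certificate whose subject equals its issuer is self-signed. The certificate
    # SharePoint creates at installation is self-signed; the subject name below is
    # an assumption used only to flag the likely installation default.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $likelyInstallDefault = $selfSigned -and ($cert.Subject -like 'CN=SharePoint Security Token Service*')

    # The private key must be exportable so the same certificate can be imported
    # into the STS on every server in the farm. Only readable for CSP-backed RSA keys.
    $exportable = $null
    if ($cert.HasPrivateKey -and
        $cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable
    }

    [pscustomobject]@{
        Thumbprint           = $cert.Thumbprint
        Subject              = $cert.Subject
        Issuer               = $cert.Issuer
        NotAfter             = $cert.NotAfter
        DaysUntilExpiry      = [int]($cert.NotAfter - (Get-Date)).TotalDays
        SelfSigned           = $selfSigned
        LikelyInstallDefault = $likelyInstallDefault
        PrivateKeyExportable = $exportable
        # A CA-issued certificate is expected in production (see best practice above).
        ProductionReady      = (-not $selfSigned) -and ($cert.NotAfter -gt (Get-Date))
    }
}

function Export-SPStsPublicCertificateBase64 {
    # Azure AD only needs the public certificate to verify tokens. Exporting with
    # X509ContentType::Cert yields the DER-encoded certificate without the private
    # key; the Base64 string is the form the Azure AD credential cmdlets accept.
    $cert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [Convert]::ToBase64String($der)
}

Get-SPStsCertificateReport | Format-List
Export-SPStsPublicCertificateBase64 | Out-File -FilePath "$env:TEMP\sts-public.b64"
```

Record the NotAfter date in your certificate inventory: once the STS certificate expires, tokens signed with it stop validating and the hybrid features described on this page fail until the certificate is renewed both on the farm and in Azure AD.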