SharePoint 2013 - App Authentication Using S2S High Trust


  • A trusted connection between client app and SharePoint Web server
  • Eliminates the need to involve ACS when running apps within private networks
  • Trust between servers is configured using one or more SSL certificates
  • App Server code requires access to public/private key pair of SSL certificate
  • Requires creating S2S Security Token Service on SharePoint Web server(s)

On-premises app authentication is used for setting up High Trust apps that use the server-to-server (S2S) protocol. This is a provider-hosted app deployed in a private network, which eliminates the need to involve ACS for creating authentication tokens. In essence, an S2S trust represents a trusted connection between a client app running on a local app server and the web servers in the SharePoint farm.

S2S (High Trust) - App Only Context

An S2S app obtains its access token by calling the GetS2SAccessTokenWithWindowsIdentity method of the TokenHelper class. For an app-only context, call TokenHelper.GetS2SAccessTokenWithWindowsIdentity and pass null for the WindowsIdentity parameter.

Let’s see how we can actually use the "App Only" policy to elevate user permissions. I have written the following code in the code-behind of TestPage.aspx in the S2S provider-hosted app.


    // Requires: using System; using Microsoft.SharePoint.Client;
    Uri _hostWeb = new Uri(Request.QueryString["SPHostUrl"]);
    // Passing null for the WindowsIdentity parameter yields an app-only access token.
    string appOnlyAccessToken = TokenHelper.GetS2SAccessTokenWithWindowsIdentity(_hostWeb, null);
    // Build a client context that sends the app-only token with every request.
    using (ClientContext clientContext = TokenHelper.GetClientContextWithAccessToken(_hostWeb.ToString(), appOnlyAccessToken))
    {
        List Testlist = clientContext.Web.Lists.GetByTitle("TestList");
        ListItemCreationInformation info = new ListItemCreationInformation();
        Microsoft.SharePoint.Client.ListItem item = Testlist.AddItem(info);
        item["Title"] = "Created S2SApp";
        item["Body"] = "Created from S2S" + DateTime.Now.ToLongTimeString();
        item.Update();
        clientContext.Load(item);
        // The item is created under the app identity, not the signed-in user.
        clientContext.ExecuteQuery();
    }

Deploy the app and then log on as a user who only has read permission to the list. Execute the code and a new item is created even though the user does not have permission to create items in the list. The "Created By" and "Modified By" fields in the list will reflect that it was the SHAREPOINT\App account that was used to create the item.
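Because the app-only call succeeds for any user who can load the page, the app server is the only place left to decide who may trigger it. The following is an added example, not the article's code: it checks the caller's own rights with a user+app token before performing the single app-only write. The class name, the "list readers only" rule and Windows authentication on the app are assumptions.

```csharp
using System;
using System.Web.UI;
using Microsoft.SharePoint.Client;

// Hypothetical code-behind; TokenHelper is the generated helper the article uses.
public partial class GuardedAppOnlyPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Uri hostWeb = new Uri(Request.QueryString["SPHostUrl"]);
        bool userCanRead = false;

        // 1. User+app token: SharePoint checks the signed-in user's rights (and the app's).
        string userToken = TokenHelper.GetS2SAccessTokenWithWindowsIdentity(
            hostWeb, Request.LogonUserIdentity);
        try
        {
            using (ClientContext userCtx = TokenHelper.GetClientContextWithAccessToken(
                hostWeb.ToString(), userToken))
            {
                List list = userCtx.Web.Lists.GetByTitle("TestList");
                userCtx.Load(list, l => l.EffectiveBasePermissions);
                userCtx.ExecuteQuery();
                userCanRead = list.EffectiveBasePermissions.Has(PermissionKind.ViewListItems);
            }
        }
        catch (ServerUnauthorizedAccessException) { /* no access at all: stay false */ }

        if (!userCanRead)
        {
            Response.StatusCode = 403; // assumed rule: only list readers may trigger the write
            return;
        }

        // 2. App-only token (null identity): runs as SHAREPOINT\App, one fixed operation.
        string appOnlyToken = TokenHelper.GetS2SAccessTokenWithWindowsIdentity(hostWeb, null);
        using (ClientContext appCtx = TokenHelper.GetClientContextWithAccessToken(
            hostWeb.ToString(), appOnlyToken))
        {
            List list = appCtx.Web.Lists.GetByTitle("TestList");
            ListItem item = list.AddItem(new ListItemCreationInformation());
            item["Title"] = "Created S2SApp";
            // "Created By" shows only the app account, so record the real requester.
            item["Body"] = "Requested by " + Request.LogonUserIdentity.Name;
            item.Update();
            appCtx.ExecuteQuery();
        }
    }
}
```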

In a previous article, I explored an S2S (High Trust) app example.


This capability is only available to provider-hosted apps, not to SharePoint-hosted apps. In a SharePoint-hosted app, there is full-trust code that is not limited by permissions – it can do anything it wants.