
SharePoint 2013 App Authentication Using S2S High Trust


– A trusted connection between client app and SharePoint Web server
– Eliminates the need of involving ACS when running apps within private networks
– Trust between servers is configured using one or more SSL certificates
– App Server code requires access to public/private key pair of SSL certificate
– Requires creating S2S Security Token Service on SharePoint Web server(s)


On-premises app authentication is used for setting up High Trust apps that use the server-to-server (S2S) protocol. A High Trust app is a provider-hosted app deployed in a private network, which eliminates the need to involve ACS for creating authentication tokens. In essence, an S2S trust represents a trusted connection between a client app running on a local app server and the web servers in the SharePoint farm.

S2S (High Trust) – App Only Context:
An S2S app obtains its access token by calling the GetS2SAccessTokenWithWindowsIdentity method of the TokenHelper class. For an app-only context, call TokenHelper.GetS2SAccessTokenWithWindowsIdentity and pass null for the WindowsIdentity parameter.


Let’s see how we can actually use the “App Only” policy to elevate user permissions. I have written the following code in the code-behind of TestPage.aspx in the S2S provider-hosted app.

// Requires: using System; using Microsoft.SharePoint.Client;
// Host web URL that SharePoint appends to the app's query string.
Uri _hostWeb = new Uri(Request.QueryString["SPHostUrl"]);
// Passing null for the WindowsIdentity requests an app-only token.
string appOnlyAccessToken = TokenHelper.GetS2SAccessTokenWithWindowsIdentity(_hostWeb, null);
using (ClientContext clientContext = TokenHelper.GetClientContextWithAccessToken(_hostWeb.ToString(), appOnlyAccessToken))
{
    List Testlist = clientContext.Web.Lists.GetByTitle("TestList");
    ListItemCreationInformation info = new ListItemCreationInformation();
    Microsoft.SharePoint.Client.ListItem item = Testlist.AddItem(info);
    item["Title"] = "Created S2SApp";
    item["Body"] = "Created from S2S" + DateTime.Now.ToLongTimeString();
    // Queue the update, then send the batch to the server.
    item.Update();
    clientContext.Load(item);
    clientContext.ExecuteQuery();
}

Deploy the app and then log on as a user who only has read permission to the list. Execute the code and a new item is created even though the user does not have permission to create items in the list. The “Created By” and “Modified By” fields in the list will reflect that it was the SHAREPOINT\App account that was used to create the item.
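Because the app-only call succeeds regardless of the signed-in user's list permissions, and SPHostUrl is read from the query string, the app itself has to decide which host webs and which users may reach that code path. The following is an added example, not code from the original post: the AppOnlyGuard class, the host names and the CONTOSO\TestListSubmitters group are hypothetical, and it assumes the farm is served over HTTPS and the app uses Windows authentication.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example: gate the app-only call behind checks made by the app itself.
public static class AppOnlyGuard
{
    // Assumption: host names of the farm's web applications (constructed values).
    private static readonly HashSet<string> TrustedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "sharepoint.contoso.local",
            "intranet.contoso.local"
        };

    // Assumption: a Windows group whose members may trigger the elevated write.
    private const string AllowedRole = @"CONTOSO\TestListSubmitters";

    // SPHostUrl arrives in the query string, so treat it as untrusted input:
    // absolute HTTPS URL, no embedded credentials, host on the allow-list.
    public static bool TryGetTrustedHostWeb(string rawUrl, out Uri hostWeb)
    {
        hostWeb = null;
        Uri candidate;
        if (string.IsNullOrWhiteSpace(rawUrl) ||
            !Uri.TryCreate(rawUrl, UriKind.Absolute, out candidate))
            return false;
        if (candidate.Scheme != Uri.UriSchemeHttps ||
            candidate.UserInfo.Length != 0 ||
            !TrustedHosts.Contains(candidate.Host))
            return false;
        hostWeb = candidate;
        return true;
    }

    // SharePoint does not check the user's list permissions on an app-only
    // call, so the app decides who may reach the elevated code path.
    public static bool MayUseAppOnly(IPrincipal user)
    {
        return user != null && user.Identity != null &&
               user.Identity.IsAuthenticated && user.IsInRole(AllowedRole);
    }
}

// In TestPage.aspx.cs, before requesting the token:
//   Uri hostWeb;
//   if (!AppOnlyGuard.TryGetTrustedHostWeb(Request.QueryString["SPHostUrl"], out hostWeb)
//       || !AppOnlyGuard.MayUseAppOnly(User)) { Response.StatusCode = 403; return; }
//   string token = TokenHelper.GetS2SAccessTokenWithWindowsIdentity(hostWeb, null);
```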

This capability is only available to provider-hosted apps, not to SharePoint-hosted apps. In a SharePoint-hosted app, there is Full trust code that is not limited by permissions – it can do anything it wants.


About Sagar Pardeshi

I am a developer working on Microsoft technologies for the past 6+ years. I am very passionate about programming, and my core skills are SharePoint, ASP.NET & C#, jQuery, JavaScript, REST. I am running this blog to share my experience & learning with the community. I am an MCP, MCTS .NET & SharePoint 2010, MCPD SharePoint 2010, and MCSD HTML 5, SharePoint 2013 Core Solutions. I am currently working on SharePoint 2010, MOSS 2007, SharePoint 2013, SharePoint 2013 App Dev, C#, ASP.NET, and SQL Server 2008.
