The process of server-to-server authentication involves the validation of the request a server gets for resources. It is based on a trust relationship that is between the STS of the server that runs SharePoint 2013 and the STS of another sever that supports the OAuth server to server protocol. This is a trust relationship so a requesting sever can access the resources that are secured on the SharePoint sever. This is done on behalf of a specific user account. It is also subject to the permissions of a given sever and a given user.
For example, this occurs when a server running Exchange Server 2013 is able to request resources of a server that is running SharePoint 2013 for a specific user account. This is in contrast with app authentication which involves the app not having access to the user account credential information. The user can be signed into the server, making the resource request but it isn’t a requirement. It depends on the specific service and the request being made.
When a server is running SharePoint 2013, there is an attempt to access a resource on a server. The incoming access request has to be authenticated in order for the server to accept the incoming access request and data. With server-to-server authentication, there is verification that the server running SharePoint 2013 and the user that is accessing it in the representation are both trusted.
The token that is used for any server-to-server authentication is a server-to-server token rather than a logon token. This server-to-sever token has information about the server that requests access. It also has information about the user account that the server is acting on the behalf of. With on premises servers, this is an example of how that basic process will occur:
- A user opens a SharePoint web page that requires information from another server.
- SharePoint 2013 generates a server-to-server token.
- SharePoint 2013 sends the server-to-server token to the new sever.
- The other server has to validate the server-to-server token from SharePoint.
- The other server has to send a message to SharePoint 2013. This message indicates that the server-to-server token was valid.
- The service on the server running SharePoint 2013 accesses the data on the server.
- The service on the server running SharePoint 2013 renders the page for the user.
If both servers are running Office 365, this is an example of how that process will occur:
- The user opens a SharePoint web page that requires information from another server.
- SharePoint Online requests and obtains a server to server token from ACS.
- SharePoint Online sends the server to server token to the server for Office 365.
- The server for Office 365 verifies that the identity of the user is correct based on the ACS server to server token.
- The server for Office 365 sends a message to SharePoint Online to state that the token sent through server-to-server has been validated.
- SharePoint Online accesses the data from the server for Office 365.
- SharePoint Online renders the page for the user to access.