Fabian Williams Blog

Solving problems with SharePoint day and night

How To: Create, Configure, Consume SharePoint 2010 Secure Store in Business Connectivity Services

Synopsis: I have seen quite a bit of confusion out there regarding how to use the Secure Store Service (SSS) in SharePoint 2010. While MSDN does have interesting articles, there has been no Alpha to Omega walkthrough that shows the relationship between the LOB system, the security group representative of the BCS consumers, the BCS access account representative of the credential owner (the Impersonated User), and how to wire it all up in SharePoint Designer 2010. This blog hopefully will dispel all fears about Secure Store and answer an MSDN Forum question while at it.

The blog is broken up into these sections:

  • Prep Work
    • Active Directory Users in Play
      • The Service Account I am selecting as the Impersonated User (Credential Owner)
      • The Security Group where all the people that will consume BCS Data will reside
    • SQL Server Security
      • Who has Access to What
  • Setup
    • Creating & Configuring the Secure Store Object
    • Creating & Configuring the External Content Type in SharePoint Designer 2010
      • Creating External Connection with Secure Store
      • Creating the External Content Type
    • Reviewing the External Content Type (ECT)
    • Reviewing the Security on the ECT
  • Test & Validation
    • Creating an External List derived from the ECT
    • Logging on as a User from the Security Group AND Secured in the permission setting of the ECT
    • Logging on as a User from the Security Group NOT Secured in the permission setting of the ECT

Part 1: Setup

clip_image001

Above: This represents the AD account [appBCSUser] which I will use as the Impersonated User, i.e. the broker, if you will, that connects to the LOB system on behalf of the group of people who should have access to the data but DO NOT have access to the database themselves. This is something your DBA will love, because he/she doesn't end up with a flurry of people holding accounts on the database.

clip_image002

Above: This represents the AD security group [SecureStoreBCSUsers] whose members have (or should have) access to the LOB system. You can of course have several of these for any number of LOB systems. Note here that Fabian and Hardeep are in this list; they will be the test users later on.

clip_image003

Above: Let's go into Central Administration (CA) now and set up our environment.

clip_image004

Above: Click Application Management, then Manage Service Applications.

clip_image005

Above: We are interested in the Secure Store Service, so we click it.

clip_image006

Above: We already have some target applications there from previous labs, but we will create a new one: click New.

clip_image007

Above: We create a Target Application ID [note this can't be changed once committed], a Display Name (which can be the same as the App ID), and so on.

clip_image008

Above: I populate the fields and choose "Group" as my Target Application Type. MSDN has a good explanation as to why you want that over the other options. The long and short of it is that it allows me, in this example, to tie an AD group, FabianLab\SecureStoreBCSUsers, to a single set of credentials, i.e. the FabianLab\appBCSUser account. I'll show a few other options below.

clip_image009

Above: By default it wants to know how you will collect the credentials of the Impersonated User; in my case it is a Windows account, so the default works.

clip_image010

Above: I change it around a bit for kicks by adding the word "Testing" in front of the default text.

clip_image011

Above: Here are a few other options that you can use. SSS is a claims-aware SSO solution and can take in just about any authentication mechanism.

clip_image012

Above: Because I only log on to CA with the farm admin account, I set that as the Target Application Administrator. However, this is where we start to make the app work for our design: in Members, you can see the AD security group I created earlier. This means that I don't have to meddle with the SSS app anymore; I just add people to and remove them from the AD security group.

clip_image013

Above: It processes once I click OK.

clip_image014

Above: Now I have a NEW SSS target application. "But wait," you may ask, "what about the Impersonated User?" We are coming to that…

clip_image015

Above: We click the custom actions available and select SET CREDENTIALS to map the Impersonated User to the group of "allowed users" that we will manage in AD…

clip_image016

Above: Our trusty Silverlight app shows the progress while the dialog pane opens.

clip_image017

Above: The default look of the credential mapping dialog.

clip_image018

Above: I populated the values with the user account mentioned earlier in the AD step.
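The whole of Part 1 can also be scripted from the SharePoint 2010 Management Shell, which makes the mapping repeatable across farms and keeps the broker password out of screenshots. This is an added example and is not part of Fabian's post. It uses the names the post gives (FabianLab\appBCSUser as the credential owner, FabianLab\SecureStoreBCSUsers as the Members group, and the FabianLABSSSMSDNForumQ target application ID that appears in Part 2) and assumes a site URL (http://sp2010.fabianlab.local) and a farm admin account (FabianLab\spfarm), neither of which the post states.

```powershell
# Added example (not from the post): create the Secure Store target application,
# its Windows credential fields, the Administrator / Members claims, and the
# group credential mapping, i.e. the CA steps of Part 1, in one script.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl      = "http://sp2010.fabianlab.local"    # ASSUMED: any site served by the web app that uses the SSS proxy
$farmAdmin    = "FabianLab\spfarm"                  # ASSUMED: the account used to log on to CA
$membersGroup = "FabianLab\SecureStoreBCSUsers"     # from the post: AD group of BCS consumers
$brokerUser   = "FabianLab\appBCSUser"              # from the post: the Impersonated User (credential owner)
$appId        = "FabianLABSSSMSDNForumQ"            # from the post: cannot be renamed once created

# 1. Target application definition. "Group" ties the whole AD group to ONE credential set.
$targetApp = New-SPSecureStoreTargetApplication -Name $appId -FriendlyName $appId -ApplicationType Group

# 2. Credential fields, matching the "Windows User Name / Windows Password" defaults shown in the post.
#    The order here is the order Update-SPSecureStoreGroupCredentialMapping expects for -Values.
$userField = New-SPSecureStoreApplicationField -Name "Windows User Name" -Type WindowsUserName -Masked:$false
$pwdField  = New-SPSecureStoreApplicationField -Name "Windows Password"  -Type WindowsPassword -Masked:$true

# 3. Administrator (farm admin) and Members (the AD group) as claims principals.
$adminClaim   = New-SPClaimsPrincipal -Identity $farmAdmin    -IdentityType WindowsSamAccountName
$membersClaim = New-SPClaimsPrincipal -Identity $membersGroup -IdentityType WindowsSecurityGroupName

$ssApp = New-SPSecureStoreApplication -ServiceContext $siteUrl `
    -TargetApplication $targetApp `
    -Fields $userField, $pwdField `
    -Administrator $adminClaim `
    -CredentialsOwnerGroup $membersClaim

# 4. "Set Credentials": map every member of the group to the broker account.
#    Prompt for the password at run time rather than embedding it in the script.
$brokerUserSecure = ConvertTo-SecureString $brokerUser -AsPlainText -Force
$brokerPwdSecure  = Read-Host "Password for $brokerUser" -AsSecureString
Update-SPSecureStoreGroupCredentialMapping -Identity $ssApp -Values $brokerUserSecure, $brokerPwdSecure

# 5. Confirm the target application now exists in this service context.
Get-SPSecureStoreApplication -ServiceContext $siteUrl -Name $appId | Format-List
```

The values passed to Update-SPSecureStoreGroupCredentialMapping must be in the same order as the fields given to New-SPSecureStoreApplication, otherwise the user name lands in the password slot and the "failed to retrieve credentials" style errors are hard to diagnose. Because the mapping is a group mapping, adding or removing people from FabianLab\SecureStoreBCSUsers is the only ongoing administration the SSS side needs.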

Part 2: Validation and Testing


clip_image001[4]

Above: In SQL Server you can clearly see that the only account with access to the database "FabianPlayPen" is the AD user mentioned above.

clip_image002[4]

Above: We create a new External Content Type by giving it a name and selecting an External System to define our connectivity.

clip_image003[4]

Above: We choose SQL Server from the list of choices.

clip_image004[4]

Above: We define our SSO connection. One note here, in full disclosure: I had tried a few times to make this work and made a typo, so I re-did my SSS target application and called it FabianLABSSSMSDNForumQ instead of the name I had used before, but the steps are the same.

clip_image005[4]

Above: Here you may or may not get challenged for credentials when you click OK. The credentials you enter here are (or should be) your own, assuming that you are in the security group that is mapped to the Impersonated User. If not, then you need an account that is in that security group.

clip_image006[4]

Above: Once completed you will be able to connect to your LOB system, expand it, and perform any operation allowed to you.

clip_image007[4]

Above: In our instance, let's just create all the operations (full CRUD).

clip_image008[4]

Above: Validation that it is complete.

clip_image009[4]

Above: Click the “Save” button to push the ECT up to the BDC Metadata Store.

clip_image010[4]

Above: Now we can check a place where a lot of gotchas happen. One may assume that because you have access to the LOB system via the Impersonated User and the group mapping, you are done. You'd be wrong: you also NEED permission to use the ECT itself. I already have mine set up by default under "Set Store Permission" to add myself, the search account, and my service account. You may want to put your security group here to make it seamless, but because I am doing demos and want it to break depending on my use case, I leave it fluid.

clip_image011[4]

Above: To do that, click the custom actions and select "Set Permissions".

clip_image012[4]

Above: Do your business here by adding the users you want to have access. Note that Hardeep doesn't have access here, even though he IS a member of the security group.
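The gotcha above is the second, independent access check: the Secure Store mapping decides whose requests get the broker credentials, and the BDC permissions on the ECT decide who may execute it at all. Granting the ECT permission to the same AD security group makes membership in that group the single switch. This is an added example, not from the post: it assumes the ECT name and namespace (placeholders, since the post never shows them) and the same assumed site URL as before; the group name comes from the post.

```powershell
# Added example (not from the post): grant the BCS consumer group Execute on the
# External Content Type from the SharePoint 2010 Management Shell, which is the
# scripted equivalent of "Set Permissions" in the BDC service application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl      = "http://sp2010.fabianlab.local"   # ASSUMED site URL (service context for the BDC proxy)
$ectNamespace = "http://sp2010.fabianlab.local"   # PLACEHOLDER: namespace shown on the ECT in SharePoint Designer
$ectName      = "<ECT name>"                      # PLACEHOLDER: the ECT created in Part 2
$membersGroup = "FabianLab\SecureStoreBCSUsers"   # from the post
$listCreator  = "FabianLab\fabian"                # ASSUMED: the person who builds External Lists from this ECT

# Locate the ECT (BDC "Entity") in the metadata store.
$ect = Get-SPBusinessDataCatalogMetadataObject -ServiceContext $siteUrl `
    -BdcObjectType Entity -Name $ectName -Namespace $ectNamespace

# The consumer group only needs Execute: that is enough to read and write through an External List.
$groupClaim = New-SPClaimsPrincipal -Identity $membersGroup -IdentityType WindowsSecurityGroupName
Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $groupClaim -Right Execute

# Whoever creates External Lists from the ECT additionally needs SelectableInClients;
# Edit and SetPermissions stay with the administrators who own the model.
$creatorClaim = New-SPClaimsPrincipal -Identity $listCreator -IdentityType WindowsSamAccountName
Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $creatorClaim -Right Execute, SelectableInClients
```

With this in place, Hardeep's case in the screenshot above (in the AD group, not on the ECT) can no longer happen by accident, and removing someone from FabianLab\SecureStoreBCSUsers cuts both the credential mapping and the ECT permission at once. The reverse case still holds: a user who is granted on the ECT but is not in the group gets "Access is denied" from the Secure Store when the credentials are retrieved.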

clip_image013[4]

Above: Once done, we can create our External List by choosing the ECT we just created.

clip_image014[4]

Above: Commit it to the system and cross your fingers… Voilà!


Part 3: UAT

clip_image015[4]

Above: Logged on as me: the list renders.

clip_image016[4]

Above: Logged on as Hardeep, who is in the security group but not in the ECT permissions.


Conclusion

Hopefully this helps you understand the mechanism of SSS; a lot more can be done in code using Visual Studio. Have fun, all. Your comments and reposts are welcome.


April 16, 2010 - Posted by | Business Connectivity Services, Secure Store, SharePoint 2010, SharePoint Administration, SharePoint Designer 2010, SharePoint Development, SharePoint How-To, SQL Server |

23 Comments »

  1. Just want to say what a great blog you got here!
    I’ve been around for quite a lot of time, but finally decided to show my appreciation of your work!

    Thumbs up, and keep it going!

    Cheers
    Christian, iwspo.net

    Comment by Toowhewly | May 16, 2010 | Reply

    • I appreciate the feedback, please spread the word… more blogs to come

      Comment by fabiangwilliams | May 28, 2010 | Reply

  2. Beautiful start to finish on SSS, Fabian. First complete post on the topic I’ve seen to date.

    Comment by Scott Morrison | May 27, 2010 | Reply

    • Thanks Scott, I have been traveling so much that I haven't posted in a while, but I will this weekend on Managed Metadata, Term Store etc.. stay tuned.. appreciate the feedback, spread the word

      Comment by fabiangwilliams | May 28, 2010 | Reply

  3. Thank you very much for posting this! Fantastic walkthrough.

    Comment by Asher | June 3, 2010 | Reply

  4. Hi Fabian! how do you do this when modeling with Visual Studio? When I edit the BDC model XML manually and add the SecondarySsoApplicationId and SsoProviderImplementation properties, and then deploy, i keep getting an error in the logs saying “The property with name ‘secondaryssoapplicationid’ is missing on the lobsysteminstance”.

    Comment by Phil Wicklund | June 4, 2010 | Reply

    • Phil, maybe I don't understand what you are saying. When I do my BCS in Visual Studio I use LINQ to SQL to make my data connectivity, and that handles my security context to the data store. Are you saying you want to use another data connectivity method (Secure Store Object Model) to do that? And how?

      Comment by fabiangwilliams | June 4, 2010 | Reply

      • Hi Fabian, do you know any solution for code-based (Visual Studio) access using Secure Store? I have implemented a BCS model using Visual Studio with LINQ to SQL to access the database, but I want to use Secure Store credentials in my LINQ to SQL connection. Thanks

        Comment by Satya Kanithi | October 14, 2010

      • You can certainly code against it. I don't have anything I can share with the public on that one mate, but it could be out there.

        Comment by fabiangwilliams | October 16, 2010

  5. Hi Fabian

    Any ideas as to how I can re-create the Secure Store Service Proxy? It seems that in our farm, someone removed it.
    Thank you

    Comment by Tomas | June 8, 2010 | Reply

    • There are PowerShell commands for that; see Spence Harbar's blog.. or Darin Bishop, or Todd Klindt

      Comment by fabiangwilliams | June 9, 2010 | Reply

  6. Great explanation with easy to follow steps.

    Job well done.

    By the way, I linked to this blog from my site.

    Comment by Tony Yin | June 9, 2010 | Reply

    • Thank you Tony, please feel free to spread the word however you see fit… Cheers mate

      Comment by fabiangwilliams | June 9, 2010 | Reply

  7. Followed the instructions, getting an error when trying to view the external list:

    soap:ServerException of type ‘Microsoft.SharePoint.SoapServer.SoapServerException’ was thrown.An error has occurred.

    Server application event log says:

    Secure Store Service Error

    The Microsoft Secure Store Service application Secure Store Service failed to retrieve credentials. The error returned was ‘Access is denied.’. For more information, see the Microsoft SharePoint Products and Technologies Software Development Kit (SDK).

    Any help would be greatly appreciated.

    Thanks
    Chris

    Comment by Christopher Fitzgerald | June 21, 2010 | Reply

    • Ok, well if you went all the way through and got that error then I would first check the permissions on the ECT in CA. Make sure the user that is logged on has the requisite permission at the ECT level regardless of what he/she has on the LOB system.

      Comment by fabiangwilliams | June 26, 2010 | Reply

  8. Fabian ,You are the best …

    Comment by umar | June 28, 2010 | Reply

    • It takes a community, thanks for the accolade.

      Comment by fabiangwilliams | June 30, 2010 | Reply

  9. How do you store a SQL Server Account and Password in the Secure Store (instead of an AD account)?

    Comment by J.P. | July 15, 2010 | Reply

    • It's the same process except it is not a Windows user name and password

      Comment by fabiangwilliams | July 16, 2010 | Reply

  10. Is there a way to setup a series of tables, or do they have to be done one by one? I have a database with a lot of lookup tables, and setting this up for each table seems a bit daunting….is there an easier way?

    Comment by S.P. | October 8, 2010 | Reply

    • I'm not sure I understand your question, please rephrase with more detail if you can.

      Comment by fabiangwilliams | October 16, 2010 | Reply

  11. Hi Fabian,

    Thanks for a great post!

    I went through your steps and created everything.
    One thing I do not completely understand:

    If I understand correctly you have to add users/set permissions on two occasions, right?:
    1. in the user group (AD)
    2. for the External Content Type (Central Admin)

    However, only the latter seems to be of relevance.
    For if I remove the logged-in user from the AD group he still has access to the External List?!

    Therefore: what is the relevance of adding the user to the AD group?

    Cheers,

    Waldemar

    Comment by Waldemar | November 2, 2010 | Reply

  12. Can I configure it if I don’t have Active Directory?
    I’m using windows administrator account to connect to database. I added Windows user account which I use to log in to a SharePoint site.
    In SSS, I set Target Application Type to Group. I added All Users (windows) to Members (later I also added All Authenticated Users).
    Finally, I set my Target Application Credentials to windows administrator because this is the account which has access to my database.

    When I try to add connection in SharePoint Designer, I get an error: Access denied by Business Data Connectivity.

    Do you know how to fix it or there’s no way without AD?

    Comment by mateuszorlowski | November 3, 2010 | Reply

