Synopsis: I have seen quite a bit of confusion out there regarding how to use the SharePoint 2010 Secure Store Service. While MSDN does have interesting articles, there has been no alpha-to-omega walkthrough that shows the relationship between the LOB system, the security group representing the BCS consumers, the BCS access account representing the Credential Owner [Impersonated User], and how to wire it all up in SharePoint Designer 2010. This blog post will hopefully dispel all fears about Secure Store and answer an MSDN Forum question while at it.
UPDATE: On 10/14/2012 I added another blog post series that extends this post to SharePoint 2013, employing WCF, .NET Assembly and OData with SharePoint Apps; see it HERE.
This post is broken up into the following sections:
- Prep Work
  - Active Directory Users in Play
    - The Service Account I am selecting as the Impersonated User (Credential Owner)
    - The Security Group where all the people who will consume BCS data will reside
  - SQL Server Security
    - Who has access to what
- Setup
  - Creating & Configuring the Secure Store Object
  - Creating & Configuring the External Content Type in SharePoint Designer 2010
    - Creating the External Connection with Secure Store
    - Creating the External Content Type
    - Reviewing the External Content Type (ECT)
    - Reviewing the Security on the ECT
- Test & Validation
  - Creating an External List derived from the ECT
  - Logging on as a user from the Security Group who IS secured in the permission settings of the ECT
  - Logging on as a user from the Security Group who is NOT secured in the permission settings of the ECT
Part 1: Setup
Above: This represents the AD account [appBCSUser] which I will use as the Impersonated User, i.e. the broker, if you will, that connects to the LOB system on behalf of the group of people who should have access to the data but DO NOT have accounts on the database. This is something your DBA will love, because he or she does not end up with a flurry of individual accounts on the DB.
Above: This represents the AD Security Group [SecureStoreBCSUsers] whose members have, or should have, access to the LOB system. You can of course have several of these for any number of LOB systems. Note that Fabian and Hardeep are in this group; they will be the test users later on.
Above: Let's move to Central Administration (CA) now and set up our environment.
Above: Click Application Management, then Manage Service Applications.
Above: We are interested in the Secure Store Service, so we click it.
Above: We already have some target applications there from previous labs, but we will create a new one: click New.
Above: We create a Target Application ID [note this cannot be changed once committed], a Display Name (which can be the same as the App ID), and so on.
Above: I populate the fields and choose "Group" as my Target Application Type. MSDN has a good explanation of why you want that over the other options; the long and short of it is that in this example it lets me tie one AD group, FabianLab\SecureStoreBCSUsers, to a single set of credentials, i.e. the FabianLab\appBCSUser account. I'll show a few other options below.
Above: By default it wants to know how you will collect the credentials of the Impersonated User; in my case it is a Windows account, so this works.
Above: I change it around a bit for kicks by adding the word Testing in front of the default text.
Above: Here are a few other options you can use. SSS is a claims-aware SSO solution and can take in just about any authentication mechanism.
Above: Because I only log on to CA with the farm admin account, I set that as the Target Application Administrator. Here, however, is where we start to make the app work for our design: in Members you can see the AD group I created earlier. This means I don't have to touch the SSS app anymore; I just add and remove people from the AD security group.
Above: It processes once I click OK.
Above: Now I have a NEW SSS app. But wait, you may ask... what about the Impersonated User? We are coming to that.
Above: We click the custom actions menu and select SET CREDENTIALS to map the Impersonated User to the group of "Allowed Users" that we will manage.
Above: Our trusty Silverlight app shows the progress as it opens the dialog pane.
Above: The default look of the credential mapping.
Above: I populate the values with the user account mentioned previously in the AD step.
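The Central Administration steps of Part 1, scripted in PowerShell as an added example (this is not code from the original post): it creates the same Group-type target application, makes the AD security group its credential owners, maps the broker account to it, and reads the definition back. The service context URL, the farm admin account and the contact e-mail are placeholders; the application ID, group and broker account are the ones used in this post.

```powershell
# Added example, not from the original post: Part 1 ("Setup") as a script.
# Placeholders: $serviceContext, $farmAdmin, the contact e-mail. The rest are the post's own names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$serviceContext = "http://intranet"                  # placeholder: a web app served by the SSS proxy
$appId          = "FabianLABSSSMSDNForumQ"           # Target Application ID (cannot be renamed later)
$farmAdmin      = "FabianLab\spfarm"                 # placeholder: Target Application Administrator
$ownerGroup     = "FabianLab\SecureStoreBCSUsers"    # AD group = the Members / Credential Owners
$brokerAccount  = "FabianLab\appBCSUser"             # Impersonated User; the only login SQL knows about

# On a brand-new Secure Store instance the master key must exist first, e.g.
#   Update-SPSecureStoreMasterKey -ServiceApplicationProxy <proxy> -Passphrase <passphrase>

# Windows credential fields, in the order the values will be supplied below
$fields = @(
    (New-SPSecureStoreApplicationField -Name "Windows User Name" -Type WindowsUserName -Masked:$false),
    (New-SPSecureStoreApplicationField -Name "Windows Password"  -Type WindowsPassword -Masked:$true)
)

# "Group": one shared credential for every member, so SQL never sees individual users
$target = New-SPSecureStoreTargetApplication -Name $appId -FriendlyName $appId `
    -ContactEmail "admin@fabianlab.local" -ApplicationType Group -TimeoutInMinutes 2

$adminClaim = New-SPClaimsPrincipal -Identity $farmAdmin  -IdentityType WindowsSamAccountName
$groupClaim = New-SPClaimsPrincipal -Identity $ownerGroup -IdentityType WindowsSecurityGroupName

# Membership is managed in AD from here on; the SSS app itself never needs to change
$app = New-SPSecureStoreApplication -ServiceContext $serviceContext -TargetApplication $target `
    -Fields $fields -Administrator $adminClaim -CredentialsOwnerGroup $groupClaim

# "Set Credentials": map the broker account to the group. Prompt for the password instead of
# leaving it in the script; the values array must match the field order above.
$brokerPassword = Read-Host -AsSecureString -Prompt "Password for $brokerAccount"
$values = @( (ConvertTo-SecureString $brokerAccount -AsPlainText -Force), $brokerPassword )
Update-SPSecureStoreGroupCredentialMapping -Identity $app -Values $values

# Read back the definition: administrators and owner group are visible, the mapped secret is not
Get-SPSecureStoreApplication -ServiceContext $serviceContext -Name $appId | Format-List
```

Run it from the SharePoint 2010 Management Shell on a farm server as an account with rights on the Secure Store service application.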
Part 2: Validation and Testing
Above: In SQL Server you can clearly see that the only account with access to the database "FabianPlayPen" is the AD user mentioned above.
Above: We create a new External Content Type by defining the name and selecting the External System to define our connectivity.
Above: We choose SQL Server from the list of choices.
Above: We define our SSO connection. One note here, in full disclosure: I tried a few times to make this work and made a typo, so I re-created my SSS app and called it FabianLABSSSMSDNForumQ instead of the name I had last time, but the steps are the same.
Above: Here you may or may not get challenged for credentials when you click OK. The credentials you enter here are, or should be, your own, assuming you are in the Security Group that is mapped to the Impersonated User. If not, you need an account that is in that Security Group.
Above: Once completed you will be able to connect to your LOB system, expand it and perform any operation allowed to you.
Above: In our instance let's just create the full set of CRUD operations.
Above: Validation that it is complete.
Above: Click the "Save" button to push the ECT up to the BDC Metadata Store.
Above: Now we can check a place where a lot of gotchas happen. One may assume that because they have access to the LOB system via the Impersonated User and group mapping, they are done. You'd be wrong: you now NEED permission to use the ECT. I already have mine set up by default under "Set Store Permission" to add myself, the search account and my service account. You may need to put your Security Group here to make it seamless, but because I am doing demos and want it to break depending on my use case, I leave it fluid.
Above: To do that, click the custom actions menu and select "Set Permissions".
Above: Do your business here by adding the users you want to have access. Note that Hardeep does not have access here, even though he IS a member of the Security Group.
Above: Once done, we can create our External List by choosing the ECT we just created.
Above: Commit to the system and cross your fingers... Voilà!
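The same BDC-level check done with PowerShell, as an added example that is not from the original post: it lists who actually holds rights on the ECT (the second gate, independent of Secure Store group membership) and, for the seamless setup mentioned above, grants Execute to the AD group and pushes the ACL down to the ECT's methods. The site URL, ECT name and ECT namespace are placeholders; the group name is the one used in this post.

```powershell
# Added example, not from the original post: audit and optionally fix the BDC-level permission on
# the ECT. Placeholders: $siteUrl, $ectName, $ectNamespace. The group name is from the post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl      = "http://intranet"                  # placeholder: site in the BDC service context
$ectName      = "ECT_NAME_PLACEHOLDER"             # name given to the ECT in SharePoint Designer
$ectNamespace = "ECT_NAMESPACE_PLACEHOLDER"        # SPD defaults this to the site URL
$ownerGroup   = "FabianLab\SecureStoreBCSUsers"    # the Secure Store credential owners

$ect = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity -ServiceContext $siteUrl `
    -Namespace $ectNamespace -Name $ectName

# Gate 2: who may execute this ECT? A user missing here (Hardeep in the post) is refused by
# Business Data Connectivity even though gate 1 (membership in the SSS owner group) passed.
"Current ACL on $($ect.Name):"
$ect.GetAccessControlList() | Select-Object Principal, Rights | Format-Table -AutoSize

# Seamless variant the post mentions: let the same AD group through both gates.
# Execute is what the External List needs; Edit and SetPermissions stay with administrators.
$groupClaim = New-SPClaimsPrincipal -Identity $ownerGroup -IdentityType WindowsSecurityGroupName
Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $groupClaim -Right Execute

# Methods under the ECT carry their own ACLs; propagate so every CRUD operation is covered
Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $ect
```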
Part 3: UAT
Above: Logged on as Me…
Above: Logged on as Hardeep
Conclusion
Hopefully this helps you understand the mechanism of SSS. A lot more can be done in code using Visual Studio; have fun, all. Your comments and reposts are welcomed.
Just want to say what a great blog you got here!
I’ve been around for quite a lot of time, but finally decided to show my appreciation of your work!
Thumbs up, and keep it going!
Cheers
Christian, iwspo.net
I appreciate the feedback, please spread the word… more blogs to come
Beautiful start to finish on SSS, Fabian. First complete post on the topic I’ve seen to date.
Thanks Scott, I have been traveling so much that I haven't posted in a while, but I will this weekend on Managed Metadata, Term Store etc.. stay tuned.. appreciate the feedback, spread the word
Thank you very much for posting this! Fantastic walkthrough.
Hi Fabian! How do you do this when modeling with Visual Studio? When I edit the BDC model XML manually and add the SecondarySsoApplicationId and SsoProviderImplementation properties, and then deploy, I keep getting an error in the logs saying “The property with name ‘secondaryssoapplicationid’ is missing on the lobsysteminstance”.
Phil, maybe I don't understand what you are saying. When I do my BCS in Visual Studio I use LINQ to SQL to make my data connectivity, and that handles my security context to the data store. Are you saying you want to use another data connectivity method (Secure Store Object Model) to do that? And how?
Hi Fabian, do you know any solution for code-based (Visual Studio) access using Secure Store? I have implemented a BCS model using Visual Studio with LINQ to SQL to access the database, but I want to use Secure Store credentials in my LINQ to SQL connection. Thanks
You can certainly code against it. I don't have anything I can share with the public on that one, mate, but it could be out there.
Hi Fabian,
Any ideas as to how I can re-create the Secure Store Service Proxy? It seems that in our farm, someone removed it.
Thank you
There are PowerShell commands for that; see Spence Harbar's blog, or Darin Bishop, or Todd Klindt.
Great explanation with easy to follow steps.
Job well done.
By the way, I linked to this blog from my site.
Thank you Tony, please feel free to spread the word however you see fit… Cheers mate
Followed the instructions, getting an error when trying to view the external list:
soap:ServerException of type ‘Microsoft.SharePoint.SoapServer.SoapServerException’ was thrown.An error has occurred.
Server application event log says:
Secure Store Service Error
The Microsoft Secure Store Service application Secure Store Service failed to retrieve credentials. The error returned was ‘Access is denied.’. For more information, see the Microsoft SharePoint Products and Technologies Software Development Kit (SDK).
Any help would be greatly appreciated.
Thanks
Chris
Ok, well if you went all the way through and got that error, then I would first check the permissions on the ECT in CA. Make sure the user that is logged on has the requisite permission at the ECT level regardless of what he/she has on the LOB system.
Fabian, you are the best …
It takes a community, thanks for the accolade.
How do you store a SQL Server account and password in the Secure Store (instead of an AD account)?
It's the same process, except it is not a Windows user name and password.
Is there a way to set up a series of tables, or do they have to be done one by one? I have a database with a lot of lookup tables, and setting this up for each table seems a bit daunting…. Is there an easier way?
I'm not sure I understand your question, please rephrase with more detail if you can.
Hi Fabian,
Thanks for a great post!
I went through your steps and created everything.
One thing I do not completely understand:
If I understand correctly, you have to add users/set permissions on two occasions, right?
1. in the user group (AD)
2. for the External Content Type (Central Admin)
However, only the latter seems to be of relevance.
For if I remove the logged-in user from the AD group, he still has access to the External List?!
Therefore: what is the relevance of adding the user to the AD group?
Cheers,
Waldemar
Can I configure it if I don’t have Active Directory?
I’m using windows administrator account to connect to database. I added Windows user account which I use to log in to a SharePoint site.
In SSS, I set Target Application Type to Group. I added All Users (windows) to Members (later I also added All Authenticated Users).
Finally, I set my Target Application Credentials to windows administrator because this is the account which has access to my database.
When I try to add connection in SharePoint Designer, I get an error: Access denied by Business Data Connectivity.
Do you know how to fix it, or is there no way without AD?
Hello,
Great post – I have been looking at a lot of blogs over the last two days and this is the best one on the subject.
Question: It appears that when you use Secure Store, users are only granted Read access to the database. Do you know of a way to give them Edit as well? We would like to have some of our users edit the SQL data by editing the External List items (the way you can if you use User Identity).
Thanks,
Matt
Hello,
I went through the video and it is really a great demonstration!!! Actually I have one query regarding single sign-on in SharePoint 2010. I have done the following steps on my side:
1) I created an ASP.NET membership provider database and added users to it
2) Created a .NET web application where I have specified the connection string for the ASP.NET membership provider database and a custom provider. I am able to log in to the .NET site using a user that I created in the ASP.NET membership provider database.
3) I enabled forms-based authentication for the SharePoint site so that I can log in with users from the membership provider database.
Issue:
I need single sign-on for both applications; for instance, if I log in first to the SharePoint site and then go to the .NET site it should not ask for credentials, and vice versa. If I log out from either application it should ask for credentials for both applications.
In SharePoint 2010 the new name for SSO is SSS: Secure Store Service.
SSS is a claims-aware authorization service that includes a secure database for storing credentials that are associated with application IDs.
Application ID: is your token to access the external application; the token might represent one user or a group of users.
These application IDs can be used to authorize access to external data sources.
I tried with SSS and added a target application, which was the membership provider in my case; I simply added the membership provider group in “Target Application Administration”. However it's not working; it does not enable single sign-on for both applications. Do you have any idea how to accomplish this task?
Please let me know. I am eagerly waiting for your reply.
Thanks,
Dipti Chhatrapati
Hi Fabian,
Great article! Throws more light on the SSS. Can you please explain this for Outlook Web App access?
Is FabianPlayPen created automatically while setting up the Target Application?
I have a DMZ SP2010 website where Claims & FBA are configured. I need an option for employees logging in from outside to be automatically logged into OWA web parts. I am trying SSS for integrating Outlook.
Which database would I get populated with all the employees from the company's AD to get authenticated to the Outlook Web App web part signed on?
I am a newbie and any help is greatly appreciated.
Hello Fabian,
Thanks for your such great contribution.
I have followed each and every step of your blog. Not just your blog, but I have tried 100 different ways to create an External List in BCS, but I am getting the following error again and again. I really need your help; I have tried almost everything to create an External List on BCS from Google and Bing searches, but all my efforts are in vain….
Still I am getting the following error:
“Unable to display this Web Part. To troubleshoot the problem, open this Web page in a Microsoft SharePoint Foundation-compatible HTML editor such as Microsoft SharePoint Designer. If the problem persists, contact your Web server administrator.”
I am just trying to get 100 odd records so, I don’t think this is “throttling” issue.
I hope you get time to help me. Thanks
Fabian,
Is there a way to only return items from the SQL table where the user name in SharePoint equals a UserName field in the SQL table? I only want to return values related to the logged-in user. Any help would be appreciated.
Yes, you can use BCS filters, or you can create a GetList method just for that; there is no limit on how many GetList methods you can create.
Excellent one! Mind sharing something on how to deploy the Target App ID to other servers by using PowerShell? Thanks.
I was looking for this information on many blogs, but by far this was the most complete one I could ever get… Excellent….
Many Thanks,
Ricky A
you are quite welcome
You should have added the first screen: when you create it for the first time, you must create a key.
Ahh, ok, sorry about that, I'll update the post accordingly.
Hi,
Easy to understand… thanks a lot for making my understanding clear..
no problem at all
Thank you very much! This was very useful.
you are quite welcome
Thanks
You are quite welcome
Question: does the service account for the Secure Store Target Application have to be in AD (on a domain), or can it be something that was created within SQL Server Management Studio (not on a domain)?
It depends on the scope/size of the farm. If this is a multi-server farm that needs IPC, the service account should be a domain account; if you have a single-server farm, you can get away with a local account. But no, not a SQL account.
Yes, you can use a SQL account with a Secure Store ID, and it has nothing to do with farm type. The tricky part is you need to choose Impersonate Custom Identity for Authentication Mode in ECT creation. Otherwise you may create the ID but later it won't connect to the data source.
Good to know. I have never used it myself and wasn't aware, thanks for sharing.
I have a multi-server farm and tried using both AD (on a domain) and SQL (not on a domain) accounts. Both work but only with a username/password upon a login prompt. After clicking “Add Connection” and providing the “SQL Server Connection” info, you mentioned that “Here you may or may not get challenged for credentials when you click OK. The credentials you put here are or should be your own; assuming that you are in that Security Group that will be mapped to the Impersonated User. If not, then you need an account in that Security Group List.”
I am getting challenged and don't understand why. In “Set Credentials for Secure Store Target Application (Group)”, “Credential Owners” is set to “All Authenticated Users”, so I should NOT be challenged. What's more strange is that once I provide my username/password, my SPDesigner never challenges me again (even after deleting the connection and restarting the Designer). Where does my credential get stored after the initial challenge?
Having read this I thought it was rather enlightening. I appreciate you taking the time and energy to put this short article together. I once again find myself spending a lot of time both reading and posting comments. But so what, it was still worthwhile!
Thank you, I hope you are also enjoying the SharePoint 2013 content as well.
Excellent post. I’m facing some of these issues as well..
Fabian, I must commend you on your post, but I am having an issue doing wildcard filtering on the list. How do I achieve this?
Thank you.
If you are going to do this via external content types and associations, you can use this post from the good guys at Lightning Tools: http://lightningtools.com/business_connectivity_services/creating-comparison-and-wildcard-filters-for-bcs-in-sharepoint-designer-2010/
Very good article for those who don't know the "abcd" about Secure Store Service in SharePoint.
Thank you.
Hi Fabian, wish I had found your blog 9 months ago when I was setting this up for our application as it probably would have saved me some time. I have SSS setup and working with my BCS app since March. Recently I’ve got some complaints about performance so I fired up the developer dashboard and shockingly found that the SSS call to GetRestrictedCredentials is the main culprit (i.e. if my total Page Request is ~16 seconds, 15 of those are attributed to the SSS GetRestrictedCredentials call). Literally just started investigating and found your blog, thought it might be worthwhile to see if you had any similar issues or thoughts around why the SSS call might be so slow. Thanks!
Actually I don't, without more information, but you can probably put some traces on both SQL (Profiler) and your network to see why. Also try browsers like Firefox/Chrome and use extensions to see if anything pops up there.
In SP2010 Designer I keep getting “The Business Data Connectivity Metadata Store is currently unavailable”. Per other docs I found, I made sure my /headerLimits were removed from the ApplicationHost.config file. I ALSO made sure the Business Data Connectivity Service and Managed Metadata Web Service were started (which is not listed in this doc).. What gives?.. I also tried from Designer running on XP and Win7.. Still get the same error.. ??
I've seen this before where folks are targeting a host header URL rather than the NetBIOS server name. Have you tried going directly to the NetBIOS name, if that is an option for you? When I had no choice in the matter I changed my authentication for the web app to Kerberos and it fixed my issue then.
I found I didn't have the BDC service and hence the backend BDC DB set up, so SP Designer 2010 had no place to store all those settings. I didn't do an out-of-the-box install so it just wasn't there already (i.e. I used AutoSPInstaller and disabled the install early on).
I had to go to CA > Manage Service Applications > “New” > and make a new “Business Data Connectivity Service”. This sets up the backend DB which this document sort of assumes I already had.
Thanks for the postback. Still one of the best resources on the Internet.
Thank you very much, happy to help.
Fantastic explanation, which I had been looking for….. keep doing the useful work.
thank you, happy to help
Pingback: Blog Update on SharePoint BCS with full CRUD Part 1 of 3 « Fabian Williams SharePoint Blog
Pingback: Part 2 of 3-Blog Update on SharePoint BCS with full CRUD « Fabian Williams SharePoint Blog
Hello there. I found your blog using MSN. This is a really well written article. I'll make sure to bookmark it and come back to read more of your useful info. Thanks for the post. I'll definitely return.
Thank you, I've updated that post you are on, hope you found that useful.
This is really a good blog. I followed all your steps,
but I am facing an issue while connecting to the data source from SPD:
“Cannot log on with the credentials obtained from the secure store provider”
I double checked the database rights: the AD account which I am using for the impersonation has db_reader and db_writer access on the database.
“Is it due to my accessing it using VPN?”
Thanks in Advance
Make sure you are using domain\user when putting in the creds in Secure Store; also make sure these creds have permission in the metadata store on the BCS ECT.
Hi, I have the same error and I set permissions for Metadata and it is still not working … Any comment?
See my earlier response.
Hi fabiangwilliams ,
The issue was with the VPN. We can't access the database using the SSID over VPN, because it will not trust you in the domain. So I tried on a machine which is trusted by the domain and it worked.
Thanks
Glad you sorted it out, my code is solid 🙂
Pingback: SPTechCon San Francisco 2014 Highlights « Tom Resing's SharePoint Blog
Aw, this was an extremely good post. Finding the time and actual effort to create a good article… but what can I say… I procrastinate a lot and don't manage to get anything done.
I appreciate the help from this blog post, Fabian. My issue was in SP2013 and I had a double-hop authentication situation. I thought I had all of that rectified, but was missing another step. This blog post helped me to think in a different way to finally come up with the answer. External data renders perfectly now. Thanks!
Always good to hear that these blog posts are helping folks. For that, we will reverse the 1 beer penalty for not commenting directly on the post that added value. I'll just take your Abe Lincoln money at the next Nats game, mate 🙂
Hi Fabian, currently I did all of the steps and I'm getting this error 🙁
message from external system ‘cannot logon with credentials obtained from secure store provider.’
Any comment about how to resolve it ?
Thanks a lot
Perla
It could possibly be a matter of permissions. Can you try creating a SQL user, use that as the credential mapping in Secure Store and see if you have the same error? Short of that, you will have to troubleshoot on the SQL side by using SQL Profiler to see the actual error, or look in the SQL error log or inside SharePoint in the ULS log.
Pingback: Secure Store Application ID credentials don't work when creating ECT | DL-UAT
Pingback: Business Connectivity Services; Connecting the LOB Dots | Jeff Breece
How can I validate the data in the Create method and give the user a custom error message? For example, I have a procedure that returns a custom error message, but SharePoint just shows a generic error message to the user.