Welcome on my SharePoint 2010 blog


My name's Roy. I'm a dutch SharePoint & BI consultant/architect at Advantive B.V. At this moment I'm busy with some big SharePoint 2010 projects in The Netherlands. In all the projects I've got different roles, like: Business consultancy, Lead Consultant, Architect (logical and technical), Development and Teaching/courses.

Products where you can ask me about are: SharePoint, Visual Studio, SQL Server, PowerPivot, Analysis and Reporting Services, Visio Services, InfoPath, PerformancePoint Services, Team Foundation Server, Office line.

I love to work and to write about Microsoft SharePoint 2010 so, feel free and read/comment my Blogs!


Wednesday, October 27, 2010

Secure Store Service Application in SharePoint 2010 (and BCS example)


The Secure Store Service replaces the Microsoft Office SharePoint Server 2007 Single Sign On feature. Secure Store Service is a shared service that provides storage and mapping of credentials such as account names and passwords. It enables you to securely store data that provides credentials required for connecting to external systems and associating those credentials to a specific identity or group of identities. It is very common for solutions to try to authenticate to an external system in which the current user is known differently or has a different account for authentication. In such cases, Secure Store Service can be used to store and map user credentials required by the external system. You can configure Secure Store Service so that multiple users can access an external system by using a single set of credentials on that external system.

For example, if a user named Fred has one account on the server that is running SharePoint Server and another in a CRM application, the Secure Store mechanism enables his CRM credentials to be stored with his user profile in SharePoint Server. As a result, if he uses a Microsoft Business Connectivity Services (BCS) solution in SharePoint Server to obtain data from the CRM application, SharePoint Server looks up the Secure Store Service database on the server and provides his credentials to CRM. In in this manner, Fred automatically logs on to the CRM application without having to log onto the CRM application separately.

To provide similar functionality on Microsoft Office clients, Business Connectivity Services provides a Secure Store provider that uses the Windows Credential Store.

In addition, SharePoint Server enhances the Secure Store Service functionality to include a pluggable secure store mechanism that enables you to use alternate secure store providers.


First make sure that the BCS service (for the example in this blog) is started and a BCS Service app is created. Also make sure that the Secure Store Service is started (Central admin --> services on server).

Go to the central administration and click under application management on "Manage service applications".

The list with available service applications becomes visible. Click in the upper left corner on: New/Secure Store Service Application.

After clicking on the link a dialog (SPDialog) appears:

I'll advise you that (for security reasons) you choose for a separate/isolated application pool for the secure store service app (sss) .

Choose a database server and name for the sss and click on OK, the sss and the sss proxy will be created. After clicking on OK you get the message to generate a key first before you can use the service application. This key will be used to encrypt credentials.

Create the key by clicking in the ribbon on <Generate new key>

The database will also be encrypted with a passphrase key, enter the key and confirm it:

Initially there are no target application in the secure store. To create one click on <New>. An new window will be loaded:

I've chosen a ID called: AdventureWorksID, this is the name of my external system that I want to connect to in my BCS solution.

There are two primary types for creating a target application:

  • Group, for mapping all the members of one or more groups to a single set of credentials on the external data source.
  • Individual, for mapping each individual to a unique set of credentials on the external data source.
I've chosen "Group" in this example. Click <Next> and the following screen will appear:

In the screen above you can add fields that are necessary for the credential part. In the <Field Name> textboxes choose you're own label that you want to choose when a sss administrator needs to enter the credentials. If you're credentials are not windows credentials, change this in your dropdown box. You can check the checkbox "Masked" if you want your text to be masked.

Click on <Next> and fill in a administrator for the target application and a member if necessary and click <OK>. You're target application is now created.

Click on your new target application and after that click on <Set credentials>

Enter your credentials in the next screen and click <OK> (notice that the labels of the field names are changed)

You also have the possibility to publish a sss when you're working with multiple farms. To do this click on the secure store service application in <manage service application screen> and click in the ribbon on <Publish>, the following screen will open:

Select the check box <Publish> and copy the urn. For an explanation how to use a service application cross farm see my blog: Metadata cross farm BLOG.

Shortened Real-time Example

Create an external content type with SharePoint Designer. Give the external content type a name and click on the link (see last link in picture below) to discover external datasources:

In the popup box fill in your external database server name and database name. After that, choose: "Secure store application Id" and fill in the ID of the target application you just created:

Click <OK>, choose your data and publish/save your external content type to the BCS metadata store.

From the SharePoint 2010 UI create a list based on the external content type you just created and your list is now available in SharePoint based on the Secure Store Credentials.

PS: @SPJanet: Hope this is a worthfull blog for you, otherwise please let me know!

1 comment:

  1. Hello ROy, Can you please help me with this question

    Maybe it can be done with secure store service but I dont know