The Secure Store Service provides a more flexible solution to the problems that were only partially addressed by Single Sign-On (SSO) in MOSS 2007. It allows for the encrypted storage of usernames and passwords for shared resources and the mapping of SharePoint users to specific access identities. It is commonly used to supply the credentials with which Business Connectivity Services, Excel Services and Visio Services access external data.
Microsoft has some really good documentation on this topic. Their planning guide is http://technet.microsoft.com/en-us/library/ee806889.aspx and their own more detailed configuration guide is http://technet.microsoft.com/en-us/library/ee806889.aspx.
However, for many people (especially for dev and piloting) this post provides a quick guide to getting it up and running.
Before you start, check that you are a Service Application Administrator for the instance of the Secure Store Service you will be configuring; without that you will not see the ribbon commands used below.
The first step is to initialize the
Secure Store Service:
- From Central Administration, choose Manage
service applications from the Application Management group:
- Click on the Secure Store Service link (either
is OK – they both link to the same place):
- If this is the first time the Secure Store Service has
been accessed, you will need to Generate New Key (from the ribbon):
- To generate a new key you must provide a passphrase. The passphrase protects the master key that encrypts the credentials held in the Secure Store database, so choose a strong one. There is no way (at least that I know of) of recovering the passphrase, and you will need it again whenever the key has to be refreshed (for example after restoring the Secure Store database or adding a server to the farm), so record it in a safe place such as a password vault rather than relying on memory. It is also a good idea to back up the Secure Store database once the key has been generated.
At this point the Secure Store
Service is ready for you to start adding the target applications that you want
to store credentials for. For each application you want to access, do the following:
- Click on the New target application ribbon
button:
- Complete the Target Application Settings using
the notes below:
- The Target Application ID is the unique name of the application and cannot be changed once the application has been created; the Display Name can.
- Contact E-mail is the address of the person responsible for this target application and is pretty self explanatory.
- Then we get to the Target Application Type. The first choice to make is either:
- Individual – meaning that each user connecting to SharePoint is mapped to their own set of credentials for this target application; or
- Group – meaning that all users connecting to SharePoint who are in a specific group are mapped to one shared set of credentials for this target application.
- Now we need to decide whether the type should be the plain variant, Ticket, or Restricted. Maybe it's just me, but I found the on-screen help not very useful and the online help took a few seconds longer than usual to find. Essentially, these options have the following meaning:
- Ticket – the Secure Store Service issues a ticket (an encrypted, time-limited token; the timeout is set in the service application settings) on behalf of the user, and the target application redeems that ticket later to obtain the credentials. This suits cases where the credentials have to be retrieved by a process that is not running under the end user's own context, such as a workflow. Despite the name, this is a separate mechanism from SharePoint 2010's claims-based authentication;
- Restricted – allows the target application to apply its own, implementation-specific additional authentication before the stored credentials are used;
- Plain (no suffix) – this is the more traditional method of providing the stored credentials (username, password and maybe other fields) with each connection.
- I am interested at this point in a connection to SQL Server, and a single set of Windows logon credentials for all users is what I'm after, so I choose Group and click Next. Because every member will reach SQL Server as the same account, make that account a dedicated, least-privilege SQL login: SQL Server sees only that account, not the individual SharePoint user, so any per-user auditing has to happen on the SharePoint side.
- Next I'm prompted to specify the credential field names and types. The default of Windows User Name and Windows Password is exactly what I need, but if you are connecting to a target application that needs more information you can add fields of other types (generic, user name, password, PIN, key, certificate and certificate password) to this target application, and mark sensitive ones as masked so they are hidden when entered:
- I've chosen to have a single set of credentials for a group of SharePoint users, so next I need to specify who can administer this target application and who the members of the group of users that will use these credentials are. Keep the Administrators list short: a target application administrator can set, and therefore replace, the shared credentials:
Note that for Administrators and Members I can use the new People and Groups picker dialog, which is a big improvement on the 2007 version:
- Finally, click OK and the target application is created. It does not yet hold any credentials, though: select the new target application and use Set Credentials (from the ribbon or the item's drop-down menu) to enter the SQL Server account's user name and password for the group mapping before anything tries to use it.
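The same procedure can be scripted, which is handy for dev and pilot farms that get rebuilt often. The block below is an added example written for this page, not code from the original post or from Microsoft; it uses the SharePoint 2010 Management Shell cmdlets (Update-SPSecureStoreMasterKey, Update-SPSecureStoreApplicationServerKey, New-SPSecureStoreApplicationField, New-SPSecureStoreTargetApplication, New-SPSecureStoreApplication, Update-SPSecureStoreGroupCredentialMapping), and the site URL, target application ID, domain, accounts and e-mail address are placeholders to replace for your own farm. It also does two things the UI walk-through leaves implicit: it prompts for secrets instead of embedding them in the script, and it sets the shared credentials after creating the target application.

```powershell
# Added example (not from the original post): Secure Store setup via the
# SharePoint 2010 Management Shell. Run as a Service Application Administrator
# of the Secure Store Service. All names below are placeholders.

if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$siteUrl = "http://sharepoint"   # placeholder: any site whose web app consumes the proxy
$proxy   = Get-SPServiceApplicationProxy | Where-Object { $_.TypeName -like "*Secure Store*" }
if ($proxy -eq $null) { throw "No Secure Store Service application proxy found" }

# 1. Generate the master key (first-time setup). The passphrase is prompted
#    for rather than written into the script, and must be kept: it is needed
#    again to refresh the key after a restore or when a server is added.
$passphrase = Read-Host -Prompt "Secure Store passphrase" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($passphrase)
try     { $plainPassphrase = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy -Passphrase $plainPassphrase
# Refresh the key on this server; repeat on each server that runs the service.
Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $proxy -Passphrase $plainPassphrase
Remove-Variable plainPassphrase

# 2. Credential fields: the Windows User Name / Windows Password defaults the
#    UI offers. The password field is masked so it is hidden when entered.
$fields = @(
    (New-SPSecureStoreApplicationField -Name "Windows User Name" -Type WindowsUserName -Masked:$false),
    (New-SPSecureStoreApplicationField -Name "Windows Password"  -Type WindowsPassword -Masked:$true)
)

# 3. The target application. ApplicationType combines Individual/Group with the
#    Ticket/Restricted variants: Individual, Group, IndividualWithTicketing,
#    GroupWithTicketing, RestrictedIndividual, RestrictedGroup.
#    Group = one shared credential for every member.
$targetApp = New-SPSecureStoreTargetApplication -Name "SqlReportingData" `
    -FriendlyName "SQL Server reporting data (shared account)" `
    -ContactEmail "sp-admins@example.com" -ApplicationType Group

# 4. Administrators (who may set/replace the credentials: keep this short) and
#    the members who are mapped to the shared credentials, as claims principals.
$admin   = New-SPClaimsPrincipal -Identity "EXAMPLE\spadmin"  -IdentityType WindowsSamAccountName
$members = New-SPClaimsPrincipal -Identity "EXAMPLE\BI-Users" -IdentityType WindowsSecurityGroupName

$app = New-SPSecureStoreApplication -ServiceContext $siteUrl -TargetApplication $targetApp `
    -Fields $fields -Administrator $admin -CredentialsOwnerGroup $members

# 5. Set the shared credentials: a dedicated, least-privilege SQL login.
#    In the UI this is a separate step after OK and is easy to forget.
$sqlUser = ConvertTo-SecureString "EXAMPLE\svc-sql-reports" -AsPlainText -Force
$sqlPass = Read-Host -Prompt "Password for EXAMPLE\svc-sql-reports" -AsSecureString
Update-SPSecureStoreGroupCredentialMapping -Identity $app -Values @($sqlUser, $sqlPass)

# 6. Check that the target application exists with the expected settings.
Get-SPSecureStoreApplication -ServiceContext $siteUrl -Name "SqlReportingData" |
    Select-Object -ExpandProperty TargetApplication |
    Format-List Name, FriendlyName, ApplicationType
```

If you later need to move the Secure Store database to another farm or restore it from backup, the same passphrase is what Update-SPSecureStoreApplicationServerKey will ask for, which is why the script never writes it to disk and why it belongs in a vault rather than in the script.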