Plan the Secure Store Service (SharePoint Server 2010)


Applies to: SharePoint Server 2010

In Microsoft SharePoint Server 2010, the Secure Store Service replaces the single sign-on (SSO) feature of Microsoft Office SharePoint Server 2007. The Secure Store Service is a claims-aware authorization service that includes a secure database for storing credentials.

In this article:

  • About the Secure Store Service

  • Secure Store Service preparation

  • Target applications

  • Secure store service mappings

  • Secure store service and claims authentication

About the Secure Store Service

The Secure Store Service is an authorization service that runs on an application server. The Secure Store Service provides a database that is used to store credentials. These credentials usually consist of a user identity and password, but can also contain other fields that you define. For example, SharePoint Server 2010 can use the secure store database to store and retrieve credentials for access to external data sources. The Secure Store Service provides support for storing multiple sets of credentials for multiple back-end systems.

Usage scenarios for Secure Store include the following:

  • Excel Services   Can use Secure Store to provide access to external data sources in published workbooks. This can be used as a substitute to passing a user’s credentials to the data source, a process which often requires configuring Kerberos delegation. Excel Services requires Secure Store if you want to configure an unattended service account for data authentication.

  • Visio Services   Can use Secure Store to provide access to external data sources in published web drawings. This can be used as a substitute to passing a user’s credentials to the data source, a process which often requires configuring Kerberos delegation. Visio Services requires Secure Store if you want to configure an unattended service account for data authentication.

  • PerformancePoint Services   Requires Secure Store if you want to configure an unattended service account for data authentication.

  • PowerPivot for SharePoint 2010   Requires Secure Store for scheduled refresh of PowerPivot workbooks.

  • Microsoft Business Connectivity Services   Can use Secure Store to map the user’s credentials to a set of credentials for an external system. You can either map each user’s credentials to a unique account on the external system or you can map a set of authenticated users to a single group account.

Secure Store Service preparation

When you prepare to deploy the Secure Store Service, be aware of the following important guidelines:

  • Before you generate a new encryption key, back up the Secure Store database. You should also back up the Secure Store database after it is initially created, and again each time credentials are re-encrypted. When a new key is generated, the credentials can be re-encrypted with the new key. If the key refresh fails, or the passphrase is forgotten, the credentials will not be usable.

  • Back up the encryption key after initially setting up Secure Store, and back up the key again each time it is regenerated.

  • Do not store the backup media for the encryption key in the same location as the backup media for the secure store database. If a user obtains a copy of both the database and the key, the credentials stored in the database could be compromised.
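The following script is an added example, not part of the original article, that carries out the three guidelines above in the order they prescribe: back up the Secure Store service application, generate a new key from a passphrase and propagate it to the application servers, then back up again after re-encryption. It assumes the SharePoint 2010 Management Shell, a farm administrator account, and placeholder backup paths; the `-Item` name passed to `Backup-SPFarm` is farm-specific and must be taken from `Backup-SPFarm -ShowTree`.

```powershell
# Added example (not from the article): Secure Store key refresh with the
# backups the planning guidance requires. Run in the SharePoint 2010
# Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder paths. The database backup and the key/passphrase record must
# live on different media, so two separate locations are used on purpose.
$dbBackupPath = "\\backup01\sharepoint\securestore\$(Get-Date -Format yyyyMMdd-HHmm)"
# Placeholder: exact item name comes from `Backup-SPFarm -ShowTree` on your farm.
$secureStoreItem = "Farm\Shared Services\Shared Services Applications\Secure Store Service"

$proxy = Get-SPServiceApplicationProxy |
    Where-Object { $_.TypeName -like "Secure Store*" }
if (-not $proxy) { throw "No Secure Store Service application proxy found in this farm." }

# Guideline 1: back up the Secure Store database BEFORE touching the key.
Backup-SPFarm -Directory $dbBackupPath -BackupMethod Full -Item $secureStoreItem

# Read the new passphrase interactively so it never lands in command history
# or in this script file. Secure Store requires at least 8 characters drawn
# from at least three of: upper case, lower case, digits, symbols.
$passphrase = Read-Host "Enter the new Secure Store passphrase"
$classes = @(
    ($passphrase -cmatch '[A-Z]'),
    ($passphrase -cmatch '[a-z]'),
    ($passphrase -match  '[0-9]'),
    ($passphrase -match  '[^A-Za-z0-9]')
) | Where-Object { $_ }
if ($passphrase.Length -lt 8 -or $classes.Count -lt 3) {
    throw "Passphrase does not meet the Secure Store complexity requirements."
}

# Generate the new master key, then push the derived key to every
# application server that runs the service. The short pause gives the
# master-key change time to commit before the server key is refreshed.
Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy -Passphrase $passphrase
Start-Sleep -Seconds 15
Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $proxy -Passphrase $passphrase

# Guideline 1 again: credentials are now re-encrypted, so take a fresh backup.
$postBackupPath = "$dbBackupPath-after-rekey"
Backup-SPFarm -Directory $postBackupPath -BackupMethod Full -Item $secureStoreItem

# Guideline 2 and 3: the passphrase is the only way to recreate the key.
# Record it in your offline key escrow, NOT under $dbBackupPath, and then
# clear it from this session.
Write-Host "Key refreshed. Record the passphrase in the key escrow separate from $dbBackupPath."
Remove-Variable passphrase
```

If `Update-SPSecureStoreApplicationServerKey` fails, the pre-rekey backup is what lets you restore to the old key; that is why the script refuses to proceed without it rather than treating the backup as optional.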

Because the Secure Store Service is used to store sensitive information, for better security we recommend that you consider the following guidelines:

  • Run the Secure Store Service in a separate application pool that is not used for any other service.

  • Run the Secure Store Service on a separate application server that is not used for any other service.

  • Create the Secure Store database on a separate application server running SQL Server. Do not use the same SQL Server installation that contains content databases.

Target applications

A target application is a collection of information that maps a user or users to a set of encrypted credentials stored in the Secure Store database. Target applications contain the following information that you define:

  • Whether this is an individual or group mapping.

  • What fields to store in the Secure Store database. (The default is Windows User Name and Windows Password, but additional field types can be selected, depending on the application.)

  • Users with permissions to administer the target application.

  • The individual or group to whom you are mapping the credentials.

Each target application has a unique application ID that you define. External applications such as Excel Services or SharePoint Designer use this ID to reference the target application.

Secure store service mappings

The Secure Store Service supports individual mappings and group mappings. In a group mapping, every user who is a member of a specific domain group is mapped to the same set of credentials. In an individual mapping, each individual user is mapped to a unique set of credentials. Individual mappings are useful if you need logging information about individual user access to shared resources. For group mappings, a security layer checks whether the requesting domain user belongs to the mapped group and, if so, returns the single set of credentials for the resource identified by the application ID in the secure store database. Group mappings are easier to maintain than individual mappings, and can provide improved performance.
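The script below is an added example, not code from the article, that creates the target application described in the preceding two sections and then populates it as a group mapping: it sets the mapping type, the two default fields (Windows User Name and Windows Password), the administrators, the domain group whose members share the credentials, and finally the credential set itself. The site URL, application ID, account and group names are placeholders; the service account password is read interactively so it is never stored in the script.

```powershell
# Added example (not from the article): provision a group-mapped Secure
# Store target application. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder values; replace with your own.
$siteUrl      = "http://sharepoint.contoso.local"
$appId        = "ContosoERP"                   # the unique application ID external apps reference
$adminAccount = "CONTOSO\spadmin"              # may administer the target application
$memberGroup  = "CONTOSO\ERP Report Users"     # every member of this group gets the same credentials
$serviceUser  = "CONTOSO\svc-erp-read"         # least-privilege read-only account on the external system

$ctx = Get-SPServiceContext -Site $siteUrl

# 1. Individual or group mapping: this target application is a group mapping.
$targetApp = New-SPSecureStoreTargetApplication -Name $appId `
    -FriendlyName "Contoso ERP (group mapping)" `
    -ContactEmail "erp-owners@contoso.local" `
    -ApplicationType Group

# 2. Fields stored in the Secure Store database. The password field is masked
#    so it is never displayed back in Central Administration.
$fields = @(
    (New-SPSecureStoreApplicationField -Name "Windows User Name" -Type WindowsUserName),
    (New-SPSecureStoreApplicationField -Name "Windows Password"  -Type WindowsPassword -Masked)
)

# 3. Who administers the target application, and 4. whom the credentials map to.
$administrators = New-SPClaimsPrincipal -Identity $adminAccount -IdentityType WindowsSamAccountName
$members        = New-SPClaimsPrincipal -Identity $memberGroup  -IdentityType WindowsSecurityGroupName

$app = New-SPSecureStoreApplication -ServiceContext $ctx `
    -TargetApplication $targetApp `
    -Fields $fields `
    -Administrator $administrators `
    -CredentialsOwnerGroup $members

# Store the single credential set shared by the group. Values are supplied in
# the same order as the fields above and must be SecureStrings.
$userValue = ConvertTo-SecureString $serviceUser -AsPlainText -Force
$passValue = Read-Host "Password for $serviceUser" -AsSecureString
Update-SPSecureStoreGroupCredentialMapping -Identity $app -Values @($userValue, $passValue)

# Confirm the target application exists before handing the ID to Excel
# Services, Visio Services or a BCS external content type.
Get-SPSecureStoreApplication -ServiceContext $ctx -Name $appId |
    Select-Object Name, ApplicationType, FriendlyName
```

Switching `-ApplicationType` to `Individual` and calling `Update-SPSecureStoreCredentialMapping` with a `-Principal` instead of the group cmdlet gives the individual-mapping variant; the trade-off is exactly the one the section describes, per-user audit trail versus a single credential set that is simpler to maintain.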

Secure store service and claims authentication

The Secure Store Service is a claims-aware service. It can accept security tokens and decrypt them to get the application ID, and then perform a lookup. When a SharePoint Server 2010 Security Token Service (STS) issues a security token in response to an authentication request, the Secure Store Service decrypts the token and reads the application ID value. The Secure Store Service uses the application ID to retrieve credentials from the secure store database. The credentials are then used to authorize access to resources.

See Also

Concepts

Configure the Secure Store Service (SharePoint Server 2010)
Business Connectivity Services security overview (SharePoint Server 2010)
Plan Excel Services data sources and external connections (SharePoint Server 2010)
Plan for PerformancePoint Services security (SharePoint Server 2010)
Data authentication for Visio Services (SharePoint Server 2010)

Other Resources

Resource Center: Security and Authentication for SharePoint Server 2010