Plan Business Connectivity Services client integration (SharePoint Server 2010)


Applies to: SharePoint Server 2010

Summary: Microsoft Business Connectivity Services offers users many ways of interacting with external systems from their Microsoft Office 2010 client applications. This article discusses how users can take external data offline to Microsoft Outlook 2010 and Microsoft SharePoint Workspace 2010.

When a user clicks the Connect to Outlook or Sync to SharePoint Workspace button on an external list, a ClickOnce application deployment package is created and installed on the client computer. This enables users to work with external data as native Outlook Item types (for example, Contacts, Tasks, and Appointments) in Outlook and as lists in SharePoint Workspace. Depending on their permissions, users can perform read and write operations on the external data, even when they are working offline or if the external system connectivity is slow, intermittent, or unavailable. The external data is synchronized when connection to the server becomes available.

The ability to take external lists offline takes advantage of the native capabilities of Business Connectivity Services, Microsoft SharePoint Server 2010, and Office 2010 applications. You can build more advanced Business Connectivity Services solutions that use customizing features or code.

For more information about advanced Business Connectivity Services solutions, see Building Solutions with Business Connectivity Services (https://go.microsoft.com/fwlink/p/?LinkID=202359).

In this article:

  • Prerequisites

  • Installing deployment packages

  • Security considerations

Prerequisites

The server must have Microsoft SharePoint Server 2010 with an Enterprise client access license (CAL) installed. The client computer must have Microsoft Office Professional Plus 2010 installed.

The following list describes additional client computer requirements:

  • Internet Explorer   The deployment mechanism uses ActiveX controls. Because Internet Explorer is the only browser that supports ActiveX controls, taking external lists offline is supported only in Internet Explorer. If you use another browser, such as Firefox, the Connect to Outlook and Sync to SharePoint Workspace buttons are disabled.

  • Microsoft .NET Framework 3.5   The Microsoft .NET Framework 3.5 or a later version must be installed on the client computer.

  • Business Connectivity Services   By default, the Business Connectivity Services feature is installed when Office Professional Plus 2010 is installed. If the .NET Framework 3.5 is not installed when a user installs Office, Business Connectivity Services will not be installed. After the .NET Framework 3.5 is installed on the client computer, the Business Connectivity Services feature is installed when the user first takes an external list offline, and then the deployment package is installed. If the Business Connectivity Services feature was disabled by the user, the user must update his or her Office installation and enable the Business Connectivity Services feature. The Business Connectivity Services feature is available in the Office Shared group.

Installing deployment packages

The following sections discuss settings that can affect deployment package installations.

ClickOnce applications and trust-prompt behavior

The deployment packages are ClickOnce applications. All the rules, regulations, and limitations that govern general ClickOnce applications apply to the deployment packages also. The ClickOnce security model relies on trusted publishers and user prompting to determine whether a ClickOnce application will be installed on the client computer. ClickOnce applications are signed with a certificate that identifies the publisher. The certificates provide the following basis for making trust decisions:

  • If the ClickOnce application is signed by a trusted publisher, the application will automatically be installed. The user is not prompted.

  • If the ClickOnce application is not signed by a trusted publisher, ClickOnce does not automatically trust the application. The user is prompted to confirm that he or she wants to install the application.

Note

By default, Business Connectivity Services uses a self-signed certificate to sign its deployment packages. Because the certificate is self-signed, it is not from a trusted certification authority (CA).

However, trust prompting can be affected by other settings, such as the Internet Explorer security zone that the ClickOnce application is being installed from. The following table lists example paths and URLs, their corresponding security zones, and the default trust-prompt behavior.

| ClickOnce application URL or path | Security zone | Default trust-prompt behavior |
|---|---|---|
| C:\Contoso\Clientsolution\Customer.vsto | My Computer | Allow user prompting. |
| http://contoso/clientsolution/customer.vsto | Local intranet | Allow user prompting. |
| \\contoso\clientsolution\customer.vsto | Local intranet | Allow user prompting. |
| http://fabrikam.contoso/clientsolution/customer.vsto | Internet | No user prompting allowed unless the application is signed by a certificate that is issued by a trusted CA. |
| https://www.contoso.com/clientsolution/customer.vsto | Internet | No user prompting allowed unless the application is signed by a certificate that is issued by a trusted CA. |
| \\172.16.4.1\clientsolution\customer.vsto | Internet | No user prompting allowed unless the application is signed by a certificate that is issued by a trusted CA. |

The following list describes some things that can be done to stop deployment failures that are caused by default trust prompts.

  • Sign the deployment packages with a trusted certificate   By default, Business Connectivity Services uses a self-signed certificate to sign its deployment packages. As a result, users will either be prompted to confirm that they want to install the application, or the deployment package will fail to install with no user prompts (if the external list resides in the Internet security zone). To resolve these issues, you can provide a certificate issued by a trusted CA that can be used to sign the deployment packages. For more information about how to provide a trusted certificate, see How to: Get Rid of the Publisher Cannot Be Verified Alert When Taking External Lists Offline (https://go.microsoft.com/fwlink/p/?LinkID=202362).

  • Users can add the SharePoint site to their list of trusted sites in Internet Explorer   Adding a site to the Internet Explorer list of trusted sites changes the deployment package security zone to the Trusted zone. The Trusted zone allows user prompting. If you have a deployment package that is not signed with a trusted certificate and resides in the Internet security zone, adding the site to the list of trusted sites gives the user the opportunity to decide whether to install the deployment package.

    Note

    This action should be taken only for sites that the user can trust.

  • Internet Explorer Enhanced Security Configuration   Internet Explorer Enhanced Security Configuration restricts the ability of users to browse Internet and intranet Web sites. This can cause deployment packages to fail to install without any errors displayed. As a workaround, you can do any of the following:

    • Sign the deployment packages with a trusted certificate.

    • Users can add the SharePoint site to their list of trusted sites in Internet Explorer.

    • Turn off Internet Explorer Enhanced Security Configuration for users.

For more information about ClickOnce applications, see ClickOnce Security and Deployment (https://go.microsoft.com/fwlink/p/?LinkId=195784).

Secure Store Service group mappings

Secure Store Service application IDs are used to map users to credential sets. Mappings are available for groups or individuals. In a group mapping, every user who is a member of a specific domain group is mapped to the same set of credentials. In an individual mapping, each individual user is mapped to a unique set of credentials.

If the external content type that is associated with an external list uses a group mapping, when users attempt to take the external list offline they are prompted for the group credentials. In most cases, users will not know the group credentials and will be unable to take the external list offline.

You can do one of the following:

  • Modify the external content type to use an individual mapping.

  • Modify the external content type to prevent users from trying to take the external list offline. Open the external content type in SharePoint Designer and set the Offline Sync for external list field to Disabled. This disables the Connect to Outlook and Sync to SharePoint Workspace buttons in the external list ribbon.

For more information about the Secure Store Service, see Configure the Secure Store Service (SharePoint Server 2010).

Sign in as Different User

When you are using Windows authentication, the Sign in as Different User feature is not supported for installing deployment packages. You cannot take an external list offline if you are logged on to a client computer by using one account and then log on to the SharePoint site by using a different user account. To take an external list offline, you must use the same user account to log on to both the client computer and the SharePoint site.

Security considerations

The following sections discuss additional measures that can be used to help secure Business Connectivity Services when you are working with rich client applications.

Secure communications

We recommend that you use Secure Sockets Layer (SSL) on all channels between client computers and front-end Web servers. This helps ensure that sensitive data is not compromised.

External list permissions

Each external list is associated with an external content type. The permissions on the external content type specify who can perform specific actions on the external content type. The Execute permission is required to execute operations (such as read or update) on an external content type and also to generate a deployment package for the external list. However, after a deployment package has been created for an external list, any user who can access that external list can download and install the deployment package. In other words, a user who does not have Execute permission on the external content type, but has the Read permission level on the external list, cannot see the items in the external list, but may still be able to take the external list offline. To help ensure that sensitive data is not disclosed, we recommend that you ensure that the permissions on an external list are equal to the permissions of the associated external content type.

Outlook Web Access Web Parts

Outlook Web Access Web Parts enable users to display selected content from folders in their Office Outlook e-mail account in a SharePoint site. If users have taken external data offline to Outlook, using the Outlook Web Access Web Parts can result in sharing of sensitive data. We recommend that administrators educate users to share their Outlook folders only with people whom they can trust.

Client throttle limits

Setting throttle limits on the client computer can help limit denial of service threats that are caused by a user who submits queries that return a large amount of data or take lots of processing time. You can use registry-based policy keys to set throttle limits on client computers. The supported way to manage registry-based policy keys is to use Group Policy to apply the registry policy settings.

The Business Connectivity Services policy settings are included in the Office14.adm file, which can be downloaded from Office 2010 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool (https://go.microsoft.com/fwlink/p/?LinkId=189316).

The following table describes the Business Connectivity Services registry-based policy keys that can be used to set throttle limits. The keys are located under HKEY_CURRENT_USER\Software\Policies\Microsoft\office\14.0\Common\Business Data.

Note

The following table lists only the main policy settings that can be used to set client throttle limits. To see the complete list of available Business Connectivity Services policy settings, refer to the Office2010GroupPolicyAndOCTSettings_Reference.xls file that is included on the following download page: Office 2010 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool (https://go.microsoft.com/fwlink/p/?LinkId=189316).

| Key | Type | Value | Description |
|---|---|---|---|
| Synchronization\Query Instances Limit | REG_DWORD | 1-32,767 | Specifies the maximum number of items that can be added to the cache by Business Connectivity Services as the result of executing a query. Some queries can return many items to be added to the cache. This increases the size of the client cache (potentially exceeding the 4-GB limit that is imposed by the Microsoft SQL Server Compact Edition database), increases the work that is required to keep the client cache synchronized, and increases the load on the external system. When the limit is reached, the processing stops. The query is marked as failed and will be retried later. The default is 2,000 items. |
| Synchronization\Query Timeout | REG_DWORD | 1-360 (minutes) | Specifies the number of minutes Business Connectivity Services will spend processing a single query. Some queries can take significant time before all results are retrieved and processed. During this time, no other operation can be processed. When the time-out is exceeded, the processing stops. The query is marked as failed and will be retried later. Typical values range from 3 to 10 minutes. The default is 5 minutes. |
| Limits\Database\Items\Max | REG_DWORD | 1-2,000,000 | Specifies the maximum number of items the database connector can return per request. Typical values range from 1,000 to 3,000 items. The default is no data limit. |
| Limits\Database\Timeout\Max | REG_DWORD | 1-75,000,000 (milliseconds) | Specifies the number of milliseconds to wait until an open database connection is terminated. Typical values range from 5,000 to 180,000 milliseconds (5 seconds to 3 minutes). The default is no time-out. |
| Limits\Wcf\Size\Max | REG_DWORD | 1-1,000,000,000 (KB) | Specifies the maximum amount of data a Web service connector can return per request. Typical values range from 512 KB to 524,288 KB (512 MB). The default is no data limit. |
| Limits\Wcf\Timeout\Max | REG_DWORD | 1-75,000,000 (milliseconds) | Specifies the number of milliseconds to wait until an open Web service connection is terminated. Typical values range from 5,000 to 180,000 milliseconds (5 seconds to 3 minutes). The default is no time-out. |
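As an added example that is not part of the original article, the following PowerShell writes the throttle policy values from the table above to a test client and reads them back so you can audit which limits are actually in effect. It assumes that the last segment of each Key entry is the registry value name and the preceding segments are subkeys under the Business Data policy key, that every value is a REG_DWORD, and that the numbers chosen (constructed sample settings) fall within the typical ranges the table lists.

```powershell
# Added example (not from the original article): apply and audit the Business Connectivity
# Services client throttle policy values described in the table above.
# Assumption: the last path segment of each Key is the value name; earlier segments are subkeys.
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\office\14.0\Common\Business Data'

# Constructed sample settings chosen from the "typical" ranges in the table.
# A policy that is absent from the registry leaves the client at the table's default
# (for the Limits\* keys that means no limit at all).
$ThrottleLimits = [ordered]@{
    'Synchronization\Query Instances Limit' = 2000     # items per query (default 2,000)
    'Synchronization\Query Timeout'         = 5        # minutes (default 5)
    'Limits\Database\Items\Max'             = 3000     # items per request (default: no limit)
    'Limits\Database\Timeout\Max'           = 180000   # milliseconds (default: no time-out)
    'Limits\Wcf\Size\Max'                   = 524288   # KB, i.e. 512 MB (default: no limit)
    'Limits\Wcf\Timeout\Max'                = 180000   # milliseconds (default: no time-out)
}

function Split-PolicyPath {
    # Splits "Limits\Wcf\Size\Max" into subkey "...\Business Data\Limits\Wcf\Size" and value "Max".
    param([string]$PolicyKey)
    $parts  = $PolicyKey.Split('\')
    $parent = $parts[0..($parts.Length - 2)] -join '\'
    [pscustomobject]@{ SubKey = (Join-Path $PolicyRoot $parent); Name = $parts[-1] }
}

function Set-BcsThrottleLimits {
    foreach ($entry in $ThrottleLimits.GetEnumerator()) {
        $target = Split-PolicyPath $entry.Key
        if (-not (Test-Path $target.SubKey)) {
            New-Item -Path $target.SubKey -Force | Out-Null
        }
        New-ItemProperty -Path $target.SubKey -Name $target.Name -Value $entry.Value `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-BcsThrottleLimits {
    # Reports each policy; Configured = $null means the client is running with the default.
    foreach ($entry in $ThrottleLimits.GetEnumerator()) {
        $target  = Split-PolicyPath $entry.Key
        $current = if (Test-Path $target.SubKey) {
            (Get-ItemProperty -Path $target.SubKey -Name $target.Name -ErrorAction SilentlyContinue).($target.Name)
        }
        [pscustomobject]@{ Policy = $entry.Key; Configured = $current; Expected = $entry.Value }
    }
}

Set-BcsThrottleLimits
Get-BcsThrottleLimits | Format-Table -AutoSize
```

Group Policy remains the supported way to deploy these settings; writing HKCU directly as above is only useful on a test client to confirm what the policy produces.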