How to: Use Credentials from the Secure Store Service to Connect to the External System

Applies to: SharePoint Server 2010

When creating an External Content Type, you need to specify the authentication mode that SharePoint uses to connect to the external data source that the external content type is based on. In the How to: Create External Content Types topics, you used Pass-Through authentication, which is the simplest mode to set up: SharePoint connects to the external system as the identity of the end user, so the end user must have been granted access to the external system directly. However, as you saw in the How to: Use Secure Store Service to Connect to an External System topic, you might instead need to use credentials stored in the Secure Store Service to authenticate to the external data source. This topic describes how to use credentials from the Secure Store Service to connect to an external data source when creating an external content type in Microsoft SharePoint Designer.

There are two authentication modes available when you use the Secure Store Service with Microsoft Business Connectivity Services (BCS); the second has a variant for Web services and WCF endpoints:

  1. Windows Credentials (Connect with Impersonated Windows Identity): Microsoft SharePoint Server 2010 authenticates to the external system by using Windows credentials retrieved from its default Secure Store Service. Example: The back end grants access only to a Windows group account called domain\stusers. Every user who connects to this back end and is a member of the Secure Store target application's members group connects by using the domain\stusers credentials, regardless of the user's own identity.

  2. Credentials (Connect with Impersonated Custom Identity): In Credentials mode, for external systems of type database, SharePoint Server 2010 authenticates by using database credentials retrieved from its default Secure Store Service. SharePoint Server 2010 adds the database credentials to the connection string and transmits them to the database server. Example: The database grants access only to a non-Windows (SQL Server) login called stdbuser, and all users connecting to this back end connect by using the stdbuser credentials.

    In Credentials mode for Web services and WCF endpoints, SharePoint Server 2010 authenticates to the Web service or WCF endpoint by using non-Windows credentials retrieved from its default Secure Store Service. These credentials are used for basic or digest authentication, depending on the configuration of the Web services server. Basic authentication sends the user name and password base64-encoded, not encrypted, with every request, and digest authentication protects only the password; neither adequately protects the credentials on the wire. You should therefore use SSL or IPSec, or both, to secure communication between the Web services server and the server running the Business Data Connectivity (BDC) service.

Prerequisites

  • A target application for the Northwind database in the Secure Store Service.

  • Windows group account called stusers.
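The first prerequisite, the Secure Store target application for Northwind, can be created with the SharePoint 2010 Management Shell rather than through Central Administration. The following script is an added example and is not part of the original article; it assumes a Web application at http://sharepoint, a target application ID of NorthwindTA, a domain named CONTOSO, and an administrator account CONTOSO\spadmin, none of which appear in the article. It creates a group-type target application (one shared credential, used by every member of CONTOSO\stusers) and sets the Windows credential the article's walkthrough later expects.

```powershell
# Added example, not from the original article. Assumed values: the Web
# application URL http://sharepoint, target application ID NorthwindTA, domain
# CONTOSO, and administrator account CONTOSO\spadmin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$serviceContext = "http://sharepoint"
$appId          = "NorthwindTA"

# The two credential fields that the Windows Credentials mode expects.
$fields = @(
    New-SPSecureStoreApplicationField -Name "Windows User Name" -Type WindowsUserName -Masked:$false
    New-SPSecureStoreApplicationField -Name "Windows Password"  -Type WindowsPassword -Masked:$true
)

# ApplicationType Group: a single credential shared by every member of the
# CredentialsOwnerGroup, which is exactly the domain\stusers scenario above.
$targetApp = New-SPSecureStoreTargetApplication -Name $appId `
    -DisplayName "Northwind (group credential)" `
    -ContactEmail "sharepoint-admins@contoso.com" `
    -ApplicationType Group

# Who may administer the target application, and who may use its credential.
$adminClaim   = New-SPClaimsPrincipal -Identity "CONTOSO\spadmin" -IdentityType WindowsSamAccountName
$membersClaim = New-SPClaimsPrincipal -Identity "CONTOSO\stusers" -IdentityType WindowsSamAccountName

New-SPSecureStoreApplication -ServiceContext $serviceContext `
    -TargetApplication $targetApp -Fields $fields `
    -Administrator $adminClaim -CredentialsOwnerGroup $membersClaim | Out-Null

# Prompt for the password at run time so it is never embedded in the script
# or left in the shell history.
$userName = ConvertTo-SecureString "CONTOSO\stusers" -AsPlainText -Force
$password = Read-Host -AsSecureString -Prompt "Password for CONTOSO\stusers"

$app = Get-SPSecureStoreApplication -ServiceContext $serviceContext -Name $appId
Update-SPSecureStoreGroupCredentialMapping -Identity $app -Values @($userName, $password)

# Check: the target application exists and is of type Group.
$app = Get-SPSecureStoreApplication -ServiceContext $serviceContext -Name $appId
$app.TargetApplication | Format-List Name, ApplicationType
```

Two points to keep in mind with a group target application: membership in CONTOSO\stusers here controls who is allowed to use the stored credential, not what the back end grants, and because every request reaches SQL Server as CONTOSO\stusers, the database's own auditing cannot distinguish individual SharePoint users. If per-user accountability on the back end matters, use an individual-type target application instead.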

To Create a New External Content Type Using Credentials from the Secure Store

  • Follow the steps outlined in How to: Create an External Content Type Based on a SQL Server Table to create a Customer external content type from the Northwind database, except, to add a connection to the External Data Source, do the following additional steps:

    1. Select the existing connection to Northwind in the Data Source Explorer, and then click Remove Connection. This removes the old connection.

    2. Click Add a Connection. Enter the Microsoft SQL Server name and the database name.

    3. Then, instead of accepting the default Connect with User's Identity, select Connect with Impersonated Windows Identity and enter the target application ID for Northwind in the Secure Store Application ID field, as shown in the screenshot below. Click OK. You will be prompted to provide the domain\stusers credentials. Business Connectivity Services stores these credentials in Windows Credential Manager on the client and looks them up when needed in the future without prompting you again.

      (Screenshot: SQL Server connection properties dialog box)

    4. Follow the rest of the steps as outlined in How to: Create an External Content Type Based on a SQL Server Table to create the Customer external content type.

To Modify an Existing External Content Type to Use Credentials from Secure Store

  1. Launch SharePoint Designer, and then open the SharePoint site that contains the external content type.

  2. In SharePoint Designer, click External Content Types on the left navigation. This displays all external content types that are defined in that site's service application's BDC metadata store. Select the Customer external content type.

  3. On the ribbon, click Edit Connection Properties. This displays the Connection Properties dialog box.

  4. Select Impersonate Windows Identity from the authentication mode drop-down list and enter the target application ID for Northwind in the Secure Store Application ID field. These settings apply only on the server. To use the Secure Store Service from the client (for example, from Microsoft Outlook or SharePoint Workspace), click the Client tab in the Connection Properties dialog box, again select Impersonate Windows Identity from the authentication mode drop-down list, and enter the target application ID for Northwind in the Secure Store Application ID field. Note that you need to make the same changes on the Search tab for the external data to be crawled with the Secure Store credentials.

  5. Click OK to save the changes. You will be prompted to provide the domain\stusers credentials. Business Connectivity Services stores these credentials in Windows Credential Manager on the client and looks them up when needed in the future without prompting you again.

  6. If the external data source uses non-Windows credentials, select RdbCredentials (for databases) or Credentials (for WCF and Web services) from the authentication mode drop-down list instead. The remaining steps are identical.
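The server-side change made in steps 3 through 5 amounts to setting three properties on the external system's LobSystemInstance in the BDC metadata store: AuthenticationMode, SsoApplicationId and SsoProviderImplementation. The following script is an added example and is not part of the original article; it reads those properties for an existing external system and sets them to Windows Credentials mode from the SharePoint 2010 Management Shell. It assumes a Web application at http://sharepoint, a LobSystemInstance named Northwind, and a target application ID of NorthwindTA (none of which the article states), and it assumes that the Administration object model's Properties collection can be indexed by property name. Only the server settings are covered; the Client and Search tab settings from step 4 must still be made in SharePoint Designer.

```powershell
# Added example, not from the original article. Assumed values: the Web
# application URL http://sharepoint, LobSystemInstance name Northwind, and
# target application ID NorthwindTA.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$serviceContext = "http://sharepoint"
$instanceName   = "Northwind"
$appId          = "NorthwindTA"

# Provider that BCS uses to resolve SsoApplicationId against the Secure Store Service.
$ssoProvider = "Microsoft.Office.SecureStoreService.Server.SecureStoreProvider, " +
               "Microsoft.Office.SecureStoreService, Version=14.0.0.0, " +
               "Culture=neutral, PublicKeyToken=71e9bce111e9429c"

# Assumption: Properties is indexable by name and yields either the raw value
# or a Property object with a Value member; handle both.
function Get-LsiProperty($lsi, [string]$name) {
    $p = $lsi.Properties[$name]
    if ($p -and $p.PSObject.Properties['Value']) { return $p.Value }
    return $p
}

function Get-Lsi {
    Get-SPBusinessDataCatalogMetadataObject -BdcObjectType LobSystemInstance `
        -ServiceContext $serviceContext -Name $instanceName
}

$lsi = Get-Lsi
if (-not $lsi) { throw "LobSystemInstance '$instanceName' not found in the BDC metadata store." }

# PassThrough is what the earlier walkthrough produced; confirm before changing it.
"Current AuthenticationMode: $(Get-LsiProperty $lsi 'AuthenticationMode')"

$wanted = @{
    "AuthenticationMode"        = "WindowsCredentials"
    "SsoApplicationId"          = $appId
    "SsoProviderImplementation" = $ssoProvider
}
foreach ($name in $wanted.Keys) {
    Set-SPBusinessDataCatalogMetadataObject -Identity $lsi `
        -PropertyName $name -PropertyValue $wanted[$name]
}

# Re-read and confirm the three properties that make Secure Store the credential source.
$lsi = Get-Lsi
foreach ($name in $wanted.Keys) {
    "{0,-26} = {1}" -f $name, (Get-LsiProperty $lsi $name)
}
```

For a database that uses a SQL login rather than a Windows account, the same script applies with AuthenticationMode set to RdbCredentials and a target application whose fields are of type UserName and Password instead of WindowsUserName and WindowsPassword; for Web services and WCF endpoints the mode is Credentials.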