Sunday, December 20, 2009

Secure Store Service - Configuration ( SharePoint 2010 )

This blog is written for Beta release of SharePoint 2010. As of Beta, Secure Store Service is available on SharePoint 2010 but is not available on SharePoint Foundation.

Secure Store Service (SSS) adminsitration can be done through the central administration of SharePoint. Central adminstration can be started from the Start > Microsoft SharePoint 2010 Products > SharePoint 2010 Central Adminstration ( see image 1 ).

In the Central Administration page, click Manage services on server (within System Settings block ) to load the Services on Server administration. Make sure the Secure Store Service is in Started mode. If the service is not in Started mode, click on Start link for Secure Store Service. This would start the Secure Store Service.

SharePoint 2010 can host mutliple applications of  the same type within a farm. Secure Store Service is actually a Shared Service in SharePoint. In the Central Administration, click Manage service applications ( within Application Management block ) to load the service applications page. It shows all the Shared Services Application ( and Shared Services Application Proxy ) within the farm. To create a new Secure Store Application, click on New button and then select Secure Store Service ( see image ). If you have installed SharePoint in standalone mode, there should already be a Secure Store Application with the name "Secure Store Service" running.

In the Create New Secure Store Service Application dialog box, choose appropriate name for your secure store. When creating a secure store, you will need to choose a database server and database where secure store will store its information. Secure Store Service will automatically create database for secure store application . Secure Store Service supports both Windows authentication and SQL authentication for database creation. It is recommended that you use Windows authentication. When windows authentication is used, make sure the farm administrator has DB create permission on the database server.

You will also need to choose a web application pool which secure store will use to host its service. You can choose one of the existing application pools or create a new application pool. For secure store, it is recommended that you always choose a new application pool. When creating a new application pool, choose a managed account which will be the owner of the application pool. Since secure store stores confidential information, always choose a managed account which is a non-interactive account ( account that does not have login privileges ). The account that is used in secure store application pool can decrypt confidential information from secure store database, so you should be very careful in choosing the account. Click OK to create the application.

Once the secure store application has been created ( or pre-existing application with Standalone installation ), you will need to set a passphrase for the application. This done by clicking on the application link ( Central Administration > Manage service applications ). This will bring the secure store application adminstration page.

Click on "Generate New Key" to generate a new key for secure store application. Every secure store application needs a key to encrypt/decrypt the stored information in database.

When generating a new key, you will need to supply a pass phrase. Pass phrase is used by secure store to protect the key itself. Pass phrase must be atleast 8 characters long, must contain atleast one numberal, one capital alphabet and one special character. This pass phrase is not stored in the secure store, so make sure that you keep a copy of the pass phrase securely.

Now Target applications can be created on secure store. Target application is a secure store concept where the credentials of the users can be grouped together. Within target application you define what kind of information will be stored. For example, you may want to club all user connecting to CRM in one target application.

To start with, you need to define the target application. Fill the information for target application as asked by the screen. Click Next. On the next page, you can define what user information will be stored in the target application. For example, for CRM target application, we will be storing user name, password, system number, client number and language. To add a new field type, click on the "Add Field" link. At the user input time, if you want to mask any field, check the mask checkbox corresponding to the field.

Each target application can be managed by its own administrator. The next page asks you to define an administrator for the target application.

Click OK to finish the creation of the target application. At this time the target application is ready to be consumed by applications such as web-part, external list, etc.

Farm administrator ( or target application administrator ) can now set user credentials/information for this particular target application. To set the user credentials, right click on the target application ( see next image ) to bring the entry form.

The next page will ask you to enter the user credentials for CRM.

Enter the CRM credentials on this page and click OK. This would save the credentials for the Credential Owner ( jardula\usera in the above page ). Note, the credential can be retreived by any application that runs on behalf of the credential owner.

Secure Store does not display the list of the credentials owner for a target application for security reasons. So in other words, there is no way to figure out if a credential has been set for a particular credential owner through Secure Store UI.

Tuesday, December 15, 2009

Secure Store Service - Installation


Secure Store Service installation is done by installing SharePoint 2010. SharePoint can be installed in Standalone mode and Server Farm mode. Secure Store Service is available in both Standalone and Farm configuration.
In standalone configuration, SharePoint 2010 server is installed on one physical machine. Standalone configuration does not allow adding of new servers and thus has limited scaling. This configuration is best for development, test and demo purposes.

In server farm configuration, SharePoint 2010 server can be installed on multiple machines. Server farm configuration allows choosing separate SharePoint database server, web front ends (WFE) and backend (application servers). This configuration also allows adding web front ends and backend to the existing farm.


The basic software requirement for SharePoint 2010 is
•    64-bit Windows Server 2008 or 64-bit Windows Server 2008 R2.
•    64-bit SQL Server 2008 or 64-bit SQL Server 2005

To get a complete list of hardware and software requirement visit

Prerequisites Installer

SharePoint 2010 installation comes with a prerequisites installer. To execute the prerequisites installer, double click OfficeServer.exe (Beta release can be downloaded from
This would bring the SharePoint Server 2010 installation screen (figure 1). On the installation screen, click “Install software Prerequisites” link.

Figure 1: SharePoint Server 2010 Installation Screen

Clicking on the “Install software prerequisites” link will display the preparation tool. It displays the list of the software the prerequisites tool will install. Click on Next button.

Figure 2: Prerequisites Installer (Preparation tool)

This would bring the license agreement screen (figure 3). Agree to the license terms (by checking the checkbox) and click Next.

Figure 3: License Agreement

This would install all the perquisites for SharePoint 2010. If there is any error in installing the prerequisites, the tool will display a link to the log file (figure 4).

Figure 4: Error reporting in prerequisites installation

Once the prerequisites have been installed, actual installation of the SharePoint server can be started. Click on “Install SharePoint Server” link (figure 1). It will bring the “Product Key” screen. Enter the product key for SharePoint sever and click continue button (figure 5).

Figure 5: Screen to enter product key

Product key for Beta can be obtained from
Agree to the Microsoft Software License Terms in the next screen by checking the checkbox and click continue button (figure 6).

Figure 6: Agreement to software license and terms

At this time the installer will present you an option to install SharePoint in “Standalone” or “Server Farm” configuration (figure 7).

Figure 7: SharePoint Installation Configuration

Standalone Installation

To install SharePoint 2010 in standalone mode, click the Standalone button. This will start the installation (figure 8) in standalone mode. The installation process can take a while to finish depending on the machine configuration.

Figure 8: SharePoint installation in progress

When the installation is done, it gives an option to run the configuration wizard (figure 9). Configuration Wizard must be run before the SharePoint is useable. Click on Close button to continue the installation.

Figure 9: Configuration wizard

If the checkbox was unchecked and the installation did not continue, the configuration wizard can be started from the Windows Start menu (figure 10). Configuration Wizard can also be used to repair SharePoint installations.

Figure10: Starting configuration wizard

The installation will continue with configuration wizard. The first screen will be a welcome screen, click on Next button to continue.

Figure 11: Welcome screen

SharePoint configuration wizard stops few services in the installation process. It will warn about the services that will be stopped before the installation can continue. Click Yes.

Figure 12: Warning for services being stopped

NOTE: If the configuration wizard was started to repair SharePoint, make sure no one is using the SharePoint; otherwise the site will unavailable till the repair is complete.

When the configuration wizard resumes, it will complete its entire task. Depending on the machine’s configuration, wizard may take several minutes to complete.

Figure 13: Configuration Wizard Continues

At the end of the process, the wizard will display a configuration successful screen.

Figure 14: Successful Configuration

Click on the finish button. The configuration wizard will close and open the explorer to select the template for the site. Chose the template based on the requirement.

Figure 15: Template Selection

When the template has been applied for the site, SharePoint gives an option to set up groups for the newly created site.

Figure 16: Setup Groups

At this time installation and configuration of the site is complete. SharePoint will automatically redirect to the site’s home page.

Figure 17: Site Welcome

In standalone configuration a Secure Store Service is running by default and there will also be a Secure Store application running (default name for the Secure Store is “Secure Store Service”). To check Secure Store Services status, open the SharePoint central administration.

Figure 18: Central Administration

 Click on “Manager services on the server” link to check the services status (this link is within System Settings block). The “services on server” page contains the services status from where a particular service can be started or stopped. Make sure Secure Store Service is in started status (figure 19).

Figure 19: Services on SharePoint

In the standalone install, SharePoint will create a default Secure Store Service application with the name “Secure Store Service”. This application can be viewed from Central Administration page (figure 18), by clicking on “Manage service applications” (Application Management block).

Figure 20: Service Applications on SharePoint

The default Secure Store application will be in Started status.

Thursday, December 10, 2009

Secure Store Service - Introduction

Secure Store Service is a shared service in SharePoint 2010 that provides functionality to store credentials [1] securely and associate the credential to a specific identity or group of identities. The main objective of the service is to help SharePoint components and/or custom web-part perform Single Sign-On (SSO)[2].

Consider a scenario where a web-part needs to authenticate with external system (such as database). Off course the web-part can ask the user credential when it loads to authenticate. Although it works fine, the user experience will not be that good. The user experience can be enhanced if the web-part stores the credential. To store the credential, web-part would need a secure storage and would have to provide functionality to manage the credential.

What happens if the user does not have access to the credentials? Instead the credentials are managed by the system administrators? How would the web-part deal with expired credentials?

A simple requirement of web-part authenticating with external system can become an extensive feature. This is where Secure Store can be utilized. SharePoint components such as Business Connectivity Services (BCS), Excel Service, Performance Point Service, Search and other services also use Secure Store to solve authentication issues with external system.

Secure Store Service replaces Microsoft Office SharePoint Server 2007 (MOSS 2007) Single Sign-On feature. The name has rightfully changed from Single Sign-On to Secure Store, as this service does not provide the Single Sign-On functionality. Secure Store is available in SharePoint 2010 and SharePoint 2010 Search however is not available in SharePoint Foundation.

[1] Credential: An information (such as username, password) that is verified when presented to a system before the system allows access to its resources.
[2] Single Sign-On: A user can log in once into a system and can gain access to all systems (that he/she has access to) without being prompted to log in to all the systems.