Sunday, December 20, 2009

Secure Store Service - Configuration ( SharePoint 2010 )

This blog is written for Beta release of SharePoint 2010. As of Beta, Secure Store Service is available on SharePoint 2010 but is not available on SharePoint Foundation.

Secure Store Service (SSS) adminsitration can be done through the central administration of SharePoint. Central adminstration can be started from the Start > Microsoft SharePoint 2010 Products > SharePoint 2010 Central Adminstration ( see image 1 ).

In the Central Administration page, click Manage services on server (within System Settings block ) to load the Services on Server administration. Make sure the Secure Store Service is in Started mode. If the service is not in Started mode, click on Start link for Secure Store Service. This would start the Secure Store Service.

SharePoint 2010 can host mutliple applications of  the same type within a farm. Secure Store Service is actually a Shared Service in SharePoint. In the Central Administration, click Manage service applications ( within Application Management block ) to load the service applications page. It shows all the Shared Services Application ( and Shared Services Application Proxy ) within the farm. To create a new Secure Store Application, click on New button and then select Secure Store Service ( see image ). If you have installed SharePoint in standalone mode, there should already be a Secure Store Application with the name "Secure Store Service" running.

In the Create New Secure Store Service Application dialog box, choose appropriate name for your secure store. When creating a secure store, you will need to choose a database server and database where secure store will store its information. Secure Store Service will automatically create database for secure store application . Secure Store Service supports both Windows authentication and SQL authentication for database creation. It is recommended that you use Windows authentication. When windows authentication is used, make sure the farm administrator has DB create permission on the database server.

You will also need to choose a web application pool which secure store will use to host its service. You can choose one of the existing application pools or create a new application pool. For secure store, it is recommended that you always choose a new application pool. When creating a new application pool, choose a managed account which will be the owner of the application pool. Since secure store stores confidential information, always choose a managed account which is a non-interactive account ( account that does not have login privileges ). The account that is used in secure store application pool can decrypt confidential information from secure store database, so you should be very careful in choosing the account. Click OK to create the application.

Once the secure store application has been created ( or pre-existing application with Standalone installation ), you will need to set a passphrase for the application. This done by clicking on the application link ( Central Administration > Manage service applications ). This will bring the secure store application adminstration page.

Click on "Generate New Key" to generate a new key for secure store application. Every secure store application needs a key to encrypt/decrypt the stored information in database.

When generating a new key, you will need to supply a pass phrase. Pass phrase is used by secure store to protect the key itself. Pass phrase must be atleast 8 characters long, must contain atleast one numberal, one capital alphabet and one special character. This pass phrase is not stored in the secure store, so make sure that you keep a copy of the pass phrase securely.

Now Target applications can be created on secure store. Target application is a secure store concept where the credentials of the users can be grouped together. Within target application you define what kind of information will be stored. For example, you may want to club all user connecting to CRM in one target application.

To start with, you need to define the target application. Fill the information for target application as asked by the screen. Click Next. On the next page, you can define what user information will be stored in the target application. For example, for CRM target application, we will be storing user name, password, system number, client number and language. To add a new field type, click on the "Add Field" link. At the user input time, if you want to mask any field, check the mask checkbox corresponding to the field.

Each target application can be managed by its own administrator. The next page asks you to define an administrator for the target application.

Click OK to finish the creation of the target application. At this time the target application is ready to be consumed by applications such as web-part, external list, etc.

Farm administrator ( or target application administrator ) can now set user credentials/information for this particular target application. To set the user credentials, right click on the target application ( see next image ) to bring the entry form.

The next page will ask you to enter the user credentials for CRM.

Enter the CRM credentials on this page and click OK. This would save the credentials for the Credential Owner ( jardula\usera in the above page ). Note, the credential can be retreived by any application that runs on behalf of the credential owner.

Secure Store does not display the list of the credentials owner for a target application for security reasons. So in other words, there is no way to figure out if a credential has been set for a particular credential owner through Secure Store UI.


lanry smith said...

Such a great posting about Share point. I found many solutions on Network monitoring software. You can also try this.

Anonymous said...

Great article!

Here you can find a nice blog article about SharePoint Secure Store Service used in SAP applications:

Anonymous said...

Great article!

Here you find another solution using secure store services with SAP und ERPConnect:

Anonymous said...

Hi, Thanks for such nice Post, I have created SSS with the help of this post but do not know what is next, Ex. I have web-part to display outlook web access but It is asking to login again ( I do not want to make any changes in exchange server like all window authentication ) Please help me to know how to allow web-part to get credential from SSS?

Anonymous said...

Hi, Thanks for such nice Post, I have created SSS with the help of this post but do not know what is next, Ex. I have web-part to display outlook web access but It is asking to login again ( I do not want to make any changes in exchange server like allow window authentication ) Please help me to know how to allow web-part to get credential from SSS?

Ramii said...


I was able to create secure stored service with new app pool.

when i tried to generate the key it says.

Cannot complete this action as the Secure Store Shared Service is not responding. Please contact your administrator.
In the Event Log
An exception occurred when trying to issue security token: The HTTP service located at http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc/actas is too busy

Under Local Security Policy on the Servers --> granted both “Logon as Service” and “Logon as Batch” permissions for all users
Secured Stored Services is running
(2) Also am Not able to delete previously created App pool for Secured Stored Services - it says object reference not set to an instance of an object, when tried with powershell)

(3) Also Farm administrator has DB create permission on the database server.

Appreciate if you can help.


Prologic Corporation said...

This is a good article & good site.Thank you for sharing this article. It is help us following categorize:
healthcare, e commerce, programming, multi platform,inventory management, cloud-based solutions, it consulting, retail, manufacturing, CRM, technology means, digital supply chain management, Delivering high-quality service for your business applications,
Solutions for all Industries,
Getting your applications talking is the key to better business processes,
Rapid web services solutions for real business problems,
Web-based Corporate Document Management System,
Outsourcing Solution,
Financial and Operations Business Intelligence Solution,

Our address:
2002 Timberloch Place, Suite 200
The Woodlands, TX 77380