Secure Store Service - Configuration ( SharePoint 2010 )

This blog is written for Beta release of SharePoint 2010. As of Beta, Secure Store Service is available on SharePoint 2010 but is not available on SharePoint Foundation.

Secure Store Service (SSS) adminsitration can be done through the central administration of SharePoint. Central adminstration can be started from the Start > Microsoft SharePoint 2010 Products > SharePoint 2010 Central Adminstration ( see image 1 ).

In the Central Administration page, click Manage services on server (within System Settings block ) to load the Services on Server administration. Make sure the Secure Store Service is in Started mode. If the service is not in Started mode, click on Start link for Secure Store Service. This would start the Secure Store Service.

SharePoint 2010 can host mutliple applications of  the same type within a farm. Secure Store Service is actually a Shared Service in SharePoint. In the Central Administration, click Manage service applications ( within Application Management block ) to load the service applications page. It shows all the Shared Services Application ( and Shared Services Application Proxy ) within the farm. To create a new Secure Store Application, click on New button and then select Secure Store Service ( see image ). If you have installed SharePoint in standalone mode, there should already be a Secure Store Application with the name "Secure Store Service" running.

In the Create New Secure Store Service Application dialog box, choose appropriate name for your secure store. When creating a secure store, you will need to choose a database server and database where secure store will store its information. Secure Store Service will automatically create database for secure store application . Secure Store Service supports both Windows authentication and SQL authentication for database creation. It is recommended that you use Windows authentication. When windows authentication is used, make sure the farm administrator has DB create permission on the database server.

You will also need to choose a web application pool which secure store will use to host its service. You can choose one of the existing application pools or create a new application pool. For secure store, it is recommended that you always choose a new application pool. When creating a new application pool, choose a managed account which will be the owner of the application pool. Since secure store stores confidential information, always choose a managed account which is a non-interactive account ( account that does not have login privileges ). The account that is used in secure store application pool can decrypt confidential information from secure store database, so you should be very careful in choosing the account. Click OK to create the application.

Once the secure store application has been created ( or pre-existing application with Standalone installation ), you will need to set a passphrase for the application. This done by clicking on the application link ( Central Administration > Manage service applications ). This will bring the secure store application adminstration page.

Click on "Generate New Key" to generate a new key for secure store application. Every secure store application needs a key to encrypt/decrypt the stored information in database.

When generating a new key, you will need to supply a pass phrase. Pass phrase is used by secure store to protect the key itself. Pass phrase must be atleast 8 characters long, must contain atleast one numberal, one capital alphabet and one special character. This pass phrase is not stored in the secure store, so make sure that you keep a copy of the pass phrase securely.

Now Target applications can be created on secure store. Target application is a secure store concept where the credentials of the users can be grouped together. Within target application you define what kind of information will be stored. For example, you may want to club all user connecting to CRM in one target application.

To start with, you need to define the target application. Fill the information for target application as asked by the screen. Click Next. On the next page, you can define what user information will be stored in the target application. For example, for CRM target application, we will be storing user name, password, system number, client number and language. To add a new field type, click on the "Add Field" link. At the user input time, if you want to mask any field, check the mask checkbox corresponding to the field.

Each target application can be managed by its own administrator. The next page asks you to define an administrator for the target application.

Click OK to finish the creation of the target application. At this time the target application is ready to be consumed by applications such as web-part, external list, etc.

Farm administrator ( or target application administrator ) can now set user credentials/information for this particular target application. To set the user credentials, right click on the target application ( see next image ) to bring the entry form.

The next page will ask you to enter the user credentials for CRM.

Enter the CRM credentials on this page and click OK. This would save the credentials for the Credential Owner ( jardula\usera in the above page ). Note, the credential can be retreived by any application that runs on behalf of the credential owner.

Secure Store does not display the list of the credentials owner for a target application for security reasons. So in other words, there is no way to figure out if a credential has been set for a particular credential owner through Secure Store UI.

Secure Store Service - Installation

Installation

Secure Store Service installation is done by installing SharePoint 2010. SharePoint can be installed in Standalone mode and Server Farm mode. Secure Store Service is available in both Standalone and Farm configuration.
In standalone configuration, SharePoint 2010 server is installed on one physical machine. Standalone configuration does not allow adding of new servers and thus has limited scaling. This configuration is best for development, test and demo purposes.

In server farm configuration, SharePoint 2010 server can be installed on multiple machines. Server farm configuration allows choosing separate SharePoint database server, web front ends (WFE) and backend (application servers). This configuration also allows adding web front ends and backend to the existing farm.

Requirements

The basic software requirement for SharePoint 2010 is
•    64-bit Windows Server 2008 or 64-bit Windows Server 2008 R2.
•    64-bit SQL Server 2008 or 64-bit SQL Server 2005

To get a complete list of hardware and software requirement visit http://technet.microsoft.com/en-us/library/cc262485%28office.14%29.aspx

Prerequisites Installer

SharePoint 2010 installation comes with a prerequisites installer. To execute the prerequisites installer, double click OfficeServer.exe (Beta release can be downloaded from http://sharepoint2010.microsoft.com/)
This would bring the SharePoint Server 2010 installation screen (figure 1). On the installation screen, click “Install software Prerequisites” link.

Figure 1: SharePoint Server 2010 Installation Screen

Clicking on the “Install software prerequisites” link will display the preparation tool. It displays the list of the software the prerequisites tool will install. Click on Next button.

Figure 2: Prerequisites Installer (Preparation tool)

This would bring the license agreement screen (figure 3). Agree to the license terms (by checking the checkbox) and click Next.

Figure 3: License Agreement

This would install all the perquisites for SharePoint 2010. If there is any error in installing the prerequisites, the tool will display a link to the log file (figure 4).

Figure 4: Error reporting in prerequisites installation

Once the prerequisites have been installed, actual installation of the SharePoint server can be started. Click on “Install SharePoint Server” link (figure 1). It will bring the “Product Key” screen. Enter the product key for SharePoint sever and click continue button (figure 5).

Figure 5: Screen to enter product key

Product key for Beta can be obtained from http://technet.microsoft.com/en-us/evalcenter/ee391660.aspx
Agree to the Microsoft Software License Terms in the next screen by checking the checkbox and click continue button (figure 6).

Figure 6: Agreement to software license and terms

At this time the installer will present you an option to install SharePoint in “Standalone” or “Server Farm” configuration (figure 7).

Figure 7: SharePoint Installation Configuration

Standalone Installation

To install SharePoint 2010 in standalone mode, click the Standalone button. This will start the installation (figure 8) in standalone mode. The installation process can take a while to finish depending on the machine configuration.

Figure 8: SharePoint installation in progress

When the installation is done, it gives an option to run the configuration wizard (figure 9). Configuration Wizard must be run before the SharePoint is useable. Click on Close button to continue the installation.

Figure 9: Configuration wizard

If the checkbox was unchecked and the installation did not continue, the configuration wizard can be started from the Windows Start menu (figure 10). Configuration Wizard can also be used to repair SharePoint installations.

Figure10: Starting configuration wizard

The installation will continue with configuration wizard. The first screen will be a welcome screen, click on Next button to continue.

Figure 11: Welcome screen

SharePoint configuration wizard stops few services in the installation process. It will warn about the services that will be stopped before the installation can continue. Click Yes.

Figure 12: Warning for services being stopped

NOTE: If the configuration wizard was started to repair SharePoint, make sure no one is using the SharePoint; otherwise the site will unavailable till the repair is complete.

When the configuration wizard resumes, it will complete its entire task. Depending on the machine’s configuration, wizard may take several minutes to complete.

Figure 13: Configuration Wizard Continues

At the end of the process, the wizard will display a configuration successful screen.

Figure 14: Successful Configuration

Click on the finish button. The configuration wizard will close and open the explorer to select the template for the site. Chose the template based on the requirement.

Figure 15: Template Selection

When the template has been applied for the site, SharePoint gives an option to set up groups for the newly created site.

Figure 16: Setup Groups

At this time installation and configuration of the site is complete. SharePoint will automatically redirect to the site’s home page.

Figure 17: Site Welcome

In standalone configuration a Secure Store Service is running by default and there will also be a Secure Store application running (default name for the Secure Store is “Secure Store Service”). To check Secure Store Services status, open the SharePoint central administration.

Figure 18: Central Administration

 Click on “Manager services on the server” link to check the services status (this link is within System Settings block). The “services on server” page contains the services status from where a particular service can be started or stopped. Make sure Secure Store Service is in started status (figure 19).

Figure 19: Services on SharePoint

In the standalone install, SharePoint will create a default Secure Store Service application with the name “Secure Store Service”. This application can be viewed from Central Administration page (figure 18), by clicking on “Manage service applications” (Application Management block).

Figure 20: Service Applications on SharePoint

The default Secure Store application will be in Started status.

Secure Store Service - Introduction

Secure Store Service is a shared service in SharePoint 2010 that provides functionality to store credentials [1] securely and associate the credential to a specific identity or group of identities. The main objective of the service is to help SharePoint components and/or custom web-part perform Single Sign-On (SSO)[2].

Consider a scenario where a web-part needs to authenticate with external system (such as database). Off course the web-part can ask the user credential when it loads to authenticate. Although it works fine, the user experience will not be that good. The user experience can be enhanced if the web-part stores the credential. To store the credential, web-part would need a secure storage and would have to provide functionality to manage the credential.

What happens if the user does not have access to the credentials? Instead the credentials are managed by the system administrators? How would the web-part deal with expired credentials?

A simple requirement of web-part authenticating with external system can become an extensive feature. This is where Secure Store can be utilized. SharePoint components such as Business Connectivity Services (BCS), Excel Service, Performance Point Service, Search and other services also use Secure Store to solve authentication issues with external system.

Secure Store Service replaces Microsoft Office SharePoint Server 2007 (MOSS 2007) Single Sign-On feature. The name has rightfully changed from Single Sign-On to Secure Store, as this service does not provide the Single Sign-On functionality. Secure Store is available in SharePoint 2010 and SharePoint 2010 Search however is not available in SharePoint Foundation.

Footnote
[1] Credential: An information (such as username, password) that is verified when presented to a system before the system allows access to its resources.
 
[2] Single Sign-On: A user can log in once into a system and can gain access to all systems (that he/she has access to) without being prompted to log in to all the systems.

Shared Services in SharePoint 2010

Shared Service Provider (SSP) in SharePoint 2007 has been replaced by Shared Services in SharePoint 2010. SSP in SharePoint 2007 was confusing and had its share of limitations which SharePoint 2010 seems to solve by introducing Shared Services.

Key differences between SSP and Shared Services

SSP in 2007	Shared Services in 2010
MOSS only	Available in WSS
Different services shared the same db	Services can have its own db
Internal to MOSS	Public APIs to create own Shared Services
Only one application of service	Multiple instances of service allowed
Restricted to the farm	Cross farm support

SharePoint 2010 provides the following Shared Services ( not an exhaustive list )

Access Services : Allows viewing, editing, and interacting with Access databases in a browser.
Business Connectivity Service : Provides read/write access to external data from line-of-business (LOB) systems, Web services, databases, and other external systems. Also available in SharePoint Foundation.
Managed Metadata Service : Provides access to managed taxonomy hierarchies, keywords, social tags and Content Type publishing across site collections.
Secure Store Service : Provides capability to store data (e.g. credential set) securely and associate it to a specific identity or group of identities.
State Service : Provides temporary storage of user session data for Office SharePoint Server components.
Usage and Health data collection : This service collects farm wide usage and health data and provides the ability to view various usage and health reports.
Visio Graphics Service : Enables viewing and refreshing of published Visio diagrams in a web browser.
Web Analytics Service Application : Enable rich insights into web usage patterns by processing and analyzing web analytics data .
Word Conversion Service Application : Provides a framework for performing automated document conversions

SharePoint 2010 and BDC

Very excited about BDC ( now renamed Business Data Connectivity ) in SharePoint 2010 (http://sharepoint.microsoft.com/2010/Sneak_Peek/Pages/default.aspx).

BDC Model Schema in SharePoint 2010 - http://msdn.microsoft.com/en-us/library/dd921790.aspx

Few exicting new things from BDC
- Full CRUD ( Create, Read, Update and Delete ) support (http://msdn.microsoft.com/en-us/library/dd963707.aspx)
- Support for .NET assemblies :) ( http://msdn.microsoft.com/en-us/library/dd774467.aspx )
- Now supports WCF ( http://msdn.microsoft.com/en-us/library/dd953870.aspx )

Watch for this space.

Custom Web Part using BDC Object Model

Sharepoint ( MOSS 2007 ) provides two BDC related web parts namely Business Data List Web Part and Business Data Related List Web Part. This blog will demonstrate writing custom web parts that read data through BDC APIs.

In this example a simple web part reads data from BDC APIs and displays it in web part panel. The custom web part (XBdc) is shown in the following figure.

Figure 1 : Custom web part reading data from BDC APIs

To create a custom web part, I will be using Visual Studio 2008 without Visual Studio .NET Extensions for SharePoint 3.0. If you download Visual Studio .NET Extensions for SharePoint, it will be a bit easier. Since extensions are not available ( as of March2009 ) for x64, I will create XBdc Web Part without using extensions.

First create a Visual Studio project of "Class Library" type. Lets name the project "XBdc" for extended BDC. The name is not important and can be anything. After creating the project add references to Microsoft.SharePoint.Portal.dll ( the dll can be found in %system drive%\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\ISAPI folder ).

Figure 2 : Class Library project in Visual Studio

You will also need to sign the assembly as the web part assembly will be deployed to GAC. For signing the assembly, load project properties and check the "Sign the assembly" checkbox and choose private key file.( see following figure ).

Figure 3 : Signing custom web part assembly

The goal of the web part is to display BDC entities in a DataGrid. For this we will need references to System.Data.dll and System.Web.dll in the project.

Implementation

XBdc web part class needs to inherit from
System.Web.UI.WebControls.WebParts.WebPart . There is another WebPart class in SharePoint, but it should be avoided for the reasons listed here. Also XBdc class will override
CreateChildControls and Render methods to attach DataGrid and populate it with BDC entities.

[System.Xml.Serialization.XmlRoot(Namespace = "http://jardalu/Samples")]
public class XBdc : System.Web.UI.WebControls.WebParts.WebPart
{
    protected override void CreateChildControls(){ ... }
    protected override void Render(System.Web.UI.HtmlTextWriter writer){ ... }
}

To use BDC APIs, we will need to use the following namespaces

using Microsoft.Office.Server.ApplicationRegistry.MetadataModel;
using Microsoft.Office.Server.ApplicationRegistry.Runtime;

For simplicity sake, only these two namespaces are used. For complete list of APIs please visit MSDN site. Also, to keep things simple the Entity Name/Lob System Instance Name/Entity columns is hardcoded in the code.

// hardcoded entity fields
private string[] headers = { "Id", "Name", "Contact", "Phone", "Address" };

Method LoadCustomersFromBdc() will read entities from BDC and create a DataTable that can be bounded to the DataGrid in the web part. In the method, LobSystemInstance and Entity is searched through ApplicationRegistry object. Once entity is found, the method instance of type Finder is loaded. MethodInstance is executed to get all the entity instances for the finder. Finally instances are added in the data table using EntityAsDataRow method. Please note BDC also provides EntityAsDataTable property to create the data table itself.

private DataTable LoadCustomersFromBdc()
{
    DataTable dt = new DataTable();
    foreach (string header in headers)
    {
        dt.Columns.Add(new DataColumn(header));
    }

    // hardcoded LobSystemInstance and Entity name
    LobSystemInstance lsi = ApplicationRegistry.GetLobSystemInstanceByName("CustomerLobSystemInstance");
    Entity entity = lsi.GetEntities()["Customer"];
    MethodInstance mi = entity.GetFinderMethodInstance();
    IEntityInstanceEnumerator enumerator = entity.FindFiltered(mi.GetFilters(), lsi);
    while (enumerator.MoveNext())
    {
        IEntityInstance instance = enumerator.Current;
        if (instance == null) continue;
        instance.EntityAsDataRow(dt);
    }

    return dt;
}

Its time now to create the DataGrid control and attach the control to Web Part ( see method CreateChildControls() )

protected override void CreateChildControls()
{
    this.grid = new DataGrid();
    this.grid.Width = new Unit(100, UnitType.Percentage);

    this.grid.HeaderStyle.Font.Size = 10;
    this.grid.HeaderStyle.Font.Bold = true;
    this.grid.AlternatingItemStyle.BackColor = Color.Gray;

    foreach (string header in headers)
    {
        BoundColumn column = new BoundColumn();
        column.HeaderText = header;
        column.DataField = header;
        this.grid.Columns.Add(column);
    }
    this.grid.AutoGenerateColumns = false;

    this.Controls.Add(this.grid);
    base.CreateChildControls();
}

Finally DataGrid is bond to the BDC entities

protected override void Render(System.Web.UI.HtmlTextWriter writer)
{        
    this.grid.DataSource = this.LoadCustomersFromBdc();
    this.grid.DataBind();

    this.grid.RenderControl(writer);
}

Once the custom Web Part is compiled, its time to hook it up in the SharePoint. Before hooking the XBdc Web Part, we will upload the "Customer" application definition file as the custom Web Part has hardcoded entity/lob system instance names ( see accompaning source code for model file and LOB code ).

Uploading Customer Model

1. Compile the project CustomersLob accompanying in the source code


2. GAC the assembly using gacutil tool


3. Upload the accompaning model (customer.xml) into BDC

Registering XBdc Web Part in SharePoint

1. GAC the Web Part assembly using gacutil. Please note the public key token for the assembly.


2. Locate the virtual directory for SharePoint web site ( in the IIS Manager ). Typically the virtual directory is %system drive%\INETPUB\WWROOT\WSS\80 ( assuming web site is on port 80 )


3. In the virtual directory, edit the web.config and add XBdc custom part in SafeControls section ( choose appropriate assembly and namespace ).
   

   
   <SafeControl
   Assembly="XBdcWebPart, Version=1.0.0.0, Culture=neutral, PublicKeyToken=def61931772d3147"
   Namespace="Jardalu.Samples.XBdcWebPart"
   TypeName="*" Safe="True" AllowRemoteDesigner="True" />



4. Then browse to the WebSite, and go to Site Actions -> Site Settings -> Modify All Site Settings. Under that, click on "Web Parts" under Galleries.


5. Click on "New" in the toolbar, and find the XBdc custom webpart as shown below
   


6. Check the checkbox, go to the top, click on "Populate Gallery".


7. At this time XBdc custom web part is ready to be consumed.

Source Code

Sample with complete source code can be downloaded from here.

As-is
The source code/software is provided "as-is". No claim of suitability, guarantee, or any warranty whatsoever is provided. Source Code and executable files can not be used in commercial applications.

Implementing custom SSO Provider

Single Sign-On (SSO*) is a feature in MOSS that provides storage and mapping of credentials. BDC and SSO are two different components in MOSS, however, SSO discussions in this article is tied with BDC and how SSO is used in BDC.

Following article (http://technet.microsoft.com/en-us/library/cc262932.aspx) shows how SSO can be configured in MOSS.

Limitations of SSO:

a) SSO works when MOSS is installed in domain ( SSO does not work when SharePoint is installed in Workgroup ).
b) SSO does not work when MOSS is configured in Forms Based Authentication mode ( FBA ).
c) Master key backup is allowed only on a floppy disk (A:)
d) No localization
e) No tools for bulk upload (credentials)

Fortunately, MOSS allows us to write our own "SSO" by implementing ISsoProvider interface. ISsoProvider interface is defined in Microsoft.SharePoint.SingleSignOn namespace and Microsoft.SharePoint.Portal.SingleSignOn.dll assembly ( url: http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.portal.singlesignon.issoprovider.aspx )

Implementing ISsoProvider:

Rather than iterating the implementation of the ISsoProvider, here is a walkthrough (http://msdn.microsoft.com/en-us/library/ms566925.aspx) of implementing ISsoProvider.

Registering SSO with BDC

MOSS allows only one default SSO provider ( default is SpsSsoProvider ), however BDC can work with multiple SSO providers. SSO provider for BDC is defined in BDC metadata model.

In the metadata model, register your SSO provider with the following code

<Property Name="SsoApplicationId" Type="System.String">AppId</Property>
<Property Name="SsoProviderImplementation" Type="System.String">MySsoProvider, My.SingleSignon, Version=1.0.0.0, Culture=neutral, PublicKeyToken=71e9def111e9429c</Property>

The above code assumes that your SSO provider is "MySsoProvider" and is present in "My.SingleSignOn" assembly.

Notes:
* SSO in MOSS is a misnomer. From the name, Single Sign-On, it appears that SSO will automatically log user into other systems. However, in reality, it only provides storage, retrieval and mapping of credentials. Other components ( such as BDC, Excel Services, Access Services etc. ) logs the user to other systems by retrieving user credentials from SSO.