Microsoft SharePoint Server 2013 provides the Secure Store Service (SSS) as a default feature. It replaces the Single Sign-On (SSO) service of Microsoft Office SharePoint Server 2007 for storing and mapping the credentials used to connect to third-party or back-end systems. Many companies have already developed an in-house credential storage system or use a solution other than Microsoft Secure Store Service (SSS).
The sequence of events is as follows:
- A SharePoint Server 2013 user accesses a data-connected object such as an Excel Services worksheet, Visio Services diagram, or PerformancePoint Services dashboard.
- The Business Intelligence Service Application accesses the target application specified by the object.
- If the user is a Member of that target application, the credentials stored in the target application are returned and the Business Intelligence Service Application impersonates the credentials while accessing the data.
- The data is displayed to the user within the context of the worksheet, Visio diagram, or dashboard.
A Secure Store Service (SSS) is a storage area that keeps the user IDs and passwords used mainly by SharePoint 2013/2010 service applications. To create an SSS, use the following procedure:
- Register a managed account in SharePoint Server 2013
- Start Secure Store Service
- Create Secure Store Service application
- Encryption of keys
- Create a target application and set the credentials for the target application
- Enable audit logging for Secure Store
A. Register a managed account
- Navigate to "CA" -> "Security".
- Navigate to "General Security" -> "Configure managed accounts".
- Navigate to "Managed Accounts" -> "Register Managed Account".
- In the User name box, type the name of the account.
- In the Password box, type the password for the account.
- If you want SharePoint Server 2013 to handle changing the password for the account, select the "Enable automatic password change" box and specify the password change parameters that you want to use.
- Click "OK".
PowerShell commands
# Prompt for the account password interactively rather than storing it in the script
$account = "domain\username"
$credential = Get-Credential -Credential $account
New-SPManagedAccount -Credential $credential
B. Start Secure Store Service
- Navigate to "CA" -> "System Settings" -> "Manage services on server".
- Choose the server on which the service should run by clicking the Server drop-down list, and then click "Change Server".
- Click "Start" next to Secure Store Service.
$ServiceName = "Secure Store Service"
# Find the Secure Store service instance on this server and start it without prompting
Get-SPServiceInstance -server $env:COMPUTERNAME | where-object {$_.TypeName -eq $ServiceName} | Start-SPServiceInstance -confirm:$false > $null
C. Create Secure Store Service application
- Navigate to "CA" -> "Application Management" -> "Manage service applications".
- In the Manage Service Applications page on the ribbon click "New", then click "Secure Store Service".
- In the Service Application Name box, type a name for the service application.
- In the Database Server box, type the instance of SQL Server where you want to create the Secure Store database.
- Select "Create new application pool" and type a name for the application pool in the text box.
- Select the Configurable option, and, from the drop-down list, select the account for which you created the managed account earlier.
- Click "OK".
# Application pool for the service application, run as the managed account registered in step A
$secureStoreServiceAppPool = "SecureStoreServiceAppPool"   # sample pool name; choose your own
$appPool = New-SPServiceApplicationPool -Name $secureStoreServiceAppPool -Account $account
# Create the service application; audit logging is switched on later in step F
$sssApp = New-SPSecureStoreServiceApplication -Name "Secure Store Service Application" -DatabaseServer "DatabaseServer" -DatabaseName "DatabaseName" -ApplicationPool $appPool -AuditingEnabled:$false
Start-Sleep -s 15
# Create the proxy and add it to the default proxy group so web applications can use it
$sssAppProxy = New-SPSecureStoreServiceApplicationProxy -Name "Secure Store Service Application Proxy" -ServiceApplication $sssApp -DefaultProxyGroup
Start-Sleep -s 15
D. Encryption of keys
Note: Back up the database of the Secure Store Service application before generating a new key.
- Navigate to "CA" -> "Application Management" -> "Manage service applications".
- Click on the "Secure Store Service application".
- In the Key Management group, click "Generate New Key".
- On the Generate New Key page, type a pass phrase string in the Pass Phrase box, and type the same string in the Confirm Pass Phrase box. This pass phrase is used to encrypt the Secure Store database.
- Click "OK".
# Prompt for the pass phrase rather than embedding it in the script
Update-SPSecureStoreMasterKey -ServiceApplicationProxy $sssAppProxy -Passphrase (Read-Host -Prompt "Enter the Secure Store pass phrase")
E. Create a target application and set credentials for the target application
- Navigate to "CA" -> "Application Management" -> "Manage service applications".
- Click the "Secure Store Service application".
- In the Manage Target Applications group, click "New".
- In the Target Application ID box, type a unique text string.
- In the Display Name box, type a text string that will be used to display the identifier of the target application in the user interface.
- In the Contact Email box, type the e-mail address of the primary contact for this target application.
- Target Application Page URL:
- Use the default page: Any web site that uses the target application to access external data gets an individual sign-up page that is added automatically. The URL of this page is http://<samplesite>/_layouts/SecureStoreSetCredentials.aspx?TargetAppId=<TargetApplicationID>, where "<TargetApplicationID>" is the string provided in the Target Application ID box.
- Use custom page: You provide a custom web page that lets users provide individual credentials. Provide the URL of the custom page in this field.
- None: There is no sign-up page. Individual credentials are added only by a Secure Store Service administrator who is using the Secure Store Service application.
- Target Application Type: choose the target application type: Group, for group credentials, or Individual, if each user is to be mapped to a unique set of credentials on the external data source.
- Click "Next".
- Use the Specify the credential fields for your Secure Store Target Application page to configure the various fields that may be required to provide credentials to the external data source. By default, two fields are listed: Windows User Name and Windows Password.
- By default, the type of the new field is "Generic". The following field types are available:
Field | Description
Generic | Generic values that do not fit in any of the other categories.
User Name | A user account that identifies the user.
Password | A secret word or phrase.
PIN | A personal identification number.
Key | A parameter that determines the functional output of a cryptographic algorithm or cipher.
Windows User Name | A Windows user account that identifies the user.
Windows Password | A secret word or phrase for a Windows account.
Certificate | A certificate.
Certificate Password | The password for the certificate.
- Specify the membership settings: in the Target Application Administrators field, list all users who are allowed to manage the target application settings.
- If the target application type is group, in the Members field, list the user groups to map to a set of credentials for this target application.
- Click "OK".
# Define the Windows user name credential field; -Masked:$false leaves the value visible in the UI
$UserNameField = New-SPSecureStoreApplicationField -Name "UserName" -Type WindowsUserName -Masked:$false
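The full PowerShell equivalent of step E, creating a Group-type target application and mapping its credentials, as an added example (not part of the original page; the domain, site URL, account names and target application ID are constructed placeholders):

```powershell
# Added example: create a Group-type target application and set its group credentials.
# Domain, site URL, accounts and the target application ID below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Credential fields matching the two UI defaults; the password field is masked.
$userNameField = New-SPSecureStoreApplicationField -Name "UserName" -Type WindowsUserName -Masked:$false
$passwordField = New-SPSecureStoreApplicationField -Name "Password" -Type WindowsPassword -Masked:$true
$fields = $userNameField, $passwordField

# Target application definition: ID, display name, contact e-mail and Group type.
$targetApp = New-SPSecureStoreTargetApplication -Name "ContosoBIData" `
    -FriendlyName "Contoso BI Data Source" -ContactEmail "sssadmin@contoso.local" `
    -ApplicationType Group

# Administrators of the target application, and the group mapped to the shared credentials.
$adminClaim = New-SPClaimsPrincipal -Identity "CONTOSO\sssadmin" -IdentityType WindowsSamAccountName
$groupClaim = New-SPClaimsPrincipal -Identity "CONTOSO\BI Report Readers" -IdentityType WindowsSecurityGroupName

# Service context of the site collection whose users will consume the target application.
$serviceContext = Get-SPServiceContext (Get-SPSite "http://contoso.local")

New-SPSecureStoreApplication -ServiceContext $serviceContext -TargetApplication $targetApp `
    -Fields $fields -Administrator $adminClaim -CredentialsOwnerGroup $groupClaim

# Set the group credentials. Values are SecureStrings in field order; the password is read
# interactively so it never appears in the script file or the PowerShell history.
$application = Get-SPSecureStoreApplication -ServiceContext $serviceContext -Name "ContosoBIData"
$svcUser = ConvertTo-SecureString "CONTOSO\svc_bi_datareader" -AsPlainText -Force
$svcPassword = Read-Host -Prompt "Password for CONTOSO\svc_bi_datareader" -AsSecureString
Update-SPSecureStoreGroupCredentialMapping -Identity $application -Values ($svcUser, $svcPassword)
```

The mapped account should be a dedicated low-privilege service account on the back-end data source, since every member of the mapped group reaches the data with its rights.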
F. Enable audit logging for Secure Store
- Navigate to "CA" -> "Application Management" -> "Manage service applications".
- Select the "Secure Store Service application".
- On the ribbon, click "Properties".
- From the Enable Audit section, click to select the "Audit log enabled" box.
- To change the number of days after which entries are purged from the audit log, specify a number of days in the "Days Until Purge" field. The default value is 30 days.
- Click "OK".
How to configure SSS in SP2013: http://technet.microsoft.com/en-us/library/ee806866(v=office.15).aspx