Designing a Microsoft SharePoint 2010 Infrastructure Vol 2 part 11 pptx


MCT USE ONLY. STUDENT USE PROHIBITED
Planning a SharePoint 2010 Implementation of a Business Intelligence Strategy 11-15

• Describe the design options for BCS security.
• Explain planning options for authentication when using the Secure Store Service.
• Describe how to prevent the double-hop issue.

Overview of Business Connectivity Services

Key Points

BCS is a foundation component for data integration in SharePoint 2010. It is one of the few service applications that are included in Microsoft SharePoint Foundation 2010. The terminology for BCS is potentially confusing for those who have experience of the Office SharePoint Server 2007 Business Data Catalog (BDC). BCS is described by using the following terms and acronyms:

• Business Connectivity Services. The overall name for the service.
• Business Data Connectivity (BDC). The runtime that enables connectivity to external data sources.
• External Content Type (ECT). An entity that is consumed through BCS.
• External List. A SharePoint 2010 list that is specifically designed to deliver data from external systems.

BCS Overview

BCS is a set of features that enable you to connect through SharePoint 2010 to a range of external data sources. You can render this external content in SharePoint visualizations such as external lists or Web Parts. You can connect to data sources that include, but are not limited to:

• SQL Server databases
• SAP applications
• Web services (including Windows® Communication Foundation (WCF) Web services)
• Custom applications
• SharePoint Web sites

BCS uses a standard set of interfaces that makes it possible for both users and developers to create business applications in SharePoint 2010.

A key tool for users is Microsoft SharePoint Designer 2010, which enables them to develop solutions without writing program code. For more sophisticated development, there is Microsoft Visual Studio® 2010, with its SharePoint 2010 add-ins. SharePoint Designer 2010 is a powerful tool that you can deploy to users who need to develop and deploy business solutions. These may not be defined as BI solutions, but if the solutions are designed to help information workers to become more productive, you should treat them as BI solutions.

Note: If your design includes provision of self-service development through SharePoint Designer 2010, you should ensure that you include the use of sandboxed solutions in your development standards. A sandboxed solution runs in a separate, restricted worker process with access to only a subset of the server object model, and the resources that all sandboxed solutions in a site collection consume are capped by a quota, so a badly written or malicious solution cannot run with farm privileges or exhaust the farm.

In a broader BI context, BCS provides external data access to Microsoft Office tools such as Excel 2010. It does this through a runtime environment in which solutions that include external data are loaded, integrated, and executed in supported Office client applications and on the Web server.

Additional Reading

For more information about using SharePoint Designer 2010 with BCS, see http://go.microsoft.com/fwlink/?LinkID=200901&clcid=0x409.

For more information about sandboxed solutions, see http://go.microsoft.com/fwlink/?LinkID=201241&clcid=0x409.

Planning BCS Security

Key Points

The security architecture of BCS is primarily concerned with integrating authentication with external systems.

Authentication

BCS is designed to integrate with external data sources, which means that you must plan how the identity of the requesting user, or a credential that stands in for it, reaches the external platform. The two methods of authentication that are available in BCS are:

• Claims-based authentication
• Credentials-based authentication

Authentication of BCS Access with Claims

If you are planning for SharePoint 2010 BCS with a claims-aware data source, you may want to enable your Web application for claims-based authentication. For BCS authentication, your solution uses the SharePoint 2010 Security Token Service (STS). This service is preconfigured on a farm and authenticates users or functions, such as a Web service, to SharePoint. The service is a broker for SharePoint 2010 and supports multiple authentication providers for applications based on both ASP.NET and WCF. The process for claims-based authentication is as follows:

1. The user accesses an application that is configured for claims authentication, such as an external list. The list access triggers an authentication request.
2. The list requests a security token from the STS.
3. The STS issues a token that contains a set of claims based on the user identity, together with a target application identifier, and returns it to the list.
4. The list passes the security token to the Secure Store Service.
5. The Secure Store Service uses the claims in the token to look up the credentials that are mapped to that user for the target application, and those credentials are presented to the external data source.
6. The external source validates the credentials and, if they are acceptable, returns the data that populates the list.

Authentication of BCS Access with Credentials

BCS supports the following credential authentication options:

• Windows authentication:
  • Windows Challenge/Response (NTLM)
  • Microsoft Negotiate (Kerberos where available, otherwise NTLM)
• Authentication other than Windows:
  • Forms-based
  • Digest
  • Basic

Note: Basic authentication sends the user name and password in a reversible encoding, so use it only over SSL or IPSec.

Authentication Modes

You must ensure that application developers are aware of the options for authenticating data access from BCS. Each external system instance (the LobSystemInstance in a BDC model) carries an authentication mode, and that mode applies to every external content type that is defined on that external system. There are two methods of passing identity to the target data source:

• Pass the credentials directly to the target.
• Map the credentials to an account in the Secure Store Service.

The modes that are available include:

• PassThrough. Passes the identity of the logged-on user to the external system, which means that the user account must exist and be granted access on the target system. When the external system runs on a different server from the Web front end, the user's identity can only make that second hop if Kerberos constrained delegation is configured for the service accounts involved; with NTLM the second hop fails with an anonymous or access-denied error. This is the double-hop issue, and planning for Kerberos is how you prevent it.
• RevertToSelf. Discards the user's identity and sends the identity of the application pool account of the Web application that is making the request to the target system. Every user therefore gets the same access, and that access is the access of a privileged farm account. RevertToSelf is disabled by default on the Business Data Connectivity service application and should not be enabled in production.
• WindowsCredentials. Can be used for both external Web services and database access. It uses the Secure Store Service to map the user's identity to a set of Windows credentials that are known to the external system.
• Credentials. Can be used for external Web services. It uses the Secure Store Service to map the user's identity to a set of credentials that a source other than Windows supplies. These must be known to the target system, which uses Basic or Digest authentication.
• RdbCredentials. Can be used for external database access. It uses the Secure Store Service to map the user's identity to a set of database credentials that a source other than Windows supplies, such as a SQL Server authentication login that is known to the target database.

Because the Credentials and RdbCredentials modes send a stored user name and password to the external system on every request, you should plan to use them only with Secure Sockets Layer (SSL) or IPSec to protect the connection.

Permissions

You can associate BCS permissions for an individual account, a group account, or a claim with one or more permission levels (Edit, Execute, Selectable in Clients, and Set Permissions) on an object in the BDC metadata store. When you plan a permissions strategy, you should give specific permissions to each user or group that needs them, in accordance with the principle of least privilege: most users need only Execute on the external content types they use, and Edit and Set Permissions should be held by a small number of administrators.
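The following script is an added example written for this page; it is not part of the course material or of any Microsoft tool. It audits the authentication mode of every external system instance in a BDC model file against the points made above: PassThrough needs Kerberos delegation for a remote source, RevertToSelf exposes the application pool identity, and the three Secure Store modes must name a target application (SsoApplicationId) and should run over SSL or IPSec. The model fragment is constructed for the example; the site URL, the model name ContosoCrm, the target application name ContosoCrmSql and the account names are placeholders. The property names in the model (AuthenticationMode, SsoApplicationId, SsoProviderImplementation, DatabaseAccessProvider, RdbConnection Data Source) are the ones the SharePoint 2010 BDC schema uses.

```powershell
# Added example: audit AuthenticationMode on each LobSystemInstance of a BDC model.
# Runs offline on Windows PowerShell 2.0 or later; no farm connection is required.

function Test-BdcModelAuthentication {
    param([Parameter(Mandatory = $true)][xml]$Model)

    # PowerShell's dotted XML navigation ignores the model's default namespace,
    # so the BDC schema namespace does not have to be declared here.
    foreach ($lob in @($Model.Model.LobSystems.LobSystem)) {
        foreach ($lsi in @($lob.LobSystemInstances.LobSystemInstance)) {
            $props = @{}
            foreach ($p in @($lsi.Properties.Property)) {
                $props[$p.GetAttribute('Name')] = $p.InnerText
            }
            $mode     = $props['AuthenticationMode']
            $ssoApp   = $props['SsoApplicationId']
            $findings = @()

            switch ($mode) {
                'PassThrough' {
                    $findings += 'user identity must make a second hop: requires Kerberos constrained delegation for a remote source'
                }
                'RevertToSelf' {
                    $findings += 'RISK: all users act as the application pool account; disabled by default (RevertToSelfAllowed), do not enable in production'
                }
                'WindowsCredentials' {
                    if (-not $ssoApp) { $findings += 'ERROR: SsoApplicationId is missing' }
                }
                'Credentials' {
                    if (-not $ssoApp) { $findings += 'ERROR: SsoApplicationId is missing' }
                    $findings += 'stored credentials sent as Basic/Digest: require SSL or IPSec'
                }
                'RdbCredentials' {
                    if (-not $ssoApp) { $findings += 'ERROR: SsoApplicationId is missing' }
                    $findings += 'database login sent on the wire: require SSL or IPSec'
                }
                default {
                    $findings += 'ERROR: AuthenticationMode missing or unrecognised'
                }
            }

            New-Object PSObject -Property @{
                LobSystem          = $lob.GetAttribute('Name')
                Instance           = $lsi.GetAttribute('Name')
                AuthenticationMode = $mode
                SsoApplicationId   = $ssoApp
                Findings           = ($findings -join '; ')
            }
        }
    }
}

# Constructed sample model (assumption): one SQL external system that uses the Secure
# Store, one Web service that uses PassThrough, and one that was left on RevertToSelf.
$sampleModel = @'
<?xml version="1.0" encoding="utf-8"?>
<Model xmlns="http://schemas.microsoft.com/windows/2007/BusinessDataCatalog" Name="ContosoCrm">
  <LobSystems>
    <LobSystem Name="ContosoCrmDb" Type="Database">
      <LobSystemInstances>
        <LobSystemInstance Name="ContosoCrmDb">
          <Properties>
            <Property Name="AuthenticationMode" Type="System.String">RdbCredentials</Property>
            <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
            <Property Name="RdbConnection Data Source" Type="System.String">sql01.contoso.com</Property>
            <Property Name="SsoApplicationId" Type="System.String">ContosoCrmSql</Property>
            <Property Name="SsoProviderImplementation" Type="System.String">Microsoft.Office.SecureStoreService.Server.SecureStoreProvider, Microsoft.Office.SecureStoreService, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c</Property>
          </Properties>
        </LobSystemInstance>
      </LobSystemInstances>
    </LobSystem>
    <LobSystem Name="OrdersService" Type="Wcf">
      <LobSystemInstances>
        <LobSystemInstance Name="OrdersService">
          <Properties>
            <Property Name="AuthenticationMode" Type="System.String">PassThrough</Property>
          </Properties>
        </LobSystemInstance>
        <LobSystemInstance Name="OrdersServiceDev">
          <Properties>
            <Property Name="AuthenticationMode" Type="System.String">RevertToSelf</Property>
          </Properties>
        </LobSystemInstance>
      </LobSystemInstances>
    </LobSystem>
  </LobSystems>
</Model>
'@

Test-BdcModelAuthentication -Model ([xml]$sampleModel) |
    Select-Object LobSystem, Instance, AuthenticationMode, SsoApplicationId, Findings |
    Format-Table -AutoSize
```

To audit a real farm, export the deployed model first and run the function over the file, and check whether anyone has enabled RevertToSelf farm-wide; with the SharePoint 2010 snap-in loaded and a service context taken from any site in the farm, `Export-SPBusinessDataCatalogModel -Identity (Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Model -ServiceContext $ctx -Name "ContosoCrm") -Path C:\temp\ContosoCrm.bdcm -FileType Model` writes the model, and `(Get-SPServiceApplication | Where-Object { $_.TypeName -like "*Business Data Connectivity*" }).RevertToSelfAllowed` should report False.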
Planning Data Access Security by Using the Secure Store Service

Key Points

The Secure Store Service is a service application that holds credentials for external data sources. When a user requests external data through a BI service application, the service impersonates a stored credential set instead of forwarding the user's own identity. The mapping between BI service applications, users, and credential sets is defined by a target application: a set of metadata that lists the users who may use a credential set, together with the credential set itself. The metadata and credentials are stored in the Secure Store Service database, where the credentials are encrypted with a master key that is derived from the passphrase you supply when you generate the key. Record that passphrase as part of your backup and recovery plan, because the stored credentials cannot be recovered without it. The stored settings include:

• Administrators. This lists the target application administrators. These can be farm administrators or users to whom you delegate administrative rights for the Secure Store Service target application.

Note: PerformancePoint Services automatically configures administrators for target applications that are configured through it.

• Members. This lists users or Active Directory® directory service groups for whom the Business Intelligence service application impersonates credentials. In a Group target application every member shares the same credential set, so the list of members is also the list of people who gain that credential's access to the data source.

Note: For target applications that are configured through PerformancePoint Services, PerformancePoint Services specifies the service account that the PerformancePoint Services application pool uses as a member.

• Credentials. This lists the target application credentials, which typically consist of an Active Directory account with direct access to the data source (a target application can also hold other field types, such as a database user name and password). You must grant this account access to the data source outside SharePoint 2010, in line with the principle of least privilege: read access to the tables, views, or cubes that the reports use, and nothing more. This account is impersonated to provide data access to users.

Farm administrators can configure all of these through the Secure Store Service for Excel Services and the Visio Graphics Service. However, PerformancePoint Services is configured through the PerformancePoint Service Application Settings.

Excel Services and the Visio Graphics Service

You can design two methods for use of the Secure Store Service for Excel Services and the Visio Graphics Service:

• Specified target application. The workbook or drawing names the target application. The Secure Store Service uses the associated credentials when a user requests data access.
• No specified target application (unattended service account). Again, the workbook or drawing specifies this. However, with this option, the service uses the unattended service account credentials that are specified in the Global Settings for the service application. The unattended service account is itself held in a Secure Store Service target application.

PerformancePoint Services

PerformancePoint Services cannot specify a particular Secure Store Service target application. It uses the Secure Store Service only to hold the unattended service account.

Data Connection Files

Excel Services, the Visio Graphics Service, and PerformancePoint Services all use data connection files to specify authentication information. For Excel Services and the Visio Graphics Service, this is an Office Data Connection (ODC) file. For PerformancePoint Services, it is a PerformancePoint Services Data Connection (PPSDC) file.

Excel Services Connections

For Excel Services, you must plan and specify the ODC connection before you load the workbook. The authentication settings are:

• Integrated Windows authentication. Each user is authenticated to the data source with Integrated Windows authentication, which requires Kerberos delegation from the Excel Services application pool to the data source (the same double-hop constraint as the BCS PassThrough mode).
• Secure Store Service Identifier (SSS ID). The specific Secure Store Service target application that is used for data access.
• None. The credentials that are specified in the connection string or, if there are none, the unattended service account.

Note: You can only edit these settings by opening the workbook or ODC file in Excel 2010.

Visio Graphics Service Connections

For the Visio Graphics Service, you can use either embedded connection information or connection information in an ODC file:

• Embedded connection. Users connect to an external data source when they create the Visio drawing, which stores the connection directly in the file. When a user accesses the published drawing, the Visio Graphics Service authenticates to the data source with the unattended service account.
• ODC connection. This uses an existing ODC file that is specified in the drawing. When you publish the drawing, the Visio Graphics Service maintains the link to the ODC file and uses the connection information, including its authentication setting.
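The following script is an added example for this page, not part of the course material; it shows the Administrators, Members, and Credentials settings described above being created for a Group target application with the SharePoint 2010 Secure Store cmdlets, and then the Excel Services unattended service account being pointed at a target application by its ID. The site URL, the target application names ContosoCrmSql and ExcelUnattended, the service application name "Excel Services", the SQL login crm_reader, the contact address and the CONTOSO accounts are all placeholders for this example; the SQL login is assumed to have been granted only SELECT on the CRM tables on the database side.

```powershell
# Added example: create a Group target application (one shared credential set),
# delegate its administration, list the members who may use it, store the
# credentials, and bind Excel Services' unattended account to a target application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.contoso.com"        # assumption: any site in the farm
$ctx     = Get-SPServiceContext -Site $siteUrl

# Credentials: the fields a credential set consists of. A SQL login is a plain
# UserName plus a masked Password; use WindowsUserName/WindowsPassword for an AD account.
$fields = @(
    (New-SPSecureStoreApplicationField -Name "UserName" -Type UserName -Masked:$false),
    (New-SPSecureStoreApplicationField -Name "Password" -Type Password -Masked:$true)
)

# Group type: every member is mapped to the same stored credentials.
$targetApp = New-SPSecureStoreTargetApplication -Name "ContosoCrmSql" `
    -FriendlyName "Contoso CRM (SQL login)" `
    -ContactEmail "bi-admins@contoso.com" `
    -ApplicationType Group

# Administrators: who may change this target application (delegated, not farm admins).
# Members: the AD group whose requests are impersonated with the stored credentials.
$administrator = New-SPClaimsPrincipal -Identity "CONTOSO\bi-admin"    -IdentityType WindowsSamAccountName
$members       = New-SPClaimsPrincipal -Identity "CONTOSO\CRM Readers" -IdentityType WindowsSamAccountName

New-SPSecureStoreApplication -ServiceContext $ctx -TargetApplication $targetApp `
    -Fields $fields -Administrator $administrator -CredentialsOwnerGroup $members

# Store the shared credential set. Values are supplied in the same order as the fields;
# the password is read interactively so it never sits in the script or the history.
$app    = Get-SPSecureStoreApplication -ServiceContext $ctx -Name "ContosoCrmSql"
$values = @(
    (ConvertTo-SecureString "crm_reader" -AsPlainText -Force),
    (Read-Host -Prompt "Password for SQL login crm_reader" -AsSecureString)
)
Update-SPSecureStoreGroupCredentialMapping -Identity $app -Values $values

# Excel Services refers to its unattended service account by Secure Store target
# application ID (Global Settings > External Data). "ExcelUnattended" is assumed to be
# a Group target application with WindowsUserName/WindowsPassword fields created as above.
Set-SPExcelServiceApplication -Identity "Excel Services" -UnattendedAccountApplicationId "ExcelUnattended"

# Review: list every target application with its type and administrators so that
# delegated administration can be checked against the least-privilege plan.
Get-SPSecureStoreApplication -ServiceContext $ctx -All |
    Select-Object @{n = "Name";  e = { $_.TargetApplication.Name }},
                  @{n = "Type";  e = { $_.TargetApplication.ApplicationType }},
                  @{n = "Admins"; e = { ($_.Administrators | ForEach-Object { $_.Value }) -join ", " }} |
    Format-Table -AutoSize
```

Run the script from the SharePoint 2010 Management Shell as a farm administrator who also has the Secure Store Service application permission; the credential mapping and the unattended account binding fail otherwise. Because the target application is of type Group, adding a user to CONTOSO\CRM Readers is equivalent to granting that user the crm_reader login's access to the database, so the group's membership should be reviewed with the same care as the login's database permissions.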

Posted: 04/07/2014, 13:20
