I saw this in a code review today. The part I am wondering about is the SPWebApplication property bag to query the key for WCAM as opposed to do a clunky string SPWeb.Title comparison. Putting the keys out to standard output hasn't yielded anything particularly evident, and I'm getting frustrated with the under-the-hood, unnecessary foreach loop with a fancy shirt on (the second LINQ query against the Title property(,

Does anyone know the key for WCAM?

Related posts

• No related posts.

http://www.binarywave.com/blogs/rajesh/Lists/Posts/Post.aspx?ID=4

which for the most part is accurate. But this looked like a lot of work.

Reflecting on how a majority of the security assignment stuff happens, the AvlInc.aspx page out of the Layouts directory is the primary workhorse. While modifying such pages out of the 12 hive isn’t technically the best route in terms of surviving updates and service packs, proper noting of the customization to re-integrate back was fine for my requirement.

That being said, after you get a custom picker working ala using inheritance for requisite SimpleQueryControl, PickerDialog, EntityEditorWithPicker classes to override the abstract inherited members with your own behavior, even if you replace the default picker on the page it will not work since the page is querying for a picker with id “userPicker”. You won’t be able to simply change your custom control to this id and expect it to work because the base type casting will not be supported, thus will throw a nasty error.

The easiest way around it is to toggle the visibility of the primary, OOB picker on the page to not visible, and then create your own code behind page for the AclInv.aspx. This will allow you to interrogate the accounts in the custom picker, copy them to the OOB picker, and then submit the changes (as a note, I am only concerned with one account being in the picker at a time). Once this is done change the page to look at your custom page for it’s code behind. In order to copy the accounts, you have to override the default Validate logic since you are trying to catch the account changes on the button click. To get the control on the page, you are not going to be able to use the orthodox FindControl method, but rather have to recursively search for the control using the Page root as a starting container.

Not saying this is 100% great, but as a proof of concept is accuratish.

Related posts

• Working with SharePoint Artifacts and Team Build, Copy without Compile (0)
• Windows 7 Screencast – Taskbar, OverlayImage, ProgressBar, Thumbnails (0)
• Walkthrough of enabling CRUD for SharePoint 2010 external lists using Visual Studio 2010 (0)
• Using TFS for Mixed C#/Managed C++ SharePoint Projects (0)
• Using SSL On The TFS Application Tier (0)

There can be a single service and single farm application in place. This default is used for web applications within a given farm. All sites will have access to all of the service applications deployed within that farm. There are pros and cons to this type of scenario that need to be explored. In this type of design, all of the service applications are available for all of the web applications and all of the service applications are centrally managed. The farm resources are used efficiently and the architecture is simple to deploy.

However, the service application data can’t be isolated and departments or teams aren’t able to manage service applications independently. A single service application and a single farm is a pretty common configuration. That should be the initial set up and it works well when you want to host a variety of sites on the same farm for a given company.

This type of configuration can help you to meet goals of Optimizing resources that allow you to operate service applications on a farm and sharing content and profile data across multiple sites. They would otherwise require a process to isolate their performance so that security can be in place.

When you have a team in need of a dedicated service application, you can build an architecture that uses one or more customized groups of service applications. There are specific steps that you must take in order for this to function properly. They include:

• Deploying specific service applications for dedicated use. This can be for one or more teams of the organization.
• Make sure that the dedicated service applications aren’t part of the default group settings.
• Create at least one web application that uses a custom group of service applications. The SharePoint Administrator can choose the service applications that will be included in any customized group.

It is possible to create more than one custom service application group. Those that are deployed to be used for a specific purpose can also share the same application pool. You do have the option of deploying a separate application for each of them if you would like to do so.

It is possible for a service application group to have multiple Managed Metadata Service applications. The sites found within the web application are able to display social tagging and taxonomy. There are also other features available that come from Managed Metadata Service applications. Under this architecture, service data can be isolated and the ability to accommodate many organizational goals in the same farm. The configuration of sites for the use of a subset of service applications and teams can manage the service applications that are dedicated for their use. However, this environment is complex when it comes to configuration and management and can take a great deal of farm resources to support multiple instances of service applications and that can reduce overall performance.

An architecture that includes multiple service application groups works very well for any company that has several times that can use specific data. It is also a format that works well for partnerships. When you have multiple groups of service applications configured, it allows for teams to be able to have control over those that are isolated for their use.

Under this type of design, there are several service applications that can be deployed for dedicated use by a team. They include:

• Excel Services – Allows for the optimization of performance for a given team. It allows for sensitive data to be isolated.
• Business Data Connectivity – Teams are able to customize their own line of business data systems. They can isolate that data from the other aspects within the organization.
• Managed Metadata – Allows a team to manage their keywords, hierarchies, and taxonomy. With SharePoint 2010 the results of multiple Managed Metadata service applications are combined. They can be shared across many areas of a given organization.

It is also possible for a committed server to be leveraged, you have a server that is dedicated to being a host for service applications within an organization. There are several types of farms that can use these services from the enterprise services farm that has been implemented. When all of the service applications are remote, you will have a published content only farm. This can be deployed without any local service applications in place. All of the service applications are being consumed from a separate farm. This type of configuring works very well for published content. This reduces the efforts from administration that are required to host a farm for published content. This also allows the organization to benefit from centrally managed service applications. This is a good type of configuration to follow if your organization has profiles, search, metadata, and centrally managed resources you want to integrate. The resources within the farm for hosting the content need to be optimized. This is in place of running service applications. /p>

Extended on this concept, a combination of local and remote service applications can be used. They are optimized so the service applications can’t be shared across all of the locally hosted farms. This pertains to the client related service applications as well. All of the cross farm service applications are consumed from an enterprise service farm. Such farms are able to consume services from more than one remote farm. The Managed Metadata service comes from a specialized department farm. It is integrated with the automated management of social tagging and taxonomy for that department. When there are multiple Managed Metadata service applications in place, one of them has to be designated as the primary service application. This is what will be used for hosting the corporate taxonomy. All of the other uses of the service application are considered as secondary. They have to provide additional data to the primary service application data. When you have web parts by default then the data comes from the multiple Managed Metadata service applications.

The configuration that is recommended when optimizing the administrative and farm resources on the enterprise level for hosting services and optimizing resources on the farm level to host collaborative sites. Also, when integrating organizational wide metadata, search, profiles, and resources that are centrally managed and integrating along with the metadata that is created by a specialized team

A mix of local and remote service applications can be used for organizations that have specialized departments. This allows an architect to ensure the ability to manage service applications through automation and Ensure data is isolated. Furthermore, it also allows centralized management of the service applications and the team is able to manage its metadata from the rest of the organization. This is a best practice design when the requirements mandate ensuring that specific service data is isolated and able to be managed separately from the rest of the organization and allowing a specialized team to manage their own metadata.

There are times when you may want to deploy specialized service farms. They help to optimize farm resources for specific types of service applications. This can make it possible to scale up hardware for optimizing performance as it relates to the specific service application.

There is a primary service application that may require a dedicated farm to be used for search. This is because search has a unique performance as well as requirements for capacity. When the search service application is offloaded to a dedicated farm, those resources have to be optimized for all of the other cross farm service applications.

The service applications can be shared across any farm with cross organization farms. They aren’t limited to only the entries service farms. There are some scenarios where you may want to consider doing so. They include:

• Providing enterprise wide service applications but you won’t need a dedicated enterprise service farm
• In order to share resources across farms while avoiding duplication of service applications that have been previously deployed

Related posts

• Windows 7 Screencast – Taskbar, OverlayImage, ProgressBar, Thumbnails (0)
• Why Microsoft Data Protection Manager Will Replace Your SharePoint Tape Backups (0)
• When Best Practices Aren’t Best Practices (17)
• What is Port Scanning and What Types of Port Scans Are There? (0)
• What is ISA server, and what does it have to do with SharePoint? (0)

Configuration of trusted farms ensures all of the farms that use exchanges can trust each other. Certificates have to be exported to a file. Make sure you back up that file before you connect to any of the cross farm services. Publishing service applications must be done before you will be able to successfully share it across farms. Connecting cross farm service applications provides a connection must be made to a service that is published by a remote farm. This will require the URL to be entered of the published service. This is going to be displayed when you publish it. The connection on the local farm has to be created so that it can be connected successfully to a service application for a remote farm.

Should there be two domains where the server farms are located, the User profile service application will require both of them to trust each other. With the Business Data Connectivity and Secure Store Service the domain of the publishing farm has to trust that of the consuming farm. None of the cross farm service applications are going to work if there isn’t a trust requirement in place for the two domains.

It is possible for certain service applications to access external data sources. This occurs through the access of a delegated Windows identity that will place some additional requirements on a given environment. These types of service applications have to be in the same domain as the SharePoint Server 2010 farm. This is where the service applications are housed. The other option is for the service application to be configured using the Secure Store Service.There are plenty of different service applications that can be found across the external data. They use a delegated Window identity. This includes:

• Excel Services
• InfoPath Forms Services
• PerformancePoint Services
• Visio Services

The service applications used to access external data sources must have a delegated Windows identity. Otherwise it has to be configured for the use of the Secure Store Service. This will store and maintain the credentials of a user or a service. When service applications are used to store credentials, they have to be authenticated before the data can be accessed.

If the external data sources aren’t within the same domain then authentication for the external data sources will fail unless you use the Secure Store Service. Farm servers can be split between two different domains but the application servers have to be found in the same domain as the external data sources.

There are several service applications and products that don’t have those requirements. They include:

• Access Services
• Business Data connectivity Services
• Microsoft Business Connectivity Services
• Microsoft Project Server 2010
• Microsoft SQL Server PowerPivot for Microsoft SharePoint
• Microsoft SQL Server Reporting Services

Related posts

• PerformancePoint Security Best Practices In SharePoint 2010 – A Primer (0)
• Excel Services Security Best Practices – Common Security Settings (0)
• Excel Services Security Best Practices – Authentication And Accounts (0)
• Update to SharePoint Server 2010 for Internet Sites (0)
• SharePoint Case Study: Mining Industry SharePoint Dashboard Implementation (0)

When service applications are deployed from a farm there are a couple of different methods that can be used.
They include the use of Windows PowerShell, adding services one at a time through the Manage Service Applications page, and choosing services for running the SharePoint Products Configuration Wizard.

The infrastructure of the services has been updated so that there is more control over the types of services that have been deployed. There is also control over the types of service applications that have been shared. Only the service applications that are necessary for a farm can be deployed. The various web applications can be configured so that they only use certain service applications. This is better than them using all of the various services that have been deployed. Service applications can be shared across various web applications that are within the same farm. All of the service applications that are included in a default group will remain unless you change them. There are settings for service applications that can be created. You can add or remove service applications in that default group any time you want to.

The creation of web applications allow you to select the default group you want or to create one that is customized. If you want to customize your service applications you can do by selecting those that you want to be part of the web application. When custom groups are created in Central Administration, they can’t be used for all of your web applications. When you select custom to create a web application you will limit them to only that specific web application you happen to be using. Each of the service applications has a single Internet Information Services website. This is the default setting and you won’t be able to change it. However, you do have the option of customizing how it is configured for various application groups.

There are several characteristics of a farm that you need to be familiar with. Web applications will connect to the default group or a custom group of service applications. All of the service applications will be found within the same Internet Information Services website. Service applications are in a group as defaults or customized. However, not all of the service applications have to be placed into one of those groups. They can be used by a single web application if you wish.

It is possible for service applications to be deployed to different applications pools. This results in process isolation occurring. If you want to optimize how your farm performs then it is recommended that you deploy service applications to only one application pool. In order for that isolation to occur with a service application, you need to create a new application for the pool service application.

While creating a service application there is a connection for the service application that is being created at the same time. There is a connection that is a virtual entity for connecting to web applications. With Windows PowerShell these connections are known as proxies. A proxy will be at the end of the type description for a connection which is through the Manage Service Application in Central Administration. Some of these connections may include settings that you can modify. This includes the Managed Metadata service application, Term Store Administrators, and Default Language.

When you directly manage service applications in Central Administration you can manage and monitor them from a remote location. They can also be managed and scripted through Windows PowerShell. There are some service applications that are shared among many farms. Others though can only be shared in a singular fashion with a given farm server.

Computing intense service applications that operate within a central farm. This is done to minimize the overhead costs relating to administration. This is also to help keep everything operating efficiently, even as the requirements of the farm grow. If you use service applications to support sharing across farms, they should be controlled by a central farm. Then they can be consumed from that core location. For each of the web applications that will be configured, use service applications from different farms.

Related posts

• Use LINQ To Get Central Administration Web Applications (0)
• SharePoint MySites and Pluggable Authentication Providers (0)
• SharePoint Claims Based Authentication Architectures Explained – Part 2 – Claims Architecture Priming (1)
• Dual San’s and SharePoint Search (Solution) (0)
• Your First InfoCard WebPart (CardSpace WebPart Example) (1)

With SharePoint Server 2010 you will get a set of services that allow you to share them throughout your web applications. These are what is commonly referred to as service applications. They can be shared among farms, across various web applications, and they reduce the amount of resources it takes to provide various services.

There are many service applications included with SharePoint 2010 for you to take advantage of. They include:

• Access Services – This allows a user to view, edit, and interact as they use the Access 2010 database with a web browser.
• Business Data Connectivity Service – Allows for the line of business data systems to be accessed.
• Excel Services Application – Allows a user to view and interact with Excel 2010 files when using a web browser.
• Managed Metadata Service – This is used to manage the various hierarchies, social infrastructure, and keywords. It also allows for the publishing of the content across various collection sites.
• Microsoft SharePoint Foundation Subscription – There are multiple functions for service applications. They are used to track ID’s and settings for services that are in a given mode. They are deployed only through the Windows PowerShell.
• PerformancePoint Service Application – This allows the capabilities of PerformancePoint to be implemented.
• Search Service – Allows for the content to be crawled, indexed, and then allows for users to get results through search queries.
• Secure Store Service – This allows for authentication to occur with a single sign on for multiple services.
• State Service – This provides a storage location temporary in nature for data within the components of SharePoint Server.
• Usage and Health Data Collection Service – Wide usage and health data is collected from the farms. This allows the user to be able to view many different reports about usage and health.
• User Profile Service – This adds support for websites, profile pages, social computing features, and social tagging.
• Visio Graphics Service – This allows users to view and refresh diagrams in web browser that have been published in Visio 2010.
• Web Analysis Service – Offers interfaces for web services.
• Word Automation Services – Automated conversions of bulk documents are performed.
• Microsoft Project Server 2010 – This allows hosting for one or more of the Microsoft Project Web Access platforms. It helps to schedule functions and calculations. It also helps with the interface for all data with Microsoft Project 2010.
• Office Web Apps Services (Word View Service, PowerPoint Service, and Excel Calculation Services) – These Office Web Apps are part of Microsoft Office 2010 Suites. They are companion resources that work with Microsoft World 2010 and Microsoft OneNote 2010. They are also all stand alone applications that offer multiple platforms through a single browser. Therefore documents can be created that are the same as those made with a desktop application that corresponds with it. Associated services are used to create documents that you can view or edit with a web browser.

Related posts

• Writing Object Use to Standard Output (1)
• Working With The ASP.NET Provider Database (5)
• What is a Property Bag? (2)
• WebPart Exception Handling Standards (7)
• Using the KeywordQuery Class to Get a List of Departments (2)

With a trusted data connection library, documents are safe for users to access through .odc files. These libraries are in place to help with securing and managing the data connections for the workbooks that will be accessible on a given server that is using Excel Calculation Services. There is a list of trusted data connection libraries that are designated for specific workbooks that will be accessed. Should the date connection be linked from a workbook that is accessible with a server running Excel Calculation Services then the server will check the connection information and compare the list of trusted data connection libraries in place. As long as it is listed then the connection will be attempted with the .odc file. If not that it will be terminated.

It is possible to choose users that only have permission to view workbooks by adding them to the SharePoint Server 2010 viewers group. Another option is to create a new group which can be done when you configure View Only permissions. When users are added to such a group they will be able to open, view, interact, refresh, and recalculate workbooks. However, such users won’t be able to access the file source unless they are using Excel Services Applications. This is a type of security measure that help you to protect information. The source data will never be displayed to those users. The workbooks and workbook data objectives that are configured for View Only permissions won’t be able to be opened with Microsoft Excel 2010.The ability to configure site settings for SharePoint Server 2010 in order to control user access to workbook data through View Only permissions is a method of centrally managing those workbooks with a web browser. It is also possible to configure the settings in SharePoint Server 2010 that allows these workbooks to be refreshed as external data on a server. This process makes it easier and more secure to manage external data connections.

With Excel Calculation Services, the Excel Services Application will use the connection for an external data source. This contains everything that a server has in order to successfully connect to a data source. Elements included in this are:

• How to authenticate
• Which connection string to use
• Which query string to use
• How to collect credentials for the connection

The connections can be found either as embedded workbooks or in .odc files. The connection information is the same for both of these locations. The .odc files are smaller and they offer plain text which can be formatted to be used again. The Excel 2010 client for author and edit of the .odc files and connections can be embedded in workbooks. The Data Connection Wizard can be used to configure the settings in the Connections properties page. It is possible to export an .odc file with these settings. The Connections properties page allows for the connection information and authentication properties to be determined in Excel Services Application.

There are often links in workbooks for .odc files and then embedded into connection information. This allows the workbooks to be able to retrieve the .odc file, read information, and to connect to an external data source should the embedded connection information experience a failure. The .odc files has to be managed so that they always contain information that is current and accurate. It is possible to configure Excel Calculation Services for connecting information from the .odc file. This is done before connecting through the use of embedded information. This approach allows administrators the opportunity to deploy a set of managed .odc files that are small in size. They will be used to update connection information for various workbooks. The authors of these workbooks are able to decide which connection information that the workbook is able to use. This can be accomplished by going to open Excel 2010 and then clicking on Workbook Connections on the Data tab. A connection can be added to the workbook through Workbook Connections and then viewed through the properties of the connection that has been added. The Definition tab allows you several options, and you will select Always Use a Connection File. This is a setting that allows the workbook to retrieve a connection file from the data connection library. It can be used to connect information from a file so that it can be connected to an external source.

The presence of the data connection libraries offer a place for collections of .odc files. Administration has the ability to manage these data connections on a server. This is accomplished by creating a data connection library and .odc files that are required for workbooks to connect to a file. Workbooks can use connections directly from a data connection library. They will get updated information for a connection before they are linked with a connection to a data source again. Should the data source change then there is only one update to a .odc file for all of the workbooks connected to it to be updated when the next refresh occurs. There is also the chance to use the View Only permissions for restricting access to .odc files.

There are options for deployment to take place with workbooks that have user defined functions associated with them. Such customization allows for the ability of the Excel Calculation Services to be extended. The application has to be configured in order for such user defined functions to be applied. This type of support is configured by enabling the user defined functions located on the trusted file locations. They contain workbooks that allow access to these user defined functions. It is necessary to register user defined function assemblies.

Related posts

• PerformancePoint Security Best Practices In SharePoint 2010 – Authentication, Trusted Locations (0)
• Excel Services Security Best Practices – Common Security Settings (0)
• Excel Services Security Best Practices – Authentication And Accounts (0)
• Excel Services Security Best Practices – Trusted File Locations (0)
• Excel Services Security Best Practices – Overview Of Excel Services Security (1)

However, it is also important to point out that you can create a security issue if you have enabled subdirectories and sub sites to be trusted as soon as you create them. The Session Management section allows you to conduct configuration for settings so you can conserve your available resources. By doing so you will improve the performance and the security of Excel Calculation Services. If you have multiple users with various sessions of Excel Calculation Services open at the same time then performance will decrease. The best method for limiting this issue is to configure time out settings for sessions that are open and idle.

You can go to the Session Timeout settings to determine what intervals you wish to apply for the sessions to remain inactive before they are closed. There is the Short Session Timeout setting and the New Workbook Session Timeout. You can put information into the Maximum Request duration too. The values you place in any of these areas will help to control risk of denial of service for users. The Workbook Properties section allows you to be able to successfully configure the maximum size for workbooks, charts, or images that are opened through any Excel Calculation Services session. You want to apply such settings as performance and security can be compromised if such entities are too large. Should an application server that runs Excel Calculation Services fail or be shut down all of the open sessions on that server can be lost. If it is a standalone installation then the Excel Services Application can’t be accessed. That also means the workbooks can’t be accessed.

The External Data section allows you to determine if the workbooks will be stored in trusted file locations and then opened up in Excel Calculation Services and if they can access an external source of data. You can also decide if you want to set Allow External Data to none, trusted data connection libraries only, or trusted data connections libraries and embedded. With external data connections, they can only be accessed if they are linked from a workbook or they are embedded. Excel Calculation Services will check the list of trusted file locations before any workbook is opened. Should you select none, then the Excel Calculation Services will block attempts to access any external data source. If you want to manage data connections for several different authors then you should consider using trusted data connection libraries online. This will make it possible for all of the data connects in those workbooks to be generated by the workbook authors. They will have a trusted data connection library in place before they are able to use external data sources for access.

If you only have a few authors with workbooks then you should consider trusted data connection libraries and embedded. This will allow the authors of the workbooks to have direct connections to external data sources in their workbooks. They will have access to trusted data connection libraries even if the embedded links fail. The Warn on Refresh area of the External Data section there is the ability to decide if you want a warning to be on display before a workbook will refresh from an external data source. When you select Refresh Warning Enabled you will be able to have external data that doesn’t get refreshed automatically. Enabling the Display Granular External Data Errors gives you the option to have descriptive error messages on display. They can offer you information should you have connection problems that need fixed. This can help you with the troubleshooting aspect of the operations. You can use the Stop when Refresh on Open Fails if you want Excel Calculation Services to stop a workbook from opening up. The workbook will contain a connection that fails with Refresh on Open Data. When you select Stopping Open Enabled you will be able to have values that aren’t displayed when they are cached. Refresh on Open can be a success and if that is the case the values cached are purged. You can clear the Stop Open Enabled check box but you will risk the values in cache being displayed if Refresh on Open fails. The External Data Cache Lifetime is found in the External Data section. You have the opportunity to determine the maximum amount of time that the cached values will be available before they are considered expired.

You want to make sure you only have trusted users accessing the workbooks that are stored in the trusted locations. In order to accomplish this, make sure you enforce ACLS for all of your trusted file locations.
There are three scenarios you may consider when it comes to the deployment of the Excel Services Application with SharePoint Server 2010. They include:

• Custom
• Enterprise
• Small department

There are several guidelines that you need to take into consideration with enterprise deployment. They include:

• Never configure support for user defined functions.
• Never allow workbooks to use data embedded data connections in order to have direct access to external data sources.
• Always limit the use of data connection libraries for any external data source access that is from workbooks.
• Always restrict the size of the workbooks that are allowed to open in Excel Calculation Services.
• Be selective with the trust specific file locations.
• Never enable Trust Children for trusted sites and directories.

With a small organization you want to consider the following guidelines in regards to deployment. Always enable trust for all file location that used by any users in the department for storing workbooks. Always enable Trust Children for your trusted directories and sites. Be selective when it comes to the access users have to specific file locations if you are experiencing problems.

With a custom deployment in place there are guidelines to consider. Configure log session time outs in the settings.

• Enable Excel Calculation Services to open workbooks that are large in size.
• Create a single trusted location for your deployment.
• Don’t enable Trust Children for this specific trusted location.
• Configure large data caches.

Related posts

• Excel Services Security Best Practices – Authentication And Accounts (0)
• Excel Services Security Best Practices – Overview Of Excel Services Security (1)
• Excel Services Security Best Practices – Trusted Data Providers And Data Connections (0)
• Excel Services Security Best Practices – Common Security Settings (0)
• Update to SharePoint Server 2010 for Internet Sites (0)

It is important for the Excel Services Settings to be configured for several things. External data controls the external data connections for Excel Calculation Services. Load Balancing allows Excel Services Application sessions will be spread out across the Excel Calculation Services. Memory Utilization is the memory allocated for Excel Calculation Services. Security is where communication and web service settings are determined. The Excel Services Application is also authenticated here. Session Management maintains the sessions of behavior for the Excel Calculation Services. Workbook Cache are the settings for caching of the workbook files in memory and on disk. The use of Excel Service Settings Page can help you to configure options for a file. This access method also enables encryption for connections and methods. All of these scenarios directly affect the security of any deployment.

With impersonation you have the ability for a thread to run in the secure context. This is a good idea when you want Excel Calculation Services to authorize users to access any workbooks that have been stored in HTTP or UNC locations. This has no bearing on any workbooks that have been stored in SharePoint Server 2010 databases. Most of the server farms deploy front end web servers and Excel Calculation Services applications that run on various computers. With impersonation Kerberos delegate is restrained. When you have workbooks to open, Excel Calculation Services serves can allow that to happen from HTTP or UNC sites. However, the process account has to be used because the user account won’t be able to be impersonated.

The use of SSL for encryption for the data that will be transmitted is very important when you rely on Excel Calculation Services, data sources, client computers, or front end web servers. In order to encrypt the data while it is being transmitted, click on Connection Encryption settings and make sure it says required. If it says not required which is the default setting your data won’t be as secure as it needs to be. The Excel Calculation Services will only allow data that has been transferred between client computers and front end web servers to be done through SSL. If you don’t require encryption then you will have to configure the SSL manually. This will allow you to have encryption for the connections that occur between client computers and front end computers. However, you can have connections from front end servers and Excel Calculation Service applications that aren’t encrypted.

Related posts

• Excel Services Security Best Practices – Trusted Data Providers And Data Connections (0)
• Excel Services Security Best Practices – Authentication And Accounts (0)
• SharePoint 2010 Cross-Farm Services And External Data Sources (1)
• Excel Services Security Best Practices – Trusted File Locations (0)
• Excel Services Security Best Practices – Overview Of Excel Services Security (1)

Through claims authentication you will be able to improve security so that you can authenticate your farms, Office Business Applications, and Share Point services from various environments. With the use of Excel Service Application you can use claims based authentication for the various scenarios relating to deployment. It doesn’t matter if you are using a single server or a farm environment. Plus, the authorization and authentication of users in regards to content and resources is going to be better secured within in SharePoint Server 2010 when you have claims based authentication in place.

There can be embedded data in the workbooks that connects and links to other files. All of that information is stored in the data connection libraries. When you refresh the embedded direct data connection may be used as a method of sending a query for data to the data connection library. It can also be used to get a query to the .odc file. This contains information for the connection as well. If you want to configure the Excel Services Application to external data sources you have to choose a setting in the External Data section of the Excel Services Add Trust file Location page. This is on the SharePoint Central Administration web application.

In order to configure administrative settings for Excel Services Application you need to refer to the Manage Excel Services Authentication. The deployments of farms that are intertwined with connections are going to use SharePiont Server 2010 claims based authentication. The Excel Calculation Services will retrieve the connecting information. There are credentials in place to store or integrate the data. All of those connections have credentials that can be used with claims based authentication. The deployments can be scaled when you have multiple servers in place.

If you are talking about deployment for a standalone server, then you need to rely on claims based authentication. When you have a data connection associated with a workbook that is opened in Excel Calculation Services it is best to used stored credentials. That will result in Excel Calculation Services to retrieve the credentials it needs for validation. From there those credentials will be used to authenticate the data source. Only then will the data connection be successfully established.

There are three types of data authentication that are supported by Excel Services Applications. They include:

• Integrated Windows
• Secure Store Service
• None

It is recommended that you use Kerberos for the security configuring with Integrated Windows authentication. This is because SharePoint Server 2010 relies on a claims based authentication. All of the Excel Services Applications are also claims based. You will find that Integrated Windows authentication is exclusively in place for SharePoint Server 2010 and IIS Authentication Settings. With the use of Secure Store Service authentication a user is able to access multiple resources from various systems. They are able to do so without the need for providing their credentials to be authenticated more than once. With SharePoint 2010 the Secure Store Service includes a Window service and a database of secured credentials. The use of the plug in functions for the Secure Store Service, there is the ability to introduce the Secure Store Service provider of your choice with the Excel Services Application. It is important to note that the SharePoint Server 2010 also includes a Secure Store Service provider that is able to successfully work with Excel Services Application.

With any Secure Store Services though that you select to use with Excel Services Application, there will be credentials in place. The credential type should be in place with both Windows and other alternatives. That will allow the Excel Services Application to successfully use the Secure Store Service data base in order to authenticate before connecting and to be able to retrieve credentials. Individual mapping as well as group mapping is supported through SharePoint Server 2010. The Secure Store Service offers a set of credentials that will be used for the Application ID’s for all of the resources in the SharePoint Server 2010 Secure Store Service database.

In regards to individual mapping, there is a secure layer that will validate the credentials of a user against multiple listings for Application ID’s. This type of mapping can be useful if you need to have the log in information for an individual before they can gain access to any types of resources which are shared.

Group mapping is more commonly used though. This includes a secure layer that checks for group credentials compared to those of multiple domains. However, each user has a set of credentials that can be unique with the Application ID’s. You will find that group maps are easier to maintain than those that are individual. You will also find that you get better overall performance.

If you want to enable the Secure Store Service function for SharePoint Server 2010 you will need to create a new Secure Store Service. This takes place in the SharePoint Central Administration website.

You have the option of selecting none as the type of authentication method you would like in place as you deploy the Excel Services Application. When this occurs an inbound connection will be used to connect to the database that has been specified in the string. It is important to understand that the connection strings are passed to the database provider. They aren’t part of the Excel Services Application. When you have connection strings in place, they can specify that a requirement that has to be present is Integrated Windows Authentication. These connection strings are also able to contain the specific password and user name for a given user. When that is the case Excel Services Application will require what is equivalent to an unattended service account for the authentication method.

Should the provider of the database make the determination that the string for the connection has Integrated Windows Authentication, then the database can authorize access for that user. The connection will be established through the use of a security context relating to an unattended account.

A type of privileged account that is encrypted for security is the Unattended Service Account. This has been discussed in several other posts. The Secure Store Service for it will have credentials that are found in Excel Calculation Services. This makes it possible to replicate what has been established for a secure data connection to be completed. This is the process when the environment isn’t one which is Windows based. If the Unattended Service Account isn’t configured, then the data connection will fail. This is because the Secure Store Service can’t be authenticated from such an environment and though this method for authentication. The process of replicating the Unattended Service Account protects what is found in the SharePoint Server 2010 database.

It can’t be accessed from unauthorized connections that are using Excel Calculation Services for the task of opening external data connections. An Unattended Service Account results in external data queries operating under a low permissions account for security. This is opposed to it operating from the security of the Excel Calculation Services. It is possible to configure the Unattended Service Account as a domain account or a local computer account. It is important to make sure the configuration is the same for all of the application servers that run Excel Calculation Services. These credentials will always be cached for each workbook session. When a workbook is loaded  through the data connection using an Unattended Service Account, the account will be obtained from the Secure Store that was used. The credentials won’t be cached globally. It is possible to restrict the permissions of the Unattended Service Account so that only logging in can be accomplished on a given network.

Related posts

• Excel Services Security Best Practices – Common Security Settings (0)
• Excel Services Security Best Practices – Trusted File Locations (0)
• Excel Services Security Best Practices – Overview Of Excel Services Security (1)
• SharePoint 2010 Cross-Farm Services And External Data Sources (1)
• Secure Store Service Best Practices In SharePoint 2010 (0)