Strategize The Secure Store Service In SharePoint Server 2013

The Secure Store Service is an authorization service that runs with an application server. It provides a database that credentials can be stored in. Such credentials consist of a user identity and password. Sometimes, they also have other fields that you can choose to define for each user as well.

For example, with SharePoint Server 2013, it is possible for the Secure Store database and credentials for retrieval to be used to access external sources of data. The Secure Store Service provides support for being able to store multiple sets of credentials for various back end systems.

The following scenarios are offered through Secure Store:

  1. Excel Services Provides access to external data sources in published workbooks. This can be a substitute for passing the credentials of a user to the data source. This process will require Kerberos delegation to be configured in most instances. Excel Services also requires Secure Store for that configuration to be an unattended service account relating to data authentication.
  2. Visio Services Provides access to external data sources with published data connected diagrams. This can be a substitute for passing the credentials of a user to the data source. This process will require Kerberos delegation to be configured in most instances. Visio Services requires Secure Store for that configuration to be an unattended service account to data authentication.
  3. Performance Point Services Provides access to external data sources. Performance Point Services requires Secure Store for that configuration to be an unattended service account to data authentication.
  4. PowerPivot Requires Secure Store in order for PowerPivot workbooks to be refreshed according to a schedule.
  5. Microsoft Business Connectivity Services Able to use Secure Store for mapping the users credentials to a set of credentials for an external system. It is possible to map each user’s credentials to a unique account on the external system. The other option is to map a set of authenticated users to a single group account. With Business Connectivity Services, you can also use Secure Store to store the certificates for accessing an on premise data source via SharePoint online.
  6. SharePoint Runtime The Secure Store is used to also store credentials that are needed for communication with Azure services. Any of the user apps that require SharePoint Runtime will have a provision that they can use Azure Services.

To prepare for deploying the Secure Store Service, you will need to follow some very important guidelines:

  1. Run the Secure Store Service separately as an application pool that isn’t being used for any other services.
  2. Create the Secure Store database with a separate application server that is running SQL server. Don’t use the same SQL Server installation that you do for your databases of content.
  3. Prior to generating a new encryption key, make sure you back up the Secure Store database. You should do this as soon as you create it, and then every single time that you re-encrypt your credentials. When a new key gets generated, the credentials have to be re-encrypted. Should the key refresh fail, the credentials can be used.
  4. Don’t store the backup media for the encryption key in the same location at the backup media for the Secure Store database. When a user obtains a copy of both the database and the key, the credentials that are stored in the database can be compromised.

A target application allows for a collection of information that map users to a set of encrypted credentials. They are stored in the Secure Store database. Target applications will contain all of the following information once you have defined it:

  1. Is it an individual or group mapping?
  2. What fields will be stored in the Secure Store Database? Windows Username and Windows Password are the default but you can add extra fields in most of the applications.
  3. Which users have permission to administer the target application?
  4. What is the name of the individual or group that you are mapping credentials for?

All target applications have a unique application ID that you will define. It is used for referencing the target application from external applications. They can include SharePoint Designer and Excel Services.

Secure Store Service offers support for individual and for group mapping. With a group, every user that is a member of a specified domain group will be mapped to the same set of credentials. With individual mapping, each of the individuals will have a unique set of credentials assigned to them. Individuals mapping is used when you need login information about an individual user and their access to shared resources.

With group mapping, a security layer will map the credentials for multiple domain users. This is done against a single set of credentials. They get stored in the Secure Store database. Group mapping is easier to maintain than individual mapping. They can also offer better overall performance.

Secure Store Service offers a claims aware service for accepting security tokens. It also decrypts those tokens in order to get to the application ID. Next, it will perform the lookup. When SharePoint Sever 2013 Preview STS issues a security token, the response for authentication request is to decrypt that token and then to read the application ID value. The Secure Store Service will use the application ID to retrieve the credentials from the secure store database. These credentials will then be used to authorize access to resources.


Force Pex To Find Factories In Satellite Pex Assemblies

I am still at my client Pexing out. It’s really neat to explore this whole new framework but honestly I am starting to get a little bored writing nothing but tests, even though Pex makes it a little better.

One problem I ran into when building the tests for my client was Pex was barfing because could not a factory that was located in a satellite Pex assembly. The only way that I could seemingly get it to work was to use to copy the relevant class to the other main Pex assembly, but this is terribly because not having the ambiguous references is pretty bad.

This is fixable however through the use of the assembly level PexExplorableFromFactoriesFromType and PexExplorableFromFactoriesFromAssembly attributes which allow you to specify factory methods to use in a declarative fashion.

This looks like the following:

[assembly: PexExplorableFromFactoriesFromType(typeof(TypeWithFactoryMethod))]

Addition of the above will allow the mining of the appropriate factory methods.


Determine Referenced Assemblies and Assembly Load State

I find this approach really helpful when I am building assembly self-analysis into packages to ensure shared component load state, as well as being helpful when maintain audit logs of referenced assemblies in a SharePoint environment.

To do this, you can use the below three methods.

CompareLeftAndRightAssembly simply consumes two AssemblyName objects, doing a simple string comparison to see if the AssemblyName.FullName property is equitable. The FindAllTheReferencedAssemblies method takes an ArrayList representing the loaded assemblies using the GetReferencedAssemblies method to have a collection to iterate against. Inherently, this method uses the IsTheAssemblyLoaded method which will use the previously discussed CompareLeftAndRightAssembly method.


public static bool CompareLeftAndRightAssembly(AssemblyName asmLeft, AssemblyName asmRight)
return (((asmLeft == null) && (asmRight == null)) ||
(((asmLeft != null) && (asmRight != null)) &&
(Equals(string.Compare(asmLeft.FullName, asmRight.FullName, StringComparison.Ordinal), 0))));

public static void FindAllTheReferencedAssemblies(ArrayList loadedAssemblies)
var flag = false;
while (!flag)
flag = true;
for (var i = 0; i < loadedAssemblies.Count; i++) { var referencedAssemblies = ((Assembly)loadedAssemblies[i]).GetReferencedAssemblies(); for (var j = 0; j < referencedAssemblies.Length; j++) { if (IsTheAssemblyLoaded(loadedAssemblies, referencedAssemblies[j])) continue; flag = false; loadedAssemblies.Add(Assembly.Load(referencedAssemblies[j])); } } } } public static bool IsTheAssemblyLoaded(ArrayList loaded, AssemblyName name) { if (loaded != null) { for (var i = 0; i < loaded.Count; i++) { if (CompareLeftAndRightAssembly(((Assembly)loaded[i]).GetName(), name)) { return true; } } } return false; } [/csharp]