Secure Store Service Best Practices In SharePoint 2010

With Microsoft SharePoint Server 2010 the legacy single sign-on feature has been replaced by the Secure Store Service (SSS), which provides a claims-aware authorization service. It includes a secure database for storing the credentials associated with any given application identification.

The application identification can be used to authorize access to external data sources. As you learn how to prepare the Secure Store Service and how its application IDs, credential mapping, and claims authentication work, you will quickly realize how valuable it is.

The Secure Store Service runs on an application server in the SharePoint server farm and performs authorization there. It provides a database in which credentials are stored securely, with access protected by password and identity verification of the user. In SharePoint Server 2010 this Secure Store database is used to store and retrieve the credentials needed to access external data sources. The Secure Store Service also supports storing credentials for multiple back-end systems, each with its own application ID.

There are some very important issues to take into consideration when preparing to implement the Secure Store Service. Run the Secure Store Service in an application pool that isn't used for any other service; this is both a logical and a technical constraint. Create the Secure Store Service database on a SQL Server instance, but not the same instance that hosts your content database. Back up the Secure Store Service database before you generate a new encryption key, and also right after the database is created. Each time you create a new key, the stored credentials are re-encrypted with it. If the key refresh fails, the stored credentials can become inaccessible. Never store the backup media for the encryption key in the same location as the backup of the Secure Store Service database. This additional layer of protection prevents an unauthorized user who obtains one backup from compromising the stored credentials.

Each Secure Store Service entry has an application ID, which is used to retrieve a given set of credentials from the Secure Store database. Permissions can be set on each application ID to restrict which users or groups can access the credentials stored under it, and the application ID is used when retrieving a given data source. Application IDs are also used to map users to sets of credentials, and mapping can be configured for individuals or for groups. With individual mapping, each user has their own set of credentials that differs from everyone else's. With group mapping, every user who belongs to the group is mapped to the same credentials.

Both individual and group mappings need to be considered. The Secure Store Service supports both, maintaining credentials for the application IDs of the resources stored in the Secure Store database. With individual mapping, a user's own credentials for the application are retrieved through the application ID; this is useful when a user logs in with information that personally identifies them. With group mapping, the service checks the credentials of the group: it matches multiple domain users against a single set of credentials stored in the Secure Store database for the application ID. Group mapping is easier to maintain than individual mappings, so keep that in mind if you are after optimal performance.
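The preparation steps and the mapping model described above, carried through in the SharePoint 2010 Management Shell, as an added example that is not part of the original article. Every name in it is an assumption: the application pool "SSS-AppPool", the separate database server "SQLSSS01", the site https://intranet.contoso.local, the administrators group CONTOSO\sssadmins, the mapped group CONTOSO\SalesUsers, the backup share, and the placeholder passphrase. The cmdlets themselves are the standard SharePoint 2010 Secure Store cmdlets.

```powershell
# Added example (not from the original article). Assumes the SharePoint 2010
# Management Shell run as a farm administrator; all names below are placeholders.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Create the Secure Store service application in its own application pool,
#    with its database on a SQL Server instance that holds no content databases.
$sss = New-SPSecureStoreServiceApplication -Name "Secure Store Service" `
    -ApplicationPool "SSS-AppPool" `
    -DatabaseServer "SQLSSS01" `
    -DatabaseName "SecureStoreDB" `
    -AuditingEnabled
$proxy = New-SPSecureStoreServiceApplicationProxy -Name "Secure Store Service Proxy" `
    -ServiceApplication $sss -DefaultProxyGroup

# 2. Back up the Secure Store database right after creation and again before
#    generating or refreshing a key. The -Item node path is a placeholder; take
#    the real one from Backup-SPFarm -ShowTree.
Backup-SPFarm -Directory "\\backup01\sp\secure-store" -BackupMethod Full `
    -Item "Farm\Shared Services\Shared Services Applications\Secure Store Service"

# 3. Generate the master key. Stored credentials are re-encrypted with it, so
#    the passphrase (and any key backup) must live apart from the database backups.
Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy -Passphrase "<passphrase-placeholder>"

# 4. Define a target application (application ID) with group mapping: every
#    member of CONTOSO\SalesUsers retrieves the same back-end credential.
$ctx  = Get-SPServiceContext -Site "https://intranet.contoso.local"
$user = New-SPSecureStoreApplicationField -Name "UserName" -Type UserName -Masked:$false
$pass = New-SPSecureStoreApplicationField -Name "Password" -Type Password -Masked:$true
$target = New-SPSecureStoreTargetApplication -Name "SalesDB" `
    -FriendlyName "Sales database credential" -ApplicationType Group
$admin   = New-SPClaimsPrincipal -Identity "CONTOSO\sssadmins"  -IdentityType WindowsSamAccountName
$members = New-SPClaimsPrincipal -Identity "CONTOSO\SalesUsers" -IdentityType WindowsSamAccountName
$app = New-SPSecureStoreApplication -ServiceContext $ctx -TargetApplication $target `
    -Fields $user, $pass -Administrator $admin -CredentialsOwnerGroup $members

# 5. Store the shared credential for the group. Read-Host -AsSecureString keeps
#    the back-end password out of the shell history.
$creds = @(
    (ConvertTo-SecureString "svc_sales" -AsPlainText -Force),
    (Read-Host "Back-end password for svc_sales" -AsSecureString)
)
Update-SPSecureStoreGroupCredentialMapping -Identity $app -Values $creds

# For individual mapping, create the target with -ApplicationType Individual and
# set one mapping per principal instead, e.g.
#   Update-SPSecureStoreCredentialMapping -Identity $app -Principal $onePrincipal -Values $creds
```

The order matters: the backup in step 2 is what makes step 3 recoverable, since a failed key refresh leaves existing credential mappings unreadable. Group mapping keeps one secret per back-end system; individual mapping multiplies the number of secrets to rotate by the number of users.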

Claims authentication can occur within the Secure Store Service, which accepts security tokens, decrypts the encrypted application ID they carry, and then looks up the information needed to verify authentication. The SharePoint Server Security Token Service creates a token in response to an authentication request. The Secure Store Service decrypts the token so that it can read the application ID value, uses that application ID to retrieve the credentials from the Secure Store database, and those credentials are then used to authorize access to the resources offered.


SharePoint Security And Authentication Part 4 Choosing The Right Authentication Strategy

When designing an authentication strategy for SharePoint 2010, there are guidelines to be aware of for the authentication process in SharePoint Server 2010, so let's get down to it. Authentication is configured per web application. A server farm may host sites for many organizations, but authentication is configured individually for each of them. A web application in SharePoint Server 2010 can be configured with up to five different authentication methods. Internal employees can be authenticated through one of the standard Windows methods. When a partner organization is involved, its employees can be authenticated against the identity management system already in place at that organization.

To configure a web application so that it can be accessed through two or more authentication systems, additional zones must be configured for the web application. Each zone represents a different path for accessing the same application. Typically the employees of a partner company access the application over the internet, while internal employees do so over the intranet. The zone type is a category used for naming purposes; it does not affect the configuration of the zone itself. Once you have extended the web application, you can configure a new authentication method for that zone. The default zone should be used only by internal employees, and partner access can be provided by configuring the internet zone for forms-based authentication.

If you are planning to implement more than one authentication method for a web application, you will need to plan how to create those zones. There are some best practices to follow. Use the default zone to implement your most secure authentication settings: if a request cannot be associated with a given zone, the settings and security policies of the default zone apply. The default zone is created when you first initialize the web application, and since the secure authentication settings are meant for end-user access, end users are the ones most likely to be accessing the default zone. Use the smallest number of zones that the application requires. Each zone is associated with a new IIS site and domain that users go through when accessing the web application, so add new access points only when they are required. For content from the web application to appear in search results, make sure at least one zone is configured with NTLM authentication, because the crawler uses that zone to index the content. Create a dedicated zone for indexing only if it is necessary.
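The zone layout described above (an NTLM default zone for internal users, plus an Internet zone extended onto the same web application with forms-based authentication over SSL for partners), as an added example that is not part of the original article. It assumes the SharePoint 2010 Management Shell and placeholder names: the managed account CONTOSO\spapp, the host names intranet.contoso.local and partners.contoso.com, and an ASP.NET membership provider "PartnerMembers" and role provider "PartnerRoles" that have already been registered in the web.config of the extended zone. The cmdlets are the standard SharePoint 2010 web application cmdlets.

```powershell
# Added example (not from the original article). Assumes the SharePoint 2010
# Management Shell run as a farm administrator; all names below are placeholders.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Default zone: created with the web application itself, kept on integrated
# Windows authentication (NTLM). This also satisfies the crawler's need for at
# least one NTLM zone, so no separate indexing zone is added.
$windowsAuth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$account     = Get-SPManagedAccount "CONTOSO\spapp"

$webApp = New-SPWebApplication -Name "Intranet" `
    -ApplicationPool "IntranetAppPool" -ApplicationPoolAccount $account `
    -Url "https://intranet.contoso.local" -Port 443 -SecureSocketsLayer `
    -HostHeader "intranet.contoso.local" `
    -AuthenticationProvider $windowsAuth `
    -DatabaseName "WSS_Content_Intranet"

# Internet zone: a second access path to the same content, on its own IIS site,
# using forms-based authentication against the partner providers. SSL is
# required here because forms-based logins otherwise travel in clear text.
$fbaAuth = New-SPAuthenticationProvider `
    -ASPNETMembershipProvider "PartnerMembers" `
    -ASPNETRoleProviderName "PartnerRoles"

New-SPWebApplicationExtension -Identity $webApp -Name "Partner Extranet" `
    -Zone Internet -Url "https://partners.contoso.com" -Port 443 -SecureSocketsLayer `
    -HostHeader "partners.contoso.com" -AuthenticationProvider $fbaAuth

# Review which zone uses which provider before handing the URLs out.
$webApp = Get-SPWebApplication "https://intranet.contoso.local"
foreach ($entry in $webApp.IisSettings.GetEnumerator()) {
    $providers = ($entry.Value.ClaimsAuthenticationProviders |
        ForEach-Object { $_.DisplayName }) -join ", "
    "{0,-10} {1}" -f $entry.Key, $providers
}
```

Keeping partner access off the default zone means a request that cannot be matched to a zone falls back to the Windows-authenticated settings rather than the partner-facing ones, which is the behaviour the planning guidance above relies on.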

When planning which authentication methods to use, there are several things to consider: ensure that the methods are compatible with the browsers your users will be using, understand the methods used to manage your user accounts, understand how user credentials and identities are cached in SharePoint Server 2010, evaluate the pros and cons of each available authentication method, and evaluate the security of the web applications to be used in SharePoint Server 2010.

Security should be a major factor when you evaluate authentication methods for your applications. There are some common security environments to consider. External anonymous implementations allow some access without authentication, but that permission is read-only, with no ability to modify content; authentication can then be used to allow access to specific materials. External secure collaboration requires configuring a separate zone for each partner organization that connects to the site, so that a user who is no longer employed by the partner cannot continue accessing the application. Intranet implementations are used to protect user credentials from being exposed in plain sight.

Certain authentication methods offer significant advantages, but each also comes with tradeoffs, and exploring both sides will help you determine which ones are best for your organization. The advantage of claims is that the security token carries a collection of claims that determine whether the user has permission to access the network. These claims can include a user name, password, role, or employee ID, all of which can determine both authorization and the level of permission.

The tradeoff is that configuring and managing all of this takes a great deal of planning and training; it is a complex process that a person needs time to fully understand. Windows authentication allows existing Active Directory accounts to be used, which makes managing any given user simple and requires no custom code, and Active Directory groups can be beneficial when you complete the configuration in SharePoint Server 2010. The tradeoff is that not all of the IIS authentication protocols are supported by every web browser, so you will have to make sure the browsers your users will use are compatible. With forms-based authentication, the environment does not use AD DS or Windows accounts. More than one authentication method can be in place, which helps when integrating with the identity management systems of partner applications, and the authenticated users come from the internet. The authentication process can be customized based on specific criteria. The tradeoff is that this requires the web.config file to be customized, and it can also be risky unless SSL is in place as an additional layer of security.
