SharePoint 2010 Cross-Farm Services And External Data Sources

There are several steps involved in the process of deploying cross farm services. Each step is very important to gain the overall results you are after.

  • Configure trusted farms. This ensures that all of the farms exchanging services can trust each other. Certificates have to be exported to a file. Make sure you back up that file before you connect to any of the cross-farm services.
  • Publish the service application. A service application must be published before it can be shared across farms.
  • Connect to the cross-farm service application. A connection must be made to the service that is published by the remote farm. This requires entering the URL of the published service, which is displayed when you publish it. The connection has to be created on the local farm so that it can connect to the service application on the remote farm.
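The steps above can be scripted with the SharePoint 2010 cmdlets. The following is an added example, not part of the original article; the file paths, trust names, backup share, and the service application display name are placeholders chosen for illustration.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell as a farm administrator.
# All paths, trust names and the service application name below are placeholders.

# 1. On EACH farm: export the farm's root certificate to a file, then back it up.
$farmName = "ConsumingFarm"            # use "PublishingFarm" on the other farm
$rootFile = "C:\Certs\${farmName}Root.cer"
$root = (Get-SPCertificateAuthority).RootCertificate
$root.Export("Cert") | Set-Content $rootFile -Encoding Byte
Copy-Item $rootFile "\\backup\certs\"  # placeholder backup location

# 2. On the CONSUMING farm only: also export the security token service certificate.
$sts = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$sts.Export("Cert") | Set-Content "C:\Certs\ConsumingFarmSTS.cer" -Encoding Byte

# 3. On the PUBLISHING farm: trust the consuming farm's root and STS certificates.
$cert = Get-PfxCertificate "C:\Certs\ConsumingFarmRoot.cer"
New-SPTrustedRootAuthority -Name "ConsumingFarm" -Certificate $cert
$cert = Get-PfxCertificate "C:\Certs\ConsumingFarmSTS.cer"
New-SPTrustedServiceTokenIssuer -Name "ConsumingFarm" -Certificate $cert

# 4. On the CONSUMING farm: trust the publishing farm's root certificate.
$cert = Get-PfxCertificate "C:\Certs\PublishingFarmRoot.cer"
New-SPTrustedRootAuthority -Name "PublishingFarm" -Certificate $cert

# 5. On both farms: list the trusts and compare each thumbprint with the file
#    that was exported, so a swapped certificate is caught before publishing.
Get-SPTrustedRootAuthority |
    Select-Object Name, @{n = "Thumbprint"; e = { $_.Certificate.Thumbprint }}

# 6. On the PUBLISHING farm: publish the service application.
$app = Get-SPServiceApplication |
    Where-Object { $_.DisplayName -eq "Secure Store Service" }
Publish-SPServiceApplication -Identity $app

# 7. On the CONSUMING farm: connect using the URL displayed at publish time.
$publishedUrl = "<published service URL>"   # placeholder, copy from the publishing farm
New-SPSecureStoreServiceApplicationProxy -Name "Remote Secure Store" -Uri $publishedUrl
```

The consuming farm must also be granted permission on the publishing farm's Application Discovery and Load Balancing Service and on the published service application before the connection in step 7 succeeds.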

If the server farms are located in two different domains, the User Profile service application requires both domains to trust each other. With the Business Data Connectivity service and the Secure Store Service, the domain of the publishing farm has to trust the domain of the consuming farm. None of the cross-farm service applications will work if the required trust is not in place between the two domains.

It is possible for certain service applications to access external data sources. They do so by using a delegated Windows identity, which places some additional requirements on the environment. These service applications have to be in the same domain as the SharePoint Server 2010 farm where the service applications are housed. The other option is for the service application to be configured to use the Secure Store Service. Several service applications access external data by using a delegated Windows identity. They include:

  • Excel Services
  • InfoPath Forms Services
  • PerformancePoint Services
  • Visio Services

The service applications used to access external data sources must have a delegated Windows identity. Otherwise it has to be configured for the use of the Secure Store Service. This will store and maintain the credentials of a user or a service. When service applications are used to store credentials, they have to be authenticated before the data can be accessed.

If the external data sources aren’t within the same domain then authentication for the external data sources will fail unless you use the Secure Store Service. Farm servers can be split between two different domains but the application servers have to be found in the same domain as the external data sources.

There are several service applications and products that don’t have those requirements. They include:

  • Access Services
  • Business Data Connectivity Services
  • Microsoft Business Connectivity Services
  • Microsoft Project Server 2010
  • Microsoft SQL Server PowerPivot for Microsoft SharePoint
  • Microsoft SQL Server Reporting Services

Excel Services Security Best Practices

Common Security Settings

The ability to configure the administrative settings for Excel Services Application can be found by opening the SharePoint Central Administration Web Application. Then the Excel Services Settings page needs to be accessed.

It is important for the Excel Services Settings to be configured for several things:

  • External Data: controls the external data connections for Excel Calculation Services.
  • Load Balancing: determines how Excel Services Application sessions are spread out across Excel Calculation Services.
  • Memory Utilization: the memory allocated for Excel Calculation Services.
  • Security: where communication and web service settings are determined. The Excel Services Application is also authenticated here.
  • Session Management: the behavior of sessions for Excel Calculation Services.
  • Workbook Cache: the settings for caching workbook files in memory and on disk.

The Excel Services Settings page can help you to configure options for a file. This access method also enables encryption for connections and methods. All of these scenarios directly affect the security of any deployment.

Impersonation gives a thread the ability to run in the secure context. This is a good idea when you want Excel Calculation Services to authorize users to access workbooks that are stored in HTTP or UNC locations. It has no bearing on workbooks that are stored in SharePoint Server 2010 databases. Most server farms deploy front end web servers and Excel Calculation Services applications that run on various computers. With impersonation, Kerberos delegation is constrained. Excel Calculation Services can open workbooks from HTTP or UNC sites. However, the process account has to be used because the user account cannot be impersonated.

Using SSL to encrypt data in transit is very important when data moves between Excel Calculation Services, data sources, client computers, and front end web servers. To encrypt the data while it is being transmitted, go to the Connection Encryption setting and make sure it says Required. If it says Not required, which is the default setting, your data won't be as secure as it needs to be. When encryption is required, Excel Calculation Services only allows data to be transferred between client computers and front end web servers through SSL. If you don't require encryption, then you will have to configure SSL manually. This will give you encryption for the connections between client computers and front end computers. However, the connections between front end servers and Excel Calculation Services applications can still be unencrypted.
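The Connection Encryption setting can also be audited and corrected from the SharePoint 2010 Management Shell. This is an added example, not part of the original article; the function name is hypothetical, and the object property names are assumed to match the parameters of `Set-SPExcelServiceApplication`.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell as a farm administrator.
# Test-ExcelServicesEncryption is a hypothetical helper name.
function Test-ExcelServicesEncryption {
    param([switch]$Fix)   # without -Fix the function only reports

    foreach ($app in Get-SPExcelServiceApplication) {
        # "None" is the default (Not required); "Connection" means Required.
        $required = ($app.EncryptedUserConnectionRequired -eq "Connection")

        if (-not $required -and $Fix) {
            Set-SPExcelServiceApplication -Identity $app `
                -EncryptedUserConnectionRequired Connection
            $required = $true
        }

        # One result object per Excel Services application, for review or export.
        New-Object PSObject -Property @{
            Name               = $app.DisplayName
            EncryptionRequired = $required
            # UseImpersonation or UseFileAccessAccount (the process account)
            FileAccessMethod   = $app.FileAccessMethod
        }
    }
}

# Report first, then remediate once the report has been reviewed.
Test-ExcelServicesEncryption | Format-Table -AutoSize
# Test-ExcelServicesEncryption -Fix
```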