SharePoint 2013 – Secure Store Service

Overview

The Secure Store Service is responsible for storing a user’s credentials and mapping them to an external service. This gives users a single sign-on experience, because SharePoint can access the external system as the user without prompting them. Typical scenarios where the Secure Store is used as the mechanism for supplying a user’s credentials without interaction from the user include:

  • Business Data Connectivity Services – Individual credentials can be mapped to unique external system accounts, or a group of users can be mapped to a single external group account. With BCS, it is also possible to store the certificates used to access on-premises data sources through SharePoint Online
  • Excel Services – If a workbook has been published that contains external data
  • Visio Services – If a diagram has been published that contains external data connections

In addition to these, other services that can consume the Secure Store are PerformancePoint, PowerPivot and the SharePoint Runtime (for instance, when accessing Azure services). In most cases where Excel Services or Visio Services are configured to use the Secure Store, Kerberos authentication must also be configured for delegation.

Pre-Requisites

  • Dedicated Service Account and Application Pool
  • SharePoint 2013 environment
  • Ideally, an Application Server where the service will run

General guidance (and common sense) would dictate that:

  • You do not run the Secure Store on the same server as the SQL Server instance that holds the SharePoint content databases
  • You will perform a backup of the Secure Store database before you generate a new encryption key (whether upon first creation or re-encrypting the store)
  • Do not store the backup media for the Secure Store database in the same location as the backup media for the encryption key
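The following PowerShell script is an added example (not from the original article) that applies the prerequisites and guidance above when provisioning the service: a dedicated managed account and application pool, the service instance started on an application server rather than the SQL Server, auditing enabled, and a farm backup of the Secure Store taken before the master key is generated. The account name, server names, database name, backup path and passphrase are placeholders, and the `-Item` path passed to Backup-SPFarm is an assumption that should be confirmed with `Backup-SPFarm -ShowTree`.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Placeholders: replace with values for your farm
$svcAccount   = "CONTOSO\sp_securestore"        # dedicated service account (pre-registered managed account)
$appServer    = "APPSRV01"                      # application server that will run the service (not the SQL Server)
$dbName       = "SP2013_SecureStore"             # Secure Store database name
$backupDir    = "\\backup\sp\securestore"        # keep this separate from where the key passphrase is stored
$passphrase   = Read-Host "Master key passphrase" # prompted, so it never lands in script files or logs

# 1. Dedicated application pool running under the dedicated account
$pool = Get-SPServiceApplicationPool -Identity "SecureStoreAppPool" -ErrorAction SilentlyContinue
if (-not $pool) {
    $pool = New-SPServiceApplicationPool -Name "SecureStoreAppPool" -Account (Get-SPManagedAccount $svcAccount)
}

# 2. Start the Secure Store service instance on the application server only
Get-SPServiceInstance -Server $appServer |
    Where-Object { $_.TypeName -eq "Secure Store Service" -and $_.Status -ne "Online" } |
    Start-SPServiceInstance | Out-Null

# 3. Create the service application with auditing on, plus a proxy in the default group
$ssa = New-SPSecureStoreServiceApplication -Name "Secure Store Service" `
          -ApplicationPool $pool -DatabaseName $dbName -AuditingEnabled:$true
$proxy = New-SPSecureStoreServiceApplicationProxy -Name "Secure Store Service Proxy" `
          -ServiceApplication $ssa -DefaultProxyGroup

# 4. Back up the Secure Store before generating or refreshing the encryption key
#    (assumed -Item path; verify with Backup-SPFarm -ShowTree)
Backup-SPFarm -Directory $backupDir -BackupMethod Full `
    -Item "Farm\Shared Services\Shared Services Applications\Secure Store Service"

# 5. Generate the master key, then push the key to this application server
Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy -Passphrase $passphrase
Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $proxy -Passphrase $passphrase
```

Run Update-SPSecureStoreApplicationServerKey on every application server that hosts the service, and record the passphrase somewhere other than the backup media for the database.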
