in

SharePoint Blogs

The Best Place for SharePoint-related Blogs

Michael Hofer - SharePoint Blog

Michael Hofer's blog about adventures in SharePoint land, including tips and tricks for all products and technologies used in Information Worker solutions.

Using the Business Data Catalog with Single Sign-On

Connecting the Business Data Catalog to a Microsoft SQL Server Database or any other ADO.NET based data source is an easy task when using Windows Credentials since the users own credentials or the application pool identity can be passed to the business application directly or a user/password combination can be used in the definition file (not recommended).

While it is for many reasons the best practice to use Windows Credentials to connect to any data source, there are sometimes scenarios where other authentication mechanisms have to be used. When connecting the Business Data Catalog to a Microsoft SQL Server Database using SQL Server authentication, user credentials must be transmitted using the Microsoft Single Sign-On Service.

MOSS 2007 includes an administrative interface to the Microsoft Single Sign-On service as well as an own pluggable Single Sign-On provider implementation. The following paragraphs describe how to setup and configure Single Sign-On and Business Data Catalog for SQL authentication-based data connections.

For reference, see [1].

Setup and configure Single Sign-On

General

Installing Single-Sign On capabilities require high attention on security. The following paragraphs describe a step-by-step approach using best practices for security configuration when installing Single Sign-On for the Microsoft Office System Server (MOSS) 2007.

The general reference on how to install and configure the Single Sign-On Service can be found in Technet (see [2]).

Step 1: Understanding the architecture

To use Single Sign-On, the Microsoft Single Sign-On service (SSOSrv) must be installed on all Microsoft Windows front-end Web servers in the farm.
SSOSrv must also be installed on all servers running Excel Services. If the Business Data Catalog search is used, SSOSrv must also be installed on the index server.
In addition, the Encryption-Key server has to be determined. This is always the first server in the system where the SSOSrv is started.

Step 2: Setting up security accounts and groups

In order to setup Single Sign-On, it is best practice to setup the following security accounts and groups:

SSO Service Account:

  • The account the Microsoft Single Sign-On Service is running on.
  • Must be a domain user account. It cannot be a group account.
  • Must be an Office SharePoint Server farm account.
  • Must be a member of the local Administrators group on the encryption-key server.
  • Must be a member of the Security Administrators role and db_creator role on the computer running Microsoft SQL Server. 
  • Must be a member of the MOSS SSO Administrators Group.

MOSS SSO Administrators Group

  • Can configure MOSS SSO Server settings such as the database, MOSS SSO Application Definition Administrators or encryption keys.
  • Usually, these are the same administrators that also configure MOSS farm-level settings in Central Administration
  • Must be a Windows global group, cannot be a domain local group account or a distribution list.
  • Must be member of the Farm Administrators SPGroup on Central Administration.
  • The single sign-on service account must be a member of that group.
  • At least the farm administrator's account who is configuring Single Sign-On should be member of that group.
  • All group members must be local Administrators on the encryption-key server. Do not make this account a member of the local Administrators group on the encryption-key server.

MOSS SSO Application Definition Administrators Group

  • Can manage credentials of an enterprise application definition, including changing the password of a group enterprise application definition and changing or deleting credentials for an individual enterprise application definition.
  • Must be a Windows global group, cannot be a domain local group account or a distribution list. 
  • Must be a member of the Reader SharePoint group on Central Administration.

Please note: It is crucial, that all requirements are met. If not, you will receive an error stating "You do not have the permission to perform this action" when setting up the MOSS SSO Server in Central Administration.

Step 3: Configuring the Single Sign-On Service

  1. On the server, click Start, Control Panel, Administrative Tools, and then click Computer Management.
  2. In the Computer Management console, expand Services and Applications, and then click Services.
  3. Right-click Microsoft Single Sign-On Service, and then choose Properties.
  4. On the General tab, change the Startup type to Automatic.
  5. On the General tab, under Service Status, click Start.
  6. Click OK to save your changes and close the Properties window.
  7. Repeat steps 1 through 6 for each applicable server in the farm.

Step 4: Registering the Single Sign-On Service in MOSS

This step is not described in [2], however it performs some additional configurations on all servers where Single Sign-On will be enabled. For example, it adds the SSO Service Account to the IIS_WPG local group and configures the SSO Service (Step 3) to run under this account.

  1. On Central Administration, on the top navigation bar, click Operations.
  2. On the Operations page, in the Security Configuration section, click Service Accounts.
  3. Choose Windows Service and the Single Sign-On Service.
  4. Select Configurable for the account and enter the SSO Service Account by using the form domain\username.
  5. Click OK to save your changes and close the Properties window.

Step 5: Setting up the MOSS Single Sign-On Server

You must open Central Administration on the computer that runs Office SharePoint Server 2007 to manage server settings for single sign-on.

  1. On Central Administration, on the top navigation bar, click Operations. 
  2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.
  3. On the Manage Settings for Single Sign-On page, in the Server Settings section, click Manage server settings.
  4. On the Manage Settings for Single Sign-On page, in the Account name box in the Single Sign-On Administrator Account section, type the MOSS SSO Administrators Group by using the form domain/group.
  5. In the Enterprise Application Definition Administrator Account section, in the Account name box, type the MOSS Application Definition Administrators Group by using the form domain/group or domain/username.
  6. In the Database Settings section, in the Server name box, type the NetBIOS name of the single sign-on database server (for example, computer_name or computer_name\SQL_Server_instance). Do not type the fully qualified domain name. 
  7. In the Database name box, enter the name of the single sign-on database server. 
  8. In the Time Out Settings section, in the Ticket time out (in minutes) box, type a value for how many minutes passes before a single sign-on ticket expires. The time-out should be long enough to last between the time that the ticket is issued and the time that the enterprise application redeems the ticket. Two minutes is the recommended value.
  9. In the Delete audit log records older than (in days) box, type a value for how many days the audit log holds records before deleting them.
  10. Click OK.

If you should get a "You do not have the permission to perform this action error" check the application log and make sure that all security requirements defined in step 2 are met.

Step 6: Creating the Application Definition

In the single sign-on environment, the back-end external data sources and systems are referred to as enterprise applications. For each enterprise application that Office SharePoint Server 2007 connects to, a corresponding enterprise application definition needs to be configured.

In order to connect to a Microsoft SQL Server database using SQL authentication a application definition has to be created in which the credentials of the SQL user will be stored.

  1. On Central Administration, on the top navigation bar, click Operations. 
  2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.
  3. On the Manage Settings for Single Sign-On page, click Manage settings for enterprise application definitions.
  4. Click on New Item
  5. Enter a display name for the application in the Display Name box
  6. Enter an application name for the application in the Application name box
  7. In the "Field 1: Display Name" , enter "User ID" and set "Mask" to "No"
  8. In the "Field 2: Display Name", enter "Password" and set "Mask" to "Yes"
  9. Click OK
  10. Back on the Manage Settings for Single Sign-On page, in the Enterprise Application Definition Settings section, click Manage account information for enterprise application definitions.
  11. On the Manage Account Information for an Enterprise Application Definition page, in the Enterprise application definition list in the Account Information section, click the application definition for which you want to manage account information.
  12. In the Group account name box, type the name of the group that is allowed access to the enterprise application.
  13. In the Enterprise Application Definition section, select Update account information.
  14. Click Set. 
  15. On the Provide Account Information page, in the Logon Information section, type the user name and password of the SQL user that will be used to connect to the Microsoft SQL Server database.
  16. Click OK.

Configuration of the Business Data Catalog

Actually, there is no configuration to be done for the Business Data Catalog itself to interact with Single Sign-On. However, for every Application Definition where Single Sign-On is used, a LobSystemInstance node has to be added to the LobSystemInstances collection. Every LobSystemInstance specifies an "access point - in terms of connection and security information - to the LOB system, the Microsoft SQL Server database in this example scenario.

...
    <LobSystemInstance Name="Demo LOBDatabase">
      <Properties>
        <Property Name="AuthenticationMode" Type="System.String">RdbCredentials</Property>
        <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
        <Property Name="RdbConnection Data Source" Type="System.String">moss-sql01</Property>
        <Property Name="RdbConnection Initial Catalog" Type="System.String">SQLAuthDemo</Property>
        <Property Name="RdbConnection Integrated Security" Type="System.String">false</Property>
        <Property Name="RdbConnection Pooling" Type="System.String">false</Property>
        <Property Name="SsoApplicationId" Type="System.String">SQLAuthDemoSSOApp</Property>
        <Property Name="SsoProviderImplementation" Type="System.String">Microsoft.SharePoint.Portal.SingleSignon.SpsSsoProvider, Microsoft.SharePoint.Portal.SingleSignon, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c</Property>
      </Properties>
    </LobSystemInstance>
...

In order to use Single Sign-On, please make sure that besides the regular connection information, the following properties are set:

RdbConnection Integrated Security: Tells the Business Data Catalog explicitly to not use integrated security.

SsoApplicationId: Name of the Single Sign-On application as specified in Step 6.5 of the Single Sign-On setup.

SsoProviderImplementation: Default pluggable implementation of the SharePoint SsoProvider.

Besides of the above configuration which is done directly in the application definition file, there are no further actions required to enable Business Data Catalog to connect using Single Sign-On services.

References

[1]: Microsoft MSDN: Business Data Catalog Authentication
[2]: Microsoft TechNet: Configure single sign-on

 

Published Jul 30 2007, 11:06 PM by mhofer1976
Filed under: , , , ,

Comments

 

Mark Teviotdale said:

Hi Michael

Thanks for this, I have been working with the BDC for a couple of weeks and needed to connect to a database that wasn't on the same machine as the MOSS instance.  After many goes at trying to get this working I gave up and installed the database on the same machine as MOSS.  When you look at documentation on the net about connecting the BDC most people are using the pass though authenication method and not trying to connect to a database on a different machine on the same domain.  Looking forward to trying this post out and to see if I can finally get this going.

Thanks

Mark  

July 30, 2007 9:11 PM
 

Jon-Jacques Umphrey said:

Michael and Mark

We are trying to do the same thing as Mark. IE connect to a SQL DB on another machine. However to clarify we are wishing to utilize a domain account with permissions to SQL rather than the SQL account directly. Any ideas?

August 9, 2007 3:34 PM
 

mhofer1976 said:

Hi Jon-Jacques,

I didn't test that but when you check the msdn article I've posted above, you'll find the answer:

You still have to use Single Sign-On with two differences:

- in the application definition, you must now enter the windows account (domain\user) and its password.

- in the BDC app definition, set "WindowsCredentials "instead of "RdbCredentials"

That's it!

August 10, 2007 3:30 PM
 

Blog del CIIN said:

Siguiendo con la tradicional recopilación periódica de recursos sobre WSS 3.0 &amp; MOSS, en esta ocasión

August 28, 2007 6:02 AM
 

chandrika12345 said:

I want to access the external applications(Not the back end) from the sharepoint site .How do i define application definition for it?help me in solving this issue.I need step by step implimentation.

Thanks

chandrika

August 28, 2007 7:19 AM
 

asphughes said:

Sorry if I'm missing something obvious here but how do you create an application definition file. I have set up an application definition in Manage enterprise application definitions but now need to import an application definition file file to set  up the business data catalog. Am I missing a step?

October 16, 2007 9:46 AM
 

Vijay said:

Hi Michael,

I’m   planning to develop a application which is going to be a business (no data manipulation) views. Our application will be connected to LOB databases and fetch the results based on search criteria and display results in tabular format.

Below I have given the two types of approach what I’m planning to do.

Can you please validate and suggest which the best approach?

Approach 1 – using BDC

I’m planning to develop the web service (because other non .NET application requires this data) and connecting the web service through BDC for fetching the results.

For example once user enters the search criteria then search criteria a will be passed to BDC and BDC in turn will talk to web service to fetch the results.

Once the results are fetched then it will be displayed in Tabular format(DataGrid).

We can’t use BDC web parts because we have to some customization like on lick of some columns it should take user to some detail page.

Approach 2 – Using Web service directly

Directly query the results the web service from web part.

Inputs on thie regard huly appceritabkle.

Regards

Vijay

January 6, 2008 11:38 PM
 

Vijay said:

I’m   planning to develop a application which is going to be a business (no data manipulation) views. Our application will be connected to LOB databases and fetch the results based on search criteria and display results in tabular format.

Below I have given the two types of approach what I’m planning to do.

Can you please validate and suggest which the best approach?

Approach 1 – using BDC

I’m planning to develop the web service (because other non .NET application requires this data) and connecting the web service through BDC for fetching the results.

For example once user enters the search criteria then search criteria a will be passed to BDC and BDC in turn will talk to web service to fetch the results.

Once the results are fetched then it will be displayed in Tabular format (DataGrid).

We can’t use BDC web parts because we have to some customization like on click of some columns it should take user to some detail page.

Approach 2 – Using Web service directly

Directly query the results the web service from web part.

Inputs on this regard are highly appreciated.

January 6, 2008 11:41 PM
 

sharepoint applications ticketing said:

Pingback from  sharepoint applications ticketing

May 30, 2008 10:07 AM
 

Todd Giedraitis said:

In order to install the sso I had to do the below:

To configure the singls service sign on account

When connecting remotely from moss2007 to SQL 2005 and setting up moss 2007 anywhere it has domain username put

tandel\moss NOT tandel.com\moss

1.Must be signed on the server as the service account

2. Must sign into the Moss central administration account as the service account

3. Must configure the single sign on service and the service account

4. When starting up internet explorer right click and use run as administrator

5. Must be in the local sarepoint services group on the sharepoint server

Must be in the administrators local account on the sql server

6. Must be configured as an account in the SQL server console

7. Must configure the sinlge sign on service in services to run as the service account

June 19, 2008 11:07 AM
 

santosh said:

Can we use BDC to fetch SQL data without using Single SIgn or Server?

July 13, 2008 11:15 PM
 

MidnightMonkey » Microsoft Sharepoint Office Application Developer Exam 70-542 said:

Pingback from  MidnightMonkey &raquo; Microsoft Sharepoint Office Application Developer Exam 70-542

July 22, 2008 10:56 AM

Leave a Comment

(required )  
(optional )
(required )  
Add

About mhofer1976

For all of my IT carreer, I've been addicted to Microsoft-based software development, starting with VB, but then heading straight towards the .NET Framework in its earliest days. While working in different positions as a lead developer, project manager, pre-sales consultant and most recently a business unit manager, I've always kept beeing a developer and specialized on solutions in the Information Worker area, with an emphasis towards Enterprise Content Management. The Microsoft Office System and especially the SharePoint products and technologies are my favorite "playground", one big reason why I've joined the Microsoft Consulting Services in Switzerland where I'm currently working as Senior Consultant for Information Worker solutions.
Need SharePoint Training? Attend a SharePoint Bootcamp!
Posts (c) their respective authors. Everything else (c) 2007 SharePoint Experts