
Designing a Microsoft SharePoint 2010 Infrastructure Vol 2 part 11 pptx


MCT USE ONLY. STUDENT USE PROHIBITED
Planning a SharePoint 2010 Implementation of a Business Intelligence Strategy 11-15
• Describe the design options for BCS security.
• Explain planning options for authentication when using the Secure Store
Service.
• Describe how to prevent the double-hop issue.


Overview of Business Connectivity Services

Key Points
BCS is a foundation component for data integration in SharePoint 2010. It is one of
the few service applications that are embedded in Microsoft SharePoint
Foundation 2010.
The terminology for BCS is potentially confusing for those who have experience of
the Office SharePoint Server 2007 Business Data Catalog (BDC). BCS is described
by using the following terms and acronyms:
• Business Connectivity Services. The overall name for the service.
• Business Data Connectivity (BDC). The runtime that enables connectivity to
external data sources.
• External Content Type (ECT). The reusable definition of an external entity: its fields, the operations (read, create, update, delete) that BCS may perform on it, and the connection through which the external system is reached. External content types are stored in the BDC metadata store.
• External List. A SharePoint 2010 list that is bound to an external content type. Its rows are read from and written to the external system each time the list is used; they are not stored in the SharePoint content database.

BCS Overview
BCS is a set of features that enable you to connect through SharePoint 2010 to a range of external data sources. You can render this external content into SharePoint visualizations such as external lists or Web Parts. You can connect to data sources that include, but are not limited to:
• SQL Server databases
• SAP applications
• Web services (including Windows® Communication Foundation (WCF) Web
services)
• Custom applications
• SharePoint Web sites

BCS uses a standard set of interfaces that makes it possible for both users and
developers to create business applications in SharePoint 2010. A key tool for users
is Microsoft SharePoint Designer 2010, which enables them to develop solutions
without the need to write programming code. For more sophisticated
development, there is Microsoft Visual Studio® 2010, with its SharePoint 2010
add-ins.
SharePoint Designer 2010 is a powerful tool that you can deploy to users who need to develop and deploy business solutions. These may not be defined as BI solutions, but if the solutions are designed to help information workers to become more productive, you should treat them as BI solutions. Because the same tool can create external content types and change site structure, decide per Web application who may use it: the SharePoint Designer settings in Central Administration enable or disable the tool for a Web application and control whether it may detach pages from the site definition, customize master pages and page layouts, and manage the URL structure.

Note: If your design includes provision of self-service development through SharePoint Designer 2010, include sandboxed solutions in your development standards for any custom code that accompanies those solutions. A sandboxed solution runs in a separate, restricted worker process rather than in the Web application process, can use only a subset of the server object model, and is subject to the resource quota of the site collection that hosts it, so it limits both what an application can do and how much of the farm's resources it can consume.
In a broader BI context, BCS provides external data access to Microsoft Office tools
such as Excel 2010. It does this through a runtime environment in which solutions
that include external data are loaded, integrated, and executed in supported Office
client applications and on the Web server.



Additional Reading
For more information about using SharePoint Designer 2010 with BCS, see

For more information about sandboxed solutions, see


Planning BCS Security

Key Points
The security architecture of BCS is primarily concerned with how SharePoint authenticates to external systems on behalf of its users, and with who may define and execute the resulting external content types.
Authentication
BCS is designed to integrate with external data sources, which means that you must decide how an authenticated SharePoint user is represented to the external platform: by passing that user's own identity, or by substituting a credential that the external system knows. The two methods of authentication that are available in BCS are:
• Claims-based authentication
• Credentials-based authentication

Authentication of BCS Access with Claims
If you are planning for SharePoint 2010 BCS with a claims-aware data source, you may want to enable your Web application for claims-based authentication. For BCS authentication, your solution then uses the SharePoint 2010 Security Token Service (STS). This service is preconfigured on every farm and authenticates users, and functions such as a Web service, to SharePoint. It acts as a broker for SharePoint 2010 and supports multiple authentication providers for applications based on both ASP.NET and WCF.
The process for claims-based authentication is as follows:
1. The user accesses an application that is configured for claims authentication,
such as an external list. The list access triggers an authentication request.
2. The list requests a security token from the STS.
3. The STS issues a token that contains a set of claims based on the user identity,
and a target application identifier, which is returned to the list.
4. The list passes the security token to the Secure Store Service.
5. The Secure Store Service reads the user information and sends credentials to
the external data source.
6. The external source reviews the credentials and, if the claims are appropriate,
sends the data to update the list.

Authentication of BCS Access with Credentials
BCS supports the following credential authentication options:
• Windows authentication:
• Windows Challenge/Response (NTLM)
• Microsoft Negotiate
• Authentication other than Windows:
• Forms-based
• Digest
• Basic

Authentication Modes
Each external content type reaches its external system through a connection (a LobSystemInstance in the BDC model), and that connection carries an authentication mode. You must ensure that the developers who create external content types choose the mode deliberately, because it decides whose identity the external system sees. There are two ways of passing identity to the target data source:
• Pass the credentials directly to the target.
• Map the credentials to an account in the Secure Store Service.

The modes that are available include:
• PassThrough. Passes the identity of the logged-on user to the external system, which means that the user must be known to the target system. With Windows authentication this is a second network hop, from the Web front end to the external system, so it works only with Kerberos delegation; NTLM cannot forward the user's credentials (the double-hop issue).
• RevertToSelf. Discards the user's identity and connects to the target system as the application pool account of the process in which the BDC runtime is executing (for an external list, the Web application's pool). Every user of the external content type then has that account's rights on the target, so grant it the minimum required. RevertToSelf is disabled by default in SharePoint 2010; a farm administrator must set the RevertToSelfAllowed property of the Business Data Connectivity service application before external content types that use it will work.
• WindowsCredentials. Can be used for both external Web services and database access. It uses the Secure Store Service to map the user to a set of Windows credentials that is known to the external system.
• Credentials. Can be used for external Web services. It uses the Secure Store Service to map the user to a set of credentials that a source other than Windows supplies. These must be known to the target system, which uses basic or digest authentication.
• RdbCredentials. Can be used for external database access. It uses the Secure Store Service to map the user to a set of credentials that a source other than Windows supplies, such as a SQL Server login. The target database must authenticate this login itself (database authentication) rather than through Windows.

In the three Secure Store modes, the connection names the target application in its SsoApplicationId property, and the Secure Store target application must list the requesting users as members; a user who is not a member is refused the credentials and therefore the data.

You should plan to protect the path to the external system with Secure Sockets Layer (SSL) or IPsec whenever credentials travel over it. That includes the Secure Store modes and PassThrough with forms-based, digest or basic authentication; basic authentication in particular sends the password in cleartext unless the channel is encrypted.
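The planning checks that follow from these modes can be applied to a BDC model before it is imported. The Windows PowerShell script below is an added example, not code from this course or from the SharePoint product. It parses a sample model constructed for the example (ContosoSales, the host names and the Secure Store application IDs are placeholders) and reports, for each LobSystemInstance, its authentication mode and the issues discussed above: a Secure Store mode without SsoApplicationId or SsoProviderImplementation, RevertToSelf (which needs RevertToSelfAllowed on the BDC service application), PassThrough across a second hop, RdbCredentials combined with integrated security, and connections that are not marked as encrypted. It runs offline in Windows PowerShell 2.0 or later; its one behavioural assumption is that the SQL Server connector copies every property prefixed "RdbConnection " into its connection string, so that "RdbConnection Encrypt" = True becomes Encrypt=True.

```powershell
# Added example (not from the course or the product): offline audit of the
# authentication mode of each LobSystemInstance in a BDC model (.bdcm).
# The model below is constructed for this example; ContosoSales, the hosts
# and the Secure Store application IDs are placeholders.

$SampleModel = @'
<?xml version="1.0" encoding="utf-8"?>
<Model xmlns="http://schemas.microsoft.com/windows/2007/BusinessDataCatalog" Name="ContosoSales">
  <LobSystems>
    <LobSystem Name="SalesDb" Type="Database">
      <LobSystemInstances>
        <LobSystemInstance Name="SalesDb">
          <Properties>
            <Property Name="AuthenticationMode" Type="System.String">RdbCredentials</Property>
            <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
            <Property Name="RdbConnection Data Source" Type="System.String">sql01.contoso.local</Property>
            <Property Name="RdbConnection Initial Catalog" Type="System.String">Sales</Property>
            <Property Name="RdbConnection Encrypt" Type="System.String">True</Property>
            <Property Name="SsoApplicationId" Type="System.String">SalesDbLogin</Property>
            <Property Name="SsoProviderImplementation" Type="System.String">Microsoft.Office.SecureStoreService.Server.SecureStoreProvider, Microsoft.Office.SecureStoreService, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c</Property>
          </Properties>
        </LobSystemInstance>
      </LobSystemInstances>
    </LobSystem>
    <LobSystem Name="CrmService" Type="Wcf">
      <LobSystemInstances>
        <LobSystemInstance Name="CrmService">
          <Properties>
            <Property Name="AuthenticationMode" Type="System.String">Credentials</Property>
            <Property Name="WcfEndpointAddress" Type="System.String">http://crm.contoso.local/CrmService.svc</Property>
            <Property Name="SsoApplicationId" Type="System.String">CrmServiceLogin</Property>
          </Properties>
        </LobSystemInstance>
      </LobSystemInstances>
    </LobSystem>
    <LobSystem Name="HrDb" Type="Database">
      <LobSystemInstances>
        <LobSystemInstance Name="HrDb">
          <Properties>
            <Property Name="AuthenticationMode" Type="System.String">RevertToSelf</Property>
            <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
            <Property Name="RdbConnection Data Source" Type="System.String">sql01.contoso.local</Property>
            <Property Name="RdbConnection Initial Catalog" Type="System.String">Hr</Property>
            <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
          </Properties>
        </LobSystemInstance>
      </LobSystemInstances>
    </LobSystem>
  </LobSystems>
</Model>
'@

function Get-BdcAuthenticationFindings {
    param([Parameter(Mandatory=$true)][string]$ModelText)

    $doc = [xml]$ModelText
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('bdc', 'http://schemas.microsoft.com/windows/2007/BusinessDataCatalog')
    $secureStoreModes = 'Credentials', 'WindowsCredentials', 'RdbCredentials'

    foreach ($inst in $doc.SelectNodes('//bdc:LobSystemInstance', $ns)) {
        # LobSystemInstance -> LobSystemInstances -> LobSystem, whose Type names the connector
        $lobType = $inst.ParentNode.ParentNode.GetAttribute('Type')
        $props = @{}
        foreach ($p in $inst.SelectNodes('bdc:Properties/bdc:Property', $ns)) {
            $props[$p.GetAttribute('Name')] = $p.InnerText
        }
        $mode = $props['AuthenticationMode']
        if (-not $mode) { $mode = 'PassThrough' }   # the BDC default when the property is omitted
        $findings = @()

        if ($secureStoreModes -contains $mode) {
            foreach ($name in 'SsoApplicationId', 'SsoProviderImplementation') {
                if (-not $props.ContainsKey($name)) {
                    $findings += "$mode needs the '$name' property so the BDC runtime can reach the Secure Store Service"
                }
            }
        }
        switch ($mode) {
            'PassThrough'  { $findings += 'user identity is forwarded to the external system; a second hop needs Kerberos delegation' }
            'RevertToSelf' { $findings += 'RevertToSelfAllowed must be set on the BDC service application (off by default); all users share the application pool identity''s rights' }
            'RdbCredentials' {
                if ([string]$props['RdbConnection Integrated Security'] -match 'SSPI|true') {
                    $findings += 'RdbCredentials uses database (SQL) authentication; remove Integrated Security from the connection'
                }
            }
        }
        # Assumption: the SQL Server connector copies every "RdbConnection " property into its
        # connection string, so "RdbConnection Encrypt" = True requests SSL to SQL Server.
        if ($lobType -eq 'Database' -and [string]$props['RdbConnection Encrypt'] -notmatch '^(true|yes)$') {
            $findings += 'connection is not marked Encrypt=True; credentials and data cross the network in clear unless IPsec protects the path'
        }
        if ($lobType -eq 'Wcf' -and [string]$props['WcfEndpointAddress'] -notmatch '^https://') {
            $findings += 'WCF endpoint is not HTTPS; stored or forwarded credentials are sent over a clear channel'
        }

        New-Object PSObject -Property @{
            Instance = $inst.GetAttribute('Name'); LobType = $lobType; Mode = $mode; Findings = $findings
        }
    }
}

Get-BdcAuthenticationFindings -ModelText $SampleModel | ForEach-Object {
    "$($_.Instance) [$($_.LobType)] AuthenticationMode=$($_.Mode)"
    $_.Findings | ForEach-Object { "  - $_" }
}
```

For the sample model the script reports nothing for SalesDb, two findings for CrmService (missing SsoProviderImplementation, HTTP endpoint) and two for HrDb (RevertToSelf, no Encrypt). To audit a real model, replace $SampleModel with Get-Content -Raw of the exported .bdcm file; the script reads the file only and changes nothing in the farm.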
Permissions
You can associate BCS permissions with an individual account, group account, or claim with one or more permission levels on an object in the BDC metadata store. The rights are Edit (change the model), Execute (call the operations of an external content type), Selectable In Clients (see the external content type in pickers, such as the page that creates an external list) and Set Permissions. When you plan a permissions strategy, give each user or group only the specific rights it needs, in accordance with the principle of least privilege; in particular, reserve Edit and Set Permissions on the metadata store for administrators, because a user who can edit a model can change its authentication mode or its connection target.

Planning Data Access Security by Using the Secure Store
Service

Key Points
The Secure Store Service is a service application that stores credentials and releases them to other service applications so that those applications can authenticate to external data sources on behalf of users. An active user gains access to an external data source through impersonation: the consuming BI service application obtains a stored credential and connects with it. This mapping of BI service applications, users, and credentials is expressed as a target application, a set of metadata that lists the users who may obtain the credentials that a BI application uses to access external data. The metadata and credentials are stored in the Secure Store Service database in SharePoint 2010, and the credentials are encrypted with a key that is generated from the passphrase you supply when you create the service application. Record that passphrase securely: you must enter it again to generate a new key and to refresh the key on a server that you add to the farm later.
The stored settings include:
• Administrators. This lists the target application administrators. These can be
administrators or users to whom you delegate administrative rights to the
Secure Store Service target application.

Note: PerformancePoint Services automatically configures administrators for target
applications that are configured through it.
• Members. This lists the users or Active Directory® directory service groups on whose behalf the Business Intelligence service application may retrieve and impersonate the stored credentials. A user who is not a member is refused the credentials, and therefore the data, so keep this list as narrow as the audience of the published workbooks or drawings allows.

Note: For target applications that are configured through PerformancePoint Services,
PerformancePoint Services specifies the service account that the PerformancePoint
Services application pool uses as a member.
• Credentials. This lists the target application credentials: typically an Active Directory account, stored as a Windows user name field and a masked Windows password field, that has direct access to the data sources. You must grant this account access to the data sources outside SharePoint 2010, in line with the principle of least privilege; read-only rights on the reporting data are normally enough. This account is impersonated to provide data access to users, so everyone in the Members list effectively shares its rights on the data source.

Farm administrators can configure all of these through the Secure Store Service for
Excel Services and the Visio Graphics Service. However, PerformancePoint Services
is configured through the PerformancePoint Service Application Settings.
Excel Services and the Visio Graphics Service
You can design two methods for use of the Secure Store Service for Excel Services
and the Visio Graphics Service:
• Specified target application. The workbook or drawing specifies the target
application. The Secure Store Service uses the associated credentials when a
user requests data access.
• No specified target application (unattended service account). The workbook or drawing states that no particular target application applies. With this option, the Secure Store Service supplies the unattended service account credentials that are specified in the Global Settings of the Excel Services or Visio Graphics Service application; that account is itself held in a Secure Store target application whose ID the Global Settings name.

PerformancePoint Services
PerformancePoint Services cannot specify a specific Secure Store Service target
application. It only uses the Secure Store Service by specifying the unattended
service account.
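The settings described above (fields, administrators, members, credentials, and the unattended service account of each BI service) can be provisioned from the SharePoint 2010 Management Shell instead of Central Administration. The script below is an added example, not code from this course or from Microsoft; it creates one Group target application, maps a least-privilege data access account to it, and names it as the unattended service account for Excel Services, the Visio Graphics Service and PerformancePoint Services. All names are placeholders (the CONTOSO accounts and groups, http://intranet.contoso.local, "BiUnattended"), it must run as a farm administrator, and the Secure Store Service application and its proxy are assumed to exist already. The cmdlets and parameter names are the SharePoint 2010 ones as the author recalls them; confirm them with Get-Help in your own farm before running the script.

```powershell
# Added example (not from the course or the product): provision one Group
# target application for the unattended service account of Excel Services,
# the Visio Graphics Service and PerformancePoint Services, then point each
# service application at it. Run in the SharePoint 2010 Management Shell as
# a farm administrator. All names below are placeholders: the CONTOSO
# accounts and groups, http://intranet.contoso.local and "BiUnattended".

$ServiceContext = 'http://intranet.contoso.local'   # a site served by the web application that uses the Secure Store proxy
$TargetAppName  = 'BiUnattended'

# 1. Fields: a Windows user name plus a masked Windows password, so the
#    consuming service can impersonate the account rather than merely quote it.
$fields = @(
    (New-SPSecureStoreApplicationField -Name 'UserName' -Type WindowsUserName -Masked:$false),
    (New-SPSecureStoreApplicationField -Name 'Password' -Type WindowsPassword -Masked:$true)
)

# 2. Definition of the target application. Group = one credential set shared by every member.
$targetApp = New-SPSecureStoreTargetApplication -Name $TargetAppName `
    -FriendlyName 'BI unattended data access' -ApplicationType Group `
    -ContactEmail 'bi-admins@contoso.local'

# 3. Administrators may change the stored secret; Members may have it used on
#    their behalf. Keep Members to the audience of the published workbooks and
#    drawings (PerformancePoint adds its own application pool account instead).
$admins  = @(New-SPClaimsPrincipal -Identity 'CONTOSO\BI Secure Store Admins' -IdentityType WindowsSecurityGroupName)
$members = @(New-SPClaimsPrincipal -Identity 'CONTOSO\BI Report Readers'      -IdentityType WindowsSecurityGroupName)

$app = New-SPSecureStoreApplication -ServiceContext $ServiceContext -TargetApplication $targetApp `
    -Fields $fields -Administrator $admins -CredentialsOwnerGroup $members

# 4. Store the data access account. Grant it read-only rights on the BI data
#    sources outside SharePoint; every member of the target application shares them.
$userName = ConvertTo-SecureString 'CONTOSO\svc_bidata' -AsPlainText -Force
$password = Read-Host -Prompt 'Password for CONTOSO\svc_bidata' -AsSecureString
Update-SPSecureStoreGroupCredentialMapping -Identity $app -Values @($userName, $password)

# 5. Make it the unattended service account of each BI service application.
Get-SPExcelServiceApplication |
    ForEach-Object { Set-SPExcelServiceApplication -Identity $_ -UnattendedAccountApplicationId $TargetAppName }
Get-SPVisioServiceApplication |
    ForEach-Object { Set-SPVisioExternalData -VisioServiceApplication $_ -UnattendedServiceAccountApplicationID $TargetAppName }
# PerformancePoint stores the account through its own settings and creates the
# matching target application itself, so it takes the credential, not the name.
$ppsCred = New-Object System.Management.Automation.PSCredential('CONTOSO\svc_bidata', $password)
Get-SPPerformancePointServiceApplication |
    ForEach-Object { Set-SPPerformancePointSecureDataValues -ServiceApplication $_ -DataSourceUnattendedServiceAccount $ppsCred }

# 6. Review what was created; the stored password is never displayed.
Get-SPSecureStoreApplication -ServiceContext $ServiceContext -Name $TargetAppName | Format-List
```

Two design points are worth noting. The account is entered once, as a SecureString, and reused for PerformancePoint, so it never sits in the script as a literal; and the members are a narrow Active Directory group rather than all authenticated users, because membership, not SharePoint list permissions, is what the Secure Store Service checks before it releases the credential.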
Data Connection Files
Excel, Visio, and PerformancePoint Services all use data connection files to specify
authentication information. For Excel Services and the Visio Graphics Service, this
is an Office Data Connection (ODC) file. For PerformancePoint Services, it is a
PerformancePoint Services Data Connection (PPSDC) file.
Excel Services Connections
For Excel Services, you must plan and specify the ODC connection before you load the workbook. The authentication settings include:
• Windows authentication. Excel Services connects to the data source as the user who opened the workbook. Because Excel Calculation Services is a separate process that has already received the user's identity from the Web front end, this requires Kerberos delegation; with NTLM the second hop fails (the double-hop issue).
• Secure Store Service Identifier (SSS ID). The specific Secure Store Service target application whose stored credentials are used for data access.
• None. Excel Services connects with the unattended service account, unless the connection string itself carries credentials.


Note: The supported way to edit these settings is to open the workbook or ODC file in Excel 2010 and use Connection Properties, then the Definition tab, then Authentication Settings. The ODC file itself is a text file (HTML with embedded XML), so you can inspect what a published connection contains, including whether it embeds a password, without Excel.
Visio Graphics Service Connections
For the Visio Graphics Service, you can use either embedded connection
information or connection information in an ODC file:
• Embedded connection. The drawing author connects to the external data source from within Visio 2010 when creating the drawing, and the connection information is stored directly in the file. When a user accesses the published drawing, the Visio Graphics Service connects with the unattended service account from the Secure Store Service, not as the user.
• ODC connection. This uses an existing ODC file that is specified in the drawing.
When you publish the drawing, the Visio Graphics Service maintains the link
to the ODC file and uses the connection information.
