Productivity solutions

  • 10/9/2017

Skill: Create and configure a Business Connectivity Services (BCS) and Secure Store application

Business Connectivity Services (BCS) is a powerful feature that allows both SharePoint and non-SharePoint data and information to be represented within the same interface. Successfully presenting this data requires that the SharePoint administrator be familiar with both BCS itself as well as the Secure Store, which is required for storing credentials to these external systems.

Import and configure BCS models

Designing a data connection for use with BCS requires the use of a model. This model is an XML file that contains sets of descriptions of one or more external content types, the related external systems, and other environment-specific information, such as authentication properties.

Four main data sources are available for use within BCS:

  • Windows Communication Foundation

  • SQL Server

  • SQL Azure

  • OData sources (including SQL OData sources)

Importing a BCS model

Once a BCS model has been made for the data source, it must be imported for use within SharePoint. Selecting the Business Data Connectivity service application allows for the management of the BDC service (Figure 4-10).


FIGURE 4-10 Managing the BDC service application

Selecting the Import icon on the ribbon begins the import process, with the following options:

  • BDC Model Browse to and upload a BDC model XML file.

  • File Type Choose the file type (model or resource).

    • Model A BDC model definition file contains the base XML metadata for a system.

    • Resource A resource definition file enables you to import or export only the localized names, properties, permissions, or any combination of the three.

  • Advanced Settings Advanced Settings allows you to do the following:

    • Choose Which Resources To Import It is possible to select more than one of the following: Localized names (selected by default), Properties (selected by default), and Permissions (not selected).

    • Custom Environment Settings If you imported a resource file type, it can include custom settings.

Configuring an External Content Type Profile Page Host

Once the BCS model has been uploaded, Profile Pages can then be configured by selecting the Configure icon on the ribbon. The configuration process allows you simply to specify an External Content Type Profile Page Host, as shown in Figure 4-11.


FIGURE 4-11 Configuring an External Content Type

Profile Pages are used to display information for an entity (External Content Type). New Profile Pages are added by selecting the External Content Type and then selecting Create/Upgrade Profile Page (Figure 4-12).


FIGURE 4-12 Creating a new Profile Page

Configure BCS model security

BCS often connects to other line-of-business systems, which can contain sensitive data. As with any other system, security requires that we plan for the authentication to the data source as well as the authorization (permissions) for accessing the data source.


BCS supports three different authentication methods:

  • Credentials-based authentication User name and password credentials are passed directly from BCS to the external system.

  • Claims-based authentication The external system will accept credentials from a third-party authentication service (a security token provider). These credentials are comprised of assertions about the requestor (a claim).

  • Custom authentication If neither credentials- nor claims-based authentication is supported by the external system, then a custom solution will be required to translate credentials from BCS to a format understood by the external system.


Once authentication has been performed, the next discussion is which roles will be assigned access to the solution. The security of this data should be assigned to three roles in a SharePoint farm:

  • Administrative roles Administrators are responsible for permissions management, creating and managing the BDC service application, importing BDC models, and managing permissions. If Add-ins are also used, then administrators will also publish the Add-in and create and manage connection objects.

  • Developer or Designer roles These roles create the external content types, BDC models, and the Add-ins for SharePoint by using BCS.

  • User roles Multiple groupings of users may be assigned to consume and possibly manipulate external data in the BCS solution.

Permissioning in BCS needs to be managed for four distinct components of the BCS solution:

  • External system The external system administrator will assign and manage permissions for the solution; if users are required to use their SharePoint credentials, the Secure Store service might need to be set up in SharePoint.

  • BCS central infrastructure This has to do with the security of the service application contained within Central Administration on the SharePoint farm; permissions to this service application can be delegated (as can happen on a number of other service applications in SharePoint).

  • Development environment As a development environment will likely be required for BCS design efforts, this environment can have fewer users but permissions can be a bit more relaxed, so as not to impede development efforts.

  • User environment User permissions differ based on the mechanisms used for accessing BCS data. For instance, it is a different matter (in terms of scope and execution) to configure external lists and columns, than to assign permissions via Office and SharePoint Add-ins.

Generate a Secure Store master key

The Secure Store service in SharePoint 2016 is a claims-aware service that stores authorization credentials in an encrypted database. These credentials can be used by other service applications in the farm, particularly to access external data sources.

Creating the Secure Store service application

As service applications go, setting up the Secure Store service application is quite easy. After selecting Manage Service Applications from within Central Administration, all that must be provided is a handful of information:

  • Service Application Name A name for the new service application.

  • Database The server and database names, along with the authentication mechanism used (Windows or SQL).

  • Failover Server Only used if you implement SQL mirroring.

  • Application Pool Create a new application pool (or reuse an existing one).

  • Enable Audit Choose whether or not to enable an Audit log for the Secure Store service (and how many days it spans), which will then be stored in the Secure Store database.

Several guidelines exist for the secure configuration of the Secure Store service application. These guidelines are designed to help secure this database, as it stores potentially sensitive credentials.

  • Run the Secure Store service in a separate application pool from all other service applications.

  • Run the Secure Store service in a separate application server not used for any other service.

  • Deploy the Secure Store database to a different instance of SQL Server than is used for the SharePoint 2016 installation.

Creating a new key

Aside from creating the Secure Store service application (created from Central Administration, Service Applications), the only other task that remains is to create a new encryption key for use with the Secure Store database.

On the initial installation of the Secure Store service application, the service will not allow you to create new Target Applications until this key has been generated (Figure 4-13).


FIGURE 4-13 Warning message about generating a new key

Three guidelines exist for the creation and management of the encryption key:

  • Back up the Secure Store database:

    • Before generating a new encryption key

    • After it’s initially created

    • Each time credentials are re-encrypted

  • Back up the encryption key (located in the Secure Store service application):

    • After initially setting up Secure Store

    • Each time it is regenerated

  • Do not store the encryption key backup media in the same location as the backup media used for the Secure Store database.

Clicking the Generate New Key icon starts the process of generating and applying the encryption key. This process requires that you create a case-sensitive pass phrase for use with the encryption key, and which is used when adding new Secure Store service servers as well as restoring a backed-up Secure Store database (Figure 4-14).


FIGURE 4-14 Creating a new pass phrase while generating a new encryption key

Once the key has been generated, make sure to record the pass phrase, as both it and the encryption key are required to successfully restore the Secure Store database.

Create Secure Store Target Applications

Creating a new Secure Store Target Application is a three-step process. On the ribbon, clicking the New icon begins this process.

First Configuration page

On the first configuration page, shown in Figure 4-15, you have the opportunity to provide the following values:

  • Target Application ID (name) A unique, unchangeable identifier for your Target Application.

  • Display Name A friendly (display) name for the Target Application.

  • Contact E-mail The e-mail for the primary contact for this Target Application.

  • Target Application Type Choose from an Individual Ticket, Individual Restricted, Individual (Default), Group Ticket, Group Restricted, or Group.

  • Target Application Page URL Choose whether to use Default Page, a Custom Page (specify), or None.


FIGURE 4-15 Creating a new Secure Store Target Application (Page 1)

Second configuration page

On the second configuration page, you have the opportunity to provide both two field names and two matching field types (Figure 4-16). Field Name simply describes what the field is to be called, and is not a field for entering a user name or a password. The Masked check box can be selected to hide either the user name, password, or both when setting credentials, as you will see shortly.


FIGURE 4-16 Creating a new Secure Store Target Application (Page 2)

Third configuration page

On the third and final configuration page, the Target Application Administrators can be selected. These users are then given privileges to manage the Target Application settings (Figure 4-17).


FIGURE 4-17 Creating a new Secure Store Target Application (Page 3)

Manage Secure Store Target Application permissions

Permissions for the Secure Store Target Application have to do with two actions: setting credentials and setting permissions.

Setting credentials

Once the Target Application has been created, user credentials need to be initially set. Selecting Target Application, Set Credentials provides the opportunity to specify a Credential Owner as well as individual or group user names and passwords (Figure 4-18).


FIGURE 4-18 Setting credentials for the Secure Store Target Application

Setting permissions

After the Target Application is created, user permissions can be applied after the fact. Selecting the Target Application ID and then choosing to Set Permissions will give the ability to specify one or more permission sets (Target Application Administrators shown in Figure 4-19), depending on the Target Application type previously chosen.


FIGURE 4-19 Setting permissions

Configure BCS for search

To surface a BDC External Content Type in Search, the External Content Type needs to be configured as a Content Source in the Search service application.

Within the Search service application, selecting New Content Source begins this process, requiring the following fields (shown in Figure 4-20):

  • Name The name of the Search content source.

  • Type of content to be crawled Selections include SharePoint Sites, Web Sites, File Shares, Exchange Public Folders, Line Of Business Data (selected), and Custom Repository.

  • Select The Business Connectivity Service Application Allows for the selection of a BCS service application (assuming there is more than one).

  • Crawl Either Crawl All External Data Sources or Crawl Selected External Data Source, in this case Wingtiptoys.


FIGURE 4-20 Configuring a BCS content source

Configure hybrid BCS

BCS is available both on-premises and in SharePoint online. By using the Microsoft BCS hybrid deployment scenario, you can publish on-premises data to an external list or add-in on SharePoint Online.


Prior to its use, an environment must be configured for use with the BCS hybrid scenario. This configuration has several prerequisites:

  • There must be an S2S trust with Azure Access Control Service for inbound hybrid connections.

  • Ensure that all on-premises user accounts accessing the BCS hybrid solution are federated accounts.

  • Create a service account in the on-premises domain intended to access the OData service endpoint.

  • Create a global security group in the on-premises domain.

  • Add the federated accounts from the on-premises domain to the global security group.

Configuration steps for hybrid BCS

Configuring the on-premises environment to use the hybrid BCS scenario requires several steps, intended to establish the relationship between the two environments:

  • Create and configure a Secure Store Target Application, which links the global security group to the service account, both of which were created in the prerequisites section.

  • Create and configure the OData service endpoint; this will also include the assignment of permissions to the data source represented by this endpoint.

  • Prepare the SharePoint Online site and App Catalog, identifying the site through which the data will be offered, and configuring the App Catalog (if an Add-in for SharePoint will be used).

  • Set permissions on the BDC Metadata Store in SharePoint Online (for use with manual imports of External Content Type method).

  • Validate external access to the on-premises SharePoint environment using the URL published through your reverse proxy.

  • Create and configure the External Content Type by using Visual Studio.

  • From BCS in SharePoint Online, configure a connection settings object, which contains additional information used to establish the connection to the external system and OData source.