This is our third look at Business Connectivity Authentication, you can check out our two earlier articles here:

Business Connectivity Services Authentication

Business Connectivity Services PassThrough and RevertToSelf

Secure Store Service

The Secure Store Service provides you with the ability to store many credentials in the form of User Name and Password, Tokens, Pins, or Strings. Within a Secure Service Application you will design the schema providing the required information to authenticate. Usually the minimum is username and password which might be two string fields or a Windows Username and Windows Password.

Within the Secure Store Application you map at user or group level the credentials that will be passed to the database. Using the Secure Store Service you can connect to the data source using Federated, Delegated or Impersonated Authentication. When connecting to the Line of Business System, the BCS runtime passes the mapped credentials from the Secure Store Service to the data source.

If you don’t already have a Secure Store Application, you will need to create one. This is done by going to Application Management in Central Administration and then Manage Service Applications. Within that screen you can create a new Secure Store Application as shown below.

SSS1%20(2) thumb BCS Secure Store Services

The Secure Store is storing highly sensitive data and therefore needs to be encrypted. Before you configure the application, it is a good idea to generate the key used to encrypt the contents of the store. The Encryption key should also be backed up.

SSS3 thumb BCS Secure Store Services

The Target application can then be created, allowing you to design the schema of the information passed to the data source.

SSS5 thumb BCS Secure Store Services

SSS4 thumb BCS Secure Store Services

Once you have created the application, you can Set Credentials using the drop down menu on the Application.

SSS6 thumb BCS Secure Store Services

The final thing to do is configure you External Content Type to point to the Secure Store Target Application ID.

The Office Client applications can also make use of single sign on. They do this using an application called Credman and this has to be configured on the client machine itself. This allows users to store credentials themselves which will often require the assistance of Administrators to key in any service account passwords etc. However this does mean that Single Sign on can be used via SharePoint Workspace and Outlook etc.

Once you have Secure Store Service configured, within SharePoint Designer you will need to select ‘Connect with Impersonated Windows Identity’ and enter the Secure Store Application ID that you created earlier.

SSS7 thumb BCS Secure Store Services

If you are authenticated you will be able to connect to the data source using Secure Store Service.

One other type of Authentication supported is Claims based Federated Authentication. This allows WCF web services to pass credentials to a Secure Token Service which can be a SharePoint Secure Token Service or third party. You can then be authenticated based upon a claim against an identity. An example would be that you are authorised because you are older than 18 years of age, or that you have any other property value against a profile somewhere. A generated SAML token is then passed to the backend datasource. Federated Authentication will be covered in more detail in a future post.


  1. Tialen

    Thanks for the Article!
    I do have a question however, what do you setup for the credentials in the Secure Store target so all your users would have access to the SQL Database? I was assuming that the external connector would just use the individual account to authenticate all users who attempted to access the external datasource, however i’m getting access denied messages from every user except the user I setup in the Secure Store target..


  2. There could be multiple reasons for this error. Most likely, this is because you have not set a limit filter in your BDC model when you created it. If you query retrieves more than 2000 items, you might see this error in the UI. You can dig into ULS to see what the error is and correct it.

  3. Maja


    I created a new instance of Secure Service Store and then when I click Manage system gives the following error message:

    “Cannot complete this action as the Secure Store Shared Service is not responding. Please contact your administrator.”

    I check under Services on Server and Secure Store Service is started.

    Any help is appreciated.



Leave a Comment

Your email address will not be published. Required fields are marked *


* Copy This Password *

* Type Or Paste Password Here *