BDC Single Sign On

Business Data Catalog and Single Sign On

The Business Data Catalog is a component of Microsoft Office SharePoint Server 2007 Enterprise Edition. It allows you to integrate your Line of Business databases and web services with SharePoint.

Usually Single Sign-On (SSO) is used for credential mapping so that you are not prompted again for your username and password when accessing data from a backend system. Meaning that, if you have already logged onto SharePoint, and you are a member of a domain group, your credentials will be mapped to a user account that has permissions to access the database, and SharePoint doesn’t need to challenge you again for your username and password.

Where the BDC is concerned, that hurdle can be overcome in other ways as well as by using SSO. The Business Data Catalog can use different authentication mechanisms such as PassThrough or RevertToSelf. With RevertToSelf you are asking the Application Pool identity to access the database on the user's behalf, so that each user doesn't need a specific login account at the database. With PassThrough the user's own credentials are passed through to the database, so the user requires a login account and permissions at the database.

Typically in a real world SharePoint environment your SQL/Oracle database (aka Line of Business Data) will reside on a server remote from the SharePoint Web Front End Server (WFE). When we describe Line of Business (LOB) data we are referring to Microsoft Navision, Microsoft Great Plains, Oracle Financials, or any type of database that stores business data such as customers, suppliers, orders etc.

If your LOB database is remote, and you also happen to be using NT LAN Manager (NTLM) as the authentication mechanism for Integrated Security, you will suffer from what is known as the double hop issue. If you haven't come across the double hop issue by now, you soon will if you try accessing remote data from SharePoint whilst using NTLM. NTLM can only make one hop: from Internet Explorer (IE) to Internet Information Services (IIS). Unfortunately the credentials need to travel from IE to IIS and on to your database server (two hops). SSO is able to connect to the data source as the user specified in the SSO Application Definition and temporarily logs in as that user, meaning only one hop is required to reach the data source.

The double hop issue is just one reason to use SSO. Another reason is that you want to make use of your Active Directory (AD) groups when accessing data. This means that you can grant a domain group such as ‘domainname\sales’ or ‘domainname\domain users’ access to the database through a specific account.

Of course the credential mapping is still very useful, as I don't need a login account at the database. If I am a member of a group such as ‘domain users’, then ‘domain users’ can be configured to always connect to the database as ‘domainname\administrator’ or another account that has read permissions to the database.
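The RevertToSelf and SSO options described above, side by side as LobSystemInstance definitions in BDC application-definition XML. This is an added example, not XML from the original post or the whitepaper; the server LOBSQL01, the database Sales and the SSO application definition SalesDbSso are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example: one Database LobSystem with two instances that differ
     only in how the BDC authenticates to the LOB database. Server, database and
     SSO application names are placeholders, not values from the original post. -->
<LobSystem xmlns="http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog"
           Type="Database" Version="1.0.0.0" Name="SalesLob">
  <LobSystemInstances>

    <!-- Instance 1: RevertToSelf. The BDC connects as the web application's
         Application Pool identity. One hop (WFE to SQL), so NTLM is fine, but
         every SharePoint user reaches the database as the same account; the
         database cannot tell them apart, so authorisation lives in SharePoint. -->
    <LobSystemInstance Name="SalesLob_RevertToSelf">
      <Properties>
        <Property Name="AuthenticationMode" Type="System.String">RevertToSelf</Property>
        <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
        <Property Name="RdbConnection Data Source" Type="System.String">LOBSQL01</Property>
        <Property Name="RdbConnection Initial Catalog" Type="System.String">Sales</Property>
        <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
        <Property Name="RdbConnection Pooling" Type="System.String">false</Property>
      </Properties>
    </LobSystemInstance>

    <!-- Instance 2: SSO credential mapping. The BDC looks up the calling user
         (or the AD group they belong to) in the SSO application definition
         "SalesDbSso", retrieves the mapped Windows account and connects with it.
         Only that mapped account needs a SQL login; still a single hop.
         (PassThrough would instead forward the browsing user's own credentials
         and hit the double hop with NTLM.) -->
    <LobSystemInstance Name="SalesLob_Sso">
      <Properties>
        <Property Name="AuthenticationMode" Type="System.String">WindowsCredentials</Property>
        <Property Name="SsoApplicationId" Type="System.String">SalesDbSso</Property>
        <Property Name="SsoProviderImplementation" Type="System.String">Microsoft.SharePoint.Portal.SingleSignon.SpsSsoProvider, Microsoft.SharePoint.Portal.SingleSignon, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c</Property>
        <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
        <Property Name="RdbConnection Data Source" Type="System.String">LOBSQL01</Property>
        <Property Name="RdbConnection Initial Catalog" Type="System.String">Sales</Property>
        <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
        <Property Name="RdbConnection Pooling" Type="System.String">false</Property>
      </Properties>
    </LobSystemInstance>

  </LobSystemInstances>
  <!-- Entities, Methods and Filters for the Sales tables follow here in a full definition. -->
</LobSystem>
```

When the SSO instance is used, the account mapped in SalesDbSso is the one that needs a login and read permission on the Sales database, not the individual domain users.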
