Available Authentication Modes

The following authentication modes are available when you use the Business Data Catalog to connect to a Web service.

Pass-Through Authentication

Pass-through authentication refers to the ability of the operating system to pass a client's authentication information to the back-end server. The Business Data Catalog supports pass-through authentication for database connections and Web service connections. When you use pass-through authentication, you authenticate as the identity of the end user.

When you access the Business Data Catalog from a Web page, it runs in the Microsoft Internet Information Services (IIS) worker process, w3wp.exe. The identity of this process is the IIS application pool account impersonating the logged-on user. To avoid losing the logged-on user's identity when the Business Data Catalog authenticates to the back-end server, you must enable Kerberos delegation between the server running IIS and the other computer. Kerberos delegation enables a receiving server to send the authentication request to the proper location.

When you use the Business Data Catalog for crawling, it runs in the filter daemon process, mssdmn.exe. To access the back-end content source, the threads in the filter daemon process impersonate the content access account associated with that back-end content source.

One drawback of pass-through authentication is that the operating system exposes only the user name and password. Therefore, if a company uses two-factor authentication (that is, users must present some additional private information beyond a user name and password), you cannot use pass-through authentication.

Simplicity of use makes pass-through authentication a good candidate for use in a testing environment. You might also use it if the Web service or the destination server uses anonymous authentication or SSL connections.

RevertToSelf Authentication

If a user logs on with Windows authentication, IIS impersonates that particular account. While IIS runs under the application pool identity, it impersonates the logged-on user, and the request runs under the user's impersonation before it is passed forward.

RevertToSelf authentication enables you to revert this impersonation and authenticate as the underlying account that is configured for the IIS application pool.

Warning

If custom code uses RevertToSelf() for authentication, it can grant users system-level privileges on the back-end servers by granting privileges to the application pool identity. Ensure that you thoroughly test any custom code before you run it on a production system.

WindowsCredentials Authentication

Microsoft Office SharePoint Server 2007 authenticates by using Windows credentials from its default single sign-on (SSO) service. Use this mode if your Web service uses Windows authentication. You need to set up SSO before using this mode. When you use Windows credentials, the Business Data Catalog tries to split the username field that is returned from SSO into domain\user and then uses the domain, username, and password triad to authenticate.

Credentials Authentication

Office SharePoint Server 2007 authenticates Web service systems by using credentials other than those from Windows authentication from its default SSO service. These credentials are used for basic authentication or digest authentication, depending on the configuration of the Web services server. Because basic authentication and digest authentication do not adequately protect credentials, you should use SSL or IPSec (or both) to secure communication between the Web services server and the server that is running the Business Data Catalog.

Use this mode if your Web service uses credentials other than Windows credentials. You need to set up SSO before using this mode. When you use Credentials, the Business Data Catalog does not attempt to split the username field that is returned from SSO into domain\user as in WindowsCredentials mode, but rather uses the username and password from SSO directly to authenticate.

Application-Level Authentication

The Business Data Catalog also supports a secondary, application-level authentication. This authentication is used in addition to the primary authentication configured for the system. It is particularly useful in situations where a back-end application needs security credentials to be passed in the method calls, for example to authorize users, or for a Web method that looks for credentials in HTTP or SOAP headers. To enable application-level authentication, take the following steps.

  1. In the SecondarySsoApplicationId property of the LobSystemInstance, specify the single sign-on application that contains the credentials.

  2. If your back-end application needs security credentials to be passed in the method calls, define a Username filter and a Password filter and associate each with an input parameter.

  3. If your back-end application needs security credentials to be passed as HTTP headers, define the HttpUsername property and the HttpPassword property on the method.

  4. If your back-end application needs security credentials to be passed as SOAP headers, define the SOAPUsername property and the SOAPPassword property on the method.

UserContext Filter

The UserContext filter limits the instances returned by a method to the current user's context. This filter tells the Business Data Catalog to append the current Microsoft Windows user's domain name and user name to the method call.

If a metadata author creates metadata that takes a user name as a user-controllable filter and returns sensitive personal data, a user may see another user's data. To avoid this, use the UserContext filter to pass in the user name to the method call.
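The following added example (not from this topic or from the Business Data Catalog itself) models the difference described above with a constructed in-memory back end: a caller-controllable filter lets one user request another user's rows, while a UserContext filter has the runtime overwrite the parameter with the authenticated caller's DOMAIN\user. The filter types, the Principal and Method classes, and the sample accounts are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample back-end data keyed by DOMAIN\user (not real accounts).
ORDERS: Dict[str, List[str]] = {
    "CONTOSO\\alice": ["A-100", "A-101"],
    "CONTOSO\\bob": ["B-200"],
}


@dataclass(frozen=True)
class Principal:
    domain: str
    name: str


@dataclass(frozen=True)
class FilterDescriptor:
    name: str   # name of the input parameter the filter feeds
    type: str   # "UserContext" (runtime-supplied) or "Comparison" (caller-supplied)


@dataclass(frozen=True)
class Method:
    filters: List[FilterDescriptor]


def resolve_filter_values(method: Method, request: Dict[str, str],
                          current_user: Principal) -> Dict[str, Optional[str]]:
    """Build the argument set for a method call.

    A UserContext filter is always filled in by the runtime with the
    authenticated caller's DOMAIN\\user; any value the caller sent for that
    parameter is ignored. Every other filter takes the caller's value as-is.
    """
    values: Dict[str, Optional[str]] = {}
    for f in method.filters:
        if f.type == "UserContext":
            values[f.name] = f"{current_user.domain}\\{current_user.name}"
        else:
            values[f.name] = request.get(f.name)
    return values


def get_orders(method: Method, request: Dict[str, str],
               current_user: Principal) -> List[str]:
    """Simulated back-end method: returns the orders for the UserName argument."""
    args = resolve_filter_values(method, request, current_user)
    return ORDERS.get(args.get("UserName") or "", [])


# UserName bound to a caller-controllable filter (the flaw described above).
COMPARISON_METHOD = Method([FilterDescriptor("UserName", "Comparison")])
# The same parameter bound to a UserContext filter (the fix).
USERCONTEXT_METHOD = Method([FilterDescriptor("UserName", "UserContext")])
```

Calling `get_orders` with the caller `CONTOSO\bob` and a request that names `CONTOSO\alice` returns alice's rows for the Comparison-bound method and only bob's rows for the UserContext-bound method.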

For more information, see FilterDescriptor.

Important

If you get an application definition import error saying Business Data Catalog is unable to connect to the WSDL, note that the WSDL may not be public. In such a case, you need to set up authentication by using one of the modes discussed in this topic, or manually copy the WSDL to the local system and point the WSDLFetchURL to the file URL.

See Also

Concepts

Business Data Catalog: Security Model
Support for Custom HTTP and SOAP Headers