Deploying BCS Simple Solutions

Using Microsoft Business Connectivity Services (BCS), you can model business data into external content types, create external lists from these external content types, and make this business data available offline in Microsoft Office applications such as Microsoft Outlook and Microsoft SharePoint Workspace. You can take the data offline in the form of a Business Connectivity Services simple solution that you can then install on the client computer. This topic discusses the nature of this BCS solution and provides important information to help you ensure a seamless deployment experience for simple solutions.

Applies to: SharePoint Server 2010

In this article
Security in ClickOnce Applications
User Prompting Based on Security Zones
Avoiding Deployment Failures That Result From the Default Prompting Policy
Prerequisites for Business Connectivity Services Solution Deployment
Browser Support for Business Connectivity Services Solution Deployment

When you click the Connect to Outlook or Sync to SharePoint Workspace button on an external list, all the artifacts relevant to the external list are first packaged into a ClickOnce application package, which then becomes the Business Connectivity Services solution. As such, a Business Connectivity Services solution is inherently a ClickOnce application, and all the rules, regulations, and limitations that govern general ClickOnce applications apply to BCS solutions. After this ClickOnce application is created, and the necessary prerequisites are met on the client, you can install the ClickOnce application by using the Visual Studio 2010 Office Solution Installer.

Security in ClickOnce Applications

The ClickOnce security model relies on trusted publishers or user prompting to determine elevation of privileges that would allow a ClickOnce application to be deployed to a client. If a ClickOnce application is signed by a trusted publisher, then the application, without prompting, automatically elevates its own privileges and continues with the installation. If the application is not signed by a trusted publisher, ClickOnce does not automatically trust it, and you are prompted to confirm that you want to install the application. This prompting, however, is neither automatic nor guaranteed: it is determined by the security zone from which the ClickOnce application is being installed, as explained in the following section.

User Prompting Based on Security Zones

ClickOnce makes use of code access security (see Code Access Security for ClickOnce Applications) to determine the deployment experience, such as whether or not you see a prompt asking if you want to install a solution. By default, ClickOnce relies on the five built-in security zones that are defined in Internet Explorer:

  • MyComputer

  • LocalIntranet

  • Internet

  • TrustedSites

  • UntrustedSites

These zones are used by code access security to make trust decisions for prompting level and behavior. Each zone is determined by the full path address of the deployment manifest file. In the case of Business Connectivity Services, this is the URL of the solution in the external list. Table 1 shows example URLs and their corresponding security zones.

Table 1. Example URLs for deployment manifest files

| ClickOnce Application URL | Security Zone |
| --- | --- |
| C:\contoso\clientsolution\customer.vsto | MyComputer |
| http://contoso/clientsolution/customer.vsto | LocalIntranet |
| \\contoso\clientsolution\customer.vsto | LocalIntranet |
| http://fabrikam.contoso/clientsolution/customer.vsto | Internet |
| https://www.contoso.com/clientsolution/customer.vsto | Internet |
| \\127.0.0.1\clientsolution\customer.vsto | Internet |

Whether a user sees a prompt before a ClickOnce application can be installed is determined by the security zone, as shown in Table 2.

Table 2. Prompt behaviors by security zone

| Security Zone | Default Trusting Prompt Behavior |
| --- | --- |
| MyComputer | Allow user prompting |
| LocalIntranet | Allow user prompting |
| Internet | No user prompting allowed unless the solution is signed by a certificate whose issuer is a trusted Certificate Authority (CA) |
| TrustedSites | Allow user prompting |
| UntrustedSites | No user prompting allowed unless the solution is signed by a trusted certificate whose issuer is a trusted CA |

For more information about security zones and how to handle prompting, see Configuring ClickOnce Trusted Publishers, and pay special attention to the "Get Into the Zone" section.

The default deployment experience uses a self-signed certificate to sign Business Connectivity Services solutions. Because the certificate is self-signed, it is not from a trusted CA. This leads to the following default experience for LocalIntranet and Internet zones:

  • If your external list is in a LocalIntranet zone when you take it offline, you will see a Publisher cannot be verified prompt, as shown in Figure 1.

    Figure 1. Unknown publisher prompt in the Intranet zone

  • If your external list is in an Internet zone, you will not be prompted and deployment will fail with an Installing Office customization error, as shown in Figure 2.

    Figure 2. Unknown publisher prompt in the Internet zone

Avoiding Deployment Failures That Result From the Default Prompting Policy

To get around the deployment failure described in the previous section, you can do any of the following:

  • In an enterprise scenario, administrators can provide CA-issued certificates to use to sign their Business Connectivity Services solutions. For more information about how to do this, see How to: Get Rid of the Publisher Cannot Be Verified Alert When Taking External Lists Offline.

  • In an enterprise scenario, administrators can also push a Trust prompting policy through their Group Policy infrastructure if they want a prompting policy that is different from the defaults explained previously.

  • Users can add the SharePoint site to the list of Trusted sites or the Local intranet sites in Internet Explorer. However, this is not recommended for every site and should be done only for sites that the user can trust.

  • Users can add a PromptingLevel registry key that defines the behavior that they want. For more information about how to do this, see How to: Configure Inclusion List Security.

    Warning

    If you have installed the 32-bit version of Office 2010 on a 64-bit computer, you should create the registry key in the corresponding Wow6432Node node.
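An added example (not part of the original article): a Windows PowerShell 5.1 check that resolves the security zone of a deployment manifest URL and reports the PromptingLevel setting for that zone in both the native and Wow6432Node registry views. The registry path and the values Enabled, AuthenticodeRequired and Disabled come from Microsoft's ClickOnce trust-prompt documentation rather than from this article; the sample URL is a Table 1 entry.

```powershell
# Added example: report the ClickOnce trust-prompt policy that applies to a manifest URL.
# Assumes Windows PowerShell 5.1 on .NET Framework.
param(
    # Sample URL from Table 1; replace with the URL of your solution in the external list.
    [string]$ManifestUrl = 'http://contoso/clientsolution/customer.vsto'
)

# .NET SecurityZone enum name -> PromptingLevel value name (the zone names used in this article).
$valueNameByZone = @{
    MyComputer = 'MyComputer'; Intranet = 'LocalIntranet'; Internet = 'Internet'
    Trusted    = 'TrustedSites'; Untrusted = 'UntrustedSites'
}

# Default behavior per zone as stated in Table 2, used when no value is configured.
$caOnly = 'no prompt unless signed with a certificate issued by a trusted CA'
$defaultByValueName = @{
    MyComputer = 'prompt allowed'; LocalIntranet = 'prompt allowed'; TrustedSites = 'prompt allowed'
    Internet   = $caOnly; UntrustedSites = $caOnly
}

# The zone is derived from the full address of the deployment manifest.
$zone = [System.Security.Policy.Zone]::CreateFromUrl($ManifestUrl).SecurityZone
$valueName = $valueNameByZone["$zone"]
if (-not $valueName) {
    Write-Warning "No security zone could be resolved for $ManifestUrl"
    return
}

# Registry path per Microsoft's ClickOnce trust-prompt documentation (not given in this article).
# 32-bit Office on 64-bit Windows reads the Wow6432Node copy, so check both.
$subKey = 'Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'
$views = [ordered]@{
    Native      = "HKLM:\SOFTWARE\$subKey"
    Wow6432Node = "HKLM:\SOFTWARE\Wow6432Node\$subKey"
}

foreach ($view in $views.GetEnumerator()) {
    # A missing key or value yields $null, which means the default applies.
    $configured = (Get-ItemProperty -Path $view.Value -Name $valueName -ErrorAction SilentlyContinue).$valueName
    $effective = "default: $($defaultByValueName[$valueName])"
    if ($configured) { $effective = "configured: $configured" }
    [pscustomobject]@{ Zone = $zone; View = $view.Key; Effective = $effective }
}
```

A row that shows a configured value differing from the Table 2 default marks a client whose prompting policy has been changed locally or through Group Policy.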

Prerequisites for Business Connectivity Services Solution Deployment

Connecting an external list to either Outlook 2010 or SharePoint Workspace 2010 can be done only from a server with Microsoft SharePoint Server 2010 with Enterprise Client Access License installed. All other servers, such as those running Microsoft SharePoint Foundation 2010, are not supported. To deploy a Business Connectivity Services solution to a client computer, the client computer must have Microsoft Office Professional Plus 2010 or Outlook 2010 already installed. The following are other requirements for connecting an external list to Outlook or SharePoint Workspace:

  1. Microsoft .NET Framework 3.5

    .NET Framework 3.5 Service Pack 1 is supported. If .NET Framework 3.5 is not installed, you will see the installation error message shown in Figure 3 when you try to connect an external list to Outlook:

    Figure 3. .NET Framework 3.5 not installed error message

    And SharePoint Workspace will show the following error:

    Figure 4. .NET Framework 3.5 not installed error message in SharePoint Workspace

  2. Business Connectivity Services (BCS)

    • Business Connectivity Services is installed by default when Office Professional Plus 2010 is installed. However, Business Connectivity Services is dependent on .NET Framework 3.5, so if .NET Framework 3.5 is not installed at the time of Office installation, Business Connectivity Services will not be installed. You will see the .NET Framework 3.5 error message shown previously in Figure 4 if you try to take an external list offline. This is because the installer first checks for .NET Framework 3.5 and detects that it is not installed.

    • If you eventually install .NET Framework 3.5 and then take an external list offline, the on-demand installation of Business Connectivity Services will start. At this point, Office will be configured, and then the Visual Studio 2010 Office Solution installer will be launched to install the solution.

    • If you have .NET Framework 3.5 installed, but do not want to install Business Connectivity Services (by marking it as Not Available in Office Installation Options under Office Shared Features), you will see the error message shown in Figure 5 when you try to take the external list offline to Outlook.

      Figure 5. Business Connectivity Services not installed error message

      SharePoint Workspace will show the installation error message shown in Figure 6.

      Figure 6. Business Connectivity Services not installed error message in SharePoint Workspace

Browser Support for Business Connectivity Services Solution Deployment

The mechanism for taking external lists offline makes use of an ActiveX control to check the prerequisites mentioned earlier. Because only Internet Explorer supports ActiveX controls, taking external lists offline is supported only in Internet Explorer. In other browsers, such as Firefox, the Connect to Outlook and Sync to SharePoint Workspace buttons are disabled, as shown in Figure 7.

Figure 7. Buttons for taking lists offline are disabled in browsers other than Internet Explorer
