Plan the Secure Store Service in SharePoint Server

Summary: Plan to store authorization credentials in an encrypted database by using the Secure Store Service in SharePoint Server 2013 and SharePoint Server 2016.

The Secure Store Service is a claims-aware authorization service that includes an encrypted database for storing credentials.

About the Secure Store Service

The Secure Store Service is an authorization service that runs on SharePoint Server. The Secure Store Service provides a database that is used to store credentials. These credentials usually consist of a user identity and password, but can also contain other fields that you define. For example, SharePoint Server can use the Secure Store database to store and retrieve credentials for access to external data sources. The Secure Store Service provides support for storing multiple sets of credentials for multiple back-end systems.

Usage scenarios for Secure Store include the following:

  • Excel Online in Office Online Server can use Secure Store to provide access to external data sources in workbooks published in SharePoint Server 2016. This can be used as a substitute for passing a user's credentials to the data source, a process which often requires configuring Kerberos constrained delegation.

  • Excel Services in SharePoint Server 2013 can use Secure Store to provide access to external data sources in published workbooks. This can be used as a substitute for passing a user's credentials to the data source, a process which often requires configuring Kerberos delegation. Excel Services requires Secure Store if you want to configure an unattended service account for data authentication.

  • Visio Services can use Secure Store to provide access to external data sources in published data-connected diagrams. This can be used as a substitute for passing a user's credentials to the data source, a process which often requires configuring Kerberos constrained delegation. Visio Services requires Secure Store if you want to configure an unattended service account for data authentication.

  • PerformancePoint Services can use Secure Store to provide access to external data sources. PerformancePoint Services requires Secure Store if you want to configure an unattended service account for data authentication.

  • Power Pivot requires Secure Store for scheduled refresh of PowerPivot workbooks.

  • Microsoft Business Connectivity Services can use Secure Store to map the user's credentials to a set of credentials for an external system. You can either map each user's credentials to a unique account on the external system or you can map a set of authenticated users to a single group account. Business Connectivity Services can also use Secure Store to store certificates for accessing an on-premises data source from SharePoint Online.

  • The SharePoint runtime can use Secure Store to store the credentials necessary to communicate with Azure services, if any of the user apps require the SharePoint runtime to provision and use Azure Services.

Secure Store Service preparation

When you prepare to deploy the Secure Store Service, be aware of the following important guidelines:

  • Before you generate a new encryption key, back up the Secure Store database. You should also back up the Secure Store database after it is initially created, and again each time credentials are re-encrypted. When a new key is generated, the credentials can be re-encrypted with the new key. If the key refresh fails, or the passphrase is forgotten, the credentials will not be usable.

  • Back up the encryption key after initially setting up Secure Store, and back up the key again each time it is regenerated.

  • Do not store the backup media for the encryption key in the same location as the backup media for the Secure Store database. If a user obtains a copy of both the database and the key, the credentials stored in the database could be compromised.

Because Secure Store is used to store sensitive information, for better security we recommend that you consider the following guidelines:

  • Run the Secure Store Service in a separate application pool that is not used for any other service.

  • Create the Secure Store database on a separate server running SQL Server. Do not use the same SQL Server instance that contains content databases.
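The following SharePoint Management Shell script is an added example, not part of this page or of Microsoft's own documentation, that applies the preparation guidelines above when provisioning the service: a dedicated application pool, a database on a SQL Server instance separate from the content databases, a database backup taken before the encryption key is generated, and the key generated and refreshed from a passphrase. The managed account CONTOSO\svc-securestore, the instance name SQL-SECURE\STORE, the backup share \\backup\sp and the application and proxy names are assumptions for illustration.

```powershell
# Added example (not from the page): provision Secure Store following the
# preparation guidelines. Run from the SharePoint Management Shell on a farm
# server as a farm administrator. Names below are assumed for illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Guideline: a dedicated application pool that no other service uses, running
# under its own managed account (assumed: CONTOSO\svc-securestore).
$poolAccount = Get-SPManagedAccount -Identity "CONTOSO\svc-securestore"
$pool = New-SPServiceApplicationPool -Name "SecureStoreAppPool" -Account $poolAccount

# Guideline: the Secure Store database lives on a SQL Server instance that
# holds no content databases (assumed instance: SQL-SECURE\STORE).
$ssa = New-SPSecureStoreServiceApplication -Name "Secure Store Service" `
    -ApplicationPool $pool `
    -DatabaseServer "SQL-SECURE\STORE" `
    -DatabaseName "SecureStore_DB" `
    -AuditingEnabled -AuditlogMaxSize 30 -Sharing

$proxy = New-SPSecureStoreServiceApplicationProxy -Name "Secure Store Service Proxy" `
    -ServiceApplication $ssa -DefaultProxyGroup

# Guideline: back up the Secure Store database right after it is created and
# before any encryption key is generated. The -Item path is the node name
# shown by "Backup-SPFarm -ShowTree"; the share is assumed.
Backup-SPFarm -Directory "\\backup\sp\securestore-db" -BackupMethod Full `
    -Item "Farm\Shared Services\Shared Services Applications\Secure Store Service"

# Generate the master (encryption) key from a passphrase. The passphrase is
# required again whenever the key is re-applied to a server, and the page
# notes that if it is forgotten the stored credentials become unusable.
$passphrase = Read-Host -Prompt "Secure Store key passphrase"
Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy -Passphrase $passphrase

# Allow the new key to propagate, then refresh (re-encrypt with) the key on
# the application servers. Back up the database again after the refresh.
Start-Sleep -Seconds 60
Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $proxy -Passphrase $passphrase
Backup-SPFarm -Directory "\\backup\sp\securestore-db" -BackupMethod Full `
    -Item "Farm\Shared Services\Shared Services Applications\Secure Store Service"

# The key backup itself (taken after setup and after each regeneration) must go
# to media stored somewhere other than \\backup\sp\securestore-db, so that one
# copied location does not yield both the database and the key that decrypts it.
```

Using a SQL alias or a distinct instance name for `-DatabaseServer` makes the "separate instance" guideline visible in the configuration rather than something to remember later, and the two `Backup-SPFarm` calls bracket the key generation so that a failed key refresh can be recovered from the pre-key backup.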

Target applications in Secure Store

A target application is a collection of information that maps a user or users to a set of encrypted credentials stored in the Secure Store database. Target applications contain the following information that you define:

  • Whether this is an individual or group mapping.

  • What fields to store in the Secure Store database. (The default is Windows User Name and Windows Password, but additional field types can be selected, depending on the application.)

  • Users with permissions to administer the target application.

  • The individual or group to whom you are mapping the credentials.

Each target application has a unique application ID that you define. External applications such as Excel Online or SharePoint Designer use that ID to reference the target application.

Secure Store credential mappings

The Secure Store Service supports individual mappings and group mappings. In a group mapping, every user who is a member of a specific domain group is mapped to the same set of credentials. In an individual mapping, each individual user is mapped to a unique set of credentials. Individual mappings are useful if you need logging information about individual user access to shared resources. For group mappings, a security layer maps credentials for multiple domain users against a single set of credentials that are stored in the Secure Store database. Group mappings are easier to maintain than individual mappings, and can provide improved performance.
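The following SharePoint Management Shell script is an added example, not taken from this page or from Microsoft's documentation, that puts the two preceding sections together: it defines the four pieces of information a target application carries (mapping type, stored fields, administrators, mapped principals) for one group-mapped and one individually mapped target application, and then sets the credentials for each. It assumes a Secure Store Service application with a generated master key already exists in the default proxy group, a site at http://portal.contoso.com from which to obtain a service context, the CONTOSO domain, and the group, user and service-account names shown.

```powershell
# Added example (not from the page): one group-mapped and one individually
# mapped target application. Assumes Secure Store is provisioned with a master
# key and that the names below exist; they are illustrative only.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# A service context selects the Secure Store proxy associated with this site.
$ctx = Get-SPServiceContext -Site "http://portal.contoso.com"

# Fields to store: the default Windows user name / password pair. Masking the
# password field keeps its value from ever being displayed back in the UI.
$fields = @(
    (New-SPSecureStoreApplicationField -Name "Windows User Name" -Type WindowsUserName -Masked:$false),
    (New-SPSecureStoreApplicationField -Name "Windows Password"  -Type WindowsPassword -Masked:$true)
)

# Administrator of both target applications (assumed account).
$admin = New-SPClaimsPrincipal -Identity "CONTOSO\bi-admin" -IdentityType WindowsSamAccountName

# --- Target application 1: group mapping -------------------------------------
# The Name is the application ID that Excel Online, BCS, etc. will reference.
# Every member of CONTOSO\Sales-Analysts shares one back-end account: simpler to
# maintain and faster, but the back end sees only the shared identity.
$groupTarget = New-SPSecureStoreTargetApplication -Name "SalesDW-Group" `
    -FriendlyName "Sales data warehouse (shared account)" `
    -ApplicationType Group -ContactEmail "bi-admins@contoso.com"

$members = New-SPClaimsPrincipal -Identity "CONTOSO\Sales-Analysts" -IdentityType WindowsSecurityGroupName

$groupApp = New-SPSecureStoreApplication -ServiceContext $ctx -TargetApplication $groupTarget `
    -Fields $fields -Administrator $admin -CredentialsOwnerGroup $members

# One credential set for the whole group; values are SecureStrings in the same
# order as $fields. The password is prompted for rather than placed in the script.
$groupUser = ConvertTo-SecureString "CONTOSO\svc-salesdw-read" -AsPlainText -Force
$groupPwd  = Read-Host -Prompt "Password for CONTOSO\svc-salesdw-read" -AsSecureString
Update-SPSecureStoreGroupCredentialMapping -Identity $groupApp -Values @($groupUser, $groupPwd)

# --- Target application 2: individual mapping --------------------------------
# Each user gets their own back-end credentials, so the back end can log and
# authorize per user; there is no CredentialsOwnerGroup for this type.
$indivTarget = New-SPSecureStoreTargetApplication -Name "SalesDW-Individual" `
    -FriendlyName "Sales data warehouse (per-user accounts)" `
    -ApplicationType Individual -ContactEmail "bi-admins@contoso.com"

$indivApp = New-SPSecureStoreApplication -ServiceContext $ctx -TargetApplication $indivTarget `
    -Fields $fields -Administrator $admin

# Map one SharePoint user (assumed: CONTOSO\alice) to her own back-end account.
$alice     = New-SPClaimsPrincipal -Identity "CONTOSO\alice" -IdentityType WindowsSamAccountName
$aliceUser = ConvertTo-SecureString "SALESDW\alice.reports" -AsPlainText -Force
$alicePwd  = Read-Host -Prompt "Back-end password for SALESDW\alice.reports" -AsSecureString
Update-SPSecureStoreCredentialMapping -Identity $indivApp -Principal $alice -Values @($aliceUser, $alicePwd)

# Verify both target applications are registered in this service context.
Get-SPSecureStoreApplication -ServiceContext $ctx -Name "SalesDW-Group"
Get-SPSecureStoreApplication -ServiceContext $ctx -Name "SalesDW-Individual"
```

The choice between the two mapping types is the trade-off the section describes: the group target application needs a single credential update when the shared account's password rotates, while the individual target application needs one `Update-SPSecureStoreCredentialMapping` per user but lets the external system attribute each access to a distinct account.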

Secure Store Service and claims authentication

The Secure Store Service is a claims-aware service. It can accept security tokens and decrypt them to get the application ID, and then perform a lookup. When a SharePoint Server Security Token Service (STS) issues a security token in response to an authentication request, the Secure Store Service decrypts the token and reads the application ID value. The Secure Store Service uses the application ID to retrieve credentials from the Secure Store database. The credentials are then used to authorize access to resources.

See also

Other Resources

Configure the Secure Store Service in SharePoint Server