SharePoint Server 2013 - The Unattended Service Account

The unattended service account is an Active Directory account that is used by many of the service applications in SharePoint 2013 and 2010. It is a highly privileged account that is used to impersonate the currently accessing user. A service application can authenticate to and access external data sources in one of three ways, and SharePoint applies a different authentication mechanism for each configuration. Here I explain how each one works; which one is best for your environment is your decision.

Authentication option   Credentials used
Windows Authentication  Current user identity
Secure Store Service    Secure Store Service account
None                    Unattended Service Account

Windows Authentication

Windows authentication is straightforward: the external data is retrieved under the current user's identity. Because the request passes from the user's browser to the SharePoint server and then on to the data source, this requires Kerberos authentication, which can perform the double-hop authentication between the servers. The current user must hold all the privileges needed on the external data source.

None Authentication

With the "None" option the service application uses the "Unattended Service Account"; the application pool's service account should be mapped to the external account. Because the application pool's service account is mapped to the external account, every user in the farm who has access to the application pages also has access to the data.

Secure Store Service

When the Secure Store Service is used in a service application, the current user's account or group is mapped to the external account. This is quite different from the "Unattended Service Account" option, which uses the application pool's account. Only the users listed under "Members" in the Secure Store Service configuration have access to the data, which adds another layer of security.

When the Secure Store Service connects to external data, it can pass the credential in two ways: either as the credential in the connection string, or through impersonation.

In the case of Excel Calculation Services, this low-privileged account is impersonated by Excel Services if either of the following conditions is true:

  • Any time a connection is attempted where the 'None' authentication option is selected.
  • Whenever the 'Secure Store Service' option is selected and the stored credentials are not Windows credentials.
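As an added example (not from the original post), the following PowerShell, run from the SharePoint 2013 Management Shell, ties the three sections together: it creates a Group-type Secure Store target application whose "Members" are the only identities that can use the stored Windows credential, stores a low-privileged unattended account in it, and registers it as the Excel Services unattended account so that 'None' connections run under that account rather than the calling user's identity. The account, group, e-mail address and web application URL are placeholders to replace with your own.

```powershell
# Added example, not from the original post. Assumptions (placeholders to replace):
#   CONTOSO\svc-excel-unattended  - the low-privileged AD account used as the unattended account
#   CONTOSO\BI-Analysts           - the AD group whose members may use these credentials
#   CONTOSO\sp-farmadmin          - the Secure Store target application administrator
#   http://sp2013.contoso.local   - a web application in the farm (provides the service context)
# Run in the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$targetAppName  = "ExcelUnattended"
$serviceContext = Get-SPServiceContext "http://sp2013.contoso.local"

# 1. Field definitions: Windows credentials, so Excel Services can impersonate them.
#    If the stored credentials were not Windows credentials, Excel Services would
#    fall back to impersonating the unattended account instead (see the post above).
$fields = @(
    (New-SPSecureStoreApplicationField -Name "WindowsUserName" -Type WindowsUserName -Masked:$false),
    (New-SPSecureStoreApplicationField -Name "WindowsPassword" -Type WindowsPassword -Masked:$true)
)

# 2. A Group-type target application: one credential set shared by every mapped member.
$targetApp = New-SPSecureStoreTargetApplication -Name $targetAppName `
    -FriendlyName "Excel Services unattended account" `
    -ContactEmail "sharepoint-admins@contoso.local" `
    -ApplicationType Group

# 3. Administrators (may change the stored credential) versus Members (may use it).
#    Only identities in the CredentialsOwnerGroup get data through this mapping;
#    everyone else in the farm is refused, which is the extra layer the post describes.
$admin   = New-SPClaimsPrincipal -Identity "CONTOSO\sp-farmadmin" -IdentityType WindowsSamAccountName
$members = New-SPClaimsPrincipal -Identity "CONTOSO\BI-Analysts"  -IdentityType WindowsSecurityGroupName

$ssApp = New-SPSecureStoreApplication -ServiceContext $serviceContext `
    -TargetApplication $targetApp `
    -Fields $fields `
    -Administrator $admin `
    -CredentialsOwnerGroup $members

# 4. Store the credential. Values are SecureStrings in the same order as the fields;
#    the password is prompted for rather than written into the script.
$userName = ConvertTo-SecureString "CONTOSO\svc-excel-unattended" -AsPlainText -Force
$password = Read-Host -Prompt "Password for CONTOSO\svc-excel-unattended" -AsSecureString
Update-SPSecureStoreGroupCredentialMapping -Identity $ssApp -Values @($userName, $password)

# 5. Point Excel Services at this target application for 'None' connections.
$excelApp = Get-SPServiceApplication | Where-Object { $_.TypeName -like "*Excel*" }
Set-SPExcelServiceApplication -Identity $excelApp -UnattendedAccountApplicationId $targetAppName

# 6. Verify: the target application exists and Excel Services references it.
Get-SPSecureStoreApplication -ServiceContext $serviceContext -Name $targetAppName |
    Select-Object -ExpandProperty TargetApplication |
    Select-Object Name, FriendlyName, ApplicationType
(Get-SPExcelServiceApplication -Identity $excelApp).UnattendedAccountApplicationId
```

The unattended account itself should be granted only read access on the external data source, because once it is registered here every workbook connection configured with 'None' will run as that account regardless of who opens the workbook. Keeping the credential owner group small limits who can exercise that access, and the final two commands confirm that the target application is in place and that Excel Services is actually referencing it before you hand the configuration to users.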