Creating Secure Store Application and Retrieving Credentials From the Secure Store Application

A Secure store application is used to store credentials for fetching data from an external system.

For example If we want to fetch data from a web service into a SharePoint project and credentials are required to access the web service then instead of hard-coding the credentials in the SharePoint project we can securely store the credentials in a secure store application.

How to store credentials in a secure store application

  1. Go to the Central Administration site.
  2. Click on Manage Service Applications under the Application Management group.

    central administration

  3. Click on Secure Store application.

    source store service

  4. Create a new Target Application to store the user credentials. Click on the New button in the ribbon.

    Target Application to store the user credentials

  5. It will open a Create New Secure Store Application page. Specify the following details:

    Application Id: Secure Store Application ID that will be unique to access to your credentials.
    Display Name: Display Name of the application.
    Contact Email: Valid Email address

    Target Application Type: group

    target application settings

  6. Click on "Next".
  7. In the next page specify the credential fields for your secure store application.

    For example Field Name Field Type Marked

    UserName Windows User Name No

    Password Windows Password Yes

    add field

  8. Click on "Next". In next page specify the Target Application’s membership settings:
    Configure the Target Application Administrators who will have permissions to manage the Target application settings.

    Configure the members that will access this application and retrieve the credentials to connect with the external system.

    Configure Members

  9. Click on Ok. It will save the Target Applications Settings.
  10. Now select the Target Application Id and in the ribbon click on the Set button in the Credentials group.

    WebServiceCredentials

  11. It will open a Set Credentials for Secure Store Target Application dialog. Specify the Username and Password for the Windows domain user account that you want to use.

    Windows domain user account

  12. Click on Ok. It will save the credentials. The Target Secure Store application has been successfully created.

How to access these credentials from Secure Store Application

  1. Open a Visual Studio and create a New Empty SharePoint Project.
  2. Create it as a Farm Solution.
  3. Add the references of following DLLs:
    Microsoft.BusinessData.dll
    Microsoft.Office.SecureStoreService.dll

    add the reference

  4. Add the following using statements:
    1. using Microsoft.SharePoint.Administration;  
    2. using Microsoft.BusinessData.Infrastructure.SecureStore;  
    3. using System.Diagnostics;  
    4. using System.Security;  
    5. using System.Runtime.InteropServices;  
  5. Add a class with the name Credentials as follows:
    1. public class Credentials  
    2. {  
    3.     private string _userName;  
    4.     public string UserName  
    5.     {  
    6.         get { return _userName; }  
    7.         set { _userName = value; }  
    8.     }  
    9.   
    10.     private string _password;  
    11.     public string Password  
    12.     {  
    13.         get { return _password; }  
    14.         set { _password = value; }  
    15.     }  
    16.   
    17.     public Credentials(string username, string password)  
    18.     {  
    19.         _userName = username;  
    20.         _password = password;  
    21.     }  
    22.   
    23.     /// <summary>  
    24.     ///  Retrieve credential information of a given Secure Store Target Application Id from the Secure Store.   
    25.     /// </summary>  
    26.     /// <param name="strTargetAppID"></param>  
    27.     /// <returns>Credentials Object</returns>  
    28.     public static Credentials GetCredentials(string strTargetAppID)  
    29.     {  
    30.         Credentials objUserCredentials = null;  
    31.         SPSecurity.RunWithElevatedPrivileges(delegate()  
    32.         {  
    33.   
    34.             // Get the default Secure Store Service provider.  
    35.             ISecureStoreProvider objSecureStoreProvider = SecureStoreProviderFactory.Create();  
    36.             if (objSecureStoreProvider == null)  
    37.             {  
    38.                 //Throw an InvalidOperationException exception  
    39.                 throw new InvalidOperationException("Unable to get an ISecureStoreProvider");  
    40.             }  
    41.   
    42.   
    43.             ISecureStoreServiceContext objProviderContext = objSecureStoreProvider as ISecureStoreServiceContext;  
    44.             objProviderContext.Context = SPServiceContext.GetContext(GetCentralAdminSite());  
    45.   
    46.             // variables to hold the credentials.  
    47.             string sUserName = string.Empty;  
    48.             string sPassword = string.Empty;  
    49.   
    50.             // Specify a valid target application ID for the Secure Store.  
    51.             string sApplId = strTargetAppID;  
    52.   
    53.             try  
    54.             {  
    55.                 //looking for the first user name, password credentials in the collection.  
    56.                 using (SecureStoreCredentialCollection objSecureStoreCredentials = objSecureStoreProvider.GetCredentials(sApplId))  
    57.                 {  
    58.   
    59.                     Debug.Assert(objSecureStoreCredentials != null);  
    60.   
    61.                     if (objSecureStoreCredentials != null)  
    62.                     {  
    63.                         foreach (SecureStoreCredential cred in objSecureStoreCredentials)  
    64.                         {  
    65.                             if (cred == null)  
    66.                             {  
    67.   
    68.                                 continue;  
    69.                             }  
    70.   
    71.                             switch (cred.CredentialType)  
    72.                             {  
    73.                                 case SecureStoreCredentialType.WindowsUserName:  
    74.                                 if (string.IsNullOrEmpty(sUserName))  
    75.                                 {  
    76.                                     sUserName = GetStringFromSecureString(cred.Credential);  
    77.                                 }  
    78.                                 break;  
    79.   
    80.                                 case SecureStoreCredentialType.WindowsPassword:  
    81.                                 if (string.IsNullOrEmpty(sPassword))  
    82.                                 {  
    83.                                     sPassword = GetStringFromSecureString(cred.Credential);  
    84.                                 }  
    85.                                 break;  
    86.   
    87.                             }  
    88.                         }  
    89.                     }  
    90.                 }  
    91.   
    92.                 //Checking whether required credentials are found  
    93.                 if (string.IsNullOrEmpty(sUserName) || string.IsNullOrEmpty(sPassword))  
    94.                 {  
    95.                     objUserCredentials = null;  
    96.                 }  
    97.                 else  
    98.                 {  
    99.                     objUserCredentials = new Credentials(sUserName, sPassword);  
    100.                 }  
    101.   
    102.   
    103.             }  
    104.             catch (SecureStoreException ex)  
    105.             {  
    106.                 objUserCredentials = null;  
    107.             }  
    108.         });  
    109.         return objUserCredentials;  
    110.     }  
    111.   
    112.     /// <summary>  
    113.     /// This method Converts a secured sting into plain string  
    114.     /// </summary>  
    115.     /// <param name="objSecureString"></param>  
    116.     /// <returns>string</returns>  
    117.     private static string GetStringFromSecureString(SecureString objSecureString)  
    118.     {  
    119.         if (objSecureString == null)  
    120.         {  
    121.             return null;  
    122.         }  
    123.   
    124.         IntPtr pPlainText = IntPtr.Zero;  
    125.         try  
    126.         {  
    127.             pPlainText = Marshal.SecureStringToBSTR(objSecureString);  
    128.             return Marshal.PtrToStringBSTR(pPlainText);  
    129.         }  
    130.         finally  
    131.         {  
    132.             if (pPlainText != IntPtr.Zero)  
    133.             {  
    134.                 Marshal.FreeBSTR(pPlainText);  
    135.             }  
    136.         }  
    137.     }  
    138.   
    139.     /// <summary>  
    140.     /// This method retrieves the Central Administration site. This is used by the GetCredentials method to set the ProviderContext.  
    141.     /// </summary>  
    142.     /// <returns>SPSite</returns>  
    143.     private static SPSite GetCentralAdminSite()  
    144.     {  
    145.         SPAdministrationWebApplication objAdminWebApp = SPAdministrationWebApplication.Local;  
    146.         if (objAdminWebApp == null)  
    147.         {  
    148.             throw new InvalidProgramException("Unable to get the admin web app");  
    149.         }  
    150.   
    151.         SPSite objAdminSite = null;  
    152.         Uri objAdminSiteUri = objAdminWebApp.GetResponseUri(SPUrlZone.Default);  
    153.         if (objAdminSiteUri != null)  
    154.         {  
    155.             objAdminSite = objAdminWebApp.Sites[objAdminSiteUri.AbsoluteUri];  
    156.   
    157.         }  
    158.         else  
    159.         {  
    160.             throw new InvalidProgramException("Unable to get Central Admin Site.");  
    161.         }  
    162.   
    163.         return objAdminSite;  
    164.     }  
    165. }  
  6. Build the Solution.
  7. Use this class and methods to read the credentials from the Secure Store Application. This class will connect to the secure store application and read the required credentials. If the User context in which the code is running is not a member of the Target Application Members Group, it will throw an exception.

I hope this will help you!


Recommended Ebook

SharePoint Online And Office 365 Administration

Download Now!
Similar Articles