SharePoint Server 2013 - The Unattended Service Account

Here I am giving you the 'how it works' but you decide which one is the best for your environment.

The unattended service account is an active directory account that is used by many of the service applications in SharePoint 2013 and 2010. This account is a highly prevailed account that is used to impersonate the currently accessing users. Service application uses three ways to authenticate and access the external data sources. Based on each configuration the SharePoint works out a different authentication mechanism. Here I am giving you the 'how it works' but you decide which one is best for your environment.

Authentication option Credentials Used
Windows Authentication Current User identity
Secure Store Service Uses a Secure Store Service account
None Unattended Service Account

Windows Authentication

Use this windows authentication, pretty much straight forward, to get the external data will require Kerberos authentication which can do the double-hop authentication among the servers. Current user should have all the privileges.

None Authentication

Use "Unattended Service Account" for service applications; pool's service account should be mapped to the external account. By mapping the application pool's service account to external account, all the users in the farm who have access to the application pages will have access to the data.

Secure Store Service

When using the Secure Store Service in service applications, the current user's account/group needs to be mapped to the external account. This is quite different from the "Unattended Service Account" which uses the application pool's account. Only the users who are mapped in the "Members" in the SSS configuration will have access to the data. This adds another layer of security.

With the Secure Store Service connecting the external data, it could pass the credential in two ways: one is the credential in the connection string. One is the "impersonation".

In case of the excel calculation service, use this account with low-privileges that is impersonated by Excel Services if either of the following conditions are true:

  • Any time that it is trying a connection where the ‘None' authentication option is selected.
  • Whenever the ‘Secure Store Service' option is selected and the stored credentials are not Windows credentials.