Aug 11, 2010

some notes on BCS, ECT authentication mode and SSO

SharePoint Business Connectivity Services (BCS), just like Excel Services, brings an external data source into SharePoint, but its authentication logic is quite different from Excel Services, and it doesn't use C2WTS:

External Content Types (ECTs) in SPD have four authentication modes for the external data source:
  • User's Identity
  • BDC Identity
  • Impersonate Windows Identity
  • Impersonate Custom Identity
User's Identity connects to the external data with the logged-on user's Windows identity, which requires Kerberos to be implemented for both SharePoint and the external data source (no configuration is needed on the BCS application).

BDC Identity connects to the external data with the SharePoint application pool identity (this used to be called RevertToSelf); there is no per-user security enforcement at the data source.

Both Impersonate Windows Identity and Impersonate Custom Identity use SSO:

The difference between the two is that the first one requires an SSO application holding a Windows account, while the second one uses a SQL account, as shown below:
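As an added illustration (not part of the original post), this is the LobSystemInstance block a SharePoint 2010 BDC model carries for a SQL Server ECT set to Impersonate Windows Identity; the server, database and Secure Store application names are made-up placeholders, and the mode names in the comment are the model-level values behind the four SPD choices.

```xml
<LobSystemInstances>
  <LobSystemInstance Name="SalesDbInstance">
    <Properties>
      <!-- Model-level AuthenticationMode values behind the SPD modes:
           User's Identity              -> PassThrough        (Kerberos delegation, no SSO)
           BDC Identity                 -> RevertToSelf       (app pool account, no per-user check)
           Impersonate Windows Identity -> WindowsCredentials (SSO holds a Windows account)
           Impersonate Custom Identity  -> Credentials / RdbCredentials (SSO holds a SQL login) -->
      <Property Name="AuthenticationMode" Type="System.String">WindowsCredentials</Property>
      <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
      <!-- Placeholder server and database names -->
      <Property Name="RdbConnection Data Source" Type="System.String">SQLSERVER01</Property>
      <Property Name="RdbConnection Initial Catalog" Type="System.String">SalesDB</Property>
      <!-- Windows authentication to SQL Server; the account impersonated comes from SSO,
           so it is a SQL login rather than SSPI only in the custom-identity case -->
      <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
      <Property Name="RdbConnection Pooling" Type="System.String">True</Property>
      <!-- Target application ID in the Secure Store Service (placeholder name);
           its member mapping decides which SharePoint users get the stored account -->
      <Property Name="SsoApplicationId" Type="System.String">SalesDbWindowsAccount</Property>
      <Property Name="SsoProviderImplementation" Type="System.String">Microsoft.Office.SecureStoreService.Server.SecureStoreProvider, Microsoft.Office.SecureStoreService, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c</Property>
    </Properties>
  </LobSystemInstance>
</LobSystemInstances>
```

The stored account is what the data source sees for every mapped user, so the Secure Store target application's membership is the only per-user control left in the two impersonation modes.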
To use an ECT object, users need the Execute permission, which can only be set from Central Administration: