Chapter 8: Security
To protect information, the user must first be identified. This process is called authentication.
Excel Services supports Windows authentication, forms authentication, and anonymous users.
Windows authentication is the default mode for SharePoint. The authentication is done through IIS on
the WFE machines. IIS maps the user to a Windows domain account. Windows authentication gives
you the following options:
Windows Integrated — This is the default configuration for IIS. It authenticates the user with
the username that he or she used to log in on the client machine. This is the most common setting for
intranet scenarios within an organization.
Digest — This option allows the user to enter the username and password. The password
requires Active Directory for encryption. This setting is useful for browsers that do not support
Windows integrated authentication and in extranet scenarios.
Basic — This option is similar to Digest, except that the password is sent in clear text over the
network. In general, it is not recommended unless the connection is secure.
In all these options, IIS handles the authentication on the WFE. If the authentication is successful,
SharePoint and Excel Services use the Windows username that was authenticated to check the
authorization for opening the workbook.
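The three options differ in what the browser puts in the HTTP Authorization header. The following is an added example, not code from the book or from Microsoft: it classifies a request by scheme and shows why Basic depends on a secure connection, since its credential is only Base64-encoded. The function names, the sample headers, and the mapping of the Negotiate and NTLM schemes to Windows Integrated are assumptions made for the illustration.

```python
import base64

# Authorization scheme -> IIS option from the list above.
# Negotiate and NTLM are the schemes behind Windows Integrated authentication.
OPTIONS = {"negotiate": "Windows Integrated", "ntlm": "Windows Integrated",
           "digest": "Digest", "basic": "Basic"}


def decode_basic(param):
    """Return (username, password) from a Basic credential, or None if malformed."""
    try:
        text = base64.b64decode(param, validate=True).decode("utf-8")
    except ValueError:  # covers bad Base64 and bad UTF-8
        return None
    if ":" not in text:
        return None
    # Only the first colon separates the fields; a password may contain colons.
    user, _, password = text.partition(":")
    return user, password


def audit_request(authorization, secure):
    """Return (IIS option, finding) for one request's Authorization header."""
    if not authorization:
        return ("Anonymous", "no credentials sent")
    scheme, _, param = authorization.strip().partition(" ")
    option = OPTIONS.get(scheme.lower())
    if option is None:
        return ("Unknown", "unrecognized scheme")
    if option != "Basic":
        return (option, "password not sent in clear text")
    creds = decode_basic(param.strip())
    if creds is None:
        return (option, "malformed credential")
    if secure:
        return (option, "clear-text password, protected by the secure connection")
    # Base64 is an encoding, not encryption: anyone on the path can reverse it.
    return (option, "password for %s readable on the network" % creds[0])


# Constructed sample requests: (Authorization header, connection is secure).
BASIC = "Basic " + base64.b64encode(b"alice:p:ss").decode()
SAMPLES = [(BASIC, False), (BASIC, True), ("Negotiate YIIB", False),
           ('Digest username="alice", realm="example"', False)]

if __name__ == "__main__":
    for header, secure in SAMPLES:
        print(audit_request(header, secure))
```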
You can use Windows credentials with Excel Services to access external data, through SSO or if
Kerberos-constrained delegation is enabled. For more details about accessing external data, see
Forms authentication is an alternative way of authenticating credentials that are not Windows
credentials. ASP.NET provides a pluggable infrastructure to allow users to design their own authentication
mechanism. Usernames and passwords are stored in a system such as a SQL database, Lightweight
Directory Access Protocol (LDAP), or other identity-management systems. After users log in and the
system authenticates them, a cookie is used on the client side to identify them in future requests in the
Forms authentication is useful in extranet or Internet configurations, in which the users are not part of
the domain of the server.
You can use forms authentication with Excel Services to ensure that users have permissions to open
workbooks from a SharePoint document library.
You use Kerberos-constrained delegation for forms authentication, because it is not a Windows account.
Connecting to an external data source through SSO works only for SSO providers that support forms
authentication. You can use the None authentication setting to query external data, because it uses
the Unattended Account. Chapter 5 describes the Kerberos, SSO, and None authentication methods.