Chapter 8: Security
You can set up IIS to allow anonymous access. In that case the end user is not authenticated, and every request runs under a single predefined account. This configuration is useful when there is no need to differentiate between users, because all of them get the same permissions. The cost is that neither IIS nor Excel Services knows which end user is really behind a request.
With anonymous users, SSO and Kerberos delegation do not work if the predefined account is a local account on the WFE machine, which is the IIS default: a local account has no domain identity that can be delegated to the ECS or presented to an external data source. You can change the anonymous user to a domain account instead of a local user, or set the external data authentication to None, which connects to external data as the Unattended Account.
With anonymous access, the maximum-sessions-per-user limit applies to all anonymous users together, because all of them use the same account. The default limit is 25 sessions per user; you can raise it with the Maximum Sessions Per User setting in the Excel Services administration settings, but remember that all anonymous users then share whatever value you choose.
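The following Python script is an added example, not code from the book or from Excel Services. It parses a constructed IIS 7-style applicationHost.config fragment (the site names, the WFE computer name WFE01 and the account names are assumptions) and flags every site whose anonymous identity is a local or built-in account, the configuration under which SSO and Kerberos delegation fail. It goes a little beyond the text by also classifying the unqualified, dot-prefixed, NT AUTHORITY and UPN account forms, so the same check works on a server that was not left at the default.

```python
import xml.etree.ElementTree as ET

# Constructed IIS 7-style applicationHost.config fragment (not from the book).
# The first site keeps IIS's default local anonymous identity, the second was
# switched to a domain account, the third has anonymous access turned off.
SAMPLE_CONFIG = """<configuration>
  <location path="SharePoint - 80">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="WFE01\\IUSR_WFE01" />
    </authentication></security></system.webServer>
  </location>
  <location path="SharePoint - 8080">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="CONTOSO\\svcExcelAnon" />
    </authentication></security></system.webServer>
  </location>
  <location path="SharePoint Central Administration v3">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
</configuration>
"""

# Authority prefixes that never denote a domain account.
_LOCAL_AUTHORITIES = {".", "BUILTIN", "NT AUTHORITY", "NT SERVICE", "IIS APPPOOL"}


def classify_account(user_name, computer_name):
    """Return 'apppool', 'local' or 'domain' for an IIS anonymous userName value."""
    if not user_name:
        return "apppool"          # empty userName: requests run as the application pool identity
    if "\\" in user_name:
        authority = user_name.split("\\", 1)[0].upper()
        if authority == computer_name.upper() or authority in _LOCAL_AUTHORITIES:
            return "local"        # MACHINE\user, .\user, NT AUTHORITY\IUSR, ...
        return "domain"           # DOMAIN\user
    if "@" in user_name:
        return "domain"           # UPN form, user@domain.example
    return "local"                # unqualified name resolves against the local SAM (IUSR, IUSR_WFE01)


def audit_anonymous_identities(config_xml, computer_name):
    """List each site's anonymous setting and whether it blocks SSO/Kerberos delegation."""
    findings = []
    for loc in ET.fromstring(config_xml).findall("location"):
        anon = loc.find(".//anonymousAuthentication")
        if anon is None:
            continue
        enabled = anon.get("enabled", "false").lower() == "true"
        account = anon.get("userName", "")
        kind = classify_account(account, computer_name) if enabled else None
        findings.append({
            "site": loc.get("path"),
            "anonymous": enabled,
            "account": account,
            "kind": kind,
            # Anonymous access with anything but a domain account needs attention:
            # a local account cannot be delegated, and an app-pool identity must
            # be checked by hand (it may or may not be a domain account).
            "needs_review": enabled and kind != "domain",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_anonymous_identities(SAMPLE_CONFIG, "WFE01"):
        print(finding)
```

On a real server, feed the script the contents of %windir%\System32\inetsrv\config\applicationHost.config and the WFE's computer name; a site reported with kind "local" is the case the chapter describes, and the fix is either a domain account for the anonymous identity or the None setting with the Unattended Account.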
Now that you know how users are authenticated, the next step is to examine the authorization process
for opening workbooks.
Excel Services allows workbooks to be opened from SharePoint document libraries, UNC folders, and
HTTP locations. You can define a trusted location for each such library or folder, or use the Include
Children option to define a root folder and all its subfolders. When you set up a trusted location, you
define its type (SharePoint, UNC, or HTTP). Chapter 7 discusses the administration of Excel Services
and setting up trusted locations.
The authorization process depends on the type of trusted location.
SharePoint Document Libraries
When a user opens a workbook from a SharePoint location, Excel Services relies on SharePoint to determine whether that user is authorized to do so.
When Kerberos constrained delegation is set up between the WFE and the ECS, or both components run on the same machine, the ECS impersonates the end user, and SharePoint authorizes the open against that user's own credentials.
In the other configurations the ECS does not impersonate the user. When the request to open the workbook is processed on the WFE, Excel Services obtains a token from SharePoint that identifies the authenticated user. The WFE sends the token to the ECS, which presents it to SharePoint when opening the workbook, so the authorization decision is still made for the real user even though the ECS process itself is not running as that user.
Even though the ECS caches workbooks for performance reasons, it still checks permissions on every request to open a workbook: a cached copy is never served on the strength of an earlier user's authorization.
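The following Python model is an added example, not Excel Services' or SharePoint's code. It shows the point of the last paragraph in working form: a workbook cache that authorizes every open, next to the naive variant that only authorizes on a cache miss. The ACL table, the user names, the paths and the loader are constructed stand-ins for SharePoint's permission check and document library.

```python
class AccessDenied(Exception):
    pass


# Constructed stand-in for the document library permissions (assumption).
LIBRARY_ACL = {
    "/sites/finance/Reports/Q3.xlsx": {"alice", "bob"},
    "/sites/hr/Comp/Salaries.xlsx": {"carol"},
}


def sharepoint_can_read(user, path):
    """Stand-in for asking SharePoint whether `user` may read `path`."""
    return user in LIBRARY_ACL.get(path, set())


def load_from_sharepoint(path):
    """Stand-in for fetching the workbook bytes from the document library."""
    return f"<workbook {path}>".encode()


class WorkbookCache:
    """Caches workbook bytes per path, but authorizes every request first."""

    def __init__(self, authorize, loader):
        self._authorize = authorize
        self._loader = loader
        self._cache = {}
        self.backend_loads = 0   # lets a caller see that the cache really hits

    def open(self, user, path):
        # The check does not depend on cache state: a cached copy is never
        # served unless the permission check says yes for this user.
        if not self._authorize(user, path):
            raise AccessDenied(f"{user} may not open {path}")
        if path not in self._cache:
            self._cache[path] = self._loader(path)
            self.backend_loads += 1
        return self._cache[path]


class NaiveCache(WorkbookCache):
    """The mistake: authorize only when fetching. Once an authorized user has
    warmed the cache, every later user gets the cached copy unchecked."""

    def open(self, user, path):
        if path not in self._cache:
            if not self._authorize(user, path):
                raise AccessDenied(f"{user} may not open {path}")
            self._cache[path] = self._loader(path)
            self.backend_loads += 1
        return self._cache[path]


def compare_caches(path="/sites/finance/Reports/Q3.xlsx"):
    """alice and bob (both in the ACL) warm each cache, then mallory (not in
    the ACL) asks for the same path. Returns outcome and backend load count."""
    outcome = {}
    for name, cache_cls in (("checked", WorkbookCache), ("naive", NaiveCache)):
        cache = cache_cls(sharepoint_can_read, load_from_sharepoint)
        cache.open("alice", path)
        cache.open("bob", path)        # authorized, served from cache
        try:
            cache.open("mallory", path)
            outcome[name] = ("served", cache.backend_loads)
        except AccessDenied:
            outcome[name] = ("denied", cache.backend_loads)
    return outcome


if __name__ == "__main__":
    print(compare_caches())   # {'checked': ('denied', 1), 'naive': ('served', 1)}
```

Both caches load the workbook from the back end exactly once, so the performance benefit is identical; only the checked variant refuses mallory. Keying the cache by path and re-running the permission check per request is what lets the ECS share one cached workbook among users with different rights.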