Chapter 8: Security
To fully protect parts of the workbook, you should use published items in combination with the View
Only permissions. When View Only permissions are applied, a user cannot download the workbook to
the client, and Excel Services displays only the published items.
Unsupported Protection Features
As you learned in Chapter 4, Excel Services does not support a number of other protection features.
The server will not open workbooks that contain any of the following features:
Workbooks with restricted permissions or protected by Information Rights Management — These can restrict which users are allowed to read, print, copy, edit, and save the workbook.
Digital signatures — Allow you to verify that the workbook originated from the author who signed it, and that it has not been changed since it was signed.
Document encryption — Requires a password to decrypt the document and show its content.
Workbook and sheet protection — Limits the changes that users can make to a workbook.
The recommended alternative with Excel Services is to use SharePoint Open and View Only permissions, and to publish only some of the items in the workbook.
Configuring and Delegating Credentials
In the previous sections, you learned how the user is authenticated and how you can use permissions to protect the workbook and its content. This section describes how the user’s credentials are delegated between the various server components.
A client application runs in the context of the user’s credentials. For example, the Excel process runs as the user who is logged on to the machine. Loading a file from a SharePoint document library into Excel or querying data from a database is done as that user, because the operating system delegates the user’s credentials to the machine being contacted. This single hop of credentials over the network was described in detail in Chapter 5.
In a server environment, there are multiple components running on multiple machines: the WFE, the
ECS, the SharePoint content database, or other file-store and external databases. Each of these processes
might run under different credentials, and delegating the user’s credentials between these components
is a complex process. Excel Services supports several ways of doing this.
Opening a Workbook on the ECS
When opening a workbook, the ECS needs the user’s credentials to verify the user’s permissions to the
file. There are two ways of sending the credentials from the WFE machine to the ECS machine:
delegation and trusted subsystem.
The credentials can be passed through delegation if the WFE and the ECS are on the same machine, or if
Kerberos-constrained delegation is configured between the WFE and the ECS. In either case, the
credentials of the user who has connected to the WFE are delegated to the ECS.
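Whether this delegation path works, and whether it is scoped as tightly as it should be, is decided by a few Active Directory attributes on the service accounts. The following PowerShell script is an added example, not code from the book or from Excel Services; it assumes the ActiveDirectory module is installed and that the WFE and ECS run under domain service accounts (the names svc-wfe and svc-ecs are placeholders). It reads each account's delegation attributes and reports whether delegation is unconstrained, constrained to specific SPNs, or absent, so a farm administrator can confirm that the WFE is allowed to delegate only to the ECS and not to arbitrary services.

```powershell
# Added example (not from the book): audit Kerberos delegation settings for the
# service accounts that the WFE and ECS run as. Account names are placeholders.
Import-Module ActiveDirectory

function Get-DelegationReport {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $SamAccountName
    )

    # AD attributes that define how an account may delegate:
    #   TrustedForDelegation       -> unconstrained delegation (any service, any host)
    #   msDS-AllowedToDelegateTo   -> constrained delegation to the listed SPNs only
    #   TrustedToAuthForDelegation -> protocol transition ("use any authentication protocol")
    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'servicePrincipalName'

    foreach ($name in $SamAccountName) {
        $acct    = Get-ADUser -Identity $name -Properties $props
        $targets = @($acct.'msDS-AllowedToDelegateTo')

        if ($acct.TrustedForDelegation) {
            $mode    = 'Unconstrained'
            # Unconstrained delegation lets the WFE impersonate the user to any
            # service, far beyond the ECS; it should be replaced by a constrained
            # entry that names only the ECS SPN.
            $finding = 'Replace with constrained delegation to the ECS SPN'
        }
        elseif ($targets.Count -gt 0) {
            $mode    = 'Constrained'
            $finding = 'OK: verify the listed SPNs are only the intended ECS services'
        }
        else {
            $mode    = 'None'
            $finding = 'No delegation configured: WFE must use the trusted subsystem path'
        }

        [pscustomobject]@{
            Account            = $acct.SamAccountName
            DelegationMode     = $mode
            ProtocolTransition = [bool] $acct.TrustedToAuthForDelegation
            AllowedTargets     = ($targets -join '; ')
            SPNs               = (@($acct.servicePrincipalName) -join '; ')
            Finding            = $finding
        }
    }
}

# Placeholder service account names (assumed; substitute the farm's own accounts).
Get-DelegationReport -SamAccountName 'svc-wfe', 'svc-ecs' | Format-Table -AutoSize
```

Run it from a machine with the RSAT Active Directory tools under an account that can read the service accounts' attributes. A WFE account reported as Constrained with only ECS SPNs in AllowedTargets matches the setup described above; an Unconstrained result means the farm is working, but with far broader delegation rights than the WFE-to-ECS hop requires.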
If it is not possible to use delegation, a trusted subsystem is created between the WFE and the ECS. With
this method, the WFE makes the requests to the ECS under the credentials of a special user, and passes