Chapter 8: Security
the ID of the end user to the ECS as part of the request. The ECS trusts that special user to pass in the
correct end-user ID.
The default when setting up Office Server is to use delegation for single-box installations and a trusted
subsystem for multiple-box installations. You cannot change the setting with the administration UI.
The only way to change it is to run the command-line administration tool as follows:
stsadm.exe -o set-ecssecurity -AccessModel Delegation
stsadm.exe -o set-ecssecurity -AccessModel TrustedSubsystem
When opening a workbook from a SharePoint document library, the ECS must pass the correct end-user
credentials to the SharePoint object model. The ECS uses delegation or a trusted subsystem to the
SharePoint object model to pass the credentials it has received from the WFE. SharePoint uses those
credentials to find out if the user has Open or View Only permissions to the file.
When a workbook is opened from a UNC or HTTP location, the way the credentials are delegated
depends on the access model between the WFE and the ECS (delegation or trusted subsystem), and
the file access model (impersonation or process account). The following table shows the various
| File access model | Delegation (WFE to ECS) | Trusted subsystem (WFE to ECS) |
|---|---|---|
| Impersonation | The end user's credentials are delegated to the ECS via Kerberos-constrained delegation, or if the WFE and the ECS are on the same machine. These credentials are used to open the file. | This option fails to load the file, because impersonation requires the end user's credentials to be delegated. |
| Process account | The ECS process account is used to open the file. Using the process account is less secure (because all the users get the same credentials), and therefore is not recommended when using delegation. | The ECS process account is used to open the file. Using the process account is less secure (because all users get the same credentials), but it is the only way to load UNC and HTTP files when using a trusted subsystem. |
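To make the two access models concrete, here is an added conceptual model (illustrative code, not Excel Services or SharePoint code) of what the ECS actually holds for the end user in each case and why that decides which file access models can work. Under delegation the ECS receives a usable credential for the user; under a trusted subsystem it receives only the user's ID, asserted by the WFE service account, which is why impersonation has nothing to impersonate with and why the check on who may assert an ID is the load-bearing control. The account names and the Request/Credential/Principal shapes are constructed for the example.

```python
"""Conceptual model of the two WFE-to-ECS access models discussed above.

Delegation: the WFE forwards the end user's own credentials, so the ECS holds
a usable credential for that user. Trusted subsystem: the WFE's own service
account authenticates to the ECS and asserts the end user's ID in the request,
so the ECS knows who the user is but holds no credential for them.

Added illustrative code, not Excel Services or SharePoint code. Account names
and the Request/Credential shapes are constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Credential:
    """Something that can actually authenticate as `user` (think: a Kerberos ticket)."""
    user: str


@dataclass(frozen=True)
class Request:
    caller: Credential             # identity that authenticated to the ECS
    asserted_user: Optional[str]   # user ID the caller claims to act for (trusted subsystem)


@dataclass(frozen=True)
class Principal:
    """The end user as the ECS sees them: always an ID, sometimes a credential."""
    user: str
    credential: Optional[Credential]


class TrustViolation(Exception):
    """A caller asserted an end-user ID it is not trusted to assert."""


class CannotLoad(Exception):
    """The access-model / file-access-model combination cannot open the file."""


# Under a trusted subsystem only the designated WFE account may speak for other
# users. Constructed account name.
TRUSTED_WFE_ACCOUNTS: FrozenSet[str] = frozenset({"CONTOSO\\svc-wfe"})


def resolve_end_user(req: Request, access_model: str,
                     trusted_accounts: FrozenSet[str] = TRUSTED_WFE_ACCOUNTS) -> Principal:
    """Work out which end user permission checks apply to, and what the ECS holds for them."""
    if access_model == "Delegation":
        # The caller *is* the end user (credentials arrived via Kerberos-constrained
        # delegation); an asserted ID, if any, is ignored rather than trusted.
        return Principal(req.caller.user, req.caller)
    if access_model == "TrustedSubsystem":
        if req.caller.user not in trusted_accounts:
            # This single check is what the whole model rests on: without it, any
            # authenticated caller could name an arbitrary user and inherit their access.
            raise TrustViolation(f"{req.caller.user} is not trusted to assert end-user IDs")
        if not req.asserted_user:
            raise TrustViolation("trusted-subsystem request carries no end-user ID")
        # Only the ID was passed; the ECS holds no credential for this user.
        return Principal(req.asserted_user, None)
    raise ValueError(f"unknown access model {access_model!r}")


def file_open_credential(principal: Principal, file_access_model: str,
                         process_account: Credential) -> Credential:
    """Return the credential the ECS would open a UNC/HTTP file with (the table above)."""
    if file_access_model == "Impersonation":
        if principal.credential is None:
            # Trusted subsystem + impersonation: there is nothing to impersonate with.
            raise CannotLoad("impersonation requires the end user's delegated credentials")
        return principal.credential
    if file_access_model == "ProcessAccount":
        # Every user opens the file as the same account, so the file server cannot
        # tell users apart; that is why this is the less secure option.
        return process_account
    raise ValueError(f"unknown file access model {file_access_model!r}")


def open_for(req: Request, access_model: str, file_access_model: str,
             process_account: Credential) -> Credential:
    """End-to-end: resolve the user, then pick the credential used to open the file."""
    return file_open_credential(resolve_end_user(req, access_model),
                                file_access_model, process_account)


if __name__ == "__main__":
    wfe = Credential("CONTOSO\\svc-wfe")          # constructed
    alice = Credential("CONTOSO\\alice")          # constructed
    ecs_process = Credential("CONTOSO\\svc-ecs")  # constructed

    # Delegation + impersonation: the file is opened as alice herself.
    print(open_for(Request(alice, None), "Delegation", "Impersonation", ecs_process))
    # Trusted subsystem + process account: opened as the ECS process account.
    print(open_for(Request(wfe, "CONTOSO\\alice"), "TrustedSubsystem",
                   "ProcessAccount", ecs_process))
```

The model reproduces the table: the delegation/impersonation cell yields the user's own credential, the two process-account cells yield the shared ECS account, and the trusted-subsystem/impersonation cell raises `CannotLoad` because a `Principal` built from an asserted ID carries no credential. The `trusted_accounts` check in `resolve_end_user` is the part worth auditing in any real trusted-subsystem deployment: it is the only thing that stops an arbitrary authenticated caller from naming another user.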
The issue of delegating the end user's credentials to the database in order to check permissions becomes
more pronounced when querying data from an external database. The database might be on a separate
machine, creating one more hop.
Excel Services has multiple ways to define which credentials to use to connect to a database. This must
be done by the workbook author in the Authentication Settings dialog box. In addition, the
administrator of the server must set up the server correctly to support these authentication settings.