SP2010: Creating Secure Store Target Applications in a partitioned service app

For our multitenant (partitioned) environment, I wanted to use the Secure Store Service Application to store credentials for a database. To be specific, I wanted those credentials to be available for BCS to gain access to the database.

When you provision your Secure Store Service Application with the -Partitioned flag in PowerShell, some things change. The most notable difference is the service application management page, which now states:

“This Secure Store Service Application is partitioned. Unable to display Secure Store Target Applications.”

All options you would normally use to manage the application are greyed out, and that’s kind of it. No way to create a new target application whatsoever. OK, so what now? Well, it’s PowerShell to the rescue again! I’ll explain which steps to take to add a new target application for your tenant.

1. Set up some variables for easy use

Just to get started, we’ll create some variables which are used in the script. Change these to match your own preferences.


$contextUrl = "http://www.site.com"
$ssta_name = "AppName"
$ssta_friendlyName = "Friendly (display) app name"
$ssta_contactEmail = "contact@mail.com"
$ssa_owner = "CONTOSO\sharepointadmin"
$db_userName = "CONTOSO\dbuser"
$db_password = "p@ssw0rd1"

2. Create the Secure Store Target Application
This is easy enough: create a new object which holds the new target application. You will use this later on to create the actual application.


$ssta = New-SPSecureStoreTargetApplication -Name $ssta_name -FriendlyName $ssta_friendlyName -ContactEmail $ssta_contactEmail -ApplicationType Group

Note that this creates a target application of type Group. If you need something else, change or parameterize the call.

3. Create the fields used in the application
In this example I configure two fields: username and password. In other cases you might need more, so extend when needed. Also notice that there are multiple types of fields you can create. I chose the Windows field types to gain access to a SQL database in this example.


$usernameField = New-SPSecureStoreApplicationField -name "Username" -Type WindowsUserName -Masked:$false
$passwordField = New-SPSecureStoreApplicationField -name "Password" -Type WindowsPassword -Masked:$true
$fields = $usernameField,$passwordField

4. Create claim objects for principals
Provide two kinds of principals: the administrators of the Target Application (who can manage the credentials) and the owners of the credentials (the users who may access them).


$adminClaims = New-SPClaimsPrincipal -Identity $ssa_owner -IdentityType 1
$ownerClaims = New-SPClaimsPrincipal -EncodedClaim "c:0(.s|true"

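The second line, by the way, is how you provide access to all of your users: the encoded claim c:0(.s|true is the "All Authenticated Users" claim, so every authenticated user can use the stored credentials.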

5. Create the secure store application
Next we’ll actually create the application in the secure store, using the target application object, the fields and the principals set up earlier.


New-SPSecureStoreApplication -ServiceContext $contextUrl -TargetApplication $ssta -Fields $fields -Administrator $adminClaims -CredentialsOwnerGroup $ownerClaims
$ssa = Get-SPSecureStoreApplication -ServiceContext $contextUrl -Name $ssta.Name

6. Add the actual application credentials
Now that we’ve got the application set up, we need to provide it with the credentials for our remote system (database or others).


$db_secUser = ConvertTo-SecureString $db_userName -AsPlainText -Force
$db_secPass = ConvertTo-SecureString $db_password -AsPlainText -Force
$credentialValues = $db_secUser,$db_secPass
Update-SPSecureStoreGroupCredentialMapping -Identity $ssa -Values $credentialValues

That’s it! Now you’ve added a new application in your Secure Store Service which holds credentials and can be used by users of your SharePoint environment to gain access without having to worry about credentials.

Here’s the complete script:


$contextUrl = "http://www.site.com"
$ssta_name = "AppName"
$ssta_friendlyName = "Friendly (display) app name"
$ssta_contactEmail = "contact@mail.com"
$ssa_owner = "CONTOSO\sharepointadmin"
$db_userName = "CONTOSO\dbuser"
$db_password = "p@ssw0rd1"


# Create a new Secure Store Target Application object
$ssta = New-SPSecureStoreTargetApplication -Name $ssta_name -FriendlyName $ssta_friendlyName -ContactEmail $ssta_contactEmail -ApplicationType Group

# Create the fields for username and password
$usernameField = New-SPSecureStoreApplicationField -name "Username" -Type WindowsUserName -Masked:$false
$passwordField = New-SPSecureStoreApplicationField -name "Password" -Type WindowsPassword -Masked:$true
$fields = $usernameField,$passwordField

# Create the claim object for the administrators of the application
$adminClaims = New-SPClaimsPrincipal -Identity $ssa_owner -IdentityType 1
$ownerClaims = New-SPClaimsPrincipal -EncodedClaim "c:0(.s|true"

# Create the secure store application and retrieve it afterwards
New-SPSecureStoreApplication -ServiceContext $contextUrl -TargetApplication $ssta -Fields $fields -Administrator $adminClaims -CredentialsOwnerGroup $ownerClaims
$ssa = Get-SPSecureStoreApplication -ServiceContext $contextUrl -Name $ssta.Name

# Create the credentialset (username, password) for the DB
$db_secUser = ConvertTo-SecureString $db_userName -AsPlainText -Force
$db_secPass = ConvertTo-SecureString $db_password -AsPlainText -Force
$credentialValues = $db_secUser,$db_secPass

# Update the credentialmapping for the application
Update-SPSecureStoreGroupCredentialMapping -Identity $ssa -Values $credentialValues
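
A variant of the script above that keeps the database password out of the script file and limits who may use the stored credentials. This is an added example, not the original author's code; the group name CONTOSO\BcsDbReaders is an assumption, and the other values are the placeholders used above.

```powershell
# Added example (not the original script). Assumption: CONTOSO\BcsDbReaders is
# an AD security group containing only the users who should reach the database.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$contextUrl        = "http://www.site.com"
$ssta_name         = "AppName"
$ssta_friendlyName = "Friendly (display) app name"
$ssta_contactEmail = "contact@mail.com"
$ssa_owner         = "CONTOSO\sharepointadmin"
$ownerGroup        = "CONTOSO\BcsDbReaders"   # hypothetical group name

# Prompt for the database account instead of hardcoding it. The password is
# held as a SecureString and never appears in the file or in a transcript.
$dbCred = Get-Credential

# Target application and fields, as in steps 2 and 3
$ssta = New-SPSecureStoreTargetApplication -Name $ssta_name -FriendlyName $ssta_friendlyName -ContactEmail $ssta_contactEmail -ApplicationType Group
$usernameField = New-SPSecureStoreApplicationField -Name "Username" -Type WindowsUserName -Masked:$false
$passwordField = New-SPSecureStoreApplicationField -Name "Password" -Type WindowsPassword -Masked:$true
$fields = $usernameField,$passwordField

# Administrator claim by account name; owner claim scoped to one security
# group instead of the "All Authenticated Users" claim c:0(.s|true
$adminClaims = New-SPClaimsPrincipal -Identity $ssa_owner -IdentityType WindowsSamAccountName
$ownerClaims = New-SPClaimsPrincipal -Identity $ownerGroup -IdentityType WindowsSecurityGroupName

# Create the application in the tenant's partition and fetch it back
New-SPSecureStoreApplication -ServiceContext $contextUrl -TargetApplication $ssta -Fields $fields -Administrator $adminClaims -CredentialsOwnerGroup $ownerClaims
$ssa = Get-SPSecureStoreApplication -ServiceContext $contextUrl -Name $ssta.Name

# The user name still has to be wrapped as a SecureString; the password
# from Get-Credential already is one. Order must match the order of $fields.
$db_secUser = ConvertTo-SecureString $dbCred.UserName -AsPlainText -Force
$credentialValues = $db_secUser,$dbCred.Password
Update-SPSecureStoreGroupCredentialMapping -Identity $ssa -Values $credentialValues

# Drop the in-memory copies once the mapping is stored
Remove-Variable dbCred, db_secUser, credentialValues
```

Run it from the SharePoint 2010 Management Shell as an account that may administer the Secure Store Service Application; members of the owner group then get the mapped database account through BCS.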
