For our multitenant (partitioned) environment, I wanted to use the Secure Store Service Application to store credentials for a database. To be specific; I wanted those credentials to be available for BCS to gain access to the database.<\/p>\n
When you provision your Secure Store Service Application with the -Partitioned flag in Powershell, some things change. The biggest notable difference if the service application management page which now states:<\/p>\n
“This Secure Store Service Application is partitioned. Unable to display Secure Store Target Applications.”<\/p>\n
All options you would normally use to manage the application are greyed out, and that’s kind of it. No way to create a new target application whatsoever. Ok, so what now? Well, it’s Powershell to the rescue again! I’ll explain which steps to take to add a new target application for your tenant.<\/p>\n
1. Setup some variables for easy use<\/strong><\/p>\n Just to get started, we’ll create some variables which are used in the script. Change these to match your own preferences.<\/p>\n 2. Create the Secure Store\u00a0Target Application<\/strong> Note that this creates a target application of type Group. If you need something else, change or parameterize the call.<\/p>\n 3. Create the fields used in the application<\/strong> 4. Create claim objects for principals<\/strong> The second line by the way, is the way to provide access to all of your users.<\/p>\n 5. Create the secure store application<\/strong> 6. Add the actual application credentials<\/strong> That’s it! Now you’ve added a new application in your Secure Store Service which holds credentials and can be used by users of your SharePoint environment to gain access without having to worry about credentials.<\/p>\n Here’s the script completely:<\/p>\n For our multitenant (partitioned) environment, I wanted to use the Secure Store Service Application to store credentials for a database. To be specific; I wanted those credentials to be available for BCS to gain access to the database. When you provision your Secure Store Service Application with the -Partitioned flag in Powershell, some things change.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[34],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p3KFR1-8f","_links":{"self":[{"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/posts\/511"}],"collection":[{"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/comments?post=511"}],"version-history":[{"count":0,"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/posts\/511\/revisions"}],"wp:attachment":[{"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/media?parent=511"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/categories?post=511"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.repsaj.nl\/index.php\/wp-json\/wp\/v2\/tags?post=511"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n$contextUrl = \"http:\/\/www.site.com\"
\n$ssta_name = \"AppName\"
\n$ssta_friendlyName = \"Friendly (display) app name\"
\n$ssta_contactEmail = \"contact@mail.com\"
\n$ssa_owner = \"CONTOSO\\sharepointadmin\"
\n$db_userName = \"CONTOSO\\dbuser\"
\n$db_password = \"p@ssw0rd1\"
\n<\/code><\/p>\n
\nThis is easy\u00a0enough, create a new object which holds the new target application. You will use this later on to create the actual application.<\/p>\n
\n$ssta = New-SPSecureStoreTargetApplication -Name $ssta_name -FriendlyName $ssta_friendlyName -ContactEmail $ssta_contactEmail -ApplicationType Group
\n<\/code><\/p>\n
\nIn this example I configure two fields: username and password. In other cases you might need more, so extend when needed. Also notice that there are multiple types of fields you can create. I chose Windows to gain access to a SQL database in this example.<\/p>\n
\n$usernameField = New-SPSecureStoreApplicationField -name \"Username\" -Type WindowsUserName -Masked:$false
\n$passwordField = New-SPSecureStoreApplicationField -name \"Password\" -Type WindowsPassword -Masked:$true
\n$fields = $usernameField,$passwordField
\n<\/code><\/p>\n
\nProvide two types of credentials: the administrators of the Target Application (who can manage the credentials) and the owners of the credentials (which users may access them)<\/p>\n
\n$adminClaims = New-SPClaimsPrincipal -Identity $ssa_owner -IdentityType 1
\n$ownerClaims = New-SPClaimsPrincipal -EncodedClaim \"c:0(.s|true\"
\n<\/code><\/p>\n
\nNext we’ll actually create the application in the secure store, using the target application object, the fields and credentials setup earlier.<\/p>\n
\nNew-SPSecureStoreApplication -ServiceContext $contextUrl -TargetApplication $ssta -Fields $fields -Administrator $adminClaims -CredentialsOwnerGroup $ownerClaims
\n$ssa = Get-SPSecureStoreApplication -ServiceContext $contextUrl -Name $ssta.Name
\n<\/code><\/p>\n
\nNow we’ve got the application setup, we need to provide it with the credentials for our remote system (database or others).<\/p>\n
\n$db_secUser = ConvertTo-SecureString $db_userName -AsPlainText -Force
\n$db_secPass = ConvertTo-SecureString $db_password -AsPlainText -Force
\n$credentialValues = $db_secUser,$db_secPass
\nUpdate-SPSecureStoreGroupCredentialMapping -Identity $ssa -Values $credentialValues
\n<\/code><\/p>\n
\n$contextUrl = \"http:\/\/www.site.com\"
\n$ssta_name = \"AppName\"
\n$ssta_friendlyName = \"Friendly (display) app name\"
\n$ssta_contactEmail = \"contact@mail.com\"
\n$ssa_owner = \"CONTOSO\\sharepointadmin\"
\n$db_userName = \"CONTOSO\\dbuser\"
\n$db_password = \"p@ssw0rd1\"<\/code><\/p>\n
\n# Create a new Secure Store Target Application object
\n$ssta = New-SPSecureStoreTargetApplication -Name $ssta_name -FriendlyName $ssta_friendlyName -ContactEmail $ssta_contactEmail -ApplicationType Group<\/code><\/p>\n# Create the fields for username and password
\n$usernameField = New-SPSecureStoreApplicationField -name \"Username\" -Type WindowsUserName -Masked:$false
\n$passwordField = New-SPSecureStoreApplicationField -name \"Password\" -Type WindowsPassword -Masked:$true
\n$fields = $usernameField,$passwordField<\/code><\/p>\n# Create the claim object for the administrators of the application
\n$adminClaims = New-SPClaimsPrincipal -Identity $ssa_owner -IdentityType 1
\n$ownerClaims = New-SPClaimsPrincipal -EncodedClaim \"c:0(.s|true\"<\/code><\/p>\n# Create the secure store application and retrieve it afterwards
\nNew-SPSecureStoreApplication -ServiceContext $contextUrl -TargetApplication $ssta -Fields $fields -Administrator $adminClaims -CredentialsOwnerGroup $ownerClaims
\n$ssa = Get-SPSecureStoreApplication -ServiceContext $contextUrl -Name $ssta.Name<\/code><\/p>\n# Create the credentialset (username, password) for the DB
\n$db_secUser = ConvertTo-SecureString $db_userName -AsPlainText -Force
\n$db_secPass = ConvertTo-SecureString $db_password -AsPlainText -Force
\n$credentialValues = $db_secUser,$db_secPass<\/code><\/p>\n# Update the credentialmapping for the application
\nUpdate-SPSecureStoreGroupCredentialMapping -Identity $ssa -Values $credentialValues<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"