Unattended Service Account and SSS in PerformancePoint and Excel Services
References
Plan Excel Services authentication (SharePoint Server 2010)
http://technet.microsoft.com/en-us/library/ee662541(v=office.14).aspx
Create a connection from Dashboard Designer to an Analysis Services data cube by using PerformancePoint Services
http://technet.microsoft.com/en-us/library/ff191198.aspx
When creating a data connection in either PerformancePoint Dashboard Designer or Excel, there are three authentication options.
For Excel, the three options are
1. Windows Authentication
2. SSS
3. None
For Dashboard Designer, the three options are
1. Unattended Service Account
2. Use a stored account (this is the SharePoint 2013 label; the SharePoint 2010 dialog is different)
3. Per-user identity
The equivalence among these options is
Excel 1. Windows Authentication = Dashboard Designer 3. Per-user identity
Excel 2. SSS = Dashboard Designer 2. Use a stored account
Excel 3. None = Dashboard Designer 1. Unattended Service Account
Using Windows Authentication (per-user identity) against external data requires Kerberos, because the user's Windows identity has to be delegated across a second hop (client to SharePoint server to the data source), which NTLM cannot do.
Since configuring either SSS or the Unattended Service Account goes through the Secure Store Service, there is a lot of confusion about which account gets mapped to the external account. Even many published books do not get this right.
When using "Unattended Service Account" in either PerformancePoint Services or Excel Services, it is the application pool's service account (the identity the service application runs as) that must be mapped to the external account, i.e. the application pool account is the member of the Secure Store target application, and the target application holds the credentials of the unattended account. Because the mapping is to the application pool account and not to any end user, every user in the farm who can reach the page hosting the workbook or dashboard gets the same access to the data, and the data source never sees who the end user is.
From MSDN
Unattended Service Account: The unattended service account is an account that is used by Excel Services to provide broad database access to all users in the farm. Use the unattended service account for accessing data that is not considered sensitive or where you do not want to restrict access to a certain group of users. For information about how to configure this scenario, see Configure Excel Services data refresh by using the unattended service account (SharePoint Server 2010).
(http://technet.microsoft.com/en-us/library/ff191191(v=office.14).aspx)
Unattended Service Account: The unattended service account is an account that is used by PerformancePoint Services to provide broad database access to all users in the farm. Use the unattended service account for accessing data that is not considered sensitive or where you do not want to restrict access to a certain group of users. For information about how to configure this scenario, see Configure the unattended service account for PerformancePoint Services (SharePoint Server 2013).
(http://technet.microsoft.com/en-us/library/jj819321.aspx)
When using "SSS" (Use a stored account) in either PerformancePoint or Excel Services, the current user's account or group needs to be mapped to the external account: the users or AD groups who should be allowed to use the stored credentials go into the "Members" of the Secure Store target application. This is different from "Unattended Service Account", where the member is the application pool's account. Only the users listed in "Members" of the SSS target application can retrieve the credentials, so access to the data is gated at the Secure Store as well as by SharePoint permissions on the page. This adds another layer of security.
The mistake I have seen (in the books) is that when configuring "Unattended Service Account", the SharePoint user's account is put in the "Members" of SSS instead of the application pool's account.
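The two mappings above, as an added example in SharePoint PowerShell for a 2013 farm (this script is not from the original post or from the TechNet articles it cites). It creates one Group-type target application whose only members are the Excel Services and PerformancePoint application pool accounts and assigns it as the unattended account for both services, then creates a second Group-type target application whose members are the end users who may use a stored account, and finally lists the members of each so the difference can be checked. The site URL, the CONTOSO domain, the service and unattended accounts, the Finance group and the password are placeholders. The ApplicationPool.ProcessAccountName and CredentialsOwnerGroup property names and the -DataSourceUnattendedServiceAccountTargetApplication parameter are assumed from the 2013 object model rather than taken from the post.

```powershell
# Added example, not part of the original post. All account names, group names,
# the site URL and the password are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://sharepoint.contoso.local"          # placeholder
$context = Get-SPServiceContext -Site (Get-SPSite $siteUrl)

# 1. Find the identities the two service applications run as. These are the
#    accounts that belong in the Members of the *unattended* target application.
$excelApp = Get-SPServiceApplication | Where-Object { $_.TypeName -like "Excel Services*" }
$ppsApp   = Get-SPServiceApplication | Where-Object { $_.TypeName -like "PerformancePoint*" }
# ProcessAccountName is assumed to be the property carrying "DOMAIN\account".
$excelPoolAccount = $excelApp.ApplicationPool.ProcessAccountName   # e.g. CONTOSO\svc_excel
$ppsPoolAccount   = $ppsApp.ApplicationPool.ProcessAccountName     # e.g. CONTOSO\svc_pps

# 2. Field layout shared by both target applications. Because the stored credentials
#    are Windows credentials, the data provider sees an impersonated Windows identity
#    rather than a user name/password inside the connection string.
$fields = @(
    (New-SPSecureStoreApplicationField -Name "Windows User Name" -Type WindowsUserName -Masked:$false),
    (New-SPSecureStoreApplicationField -Name "Windows Password"  -Type WindowsPassword -Masked:$true)
)
$admin = New-SPClaimsPrincipal -Identity "CONTOSO\spfarmadmin" -IdentityType WindowsSamAccountName

# 3. Unattended target application: members are the application pool accounts only.
$unattendedTa = New-SPSecureStoreTargetApplication -Name "UnattendedAccount" `
    -FriendlyName "Unattended account for Excel Services and PerformancePoint" -ApplicationType Group
$unattendedMembers = @(
    (New-SPClaimsPrincipal -Identity $excelPoolAccount -IdentityType WindowsSamAccountName),
    (New-SPClaimsPrincipal -Identity $ppsPoolAccount   -IdentityType WindowsSamAccountName)
)
$unattendedApp = New-SPSecureStoreApplication -ServiceContext $context -TargetApplication $unattendedTa `
    -Fields $fields -Administrator $admin -CredentialsOwnerGroup $unattendedMembers
# The low-privileged unattended account itself is the *credential* stored in the application.
Update-SPSecureStoreGroupCredentialMapping -Identity $unattendedApp -Values @(
    (ConvertTo-SecureString "CONTOSO\svc_unattended" -AsPlainText -Force),
    (ConvertTo-SecureString "placeholder-password"    -AsPlainText -Force)
)

# 4. Tell both services to use that target application as their unattended account.
Set-SPExcelServiceApplication -Identity $excelApp -UnattendedAccountApplicationId "UnattendedAccount"
Set-SPPerformancePointSecureDataValues -ServiceApplication $ppsApp `
    -DataSourceUnattendedServiceAccountTargetApplication "UnattendedAccount"   # parameter name assumed

# 5. Stored-account target application for the "SSS" / "Use a stored account" option:
#    here the members are the end users (an AD group), not the application pool accounts.
$storedTa = New-SPSecureStoreTargetApplication -Name "FinanceCube" `
    -FriendlyName "Finance cube, stored account" -ApplicationType Group
$financeGroup = New-SPClaimsPrincipal -Identity "CONTOSO\Finance" -IdentityType WindowsSamAccountName
$storedApp = New-SPSecureStoreApplication -ServiceContext $context -TargetApplication $storedTa `
    -Fields $fields -Administrator $admin -CredentialsOwnerGroup $financeGroup
Update-SPSecureStoreGroupCredentialMapping -Identity $storedApp -Values @(
    (ConvertTo-SecureString "CONTOSO\svc_cubereader" -AsPlainText -Force),
    (ConvertTo-SecureString "placeholder-password"   -AsPlainText -Force)
)

# 6. Check: who is allowed to retrieve credentials from each target application?
#    Expect the application pool accounts under UnattendedAccount and only the
#    Finance group under FinanceCube. (CredentialsOwnerGroup property name assumed.)
foreach ($name in "UnattendedAccount", "FinanceCube") {
    $app = Get-SPSecureStoreApplication -ServiceContext $context -Name $name
    $members = ($app.CredentialsOwnerGroup | ForEach-Object { $_.Value }) -join ", "
    Write-Output ("{0} members: {1}" -f $name, $members)
}
```

Run this from the SharePoint Management Shell as a farm administrator who is also an administrator of the Secure Store Service application. The check in step 6 is the one to use against the mistake described above: if an end user rather than the application pool account shows up under the unattended target application, the unattended refresh will fail with an access-denied error from the Secure Store, because the identity actually asking for the credentials is the application pool.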
Another note on how the credentials reach the data source
When SSS connects to the external data, the credentials can be passed in two ways: as a user name and password inside the connection string, or by "impersonation", where the connection is opened under a Windows identity and the provider uses integrated authentication.
Which one applies is determined by the connection string and the data provider, not by SharePoint.
None
When you select the None option, no credential retrieval occurs and no special action is taken for authentication for the connection. Excel Services does not try to delegate credentials, and it does not try to retrieve credentials that are stored for the user from the Secure Store database. Instead, Excel Services impersonates the unattended service account and passes the connection string to the data provider that handles authentication.
The connection string may specify a user name and password to connect to the data source or it may specify that the Windows identity of the user or computer that is issuing the request be used to connect to the data source. In either case, the unattended account is impersonated first and then the data source connection is made. The connection string and the provider determine the authorization method. Additionally, authorization can be based on either the credentials found in the connection string or the impersonated unattended account's Windows identity. For more information, see Unattended service account.
Unattended service account
Excel Services runs under a highly privileged account. Because Excel Services has no control over the data provider and does not directly parse provider-specific connection strings, using this account for the purposes of data access would be a security risk. To lessen this risk, Excel Services uses an unattended service account. This is a low-privileged account that is impersonated by Excel Services if either of the following conditions are true:
- Any time that it is trying a connection where the None authentication option is selected.
- Whenever the SSS (Secure Store Service) option is selected and the stored credentials are not Windows credentials. (In that case the connection to the external data runs under the impersonated unattended account AND carries the stored user name and password in the connection string.)
Very nice article, Ethan. So, for my understanding, as I am just starting to implement PerformancePoint, is it possible to have database-level access by using the Secure Store? I have the need to allow a user to access a cube on a different server based on that user's credentials at the data level. I know this is NOT possible for other services such as SSRS/SharePoint (double hop), but it sounds like it is with PerformancePoint and Secure Store. The problem is that I can't get it to work correctly. Can you confirm that I have the right idea here?
A good one..