Accessing the SharePoint Secure Store through code

The Secure Store Service in SharePoint 2010 is a shared service that provides a secure storage and mapping of credentials such as account names and passwords which can be used for accessing external systems.

In this article, I’ll show how to set up a new Target Application in SharePoint 2010 and how to read its contents through code. We will use the Secure Store to hold the information needed to access an external database used by our SharePoint application.

Ensure the Secure Store Service is active

  1. In Central Administration, open the “Manage Services on Server” link under the System Settings heading.
  2. Verify the Secure Store Service is started.
  3. In Central Administration, open the “Manage Service Applications” link. If you don’t already have a Secure Store Service Application in your farm, you will need to create one.

Create a new Target Application

  1. In Central Administration, open the “Manage Service Applications” page and then manage the Secure Store Service Application.
  2. Click New.
  3. Complete the Target Application Settings. The Target Application ID is used to reference the Target Application from code. In this scenario, the Target Application Type is set to Group so that we can add some users later on.
  4. Click Next.
  5. Set up the fields which will hold the credentials and database information. By default, you will see just a Windows User Name and a Windows Password field. You can rename these and click the “Add Field” link to add new fields for the server name and database name we will use to build a connection string. (For this scenario it is also possible to have a single field containing the entire connection string.)
  6. Click Next.
  7. Add the application Administrators and Members. Administrators can manage this Target Application, while users added to the Members box will be mapped to its credentials.
  8. Click Next.
  9. The Target Application now exists, but it has no credentials yet. Hover over the new Target Application and select “Set Credentials”.
  10. Enter the information necessary for accessing the database.
  11. Click OK when finished.

Access the Target Application programmatically

For this application, I created a static class called SecureStoreUtility.cs which contains a couple of methods that handle reading the Target Application and generating a connection string from that information. It should be pretty self-explanatory. The GetConnectionString method accepts the SPServiceContext as well as the Target Application ID we created earlier. The GetValues method returns a Dictionary of all of the key/value pairs contained in the Target Application. We simply take those values and generate a connection string from them.

```csharp
using Microsoft.Office.SecureStoreService.Server;
using Microsoft.SharePoint;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security;

namespace MyProject
{
    public static class SecureStoreUtility
    {
        // Builds a SQL Server connection string from the four fields stored in the
        // Target Application: Server, Database, UserName and Password.
        public static string GetConnectionString(SPServiceContext serviceContext, string applicationID)
        {
            Dictionary<string, string> credentials = SecureStoreUtility.GetValues(serviceContext, applicationID);

            string server = credentials["Server"];
            string database = credentials["Database"];
            string username = credentials["UserName"];
            string password = credentials["Password"];

            // The stored SQL login is used, so Integrated Security is left out:
            // with Integrated Security=SSPI present, SQL Server would authenticate
            // the process identity and ignore User Id and Password.
            string connectionString = String.Format(
                @"Data Source={0};Initial Catalog={1};User Id={2};Password={3};",
                server, database, username, password);

            return connectionString;
        }

        // Reads every field of the Target Application and returns the decrypted
        // values keyed by field name. Fields and credentials are returned in the
        // same order, so they are matched by position.
        private static Dictionary<string, string> GetValues(SPServiceContext serviceContext, string applicationID)
        {
            var secureStoreProvider = new SecureStoreProvider { Context = serviceContext };
            var values = new Dictionary<string, string>();

            using (var credentials = secureStoreProvider.GetCredentials(applicationID))
            {
                var fields = secureStoreProvider.GetTargetApplicationFields(applicationID);
                for (var i = 0; i < fields.Count; i++)
                {
                    var field = fields[i];
                    var credential = credentials[i];
                    var decryptedCredential = ToClrString(credential.Credential);
                    values.Add(field.Name, decryptedCredential);
                }
            }

            return values;
        }

        // Copies a SecureString into a managed string. The unmanaged BSTR copy is
        // zeroed and freed as soon as the managed copy exists.
        private static string ToClrString(this SecureString secureString)
        {
            var ptr = Marshal.SecureStringToBSTR(secureString);
            try
            {
                return Marshal.PtrToStringBSTR(ptr);
            }
            finally
            {
                Marshal.ZeroFreeBSTR(ptr);
            }
        }
    }
}
```
You should now be able to call SecureStoreUtility.GetConnectionString(SPServiceContext.Current, "DatabaseConnectionString") from elsewhere in your application, and it will return the full connection string to your database, generated from the information in the Target Application we created earlier.

```csharp
string connectionString = SecureStoreUtility.GetConnectionString(SPServiceContext.Current, "DatabaseConnectionString");
```
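As an added example (not code from the article), here is a hardened variant of the utility above. It looks fields up by name instead of position, so reordering fields in Central Administration cannot silently swap Server and Database; it builds the connection string with SqlConnectionStringBuilder, so a stored value containing ';' cannot append extra keywords the way String.Format concatenation would; it reports a missing field by name without echoing any value; and it zeroes the unmanaged copy of each secret. It assumes the same field names (Server, Database, UserName, Password) and the "DatabaseConnectionString" Target Application ID used above. SecureStoreConnection, BuildConnectionString, Open and Require are names chosen here.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security;
using Microsoft.Office.SecureStoreService.Server;
using Microsoft.SharePoint;

namespace MyProject
{
    // Added example, not part of the original article. Assumes the Target
    // Application built above with the fields Server, Database, UserName and
    // Password, and a project reference to System.Data.
    public static class SecureStoreConnection
    {
        public static string BuildConnectionString(SPServiceContext serviceContext, string applicationId)
        {
            var provider = new SecureStoreProvider { Context = serviceContext };
            var fields = provider.GetTargetApplicationFields(applicationId);

            using (var credentials = provider.GetCredentials(applicationId))
            {
                if (credentials.Count != fields.Count)
                {
                    throw new InvalidOperationException(
                        "Field and credential counts differ for Target Application '" + applicationId + "'.");
                }

                // Index the decrypted values by field name (case-insensitive) so the
                // lookup does not depend on the order the fields were defined in.
                var values = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
                for (var i = 0; i < fields.Count; i++)
                {
                    values[fields[i].Name] = ToClrString(credentials[i].Credential);
                }

                // SqlConnectionStringBuilder quotes values containing ';' or '"', so a
                // stored value cannot inject additional keywords. Integrated Security
                // is explicitly off because the stored SQL login is used.
                var builder = new SqlConnectionStringBuilder
                {
                    DataSource = Require(values, "Server", applicationId),
                    InitialCatalog = Require(values, "Database", applicationId),
                    UserID = Require(values, "UserName", applicationId),
                    Password = Require(values, "Password", applicationId),
                    IntegratedSecurity = false
                };
                return builder.ConnectionString;
            }
        }

        // Opens a connection with the stored credentials; the caller disposes it.
        public static SqlConnection Open(SPServiceContext serviceContext, string applicationId)
        {
            var connection = new SqlConnection(BuildConnectionString(serviceContext, applicationId));
            connection.Open();
            return connection;
        }

        // Fails with the field name (never the value) when a field is missing or
        // empty, instead of the bare KeyNotFoundException a dictionary indexer throws.
        private static string Require(IDictionary<string, string> values, string fieldName, string applicationId)
        {
            string value;
            if (!values.TryGetValue(fieldName, out value) || string.IsNullOrEmpty(value))
            {
                throw new InvalidOperationException(
                    "Target Application '" + applicationId + "' has no value for field '" + fieldName + "'.");
            }
            return value;
        }

        // Copies a SecureString into a managed string for the builder; the unmanaged
        // BSTR copy is zeroed and freed immediately afterwards.
        private static string ToClrString(SecureString secureString)
        {
            var ptr = Marshal.SecureStringToBSTR(secureString);
            try
            {
                return Marshal.PtrToStringBSTR(ptr);
            }
            finally
            {
                Marshal.ZeroFreeBSTR(ptr);
            }
        }
    }
}
```

Call it as using (var connection = SecureStoreConnection.Open(SPServiceContext.Current, "DatabaseConnectionString")) { ... } so the connection is closed when the block ends. The managed connection string still holds the password in clear text for the lifetime of the SqlConnection; that is unavoidable with the SqlClient shipped with .NET 3.5, so keep the scope of that object as small as the code allows.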