Excel Services – File Access Method

10/04/2011

תגיות: , ,
אין תגובות

Hi friends,

We are now involved in a very big excel based dashboarding. I will share with you some of the things we have run into –> so it makes easy for you. I hope.

File Access Method – This setting determines the authentications method used by the ECS to get workbooks from trusted file locations other than SharePoint document libraries. You have two options for this setting:

Impersonation – This is default. The end-user account is used to access the workbooks.

Process Account – The ECS process account will be used to access the workbooks.

Process Account:

Excel Services allows the process account to be used to read workbooks from UNC or HTTP locations. Although this is not a classic spoofing threat, the result is similar: users are allowed to read a workbook, even though they might not have permissions to it.

You should use SharePoint document libraries rather then UNC or HTTP locations to ensure that the end user’s credentials are used to verify the permissions. For UNC and HTTP locations, you should use impersonation rather than the process account. Using impersonation requires setting up Kerberos-constrained delegation to the UNC or HTTP server, which makes this deployment more difficult.

If you must use the process account, ensure that it is acceptable for all authenticated users to have permissions to those files.

Add a trusted file location

http://technet.microsoft.com/en-us/library/cc261678.aspx

Manage Excel Services trusted file locations

http://technet.microsoft.com/en-us/library/cc263009.aspx

Impersonation

Impersonation enables a thread to run in a security context other than the context of the process that owns the thread. Select this option to require Excel Calculation Services to authorize users who try to access workbooks stored in UNC and HTTP locations.

Note: Selecting Impersonation has no effect on workbooks that are stored in Microsoft Office SharePoint Server 2007 databases. In most server farm deployments in which front-end Web servers and Excel Calculation Services application servers run on different computers, impersonation requires constrained Kerberos delegation.

Process account

If Excel Calculation Services application servers are opening workbooks from UNC shares or HTTP Web sites, the user account cannot be impersonated, and the process account must be used.

Under Connection Encryption, select Not required if you do not want to encrypt communications with the front-end of Excel Services, or select Required to use encryption for all communication with the front-end of Excel Services.

Consider deploying Internet Protocol security (IPsec) or Secure Sockets Layer (SSL) to encrypt data transmission between Excel Calculation Services application servers, data sources, client computers, and front-end Web servers. If you decide to require encrypted data transmission, you will have to manually configure IPsec or SSL. You can require encrypted connections between client computers and front-end Web servers while allowing unencrypted connections between front-end Web servers and Excel Calculation Services application servers.

הוסף תגובה
facebook linkedin twitter email

כתיבת תגובה

האימייל לא יוצג באתר. שדות החובה מסומנים *