SharePoint 2010: Retrieving Credentials from Secure Store Service

Microsoft has replaced the Single Sign-On service in SharePoint 2007 with the Secure Store Service (SSS).  With this change also comes a pretty big overhaul of the API set.   If you have written any custom applications, web parts or utilities that used the SSO service in 2007 you may be required to rewrite or update your code to reflect these changes.  Currently there is very little information on the Secure Store Service API outside of the list of classes on MSDN.   I have, however, managed to write a simple sample console application that can retrieve the credentials of the currently logged in user for an application configured in SSS.

To use the following sample code you will need to add a reference to the following assemblies:

  • Microsoft.BusinessData
  • System.Web
  • System.Web.DataVisualization
  • Microsoft.Office.SecureStoreService.Server
  • Microsoft.SharePoint

The Microsoft.Office.SecureStoreService.Server assembly was not immediately available on my SharePoint 2010 beta installation.  After much searching I located it in a CAB file and had to extract it in order to use it.  On my server it was located in C:\Program Files (x86)\MSECache\oserver2010\Global\Search\osrchwfe.cab.  Most of the other assemblies can be found either in the .NET tab of the references dialog box in Visual Studio or by browsing to c:\program files\common files\microsoft shared\web server extensions\14\ISAPI.

Update (6/4/2010):  Microsoft has posted a KB article explaining how to reference the Microsoft.Office.SecureStoreService.dll file from the GAC: http://support.microsoft.com/kb/982263

Before using this code you will need to configure the Secure Store Service on SharePoint 2010 with at least one target application.  To retrieve credentials you will also need to have set the credentials for the specified application and associated them with the user account that will be running this sample code.

Before running the sample code, replace SERVERNAME with your own SharePoint 2010 server URL and APPLICATIONID with an application ID stored in SSS.  Also ensure that you have the target framework set to 3.5 and the platform target set to Any CPU in Visual Studio.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using Microsoft.SharePoint;
using Microsoft.Office.SecureStoreService.Server;
using Microsoft.BusinessData.Infrastructure.SecureStore;

namespace SSSTEST
{
    class Program
    {
        static void Main(string[] args)
        {
            // Retrieves the current user's application username and password.
            SecureStoreProvider prov = new SecureStoreProvider();
            using (SPSite site = new SPSite("http://SERVERNAME"))
            {
                Console.WriteLine(site.RootWeb.CurrentUser.Name);
                SPServiceContext context = SPServiceContext.GetContext(site);
                prov.Context = context;
                string appID = "APPLICATIONID";
                try
                {
                    SecureStoreCredentialCollection cc = prov.GetCredentials(appID);
                    foreach (SecureStoreCredential c in cc)
                    {
                        // c.Credential is a SecureString: copy it to an unmanaged BSTR,
                        // read it, then zero and free the buffer so the plaintext
                        // does not linger in unmanaged memory.
                        IntPtr ptr = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(c.Credential);
                        try
                        {
                            string sDecryptString = System.Runtime.InteropServices.Marshal.PtrToStringBSTR(ptr);
                            Console.WriteLine(sDecryptString);
                        }
                        finally
                        {
                            System.Runtime.InteropServices.Marshal.ZeroFreeBSTR(ptr);
                        }
                    }
                }
                catch (Exception ex)
                {
                    Console.WriteLine("Unable to get credentials for application " + appID);
                    Console.WriteLine(ex.Message);
                }
                Console.ReadLine();
            }
        }
    }
}
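The sample loop prints every field it is handed without knowing which one is the user name and which is the password. A target application in SSS tags each field with a CredentialType, so a caller can select by type instead of by position and keep the password as a SecureString. The helper below is an added example, not code from the original post; SssLogin, SecureStoreHelper, siteUrl and appId are names chosen here, and the ISecureStoreCredential.CredentialType property and SecureStoreCredentialType enum are assumed to come from the Microsoft.BusinessData assembly already referenced above.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using Microsoft.BusinessData.Infrastructure.SecureStore;
using Microsoft.Office.SecureStoreService.Server;
using Microsoft.SharePoint;

// Fields pulled from one target application; the password stays a SecureString.
public sealed class SssLogin
{
    public string UserName;
    public SecureString Password;
}

public static class SecureStoreHelper
{
    // Selects fields by CredentialType rather than by position, so a reordering
    // of fields in Central Administration cannot silently swap the two values.
    public static SssLogin GetLogin(string siteUrl, string appId)
    {
        SecureStoreProvider prov = new SecureStoreProvider();
        using (SPSite site = new SPSite(siteUrl))
        {
            prov.Context = SPServiceContext.GetContext(site);
            SssLogin login = new SssLogin();
            foreach (ISecureStoreCredential c in prov.GetCredentials(appId))
            {
                switch (c.CredentialType)
                {
                    case SecureStoreCredentialType.UserName:
                    case SecureStoreCredentialType.WindowsUserName:
                        login.UserName = ToClrString(c.Credential);
                        break;
                    case SecureStoreCredentialType.Password:
                    case SecureStoreCredentialType.WindowsPassword:
                        login.Password = c.Credential.Copy(); // own copy, outlives the collection
                        break;
                }
            }
            return login;
        }
    }

    // Managed copy only where unavoidable (the user name); the BSTR is zeroed, then freed.
    static string ToClrString(SecureString s)
    {
        IntPtr ptr = Marshal.SecureStringToBSTR(s);
        try { return Marshal.PtrToStringBSTR(ptr); }
        finally { Marshal.ZeroFreeBSTR(ptr); }
    }
}
```

Callers that need the password in managed form can pass login.Password through ToClrString themselves, but anything that accepts a SecureString should be handed the SecureString directly.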


  1. Thanks for the post! We use the following extension method to convert secure string (please note the deallocation of the pointer):

    using System.Runtime.InteropServices;
    using System.Security;

    public static class SecureStringExtensions
    {
        public static string ToClrString(this SecureString s)
        {
            var ptr = Marshal.SecureStringToBSTR(s);
            try
            {
                return Marshal.PtrToStringBSTR(ptr);
            }
            finally
            {
                Marshal.FreeBSTR(ptr);
            }
        }
    }

  2. Is it also possible to write credentials to the store by code? How do I have to do this?

    While examining the object-model, I have not found anything useful :-/
