SharePoint 2010 PerformancePoint - advice on deploying Secure Store Service

I am in the process of deploying Performance Point but hesitating now after reading this

Microsoft advise :-

Create the secure store database on a separate application server running SQL Server. Do not use the same SQL Server installation that contains content databases

Does this REALLY mean I have to find a separate middleware server, deploy this service and run a separate SQL server with just this database on it ? Has anyone deployed this service successfully on a WFE on a simple farm configuration.

Also, they recommend using Kerberos authentication to authenticate individual accounts, but my understanding is that if I have Sites which are not on the default ports (80 and 443), the CRAWL service will fail - it will only work on non-default ports using NTLM ? Seems to be a CATCH 22 !!!

I am proposing to set this service up on the WFE in common with all other services (it is a fairly meaty 16 GB box), and either :-

1. Create the database within the current SQL instance (which also contains the content and config databases)
2. Create a new SQL instance and create this database for the Secure Store ONLY on the new instance.

All recommendations welcomed !!

Justin Smith (Sr. System Engineer) commented:
Can you provide the source that you found this advice?

I've deployed the Secure Store many times and have always used the same SQL server.  I guess I could see the value of using a separate SQL box in EXTREME situations where security is of utmost importance.

Kerberos is always suggested by Microsoft, for everything in SharePoint, not just Secure Store.  This is definitely not a requirement.  As far as Search, it doesn't matter what port you are using for the site, but the Search requires a URL that uses NTLM.

TheGeezer2010 (Author) commented:
Hi Ach1lles

Thanks for your reply - I will go ahead and deploy on the WFE using same SQL then. Looks like I am a one-man supply of your points these days :-)
TheGeezer2010 (Author) commented:
My understanding of the crawl is that it will only crawl a web successfully if it is hosted on either 80 or 443 when Kerberos authentication is used. This link explains this :-

Known issues
SharePoint Server 2010 can crawl Web applications configured to use Kerberos authentication if those Web applications are hosted on IIS virtual servers that are bound to default ports (TCP port 80 and Secure Sockets Layer (SSL) port 443). However, SharePoint Server 2010 Search cannot crawl SharePoint Server 2010 Web applications that are configured to use Kerberos authentication if the Web applications are hosted on IIS virtual servers that are bound to non-default ports (ports other than TCP port 80 and SSL port 443). Currently, SharePoint Server 2010 Search can only crawl SharePoint Server 2010 Web applications hosted on IIS virtual servers bound to non-default ports that are configured to use either NTLM authentication or Basic authentication.

In view of this, one question please Ach1lles - which authentication method did you use when using NTLM - the single account or the individually mapped accounts ?

Any other tips for configuring this to work with Performance Point Services ?



Justin Smith (Sr. System Engineer) commented:
Hmm...didn't know that.

I don't understand your question "which authentication method did you use when using NTLM - the single account or the individually mapped accounts"
TheGeezer2010 (Author) commented:
Hi Ach1lles

I read that there were three methods of authenticating users :-

1. Kerberos via AD account
2. Single account used by all users
3. Individual accounts authenticated by alternative means

Basically, if you don't use kerberos you are stuck with 2 or 3.

I have created a domain account which will be used to retrieve data for PerformancePoint, and which is stored in the encrypted database which hosts the Secure Store service. I presume therefore that this constitutes option 2 ?
Justin Smith (Sr. System Engineer) commented:
Correct, option 2, which is the unattended account and the most popular, and the only option that I've personally used.
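As an added example that is not part of the original thread, the following SharePoint 2010 Management Shell script does what the two participants settled on: it provisions the Secure Store Service application with its database on the same SQL instance as the config and content databases (option 1 in the question; swapping in a dedicated instance name gives option 2), generates the master key from a passphrase, and then registers a domain account as the PerformancePoint unattended service account (option 2 of the three authentication methods). The server, application pool, database and account names are placeholders, the existing PerformancePoint service application is assumed to already exist, and the passphrase is assumed to be kept somewhere other than the SQL server: the stored credentials are protected by a master key that the passphrase unlocks, which is the real reason Microsoft prefers to keep the database away from the content SQL box.

```powershell
# Added example, not the original poster's or Microsoft's own script.
# Names below are placeholders for your farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$sqlServer  = "SQL01"                          # option 1: same instance as config/content DBs
# $sqlServer = "SQL01\SecureStore"             # option 2: a dedicated instance
$ssDbName   = "SecureStore_DB"
$poolName   = "SharePoint Services App Pool"   # an existing service application pool
$passphrase = "use-a-long-unique-passphrase"   # record it outside the SQL server

# 1. Start the Secure Store service instance on this box (the WFE in the thread)
$inst = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq "Secure Store Service" -and $_.Server.Address -eq $env:COMPUTERNAME
}
if ($inst.Status -ne "Online") { Start-SPServiceInstance -Identity $inst | Out-Null }

# 2. Create the service application (this creates the database on $sqlServer) and its proxy
$pool    = Get-SPServiceApplicationPool -Identity $poolName
$ssApp   = New-SPSecureStoreServiceApplication -Name "Secure Store Service" `
              -ApplicationPool $pool -DatabaseServer $sqlServer -DatabaseName $ssDbName `
              -AuditingEnabled -AuditLogMaxSize 30
$ssProxy = New-SPSecureStoreServiceApplicationProxy -Name "Secure Store Service Proxy" `
              -ServiceApplication $ssApp -DefaultProxyGroup

# 3. Generate the master key from the passphrase and push it to the application server(s)
Update-SPSecureStoreMasterKey -ServiceApplicationProxy $ssProxy -Passphrase $passphrase
Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $ssProxy -Passphrase $passphrase

# 4. Register the single domain account PerformancePoint uses for every data-source
#    connection (the "unattended service account", option 2 in the thread).
#    PerformancePoint stores it as a target application in the Secure Store.
$cred   = Get-Credential -Message "PerformancePoint unattended service account (DOMAIN\user)"
$ppsApp = Get-SPPerformancePointServiceApplication
Set-SPPerformancePointSecureDataValues -ServiceApplication $ppsApp `
    -DataSourceUnattendedServiceAccount $cred

# 5. Check that the account is now held by the Secure Store
Get-SPPerformancePointSecureDataValues -ServiceApplication $ppsApp
```

Run this once on the server that hosts the Secure Store service instance; if you later add another application server, re-run step 3's `Update-SPSecureStoreApplicationServerKey` there so it receives the key. Because the unattended account is a single shared identity, grant it read-only access to the Analysis Services or SQL sources PerformancePoint queries and nothing more.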
TheGeezer2010 (Author) commented:
Sometimes you need advice and reassurance that, even though you are not strictly adhering to Microsoft's guidelines, in practice the solution you are about to implement will actually work fine anyway. Ach1lles provided exactly this here.