In my two recent posts I wrote about a security-related problem we ran into when trying to access an external data source from the SharePoint 2010 Timer service process.
The key to the solution seems to be the information one can find on this MSDN page.
As it states, “The user security token is not available in every context. Without the security token, PassThrough security will not work.”
As you may know, PassThrough is the standard and usually recommended authentication method for an external data source, but in this case we have to switch to an alternative one.
The trivial solution would be to use RevertToSelf authentication, under which the external system is accessed with the identity of the calling process account rather than the user's. Since this type of authentication is not recommended in a production environment, it is disabled by default. Before using it, you have to enable it, for example with the help of PowerShell (see an example here).
After you have enabled RevertToSelf, you can find the equivalent BDC Identity option in the list of the available authentication modes:
(To access the settings above, you should select the External Systems view at the administration of the Business Data Connectivity Service, then click the name of the external system you would like to manage, and then click the name of the external system instance.)
After you have selected the BDC Identity authentication mode, you can use this code to access the external system:
The other, and recommended option for authentication is to use the Secure Store Service (SSS).
Note: Secure Store Service is not included in SharePoint Foundation 2010, so this option is unfortunately limited for SharePoint Server 2010 Standard and Enterprise versions.
Create a target application in SSS, then set the credentials of an account with permissions for the external system.
Next, configure your external system to Impersonate Windows Identity, set the name of the Secure Store Target Application Id as created in the previous step, and set Secure Store Implementation as Microsoft.Office.SecureStoreService.Server.SecureStoreProvider, Microsoft.Office.SecureStoreService, Version=220.127.116.11, Culture=neutral, PublicKeyToken=71e9bce111e9429c.
After you have configured your external system instance as described above, you can use this code to access the external data from the timer job / event receiver:
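As an added example that is not the code from the original post, the timer job below reads an external entity through the BDC object model; the same code serves both the BDC Identity configuration above and the Secure Store configuration, since only the authentication mode of the external system instance changes. The site URL, entity namespace, entity and LOB system instance names, finder method instance name and field names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.BusinessData.MetadataModel;
using Microsoft.BusinessData.Runtime;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;
using Microsoft.SharePoint.BusinessData.SharedService;

public class ExternalDataTimerJob : SPJobDefinition
{
    public ExternalDataTimerJob() : base() { }

    public ExternalDataTimerJob(string name, SPWebApplication webApp)
        : base(name, webApp, null, SPJobLockType.Job) { }

    // Runs inside OWSTIMER.EXE: there is no user security token here, so the
    // external system instance must use BDC Identity (RevertToSelf) or
    // Secure Store credentials; with PassThrough this call fails as described above.
    public override void Execute(Guid targetInstanceId)
    {
        using (SPSite site = new SPSite("http://intranet")) // assumed site URL
        {
            // The service context of this site selects the BDC proxy (and through
            // it the Secure Store Service) used to resolve the credentials.
            SPServiceContext context = SPServiceContext.GetContext(site);
            foreach (string line in ReadCustomers(context))
            {
                SPDiagnosticsService.Local.WriteTrace(0,
                    new SPDiagnosticsCategory("ExternalDataTimerJob",
                        TraceSeverity.Medium, EventSeverity.Information),
                    TraceSeverity.Medium, line, null);
            }
        }
    }

    public static List<string> ReadCustomers(SPServiceContext context)
    {
        BdcService service = SPFarm.Local.Services.GetValue<BdcService>(String.Empty);
        IMetadataCatalog catalog = service.GetDatabaseBackedMetadataCatalog(context);

        // Assumed names as defined in the BDC model.
        IEntity entity = catalog.GetEntity("http://intranet/Customers", "Customer");
        ILobSystemInstance lobInstance =
            entity.GetLobSystem().GetLobSystemInstances()["CustomersInstance"];
        IMethodInstance finder = entity.GetMethodInstance("ReadList", MethodInstanceType.Finder);

        List<string> rows = new List<string>();
        IEntityInstanceEnumerator instances = entity.FindFiltered(finder.GetFilters(), lobInstance);
        while (instances.MoveNext())
        {
            IEntityInstance instance = instances.Current;
            rows.Add(String.Format("{0}: {1}", instance["CustomerId"], instance["Name"])); // assumed fields
        }
        return rows;
    }
}
```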
It is important to note that, based on the MSDN article mentioned at the beginning of this post, workflows and sandboxed solutions might suffer from the same security problem, so if you have such issues accessing an external data source, the solutions described above might help in those cases as well.