While many people are still unaware of it, Excel 2010 (and even previous versions) is a very powerful business intelligence client. That’s right, I said Excel. And I don’t mean the classic grab some data, do some charts and email it around sort of Excel, I mean connecting it to Analysis Services cubes and performing fast, useful data analytics on known sets of data. It can also go off and do some pretty amazing things with the Data Mining add-in, or PowerPivot, but for now I’m going to restrict myself to using core capabilities, and getting them published to SharePoint.
To start with, it’s important to understand how SharePoint interacts with Excel. Of course, at it’s core, you can store Excel files in a SharePoint document library,and open them in Excel. However,starting with SharePoint 2007,SharePoint included Excel Services, which allowed you to open a spreadsheet directly in the browser (without having Excel installed or using any ActiveX trickery). It also provided an Excel calculation engine, that was programmatically callable. Why would that matter? A power user could develop a complex model with Excel, store it in SharePoint, which could then be used as a calculation “black box” for other things. The model could also be tweaked by the power user as necessary with them needing to worry about coding. Finally, you could expose part of the spreadsheet (and named range or object) through the Excel Services web part, which would truly allow you to incorporate Excel content into a dashboard.
SharePoint 2010 brings more to the table, including not only the browser consumption of spreadsheet content, but editing through the Excel Web Application.
However, all of this power does not come without its risks, and when interacting with external data, risks abound. Microsoft has done an excellent job of providing us with a highly secure infrastructure that allows us to do what we want here, but the only trouble is that it’s not always clear which approach to take. My aim in this article is to navigate through the process of connecting to an external data source (an analysis services cube, but the principle applies to others) in a particular scenario in a simple fashion. Our scenario is a fairly common one:
- One Front End SharePoint Server
- One SQL back end Server hosting the SharePoint databases
- One SQL server hosting the Data Warehouse and the Analysis Services cubes
- Kerberos not installed in the environment
In this environment, we have an authentication problem, the famous double hop problem. If I as a user ask the server to process a spreadsheet that connects to external data, it can’t just take my authentication token and pass it along to the external data source. What we need to do is to set up a proxy account (this has its own set of implications that I won’t get into here) and we’ll do that via the secure store service. If you’re using Kerberos, then you don’t have the double hop problem and the Secure Store part of this won’t apply, but then you’re probably busy enough dealing with Kerberos issues anyway….
If you’ve ever connected to external data, and then sent the file to someone else, you’ll know that they get prompted to verify that they want to connect to the data source and that they trust the connection. In this case, the author has created an embedded data connection. Embedded data connections are not allowed (or at least are strongly discouraged) on the server, because it has no way of verifying the authenticity of the connection.
The way that we deal with this in SharePoint is by creating a connection file, and then publishing it to a trusted location in SharePoint. Administrators need to take heed, in that by default, Excel Services trusts all SharePoint locations, which makes life easy, but not necessarily secure. The library that the connections are stored in should also utilize approval features, but this is not required. This walkthrough isn’t concerning itself with the security aspects, but they need to be considered in any real world situation.
Most of the steps below only need to be performed once, and connection documents can be reused, etc. However, this walkthrough is aimed at getting everything all set up from scratch.
We also don’t want to store our credentials in our connection string, so we will utilize the Secure Store service in SharePoint which will allow us to use, without necessarily knowing, a set of credentials. This will allows us to work around the double hop problem in a secure way. We will start with the setup of the Secure Store Service.
1. Set up the Secure Store Service ID
From Central Administration, navigate to Manage Service Applications, and click on your Secure Store application. If you don’t have one already, you’ll need to create one. You should know that SharePoint Foundation does NOT come with the Secure Store service. However, Search Server Express 2010 does come with it (and a few other things). Given that it’s free, it provides a nice option.
The Secure Store Service Application relies on both the Secure Store Service (duh) and the Claims to Windows Token service. You’ll need to make sure that they’re both started in the “Services on Server” Section in Central Administration System Settings.
The secure Store application requires an encryption key. If one has not already been created, you’ll see a message indicating that you need to do so. The process is simple, just click the “Generate New Key” button in the ribbon.
Once a key has been created, we need to create a new target application, which is essentially a set of credentials. This is the application that our connection strings will reference when they need to connect to a back end data source. You create a new application by clicking the “New” button in the ribbon. The New application screen then appears.
There are a couple of things to note on this screen. Firstly, the Target Application ID is the ID that you will be using when you set up your connection below. You can name it what you like, but you’ll need to remember what it is. The Display Name and the Contact E-Mail need to be filled in, but the important thing to note is the Target Application Type field. If this is to be used by more than one person, you need to make sure that it is set to Group. By default, it is set to Individual, which doesn’t work so well in a shared environment. Take it from me – I found out the hard way. When this is filled in, click Next, and you’re presented with the following screen.
The Administrators are just that – the people who will set the properties of this set of credentials. The Members are the people that will be allowed to use this credential set in connections, External Lists etc. In the example above it’s set to anyone authenticated, which again, I wouldn’t recommend in production…..
When done, click OK, and we’re done right? Not so fast. We never actually set the credentials for this application, just everything around it. To do that, we select the application, and click the “Set (credentials)” button in the ribbon, or hover over the ID in the list and select “Set Credentials” from the dropdown.
In the subsequent screen you enter the account and the password (twice) of the credentials that are to be used as a proxy. Click OK and you’re done. A couple of things to note. If using a Windows account the name should be in DOMAINACCOUNT format. The proxy account is NOT a managed account, and if the password changes, you’ll need to come back here to update it. The proxy account should be a least privileges account, with access only to the things that are absolutely necessary to retrieve the appropriate data, or whatever its purpose is. Don’t add it to the Domain Administrators group.
OK, now step 1 is done. Whew.
2. Set up a Data Connection Library
The next thing we need to do is to set up a library to store our data connections. If you’ve set up a BI Site already (to use PerformancePoint), you can use the libraries there. Depending on your requirements, I find that it’s often a good idea to centralize this library and use it from different locations, but your requirements may vary. What we want to create is a Data Connection Library. This library will be used to store connections for both the Office Applications (ODC) and InfoPath UDC).
From the Site Actions menu on the site where it is to be located, select More Options, the, in the subsequent dialog box, Filter by Library, and select Data Connection Library. Give it a name (Don’t use spaces here, you can always come back and add them later, but we don’t want spaces in the internal name), and click Create
What makes this library special is that it uses the “Office Data Connection File” and the “Universal Data Connection File” content types. You could always add these content types to any old document library and achieve the same effect. You could also include Reporting Services connections if you’re using Reporting Services in integrated mode.
This library also needs to be registered as trusted in the Excel Services Application. This is done through the Manage Service Applications section of Central Administration. Simply click on your Excel Services application, click Trusted Data Connection Libraries, and add the URL of your library, if not already there.
3. Set up a Library to house the Excel Reports
You can store the Excel Report that we’ll be creating below into any document library in the Site Collection. If you have set up a BI Center, then you already have a “Reports” library, whose purpose is to do just that. Oddly, by default, this library isn’t set up to contain Reporting Services reports (.rdl files), but that isn’t relevant to my task here.
You simply need to create a new document library, and for the purposes of this example, I’ll call mine Excel Reports (original, huh?)
You’re now ready to create our connection. We’ll use Excel to do that.
4. Create And Store The Connection File
Open a new Spreadsheet in Excel. Click on the Data tab, then click the “From Other Sources” button and choose “From Analysis Services” (obviously, if you’re using something else, choose that).
Enter in the name of your server, and click Next, Select the Database and Cube that you want to connect to, and then click Next again. We’ll need to do a couple of things in the last screen that appears.
First, select “Always attempt to use this file to refresh data”. Then, click the “Authentication Settings” button. This is where it gets interesting.
s Authentication is what you would use if the data resides on the same machine as the SharePoint front end, or your organization is using Kerberos. With this setting, the credentials of the user are used to connect to the data source.If you select None, then the credentials identified as the “Unattended Service Account” (if configured) in the Excel Services configuration will be used. You can only use one of these accounts, and when configuring it, it too will use the Secure Storage Service. We want to select our credential set and we do so by selecting SSS, and entering the ID of the credential set that we created in step 1 above.
Next, we need to save this connection into the SharePoint data connection library that we created in step 2. Click the Browse button, enter the URL of the library in the Address bar, choose a name and click save.
Finally, When you’re done, click finish, and fill out the metadata form that pops up with any comments or keywords that you might want to use later to fine the connection document. Now we have a connection document in the connection library.
5. Create The Excel Content
When you’re done creating the connection document, Excel will prompt you to insert a pivot table or chart. Choose the location, and Excel will insert it for you, and put you in pivot edit mode. You can select your dimensions and measures, and build your chart accordingly. When you’re ready, your worksheet should look something like this.
Later, we’ll want to show just the chart on a dashboard page, and to do that, we need to make sure that our chart has a logical name, so we need to do that, as highlighted above. Any named range can be published out to an Excel Services web part. When ready, it’s time to publish to SharePoint, but we also want to set some file properties first. These properties are very well hidden….
Click on the “File” tab to go to the backstage. Once in the backstage, click on the “Save and Send” tab on the left hand side. Then click on “Save to SharePoint”. Your screen will appear as follows:
Finally, we need to click on the Publish Options button. This allows you to control what gets used by Excel Services, and what appears when the spreadsheet is opened in the browser. It also lets us define parameters which can be used by the Excel Services web part, but I won’t be using parameters here. I will however choose to publish only my chart and my pivot table to Excel Services, so I click on the dropdown option in the Show tab, change it to “items in the workbook”, and check my two items.
Finally I can click OK, then click on “Save to SharePoint” and save the spreadsheet in the library created in step 3 above.
6. Test the File and Publish the Chart in a Dashboard
Navigate to the library that you stored the report and click on it. The file should open in a browser, and you should see the first item (alphabetically) that you set to publish above.
You can switch between published items, using the view dropdown highlighted above. Once you’ve gotten this far, everything is working, and we’re ready to put our chart into a dashboard page.
All that we’ll need to know is the name of the item, and the address of the spreadsheet. In our case, our item is “Chart 2” and the URL of the spreadsheet is http://uvspdev2010/ExcelReports/MySpreadsheet.xlsx. Navigate to anywhere in the site collection that you’d like to show the chart. I’m going to use a team site. From the destination, select Site Actions – Edit Page (or select Edit from the ribbon). Place your cursor where you want the chart to appear, click the Insert tab on the ribbon and click the Web Part button. Select the Business Data category, Choose the “Excel Web Access” part and click insert.
Once added, click on the “Click here to open the tool pane” link, and enter all desired parameters. The two crucial parameters are Workbook and Named Item. When adding content to a dashboard, I find that it is better to remove all of the buttons and web part chrome, but that’s totally dependent on the use case. When ready, my web part parameters look something like this:
At this point, you can click OK, and you should see your item on the page in context.
Congratulations – you’re done!!
This was meant to be a “Hello World” walkthrough, and thus, I’ve left out quite a bit. You can add slicers and all kind of cool BI functions to your sheet, and they’re work in the browser. This is showing data in a cube, and therefore the chart will be updated when the cube is. You can also use parameters in Excel and drive them through filter web parts and connections on the display pages.
There ARE a lot of moving parts here, but once the infrastructure is set up, power users can do some pretty spectacular things using just Excel and SharePoint, and they can do so in a fully managed environment. Oddly enough, chances are that your power users probably already know both of these tools.
Nice tutorial. Very humorous too, especially this part:
“Once you’ve gotten this fart, everything is working, and we’re ready to put our chart into a dashboard page.”
Didn””t know you had to get the farts to get everything working, lol.
Thanks jake… I really should read these things over before I post them. Hopefully there is some humour… but that was unintentional! Of course, it””s probably accurate….
[…] http://whitepages.azurewebsites.net/2010/12/connecting-to-cubes-and-external-data-with-excel-in-share… […]
After i click on publish/Save, it is throwing an error on the site as below
“The file that you selected could not be found. Check the spelling of the file name and verify that the location is correct. Make sure that the file has not been renamed, moved, or deleted”
I have followed all the steps as you have mentioned. But, could not able to tract why it is throwing this error.
Your help on this is truly appreciated.
[…] Connecting to Cubes and External Data with Excel in SharePoint (excellent blog post from John White) […]
Nice tutorial, but I always have a problem with the “Refresh all connections” I get the message “An error occurred during an attempt to establish a connection to the external data source. The following connections failed to refresh: … “. I verified all parameters and the Log. It seems that the Excel Calculation can get the account, the log give “CredentialsDatabase.Init: Failed creating database type credentials because the unattended account is not available”, and “UnattendedAccount.GetCredentialsFromStore: Expecting Windows credentials in SsCredentials.”.
So the refresh does not work
@Roland – Have you set up an entry in the Secure Store Service?
John, thanks for a great post, I was trying to figure out what I did wrong and you spelled it out very clearly!
Thank you for your tutorial.
I am facing an annoying issue and i thought that maybe you can help me.
So, I don’t have any problem to create, publish or see a workbook in the browser. No problem either when I add it in a dashboard. No problem to oppening it again in Excel.
The problem start when I try to apply a filter on this workbook. I recieve the following error message:
“The file that you selected could not be found. Check the spelling of the file name and verify that the location is correct.
Make sure that the file has not been renamed, moved, or deleted.”
Can you help me? This issue is really driving me crazy…
Thanks in advance
Question: I am a user, not an admin, and I am having a hard time getting this too work, since I am the first in my organization to request these settings. IT has told me to use a SSID, which didn’t work.
Through our correspondence I have come to know the target application ID,which is different than the SSID they told me about. Should I be entering this or the Proxy ID.
Thx John for the excellent post and the presentation at Toronto SharePoint User Group Meetup.
Question: Does this best practice change any in light of the new SharePoint 2013 delegation feature called “EffectiveUserName”?
In what scenarios is it still warranted to configure Kerberos with SPNs?
Hi, this is an excellent article.
Is it possible to connect from SharePoint 2010 to a cube on SQL 2012 R2.
It works OK with the cube on SQL 2008 R2 but now the developers want to move the cube on to SQL 2012 R2.
Roman – SharePoint 2013 does utilize EffectiveUserName. This significantly reduces the reliance on Kerberos for fine-grained permissions. I maintain that fine-grained permissions shouldn’t be used unless necessary, but it does provide an effective solution.
Vadim – thanks. The version of SQL Server is irrelevant for these connections. You should be just fine with that.
Thanks James for your prompt response – much appreciated.
Great article John, I do however have a situation where I have the Trusted Data Connection Folder set up in SharePoint – that works nicely; I have an SSAS Tabular setup with some roles – working great. I have a Secure Store Service Target application created. and I can create a fresh excel solution which uses the ODC, connects to the SSAS Tabular cube, save it to my SharePoint Document Library (I am just re-using the PowerPivot Gallery Location… ) and the solution come up in SharePoint and just works… BUT…
I have solutions developed and working in Excel using an embedded connection (NOT starting from the ODC file located in my SharePoint Trusted Connection Folder, but simply the Connection was created in Excel and embedded within the workbook.) Initially the developer uploaded it to SharePoint and, of course it can’t trust the embedded connection, it needs to reference the ODC file save in SharePoint. We change the connection to reference the the ODC in SharePoint. In Excel the solution continues to work… when rendered in Excel Services, no such luck. I see that another person is getting the exact same problem here:
I don’t have 50 Reputation points to comment at this point on SuperUser – as I just registered.
Is there a reliable way to transition existing applications from an embedded ODC to one stored on SharePoint without killing the connection?
Hey Scott – thanks!
It’s ugly. You essentially need to save off the ODC to a trusted library, and then replace the connection in Excel to use the ODC – if memory serves, you need to go through the process of locating the file, etc in the connection. Once you get through that, it should work OK. Of course, it’s a whole lot easier to just tell Excel Services to trust embedded connections….. 🙂
It was a little worse with regards to swapping the connection… I had to rename the .xlsx to .zip and modify the connections.xlsx, save it, copy it into the zip file, then rename it back to .xlsx. It worked after that, BUT then there we other issues… Question… How does one get Excel Services to trust embedded connections? I’m not sure that is a great idea for my client, but now I’m curious. Please don’t tell me it is easy, as I might start to cry… 🙂
Start crying…. it’s pretty easy IF you have access to it.
It’s in the Trusted File Location properties for the Excel Service Application in Central Admin. Open that up, and navigate to the “External Data” section, then select “Trusted data connection libraries and embedded”. It’s the embedded part….
I have configured secure store to access external data. In my case it is multidimensional cube and working fine. Proxy user has read access over cube. All other users that will access cube data through the rights of proxy user. Security is implemented for SSAS users at cube. How can I make sure that no ssas user can access the data of other user. I am asking this question because proxy user has read rights at the cube if other users are taking rights of proxy user then they access data of other user well.Please correct me if am wrong.
Not like that
mental clients are asked if we select the data in cube in SharePoint browser then that time it will be save in excel SharePoint
I said it cannot be possible but again and again my client is asking how can it possible
is there any solution in SharePoint browser it can possible ot not cube data can be changed or not