Making BCS work for anonymous users – Part 1

This article contain 2 parts and my aim is to cover some of the specific things (not the basics of BCS) that we need to consider when building BCS for public sites. Thus displaying external data to anonymous users using BCS needs some tweaks around security, etc…

Basic details on creating an external content types based on SQL Server tables can be found at, similarly external content types can be created based on Stored Procedures (SPROC) or User Defined Functions (UDFs) as well

Authentication for  External Data source –  via SharePoint Designer (SPD)

When we create an external content type using SPD2010, the screen where we specify the external data source information has 3 options for authentication mode for type ‘SQL Server’, shown below

The “Connect with User’s Identity” is the “PassThrough” authentication mode we had in MOSS 2007 BDC.  The other 2 relates to Single Sign On.  Now that we have Secure Store Service Application, we can use “Connect with Impersonated Windows Identity” OR if we are using claims token we can use “Connect with Impersonated Custom Identity”. All good but what if we want “RevertToSelf” authentication mode?

The BCS architecture still supports it, but unfortunately, it is not available to us in this initial screen.  If the authentication mode isn’t set to “RevertToSelf” in scenarios where users who don’t have specific object or metadata store permissions (anonymous users) would see errors like: “Login failed for user “NT AUTHORITY\ANONYMOUS LOGON” while browsing to external list.”

RevertToSelf or BDC identity authentication is not enabled by default on a BCS Service application on a SharePoint farm, therefore this option won’t appear in the SPD by default. Run the following Power Shell (PS) script to activate it. (make sure you replace the name of the BCS Service Application with the correct one)

Finally after running the above script we can change the authentication mode to “RevertToSelf” using SharePoint Designer (SPD), select the external content type and click the “Edit Connection Properties” in the ribbon, and in the “Connection Properties” dialog change the “Authentication Mode” to “BDC Identity” as shown below, this will allow the list to automatically connect to the external source for all kind of user.

Note: “BDC Identity” option would still be available even if we don’t enable “RevertToSelf’ in the BCS service application.  However, when we use it without “RevertToSelf” to self to true, SPD will throw up an error such as “The metadata object that has Name ‘xxxx’ has a Property with name ‘AuthenticationMode’ and value ‘ReverToSelf’. This value indicates that the runtime should revert to the identity of the application pool …”

Cool… the next and final step is to set the correct permissions (object permission) on the external content type via SharePoint Central Admin, I will cover this in my next post (Making BCS work for anonymous users – Part 2)..


4 comments on “Making BCS work for anonymous users – Part 1

  1. Nice weblog here! Additionally your web site lots up very fast!
    What host are you the usage of? Can I am getting your affiliate hyperlink to your host?
    I want my website loaded up as quickly as yours lol

  2. Boyd says:

    Wow, incredible weblog layout! How lengthy have you ever been
    running a blog for? you made running a blog glance easy.
    The entire look of your web site is wonderful, as neatly as
    the content material!

  3. I Think blog, “Making BCS work for anonymous users – Part 1 Deep into SharePoint” ended up
    being fantastic! I actuallycan’t agree with you even more! At last seems like Ifound a blog page worth reading through. Thanks, Nick

  4. Nagaraj Ganiger says:

    Thanks Bro. You saved my time 🙂

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s