Making BCS work for anonymous users – Part 2

We looked at how the security and permissions need to be configured using SharePoint Designer in the first article, ‘Making BCS work for anonymous users – Part 1’. In this article I will outline the changes that need to be made in Central Admin to complete the task and make the external content type accessible to anonymous users on internet-facing sites.

Once the changes described in Part 1 are complete and the external content types are available in Central Admin (under Business Connectivity Services) as shown below, object permissions need to be set on the external content types.

Select the external content type that you need to expose to external users and click ‘Set Object Permission’ in the ribbon. The dialog shown below will pop up, where you can add users/groups and set specific permissions. Add the built-in user group ‘NT AUTHORITY\ANONYMOUS LOGON’ and set the ‘Execute’ permission.

Note: In some cases SharePoint won’t find the built-in group ‘NT AUTHORITY\ANONYMOUS LOGON’, so you can’t set the permission using the UI. You can still set it by editing the XML of the underlying BDC model directly. The XML of the BDC model for the external content type includes <AccessControlEntry> elements that specify what rights an individual user or group has to the BCS external content type. Adding users to the BCS permissions in the UI creates additional entries in the XML of the model. To give anonymous users access to the BCS model we need to add the following entry to several <AccessControlList> elements in the BDC model’s XML.

<AccessControlEntry Principal="NT Authority\Anonymous Logon">
  <Right BdcRight="Execute" />
</AccessControlEntry>

The easiest way to do this is to select the BCS service application you created in Central Admin and add the Execute right for a specific user. This gives you an entry that you can search for and replace in the XML file later. Then export the BDC model (with permissions) and edit it: search for the user you added and replace it with ‘NT AUTHORITY\ANONYMOUS LOGON’. Go back to Central Admin and use the Import button on the ribbon to import the edited BDC model into your BCS service application (make sure you import with permissions).
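A search and replace copies every right the placeholder user held, so it is worth checking the edited model before importing it. The script below is an added example, not part of the original article: it lists, for each <AccessControlList>, which rights the anonymous principal holds and flags anything beyond Execute. The sample model and all names in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANON = "nt authority\\anonymous logon"  # compared case-insensitively

# Constructed sample of an exported BDC model (all names are made up).
SAMPLE_MODEL = """<Model xmlns="http://schemas.microsoft.com/windows/2007/BusinessDataCatalog" Name="DemoModel">
 <AccessControlList><AccessControlEntry Principal="NT Authority\\Anonymous Logon">
   <Right BdcRight="Execute" /></AccessControlEntry></AccessControlList>
 <LobSystems><LobSystem Name="DemoLob" Type="Database">
  <AccessControlList><AccessControlEntry Principal="contoso\\demo.admin">
    <Right BdcRight="Edit" /><Right BdcRight="Execute" /></AccessControlEntry></AccessControlList>
  <Entities><Entity Name="Product" Namespace="demo" Version="1.0.0.0">
   <AccessControlList><AccessControlEntry Principal="NT AUTHORITY\\ANONYMOUS LOGON">
     <Right BdcRight="Execute" /><Right BdcRight="SetPermissions" /></AccessControlEntry></AccessControlList>
  </Entity></Entities></LobSystem></LobSystems>
</Model>"""

def local(tag):
    """Strip the XML namespace so the check works whatever xmlns the export uses."""
    return tag.rsplit("}", 1)[-1]

def audit_anonymous(model_xml):
    """Return one (object, rights, verdict) row per AccessControlList in the model."""
    root = ET.fromstring(model_xml)
    parent = {child: p for p in root.iter() for child in p}
    rows = []
    for acl in root.iter():
        if local(acl.tag) != "AccessControlList":
            continue
        owner = parent.get(acl, root)  # the Model, LobSystem, Entity, ... the ACL belongs to
        name = f"{local(owner.tag)}:{owner.get('Name', '?')}"
        rights = set()
        for ace in acl:
            if ace.get("Principal", "").lower() == ANON:
                rights |= {r.get("BdcRight") for r in ace if local(r.tag) == "Right"}
        if not rights:
            verdict = "no anonymous entry"
        elif rights == {"Execute"}:
            verdict = "ok"
        else:
            verdict = "anonymous holds more than Execute"
        rows.append((name, sorted(rights), verdict))
    return rows

if __name__ == "__main__":
    for row in audit_anonymous(SAMPLE_MODEL):
        print(row)
```

To check a real export, read the exported file and pass its contents to audit_anonymous().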

That’s it. The external data (whether in an external list or in Business Data web parts) that is based on your external content type can now be accessed by anonymous users.

Thanks for reading the article. In my next article I will cover how to work with external content types programmatically.



7 comments on “Making BCS work for anonymous users – Part 2”

  1. Ronak says:

    Hi, thanks for sharing knowledge. I would like to set anonymous access for only on External Content type and I cannot find NT Authority\Anonymous Logon. Please advise.


  2. Kumar Shobhit says:

    Hi, this is not working for me… the list still asks for authentication…. What might be wrong?

    • Prashanth says:

      Have you given ‘NT Authority\Anonymous Logon’ execute permission? It’s hard for me to give you a solution without knowing the particular scenario that you are trying to handle.

  3. bitmax says:

    It’s not working… I import same you… ‘NT Authority\Anonymous Logon’ execute permission… in UI CA I can see it… but not run… have message “Access denied BCS” for anonymous

  4. Thanks. It is working at my end.

  5. Riyaz says:

    Hi, thanks for sharing knowledge. I am doing these steps in SharePoint 2013 but I am getting the same error “Access denied by Business Data Connectivity”. Don’t the above steps work for SP2013?

  6. […] We started the configuration of the External Content Type as explained in many blogs (Thanks Prashanth) […]
