{"id":131,"date":"2010-07-30T09:31:07","date_gmt":"2010-07-30T13:31:07","guid":{"rendered":"http:\/\/www.dontpapanic.com\/blog\/?p=131"},"modified":"2010-07-30T10:13:29","modified_gmt":"2010-07-30T14:13:29","slug":"enabling-anonymous-access-to-a-bcs-external-list","status":"publish","type":"post","link":"https:\/\/www.dontpapanic.com\/blog\/?p=131","title":{"rendered":"Enabling Anonymous Access to a BCS External List"},"content":{"rendered":"

I co-presented a webinar this week for ShareSquared<\/a> on using the Business Connectivity Service (BCS) to integrate application data into SharePoint.  A recording of the webinar is available here<\/a>.  One of the questions that came up in the Q&A was from someone who was having a problem exposing a Business Connectivity Service (BCS) External List for anonymous access on an Internet facing site.  They had already configured the BCS content type to authenticate using the BDC Identity (RevertToSelf authentication) and had setup AllowAnonymousExecute on all the method instances, but still were being required to authenticate in order to see the list.  According to them this worked in SharePoint 2007 BDC, but something was preventing it from working in BCS.  There wasn\u2019t really enough room in the Q&A document we published after the webinar to go into detail so this post will explain why it didn\u2019t work and a step by step solution to the problem.<\/p>\n

For the purpose of this post I will assume that you have already successfully configured an External Content type to use BDC Identity<\/em> as its security setting.  Using any of the other three settings (User\u2019s Identity, Impersonate Windows Identity, or Impersonate Custom Identity) won\u2019t work with anonymous access because they are all dependent on the logged on User\u2019s Identity and anonymous users have no identity.  You can read more about how to configure an External Content type to use the BDC Identity<\/em> setting in this post on the BCS Team Blog:  http:\/\/blogs.msdn.com\/b\/bcs\/archive\/2010\/03\/12\/authenticating-to-your-external-system.aspx<\/a>.<\/p>\n

The BDC Identity setting uses the Application Pool Identity of the Web Application as the security context for retrieving the data from database for an external content type.  But even if you use the BDC Identity setting an anonymous user will get an Access denied by Business Data Connectivity <\/em>error like the one in the screenshot below.<\/p>\n

\"BCSAccessDenied\"<\/a> <\/p>\n

The problem is that BCS requires that a user have access to the external content type in the BCS service application to access BCS data.  BDC Identity handles how the BCS service app gets the data from the backend data source, but does nothing to give an anonymous user access to the data in the service app itself.  This is one of the most frequently overlooked steps when configuring an external content type using SharePoint Designer (SPD) 2010.  After configuring an external content type in SPD you must set user permissions for the content type in Central administration.  These permissions are displayed in SPD, but can\u2019t be set in SPD.<\/p>\n

But anonymous users by definition aren\u2019t logged in so how can we set permissions for them in central admin?  There is a built-in group called NT Authority\\anonymous Logon<\/em> that represents all anonymous users. But when we try to add that group to the BCS permissions in Central Admin it fails, as you can see from the screenshot below.  So how can we give anonymous users permission to access a BCS external content type?<\/p>\n

\"bcs1a\"<\/a> <\/p>\n

The answer is that although you can\u2019t set these permissions in the user interface you can set them by editing the XML of the underlying BDC model directly.  The XML of the BDC model for the external content type includes <AccessControlEntry<\/font>> elements that specify what rights an individual user or group has to the BCS external content type.  Adding users to the BCS permissions in the UI creates additional entries in the XML of the model.  To give anonymous users access to the BCS model we need to add the following entry to several <AccessControlList<\/font>> elements in the BDC model\u2019s XML.<\/p>\n

<<\/span>AccessControlEntry<\/span> Principal<\/span>="NT Authority\\Anonymous Logon"<\/span>><\/span>\n  <<\/span>Right<\/span> BdcRight<\/span>="Execute"<\/span> \/><\/span>\n<\/<\/span>AccessControlEntry<\/span>><\/span><\/pre>\n