SharePoint 2010 BCS Login failed for user “NT AUTHORITY\ANONYMOUS LOGON”


Login failed for user “NT AUTHORITY\ANONYMOUS LOGON”

This error occurred because the Business Data Connectivity Service was not passing the current user’s credentials to the external data source, even though “Connect with User’s Identity” had been selected when the external content type was created.

 

Problem

Pass-through authentication does not work for BCS on a web application that is claims-based and uses Kerberos.

When you try to access an external list using the User’s Identity, you receive the following error:

Login failed for user ‘NT AUTHORITY\ANONYMOUS LOGON’

PreReq

In this post I will talk about the reason for this issue and the workarounds for it. I will not discuss how to create a web application that uses Kerberos or how to set up SPNs.

Reason

Service applications that are not claims-aware can use the Claims to Windows Token Service (C2WTS) to convert a claims token into a Windows token. At this time BCS does not leverage C2WTS, so the user's identity is not delegated to the external data source. More details can be found in the following guide:

http://download.microsoft.com/download/B/B/F/BBF0C6F3-6E36-4979-8C43-DE165AD7AE34/SP2010%20Kerberos%20Guide.docx

Workaround 1 – Revert to Self (BCS Authentication)

By default, Revert to Self is disabled. Run the following cmdlets from PowerShell to enable it:

Get-SPServiceApplication

# Copy the ID of the BCS Service Application

$bcs = Get-SPServiceApplication -Identity "BCS ServiceApp ID"

$bcs.RevertToSelfAllowed = $true

$bcs.Update()

 

PS C:\Users\SPSadmin> Get-SPServiceApplication

PS C:\Users\SPSadmin> $bdc = Get-SPServiceApplication -Identity "BCS ServiceApp ID"

PS C:\Users\SPSadmin> $bdc.RevertToSelfAllowed = $true

PS C:\Users\SPSadmin> $bdc.Update()

 

 

 

 

Afterwards, restart the Business Data Connectivity Service and the list should be working fine.

 

We also need to modify the external content type in SharePoint Designer so that it uses BDC Identity.


 

Select BDC Identity on the Default and Client tabs and click OK.

Now all users will be able to browse to the external list.

Note – Whenever an end user browses to the external list, the BCS application pool account, not the user’s identity, is used to pull the data. Please ensure that the BCS application pool account has permissions on the database.

The connection to SQL Server is now made with the account assigned to the application pool, so make sure to grant that account permission in SQL Server.
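
The PowerShell steps above as a single script, added here as an example and not part of the original post: it finds the BCS service application by type name instead of a hand-copied ID and reports the application pool account that SQL Server will see for every user once BDC Identity is selected. The function name Enable-BcsRevertToSelf and the TypeName filter are assumptions.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010
# Management Shell as a farm administrator. Enable-BcsRevertToSelf is a
# hypothetical name; the TypeName filter is an assumption about the farm.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Enable-BcsRevertToSelf {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Locate BCS service applications by type name rather than by copied GUID.
    $apps = @(Get-SPServiceApplication |
        Where-Object { $_.TypeName -like 'Business Data Connectivity*' })
    if ($apps.Count -eq 0) {
        throw 'No Business Data Connectivity service application found in this farm.'
    }

    foreach ($bcs in $apps) {
        $before = $bcs.RevertToSelfAllowed

        # Only write to the farm when the setting is off and the caller confirms.
        if (-not $before -and $PSCmdlet.ShouldProcess($bcs.DisplayName, 'Allow RevertToSelf')) {
            $bcs.RevertToSelfAllowed = $true
            $bcs.Update()
        }

        # With BDC Identity, this account is what the database sees for all
        # users, so it is the login whose SQL permissions should be reviewed.
        New-Object PSObject -Property @{
            ServiceApplication = $bcs.DisplayName
            Id                 = $bcs.Id
            RevertToSelfBefore = $before
            RevertToSelfNow    = $bcs.RevertToSelfAllowed
            AppPoolAccount     = $bcs.ApplicationPool.ProcessAccountName
        }
    }
}

# -WhatIf reports the current state without changing anything; drop it to apply.
Enable-BcsRevertToSelf -WhatIf | Format-List
```

Because every user's query then runs as AppPoolAccount, grant that login only the rights the external content type needs on the specific database objects it reads.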

 

 

References:

http://blogs.technet.com/b/harmeetw/archive/2011/08/28/getting-login-failed-for-user-nt-authority-anonymous-logon-when-browsing-external-list-on-a-claims-kerberos-web-application.aspx

http://blog.ozzie.eu/2012/04/sharepoint-2010-bcs-login-failed-for.html
