BCS and External List Learning – Part2
In Part1, I covered a specific scenario related to viewing external list and BDC throttling settings. In this post, I’ll cover a similar specific scenario but related to authentication.
When we create an external content type using SPD2010, the screen where we specify the data source information has 3 options for authentication mode as shown in Screen1.
The “Connect with User’s Identity” is the “PassThrough” authentication mode we had in MOSS 2007 BDC. The other 2 relates to SSO. Now that we have Secure Store Service Application, we can use “Connect with Impersonated Windows Identity” OR if we are using claims token we can use “Connect with Impersonated Custom Identity” [This is my guess at this point in time, will post another blog or update this post when I get a chance to confirm it] types.
This is all good. But what happens in scenarios when we are required to use “RevertToSelf” authentication mode???
The BCS architecture still supports it, but unfortunately, it is not available to us in this initial screen. If the authentication mode isn’t set to “RevertToSelf” in scenarios where users who don’t have specific object or metadata store permissions, we would see errors like: “Login failed for user "NT AUTHORITY\ANONYMOUS LOGON" while browsing to external list.”
Below are steps we need to follow to get this corrected!
1. We have to first enable BCS model to accept “RevertToSelf” as one of the authentication modes. Yes, it’s disabled by default. We can do this using SharePoint 2010 Management Console.
2. As shown from the above commands, the “ReverToSelfAllowed” property is set to false by default. We can now change it to true.
3. Now, we can set RevertToSelf authentication mode in our external content type. To do this, open the external content type in SPD2010, click the external system name against “External System” property in the “External Content Type Information” section. And change the “Authentication Mode” property to “BDC Identity” as shown in Screen2.
Note that the “BDC Identity” option would still be available even if we don’t enable revert to self in the BCS service application. However, when we use it without setting revert to self to true, we’ll see an error shown in Screen3.
Hope this was helpful! Stay tuned for more learning notes on BCS in SharePoint 2010.