Make BDC work with FBA



Making BDC (Business Data Catalog) work with FBA (Forms Based Authentication) requires a bit of work.  If you have an FBA site, drag and drop a BDC web part onto it and point it at a BDC entity, you might see the error below:




There are no Business Data Types loaded in the Catalog.




This is because the site that’s using forms based authentication is not able to communicate with the BDC, which expects NTLM credentials.  You need to follow the steps below to make BDC work on a site that uses forms based authentication:




1. First extend the default Shared Services provider to another zone.


2. Configure the other zone to use FBA.


3. Assign a forms based authenticated user as secondary site administrator for the Shared Services provider.


4. Grant this forms based authenticated user privileges on BDC.


5. You should be able to make BDC work by setting the AuthenticationMode to either RdbCredentials or RevertToSelf (provided Anonymous access is enabled in the site).
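As an added illustration (not part of the original post or of the Microsoft sample file), this is the LobSystemInstance section of an AdventureWorksDW application definition with the AuthenticationMode from step 5 set to RevertToSelf; the server name SQLSERVER is a placeholder, the entities of the sample are elided, and the RdbCredentials alternative is shown in a comment.

```xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!-- Constructed example: only the LobSystemInstance section of the AdventureWorksDW
     sample definition is shown; the Entities and Methods of the sample are unchanged.
     SQLSERVER is a placeholder for your database server. -->
<LobSystem xmlns="http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog"
           Type="Database" Version="1.0.0.0" Name="AdventureWorksDW">
  <Properties>
    <Property Name="WildcardCharacter" Type="System.String">%</Property>
  </Properties>
  <LobSystemInstances>
    <LobSystemInstance Name="AdventureWorksDWInstance">
      <Properties>
        <!-- RevertToSelf: the BDC connects to SQL Server as the application pool
             identity of the web application, whichever FBA user (or anonymous
             user) is browsing. Every site user therefore shares that identity,
             so grant it only read rights on the tables the entities query. -->
        <Property Name="AuthenticationMode" Type="System.String">RevertToSelf</Property>
        <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
        <Property Name="RdbConnection Data Source" Type="System.String">SQLSERVER</Property>
        <Property Name="RdbConnection Initial Catalog" Type="System.String">AdventureWorksDW</Property>
        <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
        <Property Name="RdbConnection Pooling" Type="System.String">false</Property>
        <!-- RdbCredentials alternative: replace the AuthenticationMode and the
             Integrated Security property above with the three properties below,
             so that the SQL login is read from the Single Sign-On application
             named in SsoApplicationId instead of the application pool identity:
        <Property Name="AuthenticationMode" Type="System.String">RdbCredentials</Property>
        <Property Name="SsoApplicationId" Type="System.String">AdventureWorksDW</Property>
        <Property Name="SsoProviderImplementation" Type="System.String">Microsoft.SharePoint.Portal.SingleSignon.SpsSsoProvider, Microsoft.SharePoint.Portal.SingleSignon, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c</Property>
        -->
      </Properties>
    </LobSystemInstance>
  </LobSystemInstances>
  <Entities>
    <!-- ... entities and methods from the sample definition file ... -->
  </Entities>
</LobSystem>
```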




That is the procedure in a nutshell.  If, like me, you need a walk-through of the above, see the section below.  I used the sample BDC application definition file for the AdventureWorksDW SQL Server 2005 database, available here.  The BDC application definition file for the AdventureWorks SQL Server 2000 database is available here.




Just in case you don’t have the sample AdventureWorks database(s) and would like to install them to get your hands dirty with BDC, you can download and install them from the links below:




AdventureWorks2000


AdventureWorks2005




The database sample provided for SQL Server 2005 is a little confusing, as you will see once you visit the link above.  Just remember that you need to download the sample database named “AdventureWorksBI.msi” or “AdventureWorksBICI.msi” to use with the BDC application definition sample for SQL Server 2005.  If you want to use the BDC application definition sample for SQL Server 2000 against SQL Server 2005, download “AdventureWorksDB.msi” or “AdventureWorksDBCI.msi” instead.  I hope this part is clear.  It is very important, because I’ve seen many customers download the wrong database and run into BIG issues before they even start with BDC.




For people like me, the complete steps are provided below:




1. We first need to extend the default Shared Services provider to another zone, which we will configure to use FBA.  To do this, follow the steps below:


a. Go to *Application Management* in your *SharePoint Central Administration site*.


b. Click *Web application list* and make sure the web application that’s hosting the Shared Services provider is selected.


c. Then choose the *Create or Extend Web Application* option and from the next screen choose *Extend an existing Web application*.


d. From the next screen make sure your default Shared Services provider web application is selected in the *Web Application* dropdown.


e. Change the port number and leave the rest of the settings at their defaults.


f. In the *Zone* dropdown, choose *Internet* and hit *Ok*.


2. After this is done, open *Windows Explorer* and navigate to the root directory of the newly extended web application.  For example, if the web application is extended on port 200, navigate to C:\Inetpub\wwwroot\wss\VirtualDirectories\200\.


3. Open the *web.config* file from this location and add the <connectionString/> data of your FBA authentication provider.  You can pick this up from your original FBA site’s web.config file.


4. After this, choose *Authentication Providers* under the *Application Security* group in SharePoint Central Administration; you should see 2 zones displayed there.


5. Choose the *Internet* zone that we created, change the *Authentication Type* to *Forms* on the next screen and provide your *Membership provider Name*.  For example, if you are testing with the SQL Server membership provider, specify *AspNetSqlMembershipProvider* and hit *Save*.


6. After this, choose the *Site Collection Owners* option under *Application Management* in the Central Administration page.  Make sure the Shared Services provider URL is selected in the *Site Collection* dropdown.


7. Search for any FBA user you might have created against the *Secondary Site Collection Administrator* option; you should be able to resolve the FBA user.  This indicates that the extended Shared Services provider is set up correctly and is using FBA to authenticate users.  Do an IISRESET at this point.


8. Now open the default Shared Services provider web application and choose *Business Data Catalog permissions* under the *Business Data Catalog* section.


9. From the next screen, hit *Add Users/Groups* and type in the FBA-authenticated user; you should be able to resolve it.  Give this user Full Control.


10. Now browse to the extended URL (e.g., http://servername:200/ssp/admin); you should be able to log in using the FBA credentials.


11. You should be able to upload the BDC application definition now.


12. Finally, make sure the FBA web site is using the Shared Services provider you just extended.  Note: the extended web application itself will not be listed; instead, make sure the FBA site is listed under the original Shared Services provider that you extended.


13. After this do an IISRESET, and the BDC should now work.
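As an added example (not the post’s own file), this is the web.config fragment that steps 3 and 5 rely on: the aspnetdb connection string copied from the FBA content site into the extended SSP zone’s web.config, together with the provider entry whose name is typed into the Membership provider Name box. SQLSERVER is a placeholder, and the provider block is only needed if your FBA site defines its own provider rather than relying on the one in machine.config.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed fragment for C:\Inetpub\wwwroot\wss\VirtualDirectories\200\web.config
     (the extended SSP zone). Only the FBA-related elements are shown; merge them
     into the existing sections of the file rather than replacing it.
     SQLSERVER is a placeholder for the server hosting the aspnetdb database. -->
<configuration>
  <connectionStrings>
    <!-- Same name and value as in the FBA content site's web.config. With
         Integrated Security the SSP application pool identity must be a login
         on the aspnetdb database, so it is that account, not the browsing user,
         that reads the membership tables. -->
    <add name="AspNetSqlProvider"
         connectionString="Data Source=SQLSERVER;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <!-- machine.config already registers a provider with this name; without
             the remove, the add below fails with a duplicate-entry configuration
             error and the extended zone will not start. -->
        <remove name="AspNetSqlMembershipProvider" />
        <!-- The name is what step 5 types into the Membership provider Name box
             for the Internet zone. applicationName must equal the value used
             when the FBA users were created, or they will not resolve (step 7). -->
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="AspNetSqlProvider"
             applicationName="/"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="false"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```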




I hope this post is informative and useful.

Comments (17)

  1. I have gotten a number of requests about how to make this work. I’m working on a POC right now where

  2. Roni says:

    Hi, great! did all the above and FBA works fine

    I have one basic important issue that I can’t resolve – anonymous access does not work! I keep getting “you do not have permission…” whenever I log in anonymously.

    The authentication mode is “RevertToSelf” and my application pool identity user is a domain user known to the SQL Server DB and has the proper permissions.

    I just don’t know what to do… please help.

  3. sridhara says:

    Hi Roni,

    Are you saying if you login anonymously, you are not able to add a BDC web part using the entities you’ve loaded?  If that’s the case, then give IUSR_MACHINENAME account read-only privilege on your BDC database.

    Cheers,

    Sri

  4. Farrukh says:

    Hi Sridhara,

    By going through all these steps I have successfully crawled the business data. But in search I am facing the following error:

    "A non-Windows authentication system is in use. Microsoft Single Sign-on service requires Windows authentication."

    I am using RdbCredentials and don’t have any other option.

    Thanks,

    Farrukh

  5. feng says:

    Hi Roni,

    I am having the same problem. Have you found a solution to it?

    Thanks

    Feng

  6. sridhara says:

    Farrukh/Feng,

    You receive this error:

    "A non-Windows authentication system is in use. Microsoft Single Sign-on service requires Windows authentication."

    because the content access account that’s used by search needs to be an NT account.  Unfortunately, this is a limitation.  A workaround in this case would be to extend the web application that you have set up with FBA to use NT authentication.  In that case, search will be performed by an NT account and you shouldn’t see this error.

    Hope that helps!

    cheers,

    Sri

  7. sumit says:

    I have another issue writing an App Def file for my web service… where can I write you for help??

  8. Pallavi says:

    Hi Sri…

    Can you help me with an issue I’m facing while writing an App Def File for my WCF service?

  9. sridhara says:

    Pallavi,

    Sorry, I am not that familiar with WCF yet…! Perhaps you can use this: http://msdn2.microsoft.com/en-us/library/ms733069.aspx.  It, however, talks about hosting a WCF service in a managed Windows service.  Hope this is useful.  There are very few documents available on specific scenarios for WCF.

    Sri

  10. celerity12 says:

    I am not understanding the step 12

    Finally, you should make sure the FBA web site is using the currently extended Shared Services provider.  Note: you will not be able to see the extend web application, however, make sure the FBA site is listed under the original Shared Services provider that you just now extended.

  11. meera says:

    Is it possible to import profiles from aspnetdb (SqlProfileProvider) to BDC and from BDC to MySite in MOSS 2007? Pls suggest

  12. sridhara says:

    Hi Meera,

    Yes it is possible.  The way you go about this would be:

    1. Create a BDC application definition XML that pulls user profile related information.

    2. In your SSP’s user profile settings, create a new import connection with your BDC application as the source.

    3. Map profile properties with the corresponding fields from the source and do a profile import.

    Cheers,

    Sridhar

  13. Ven says:

    Hi Sridhar,

    Even I would like to see some samples of creating BDC XML files for WCF service and consuming them through the Object Model rather than through the Built-In webparts. I did a sample which gives me an error like this.

    {"The Property named ‘LobSystemName’ has an invalid value; this LobSystem does not have a WebServiceProxy registered in the metadata database. "}

    Please help me.

    Ven

  14. memo says:

    Hi Sridhar,

    Thank you for your article. I have done all steps until step 9 without any problem but in step 9 the FBA user (AspNetSqlMembershipProvider:admin) cannot be resolved. Do you have any idea?

    Thank you again.

  15. dcombiths says:

    I’m using MOSS 2007 Enterprise.  The site I’m using to search the BDC is set up using NTLM as the default and extended using FBA.  The search works fine for items within the site.  However, when I try to search the BDC I only get results back when I’m logged in using NTLM.  I already followed this helpful blog.  After crawling the content using FBA in the SSP the total items crawled is 18, however the scope only shows 1 item.  When I crawl the BDC again using NTLM the scope updates to contain all 18 items.

    Any help?