Make BDC work with FBA

Making BDC (Business Data Catalog) work with FBA (Forms-Based Authentication) requires a bit of work. If you have an FBA site, drop a BDC web part onto a page and point it at a BDC entity, you might see the error below:

There are no Business Data Types loaded in the Catalog.

This is because a site that uses forms-based authentication cannot communicate with the BDC, which expects NTLM credentials. Follow the steps below to make BDC work on a site that uses forms-based authentication:

1. First extend the default Shared Service provider to another zone.

2. Configure the other zone to use FBA.

3. Assign a form based authenticated user as secondary site administrator for Shared Service provider.

4. Grant this form based authenticated user privileges on BDC.

5. You should be able to make BDC work by setting the AuthenticationMode to either RdbCredentials or RevertToSelf (provided Anonymous access is enabled in the site).
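A pre-upload check for step 5, as an added example that is not part of the original post: it reads a BDC application definition file and reports the AuthenticationMode of each LobSystemInstance. The function name `audit_adf` and the sample XML are constructed for illustration; the check assumes that RevertToSelf makes the back end see the application pool identity for every FBA user and that RdbCredentials takes its credentials from SSO through an `SsoApplicationId` property.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog"}

# Constructed sample in the shape of a database LobSystem; all names are placeholders.
SAMPLE_ADF = """\
<LobSystem xmlns="http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog"
           Type="Database" Version="1.0.0.0" Name="SampleLob">
  <LobSystemInstances>
    <LobSystemInstance Name="Default"><Properties>
      <Property Name="AuthenticationMode" Type="System.String">PassThrough</Property>
    </Properties></LobSystemInstance>
    <LobSystemInstance Name="AppPool"><Properties>
      <Property Name="AuthenticationMode" Type="System.String">RevertToSelf</Property>
      <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
    </Properties></LobSystemInstance>
    <LobSystemInstance Name="SsoMissing"><Properties>
      <Property Name="AuthenticationMode" Type="System.String">RdbCredentials</Property>
    </Properties></LobSystemInstance>
    <LobSystemInstance Name="SsoOk"><Properties>
      <Property Name="AuthenticationMode" Type="System.String">RdbCredentials</Property>
      <Property Name="SsoApplicationId" Type="System.String">SampleSsoApp</Property>
    </Properties></LobSystemInstance>
  </LobSystemInstances>
</LobSystem>"""


def audit_adf(xml_text):
    """Map each LobSystemInstance name to (AuthenticationMode, verdict)."""
    report = {}
    for inst in ET.fromstring(xml_text).iterfind(".//b:LobSystemInstance", NS):
        props = {p.get("Name"): (p.text or "").strip()
                 for p in inst.iterfind("b:Properties/b:Property", NS)}
        mode = props.get("AuthenticationMode", "")
        if mode == "RevertToSelf":
            # Back end sees one account for every FBA user: scope its rights.
            verdict = "ok: runs as application pool identity"
        elif mode == "RdbCredentials":
            verdict = ("ok: credentials from SSO" if props.get("SsoApplicationId")
                       else "fix: SsoApplicationId missing")
        else:
            verdict = "fix: set RdbCredentials or RevertToSelf for FBA"
        report[inst.get("Name")] = (mode or "(not set)", verdict)
    return report


if __name__ == "__main__":
    for name, (mode, verdict) in audit_adf(SAMPLE_ADF).items():
        print(f"{name:12} {mode:15} {verdict}")
```

With RevertToSelf, database permissions for the application pool account are the only access control the back end applies, so grant that account read access to just the tables the BDC entities use.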

That is the process in a nutshell. If, like me, you need a walk-through, see the section below. I used the sample BDC application definition file for AdventureWorksDW SQL Server 2005 database available here. The BDC application definition file for AdventureWorks SQL Server 2000 database is available here.

In case you don’t have the sample AdventureWorks database(s) and would like to install one to get your hands dirty with BDC, you can download and install it from the links below:

AdventureWorks2000

AdventureWorks2005

The database sample provided for SQL Server 2005 is a little confusing, as you can see once you visit the above link. Just remember that you need to download the sample database named “AdventureWorksBI.msi” or “AdventureWorksBICI.msi” to use with the BDC application definition sample for SQL Server 2005. If you want to use the BDC application definition sample for SQL Server 2000 against SQL Server 2005, you need to download “AdventureWorksDB.msi” or “AdventureWorksDBCI.msi” instead. I hope this part is clear. This is very important because I’ve seen many customers download the wrong database and run into big issues before they even start with BDC.

For people like me, the complete steps are provided below:

1. We first need to extend the default SharedService provider to another zone that we will configure to use FBA. To do this follow the below steps:

a. Go to *Application Management* in your *SharePoint Central Administration site*.

b. Click *Web application list* and make sure the web application that’s hosting SharedService provider is selected.

c. Then choose the *Create or Extend Web Application* option and, from the next screen, choose *Extend an existing Web application*.

d. From the next screen make sure your default SharedService provider web application is selected in the *Web Application* dropdown.

e. Change the port number and leave the rest of the settings at their defaults.

f. In the *Zone* dropdown, choose *Internet* and hit *Ok*.

2. After this is done, open *Windows Explorer* and navigate to the root directory of the newly extended web application. For example, if the port at which the web application is extended is 200, you need to navigate to C:\Inetpub\wwwroot\wss\VirtualDirectories\200\.

3. Open the *web.config* file from this location and add the `<connectionStrings>` entry for your FBA authentication provider. You can copy it from your original FBA site’s web.config file.

4. After this, choose *Authentication Providers* under the *Application Security* group in SharePoint Central Administration and you should see 2 zones displayed there.

5. Choose the *Internet* zone that we created, change the *Authentication Type* to *Forms* on the next screen and provide your *Membership provider Name*. For example, if you are testing with the SQL Server membership provider, you need to specify *AspNetSqlMembershipProvider* and hit *Save*.

6. After this, choose the *Site Collection Owners* option under *Application Management* on the Central Administration page. Make sure the SharedService provider URL is selected in the *Site Collection* dropdown.

7. Search for any FBA users you might have created in the *Secondary Site Collection Administrator* field and you should be able to resolve the FBA user. This indicates that the extended SharedService provider is set up correctly and is also using FBA for authenticating users. Do an IISRESET at this point.

8. Now open the default SharedService provider web application, and choose *Business Data Catalog permissions* under *Business Data Catalog* section.

9. From the next screen, hit *Add Users/Groups* and type in the FBA-authenticated user; you should be able to resolve it. Provide full control for this user.

10. Now, browse to the extended URL (e.g., https://servername:200/ssp/admin) and you should be able to log in using the FBA credentials.

11. You should be able to upload the BDC application definition now.

12. Finally, make sure the FBA web site is using the Shared Services provider you just extended. Note: you will not be able to see the extended web application; instead, make sure the FBA site is listed under the original Shared Services provider that you just extended.

13. After this do an IISRESET and now you should be able to get the BDC working.

I hope this post is informative and useful.