BCS: Login failed for user ‘NT AUTHORITYIUSR’


Following my previous post, I just ran into another issue recently that I though I’ll write a post on so that it helps the community.

So I created an external content type to perform CRUD operations against a test table in a test database.  Saved that ECT (and so the model) to the BCS service application on my SharePoint 2013 server.  Assigned permissions to “All Users (Windows)” (NT Authority\Authenticated Users) with Execute permissions on metadata store (something that should not be done on live environments but secured store must be leveraged, but since this is a test environment… I took this liberty).  Created an external list and browsed to it.  And I was greeted with the below error.

image

I had setup this ECT to use “User’s Identity” (PassThrough) authentication and since metadata store permissions for “NT Authority\Authenticated Users” granted execute permissions I really wasn’t expecting this particular error.

After reviewing IISRESETs, reviewing ULS logs and bit of probing, I stumbled upon this KB article: SharePoint impersonates the IUSR account and is denied access to resources.  Perfectly matches my scenario!

I went ahead and set the value for aspnet:AllowAnonymousImpersonation to false in the web.config file of the web application where I had the external list as mentioned in the KB article and (I did not do an IISRESET after this change but it is recommended) that fixed the issue!

image

Hope this helps someone out there who’s trying out the same or similar thing and running into “Login failed for user ‘NT AUTHORITY\IUSR’.’.” error.  I’d recommend this web.config change for other scenarios too where a seemingly straight-forward service call would fail with a similar error.

Comments (10)

  1. Great says:

    Thanks man, you saved my time!

  2. John says:

    You're the best! :*

  3. Tushar says:

    Hey Dude,

    This worked for me….Its really nice article…

    Thanks

  4. Joeprakash says:

    Is there no other impact on the SharePoint site if we set it to false?

  5. sridhara says:

    Joeprakash,

    I have personally not tested this against every single feature and installation/configurations of SharePoint so I can't comment on that.

    However, if you run into some other issue setting this web.config entry and isolated that problem is due to this web.config entry, please feel free to comment back and I'll try and take a look.

    Regards!

  6. Ravivarma says:

    It worked for me…Thanks!!!

  7. SumanGupta says:

    it worked fantastic…. Thank you so much

  8. Suresh Swathi says:

    Thank You dude its Worked for me

  9. Ujjwal Patel says:

    This has been always helpful for me….Cheers Sridhar !

  10. Roberto Vasquez says:

    It worked for me!  Thank you for the article