BCS: Login failed for user ‘NT AUTHORITY\IUSR’

Following my previous post, I recently ran into another issue that I thought I’d write up so that it helps the community.

So I created an external content type to perform CRUD operations against a test table in a test database. I saved that ECT (and so the model) to the BCS service application on my SharePoint 2013 server. I assigned Execute permissions on the metadata store to “All Users (Windows)” (NT Authority\Authenticated Users). This should not be done in live environments, where the Secure Store must be leveraged instead, but since this is a test environment I took this liberty. I then created an external list and browsed to it, and I was greeted with the below error.


I had set up this ECT to use “User’s Identity” (PassThrough) authentication, and since the metadata store permissions granted Execute to “NT Authority\Authenticated Users”, I really wasn’t expecting this particular error.

After reviewing IISRESETs, reviewing ULS logs and a bit of probing, I stumbled upon this KB article: “SharePoint impersonates the IUSR account and is denied access to resources”. It perfectly matches my scenario!

As mentioned in the KB article, I went ahead and set the value of aspnet:AllowAnonymousImpersonation to false in the web.config file of the web application where I had the external list, and that fixed the issue! (I did not do an IISRESET after this change, but it is recommended.)
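The same change as a script, added here as an example that is not part of the original post or the KB article: it reports the current value of the key and, only when run with `-Apply`, backs up web.config and sets the key to false. The `-WebConfigPath` and `-Apply` parameter names are this example's own, and the path you pass is whatever web.config belongs to the web application hosting the external list.

```powershell
# Added example (not from the original post). Parameter names are hypothetical.
param(
    [Parameter(Mandatory = $true)]
    [string]$WebConfigPath,   # web.config of the web application hosting the external list
    [switch]$Apply            # without -Apply the script only reports the current value
)

$key = 'aspnet:AllowAnonymousImpersonation'

if (-not (Test-Path -LiteralPath $WebConfigPath)) {
    throw "web.config not found: $WebConfigPath"
}
$fullPath = (Resolve-Path -LiteralPath $WebConfigPath).ProviderPath

# Load with whitespace preserved so saving does not reformat the whole file.
$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true
$doc.Load($fullPath)

$appSettings = $doc.SelectSingleNode('/configuration/appSettings')
if ($null -eq $appSettings) {
    throw "No <appSettings> element in $fullPath"
}

$node = $appSettings.SelectSingleNode("add[@key='$key']")
$current = if ($node) { $node.GetAttribute('value') } else { '<not set>' }
Write-Output "$key is currently: $current"

if (-not $Apply) { return }
if ($current -eq 'false') { Write-Output 'No change needed.'; return }

# Keep a timestamped copy so the change can be rolled back.
$backup = "$fullPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -LiteralPath $fullPath -Destination $backup

if (-not $node) {
    # Key is absent: create <add key="..." value="false" /> under <appSettings>.
    $node = $doc.CreateElement('add')
    $node.SetAttribute('key', $key)
    [void]$appSettings.AppendChild($node)
}
$node.SetAttribute('value', 'false')
$doc.Save($fullPath)
Write-Output "Set $key to false (backup: $backup). An IISRESET afterwards is recommended."
```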


Hope this helps someone out there who’s trying out the same or a similar thing and running into the “Login failed for user ‘NT AUTHORITY\IUSR’” error. I’d recommend this web.config change for other scenarios too, where a seemingly straightforward service call would fail with a similar error.