Summit 7 Team Blogs

Anonymous Users Need Love (or data), Too

When I’m logged into a site sometimes I stare at the page

and in the back of my mind I hear my conscience rage

Telling me I need some data that I just don’t see

For the first time I wonder just how can it be

Okay, so I’m not LL Cool J and no one wants to hear me rap, but recently I was presented with a need to share external content through SharePoint to anonymous users. Sounds simple, right? Turns out, not so much.

First, we had to set up a site that had anonymous access. That’s the easy part!

Next, set up an account that can manage the Metadata Store permissions in the Business Connectivity Service Application.

  1. Go to Central Admin
  2. Manage Service Applications
  3. Click beside the Business Data Connectivity Service Application
  4. Click Manage
  5. Click on “Set Metadata Store Permissions”
  6. Add the account
  7. Give it ALL permissions

This was a simple SQL database table that needed to be viewed, so we used SharePoint Designer 2010 to create the external content type.

  1. Open the Site
  2. Click on External Content Types
  3. Click New External Content Type
  4. Name the content type
  5. Click on “Click here to discover external data sources and define operations”
  6. Click Add Connection
  7. Select SQL Server and then click OK
  8. Enter the database server, the database name, and select connect with user’s identity (make sure the user actually does have access to the database, at least as “datareader”) and then click OK
  9. Expand the data source
  10. Select the table you will be using and then right-click on it to create the operations (since this was going to an anonymous site, we only wanted read item and read list)
  11. Save the connection and the External Content Type (ECT)

Since this was going to be anonymous access, we had to set up the ECT to be able to read no matter who was logged on. So we decided to use Revert To Self in the connection. What this means is that the connection will be made with the credentials from the account used as the application pool identity. You will have to make sure this account has permissions to the database you are connecting to as well. This is really the only method I’ve found that will allow anonymous users access in any manner. Don’t worry, you can set permissions on the data in the service application after you have created the ECT.

  1. Go back to the External Content Types gallery in SPD2010
  2. Click on your new ECT
  3. Click Edit Connection Properties.
  4. Change the Default Authentication Mode to BDC Identity

You will probably get a warning that you cannot set it up this way unless you have turned on the ability to use Revert To Self. If you haven’t, open PowerShell and run these commands. In SP2010, Revert To Self is disabled by default for security reasons; however, you will need it for anonymous users to be able to read external data.

# Find the BDC service application and allow Revert To Self (disabled by default in SP2010)
$bcsapp = Get-SPServiceApplication | where {$_ -match "Business Data Connectivity Service"}
$bcsapp.RevertToSelfAllowed = $true
$bcsapp.Update()   # persist the change to the service application

Next, you will need to set permissions on the new ECT you have created.

  1. Go to Central Admin
  2. Manage Service Applications
  3. Manage Business Connectivity Service
  4. Select External Content Types in the drop down
  5. Select the ECT by checking the box next to it
  6. Click Set Object Permissions
  7. Type NT AUTHORITY\ANONYMOUS LOGON and then click Add
  8. Give execute permissions (this is all you can give to anonymous users, anyway!)

Now you can create your external list

  1. Go to the site
  2. Create a list by clicking on Site Actions and create External List (if that is not there, you will need to turn on the Team Collaboration Lists feature)
  3. Name your list
  4. Select whether or not to display on quick launch (your choice)
  5. Select your ECT
  6. Click Create
  7. View the data. If the ECT is set up correctly, you will see data, since you are a logged-in user.

I followed these steps; however, every time I went to the list it either logged me in or prompted for credentials. How do I truly get an anonymous user access? After a bit of testing I discovered that I could create a DVWP with this list and view the data as an anonymous user. So what was the issue?

Well, turns out I was working in a publishing site, as you might have guessed by the second step in creating the external list. In SharePoint 2010 the publishing site comes with the ViewFormPagesLockdown feature activated as well as all sorts of other security features to prevent anonymous users from seeing things they shouldn’t. Since this was truly a public facing site, I could not turn off this feature.

If you run into this same issue, just create a page and add a DVWP web part to the page to be able to view it anonymously. It works, I promise.
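Added example, not part of the original post: a read-only PowerShell check that reports the settings this walkthrough depends on, namely whether Revert To Self is allowed, which application pool account the external list will use against SQL Server (the account whose database rights should stay at read-only), the root web's anonymous state, and whether ViewFormPagesLockdown is active. The site URL and the function name Get-AnonymousBcsPosture are assumptions for illustration.

```powershell
# Added example (not the author's code). Run from the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://www.example.com"   # placeholder: the anonymous publishing site

function Get-AnonymousBcsPosture {    # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Url)

    # Same lookup the post uses to find the BDC service application.
    $bcsapp = Get-SPServiceApplication |
        Where-Object { $_ -match "Business Data Connectivity Service" }

    $site = Get-SPSite $Url
    try {
        # With Revert To Self, the database sees this web application's
        # application pool identity, not the visiting user.
        $webApp = $site.WebApplication

        # Returned only when the lockdown feature is active on the site collection.
        $lockdown = Get-SPFeature -Site $Url |
            Where-Object { $_.DisplayName -eq "ViewFormPagesLockdown" }

        New-Object PSObject -Property @{
            # One value per matching service application (PowerShell 2.0 safe).
            RevertToSelfAllowed   = @($bcsapp | ForEach-Object { $_.RevertToSelfAllowed })
            ConnectsToSqlAs       = $webApp.ApplicationPool.Username
            AnonymousState        = $site.RootWeb.AnonymousState
            ViewFormPagesLockdown = [bool]$lockdown
        }
    }
    finally {
        # Disposing the site also releases its RootWeb.
        $site.Dispose()
    }
}

Get-AnonymousBcsPosture -Url $siteUrl | Format-List
```

The account shown in ConnectsToSqlAs is the one to review on the SQL Server side, since every anonymous request for the external list reaches the database under that identity.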

This post is cross-posted from here.


The sample scripts are not supported under any Summit 7 Systems standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Summit 7 Systems further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Summit 7 Systems, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Summit 7 Systems has been advised of the possibility of such damages.

About Lori Gowin