SharePoint External Content Type

Jun 25, 2012 at 8:55 PM

I have created a model in SQL Server 2012 MDS.

I have deployed the MDS Data Sample Web site and generated a web service for the model.

I have created an External Content Type in SharePoint 2010 and also an External List.

The account used to access the external list has full access in MDS.

When I try to "getall" page I get "Access is denied."

Help, please!

Using Service Trace Viewer, I found this error in the log:

Server stack trace:
System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown
System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
Microsoft.Samples.MDS.CustomAppUtilities.MdsWebService.IService.MetadataGet(MetadataGetRequest request)
Microsoft.Samples.MDS.CustomAppUtilities.MdsWebService.ServiceClient.Microsoft.Samples.MDS.CustomAppUtilities.MdsWebService.IService.MetadataGet(MetadataGetRequest request)
Microsoft.Samples.MDS.CustomAppUtilities.MdsWebService.ServiceClient.MetadataGet(International International, MetadataResultOptions ResultOptions, MetadataSearchCriteria SearchCriteria, OperationResult& OperationResult)
Microsoft.Samples.MDS.CustomAppUtilities.ServiceClientExtensions.GetModelVersions(ServiceClient client, Guid modelId)
Microsoft.Samples.MDS.CustomAppUtilities.MDSEntityCRUDOperations.GetVersionByPolicy(ServiceClient client, VersionPolicy policy, String versionData, Guid modelId)
Microsoft.Samples.MDS.CustomAppUtilities.MDSEntityCRUDOperations.GetVersionByPolicy(ServiceClient client, Type t, Guid modelId)
MDSData.MDEP.ModelDataService.get_versionId() in c:\inetpub\wwwroot\MDSData\Services\MDEP.cs:line 92
MDSData.MDEP.ModelDataService.Partner_GetAll(Int32 skip, Int32 top, String orderBy) in c:\inetpub\wwwroot\MDSData\Services\MDEP.cs:line 220
SyncInvokePartner_GetAll(Object , Object[] , Object[] )
System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc)
System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)


MDS Verbose: 0 : Successfully obtained the current Windows principal from the host context.
MDS Information: 0 : Successfully obtained the current windows identity: Name=NT AUTHORITY\IUSR, SID=S-1-5-17 from the windows principal.
MDS Information: 0 : Session support is enabled for the current request for user NT AUTHORITY\IUSR.
MDS Information: 0 : MDS user information needs to be refreshed for user NT AUTHORITY\IUSR.
MDS Verbose: 0 : Principal NT AUTHORITY\IUSR is not a member of group EPC\MDSAdministrators according to the external security directory.
MDS Information: 0 : Principal name NT AUTHORITY\IUSR was parsed into domain name NT AUTHORITY and account name IUSR.
MDS Information: 0 : No domain is specified. Attempting to get a global catalog searcher.
MDS Information: 0 : Principal IUSR was NOT found by directory searcher.
MDS Warning: 0 : Information for principal NT AUTHORITY\IUSR could not be obtained from the external security directory. Ensure the account is valid and the MDS service account has permissions to query Active Directory and/or the local SAM database.
MDS Error: 0 : Access denied. No MDS user exists for NT AUTHORITY\IUSR and no group memberships permit the user access.
MDS Verbose: 0 : Response message:
<MetadataGetResponse xmlns="" xmlns:i="">
  <OperationResult xmlns:a="">
    <a:Errors />
  <Metadata xmlns:a="">
    <a:AttributeGroups />
    <a:Attributes />
    <a:DerivedHierarchies />
    <a:DerivedHierarchyLevels />
    <a:Entities />
    <a:ExplicitHierarchies />
    <a:MemberTypes />
    <a:Models />
    <a:VersionFlags />
    <a:Versions />
MDS Critical: 0 : Services threw an unhandled exception!
System.ServiceModel.FaultException: Access is denied.
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
   at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)



Jun 26, 2012 at 3:22 AM


What identity is the application pool running the generated web services using? Sounds like it’s the low-privilege IUSR account. Try changing it to the same account that the MDS web site app pool runs under.



Jun 26, 2012 at 8:20 AM

Thank you for the answer.

I have changed the app pool running the generated web service to the one the MDS web site runs under. I got exactly the same errors!

Checked w3wp.exe. It runs with the right identity.

What can I do?

Is there a way to use the same identity that calls the generated web service to call MDS services?

Jun 26, 2012 at 1:00 PM


My next guess is that you have the web services impersonating the caller, and that's the IUSR account. You can either turn off impersonation so that the call to MDS is made by the App Pool identity of the web service.


    <identity impersonate="false" />

Or configure BCS to connect using a different account.

Business Connectivity Services security overview (SharePoint Server 2010)
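
Added example, not part of the original thread: a small Python triage of MDS trace lines like the ones posted above, pairing each "Access denied" entry with the identity MDS resolved and flagging well-known built-in SIDs such as S-1-5-17 (IUSR). The function name, the hint wording, and the second sample principal and its SID are constructed for illustration.

```python
import re

# Well-known SIDs of built-in Windows accounts; none of them is a named MDS user.
BUILTIN_SIDS = {
    "S-1-5-7": "ANONYMOUS LOGON",
    "S-1-5-17": "IUSR (IIS anonymous user)",
    "S-1-5-18": "LOCAL SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
}

IDENTITY_RE = re.compile(
    r"current windows identity: Name=(?P<name>.+?), SID=(?P<sid>S-[\d-]+)", re.I)
DENIED_RE = re.compile(
    r"Access denied\. No MDS user exists for (?P<name>.+?) and no group")

# Sample trace: the first two lines are from the thread, the last two are constructed.
SAMPLE_TRACE = [
    r"MDS Information: 0 : Successfully obtained the current windows identity: "
    r"Name=NT AUTHORITY\IUSR, SID=S-1-5-17 from the windows principal.",
    r"MDS Error: 0 : Access denied. No MDS user exists for NT AUTHORITY\IUSR "
    r"and no group memberships permit the user access.",
    r"MDS Information: 0 : Successfully obtained the current windows identity: "
    r"Name=EXAMPLE\jdoe, SID=S-1-5-21-1111111111-2222222222-3333333333-1105 "
    r"from the windows principal.",
    r"MDS Error: 0 : Access denied. No MDS user exists for EXAMPLE\jdoe "
    r"and no group memberships permit the user access.",
]

def triage(trace_lines):
    """Return one finding per 'Access denied' line, with the identity MDS saw."""
    findings, last = [], None
    for line in trace_lines:
        ident = IDENTITY_RE.search(line)
        if ident:
            last = (ident["name"], ident["sid"])  # remember the latest identity
            continue
        denied = DENIED_RE.search(line)
        if not denied:
            continue
        name = denied["name"]
        sid = last[1] if last and last[0].lower() == name.lower() else None
        builtin = BUILTIN_SIDS.get(sid)
        hint = ("caller identity did not reach MDS; review anonymous "
                "authentication, impersonation and the BCS connection account"
                if builtin else
                "account reached MDS but has no MDS user or group permission")
        findings.append({"principal": name, "sid": sid,
                         "builtin": builtin, "hint": hint})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_TRACE):
        print(finding)
```

A built-in SID in the finding means the permissions granted to the intended account in MDS are never evaluated, which matches the symptom reported in this thread.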