SharePoint External Content Type

Jun 25, 2012 at 7:55 PM

I have created a model in SQL Server 2012 MDS.

I have deployed the MDS Data Sample Web site and generated a web service for the model.

I have created an External Content Type in SharePoint 2010 and also an External List.

The account used to access the external list has full access in MDS.

When I try to "getall" page I get "Access is denied."

Help, please!

Using Service Trace Viewer, I found this error in the log:

Server stack trace:
System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown
[0]:
System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
Microsoft.Samples.MDS.CustomAppUtilities.MdsWebService.IService.MetadataGet(MetadataGetRequest request)
Microsoft.Samples.MDS.CustomAppUtilities.MdsWebService.ServiceClient.Microsoft.Samples.MDS.CustomAppUtilities.MdsWebService.IService.MetadataGet(MetadataGetRequest request)
Microsoft.Samples.MDS.CustomAppUtilities.MdsWebService.ServiceClient.MetadataGet(International International, MetadataResultOptions ResultOptions, MetadataSearchCriteria SearchCriteria, OperationResult& OperationResult)
Microsoft.Samples.MDS.CustomAppUtilities.ServiceClientExtensions.GetModelVersions(ServiceClient client, Guid modelId)
Microsoft.Samples.MDS.CustomAppUtilities.MDSEntityCRUDOperations.GetVersionByPolicy(ServiceClient client, VersionPolicy policy, String versionData, Guid modelId)
Microsoft.Samples.MDS.CustomAppUtilities.MDSEntityCRUDOperations.GetVersionByPolicy(ServiceClient client, Type t, Guid modelId)
MDSData.MDEP.ModelDataService.get_versionId() in c:\inetpub\wwwroot\MDSData\Services\MDEP.cs:line 92
MDSData.MDEP.ModelDataService.Partner_GetAll(Int32 skip, Int32 top, String orderBy) in c:\inetpub\wwwroot\MDSData\Services\MDEP.cs:line 220
SyncInvokePartner_GetAll(Object , Object[] , Object[] )
System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc)
System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)

ALSO IN MDS log

</MetadataGetRequest>
    DateTime=2012-06-25T19:49:24.3024334Z
MDS Verbose: 0 : Successfully obtained the current Windows principal from the host context.
    DateTime=2012-06-25T19:49:24.3024334Z
MDS Information: 0 : Successfully obtained the current windows identity: Name=NT AUTHORITY\IUSR, SID=S-1-5-17 from the windows principal.
    DateTime=2012-06-25T19:49:24.3024334Z
MDS Information: 0 : Session support is enabled for the current request for user NT AUTHORITY\IUSR.
    DateTime=2012-06-25T19:49:24.3024334Z
MDS Information: 0 : MDS user information needs to be refreshed for user NT AUTHORITY\IUSR.
    DateTime=2012-06-25T19:49:24.3024334Z
MDS Verbose: 0 : Principal NT AUTHORITY\IUSR is not a member of group EPC\MDSAdministrators according to the external security directory.
    DateTime=2012-06-25T19:49:24.3180330Z
MDS Information: 0 : Principal name NT AUTHORITY\IUSR was parsed into domain name NT AUTHORITY and account name IUSR.
    DateTime=2012-06-25T19:49:24.3180330Z
MDS Information: 0 : No domain is specified. Attempting to get a global catalog searcher.
    DateTime=2012-06-25T19:49:24.3180330Z
MDS Information: 0 : Principal IUSR was NOT found by directory searcher.
    DateTime=2012-06-25T19:49:24.5676266Z
MDS Warning: 0 : Information for principal NT AUTHORITY\IUSR could not be obtained from the external security directory. Ensure the account is valid and the MDS service account has permissions to query Active Directory and/or the local SAM database.
    DateTime=2012-06-25T19:49:24.5676266Z
MDS Error: 0 : Access denied. No MDS user exists for NT AUTHORITY\IUSR and no group memberships permit the user access.
    DateTime=2012-06-25T19:49:24.5676266Z
MDS Verbose: 0 : Response message:
<MetadataGetResponse xmlns="http://schemas.datacontract.org/2004/07/Microsoft.MasterDataServices.Services.MessageContracts" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
  <OperationResult xmlns:a="http://schemas.microsoft.com/sqlserver/masterdataservices/2009/09">
    <a:Errors />
    <a:RequestId>5b6d9c67-7357-403d-a097-e4284490d29b</a:RequestId>
  </OperationResult>
  <Metadata xmlns:a="http://schemas.microsoft.com/sqlserver/masterdataservices/2009/09">
    <a:AttributeGroups />
    <a:Attributes />
    <a:DerivedHierarchies />
    <a:DerivedHierarchyLevels />
    <a:Entities />
    <a:ExplicitHierarchies />
    <a:MemberTypes />
    <a:Models />
    <a:VersionFlags />
    <a:Versions />
  </Metadata>
</MetadataGetResponse>
    DateTime=2012-06-25T19:49:24.5676266Z
MDS Critical: 0 : Services threw an unhandled exception!
System.ServiceModel.FaultException: Access is denied.
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
   at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
    DateTime=2012-06-25T19:49:24.5832262Z

Coordinator
Jun 26, 2012 at 2:22 AM

What identity is the application pool running the generated web services under? Sounds like it’s the low-privilege IUSR account. Try changing it to the same account that the MDS web site app pool runs under.

David

Jun 26, 2012 at 7:20 AM

Thank you for the answer.

I have changed the app pool running the generated web service to the one the MDS web site runs under. I got exactly the same errors!

Checked w3wp.exe. It runs with the right identity.

What can I do?

Is there a way to use the same identity that calls the generated web service to call the MDS services?

Coordinator
Jun 26, 2012 at 12:00 PM

Ok.

My next guess is that you have the web services impersonating the caller, and that's the IUSR account. You can either turn off impersonation so that the call to MDS is made by the App Pool identity of the web service.

  <system.web>
    <identity impersonate="false" />
  </system.web>

Or configure BCS to connect using a different account.

Business Connectivity Services security overview (SharePoint Server 2010)

http://technet.microsoft.com/en-us/library/ee661743.aspx

David
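
After each change to the app pool identity or the impersonation setting, the MDS trace log shows which identity actually reached MDS; in the log quoted in the question it is NT AUTHORITY\IUSR (SID S-1-5-17). The Python below is an added example, not part of the original thread: it reads that identity and any access-denied entries out of a log in the quoted format. The function name `triage` and the SID table are assumptions of this example; the sample lines are copied from the log in the question.

```python
import re

# Well-known Windows SIDs that mean no real caller was authenticated.
ANONYMOUS_SIDS = {"S-1-5-17": "IUSR (IIS anonymous)", "S-1-5-7": "Anonymous Logon"}

ENTRY = re.compile(r"^MDS \w+: \d+ : (?P<msg>.*)$")
STAMP = re.compile(r"^\s+DateTime=(?P<ts>\S+)$")
IDENTITY = re.compile(r"windows identity: Name=(?P<name>.+?), SID=(?P<sid>S-[\d-]+)")
DENIED = re.compile(r"Access denied\. No MDS user exists for (?P<name>.+?) and no group")

# Sample input: lines copied from the MDS log quoted in the question.
SAMPLE = "\n".join([
    "MDS Verbose: 0 : Successfully obtained the current Windows principal from the host context.",
    "    DateTime=2012-06-25T19:49:24.3024334Z",
    "MDS Information: 0 : Successfully obtained the current windows identity: "
    "Name=NT AUTHORITY\\IUSR, SID=S-1-5-17 from the windows principal.",
    "    DateTime=2012-06-25T19:49:24.3024334Z",
    "MDS Error: 0 : Access denied. No MDS user exists for NT AUTHORITY\\IUSR "
    "and no group memberships permit the user access.",
    "    DateTime=2012-06-25T19:49:24.5676266Z",
])


def triage(log_text):
    """Return (identities, denials) found in an MDS trace log (hypothetical helper)."""
    identities, denials, pending = [], [], None
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry:
            found = IDENTITY.search(entry["msg"])
            denied = DENIED.search(entry["msg"])
            pending = None
            if found:
                pending = {"name": found["name"], "sid": found["sid"],
                           "anonymous": ANONYMOUS_SIDS.get(found["sid"])}
                identities.append(pending)
            elif denied:
                pending = {"name": denied["name"]}
                denials.append(pending)
            continue
        stamp = STAMP.match(line)
        if stamp and pending is not None:
            # In this log format the DateTime line follows the entry it belongs to.
            pending["time"] = stamp["ts"]
            pending = None
    return identities, denials


if __name__ == "__main__":
    for ident in triage(SAMPLE)[0]:
        print(ident["time"], ident["name"], ident["sid"], ident["anonymous"] or "named account")
```

If the identity line still shows an anonymous SID after the configuration change, the call to MDS is not being made under the app pool account or the BCS-configured account.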