Problems with anonymous access for External Lists using Publishing Feature

While setting up external lists on a SharePoint 2013 site collection for anonymous access, we came across a problem. We started the configuration of the External Content Type as explained in many blogs (Thanks Prashanth):

1. Create the External Content Type in SharePoint Designer
2. Give Execute permissions to a specific user (e.g. Max Mustermann) for the External Content Type, the BDC Model and the External System via Central Administration.
4. Export the External Content Type from SharePoint Designer. (There is an option to export the External Content Type from Central Administration as well, but it doesn't export all the details. You have to use the export function of SharePoint Designer.)
5. Open the exported bdcm file in a text editor. The exported file includes <AccessControlEntry> elements that specify what rights an individual user or group has to the External Content Type. Adding users to the BCS permissions via Central Administration creates additional entries in the XML of the model. Look for <AccessControlList> entries in the whole document and replace the entries that were created for Max Mustermann with the following:

Before:
<AccessControlEntry Principal="domain\max.mustermann">
  <Right BdcRight="Execute" />
</AccessControlEntry>

After:
<AccessControlEntry Principal="NT Authority\Anonymous Logon">
  <Right BdcRight="Execute" />
</AccessControlEntry>

6. Save the file and go back to Central Administration.
7. Delete the External Content Type and the connected bdcm model and external system from the Business Data Connectivity service.

8. Import the bdcm file into Central Administration with permissions.
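
The principal replacement from step 5, scripted in PowerShell as an added example (not code from the original post). The inline model is a constructed sample, and the closing report lists every right the anonymous principal ends up with, because the swap carries over whatever rights the placeholder user held.

```powershell
# Constructed sample standing in for an exported .bdcm file (not a real export).
# For a real export: [xml]$model = Get-Content -Raw <path to the exported file>
[xml]$model = @'
<Model xmlns="http://schemas.microsoft.com/windows/2007/BusinessDataCatalog" Name="SampleModel">
  <AccessControlList>
    <AccessControlEntry Principal="domain\max.mustermann">
      <Right BdcRight="Execute" />
    </AccessControlEntry>
  </AccessControlList>
  <LobSystems>
    <LobSystem Name="SampleSystem" Type="Database">
      <AccessControlList>
        <AccessControlEntry Principal="domain\max.mustermann">
          <Right BdcRight="Edit" />
          <Right BdcRight="Execute" />
        </AccessControlEntry>
      </AccessControlList>
    </LobSystem>
  </LobSystems>
</Model>
'@

$placeholder = 'domain\max.mustermann'          # user granted rights in step 2
$anonymous   = 'NT Authority\Anonymous Logon'

# local-name() matches the elements without registering the model's namespace.
$entries = @($model.SelectNodes("//*[local-name()='AccessControlEntry']"))
foreach ($ace in $entries) {
    if ($ace.GetAttribute('Principal') -ieq $placeholder) {
        $ace.SetAttribute('Principal', $anonymous)
    }
}

# List every right the anonymous principal now holds and flag anything beyond Execute.
$report = foreach ($ace in $entries) {
    if ($ace.GetAttribute('Principal') -ine $anonymous) { continue }
    $owner = $ace.ParentNode.ParentNode   # element that owns the AccessControlList
    foreach ($right in $ace.SelectNodes("*[local-name()='Right']")) {
        [pscustomobject]@{
            Element  = $owner.LocalName
            Name     = $owner.GetAttribute('Name')
            BdcRight = $right.GetAttribute('BdcRight')
            Review   = $right.GetAttribute('BdcRight') -ne 'Execute'
        }
    }
}
$report | Format-Table -AutoSize
```

In the constructed sample the report marks the Edit right on the LobSystem for review, since only Execute is meant to reach anonymous users.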

We noticed that this scenario worked on most of our SharePoint servers, but not on every server. It took me a while to find out what the difference between the server configurations was. At first I found out that it doesn't work on the servers where the SharePoint Publishing Feature is enabled. But it didn't help to just disable the feature. After some googling I found the solution (Thanks Russ). There is a hidden feature named ViewFormPagesLockDown, which, if enabled, prevents anonymous users from accessing certain areas of a site collection.

9. You can disable it via PowerShell.

$lockdown = Get-SPFeature viewformpageslockdown
Disable-SPFeature $lockdown -Url https://sitecollection

After disabling the feature via PowerShell, anonymous users were able to access my external list.

And if the list still isn't loading, check if the anonymous users have permissions on the root site collection to see the rendering templates, or just change the rendering mode of the list to server-side rendering.
