Advancing Productivity and Operational Efficiency through Cloud Services and Apps


Business Connectivity Services

SharePoint 2010 Business Connectivity Services (BCS) – Breakdown of Authentication Modes and other Security Considerations

The Microsoft Business Connectivity Services Team Blog is quickly becoming one of my favorite SharePoint blogs. Their most recent posting, Authenticating to Your External System,  does an excellent job of breaking down the available authentication modes available.

Security is one of the most important things to consider when connecting to external systems using Business Connectivity Services, and this article is a great place to get started. Check it out at:

(BCS) Business Connectivity Services Team Blog

Looking for a good source of technical information on SharePoint 2010 Business Connectivity Services. Check out the Business Connectivity Services Team blog at 

digg_url = “”;digg_title = “(BCS) Business Connectivity Services Team Blog”;digg_bgcolor = “#FFFFFF”;digg_skin = “compact”;digg_url = undefined;digg_title = undefined;digg_bgcolor = undefined;digg_skin = undefined;

BCS External List Error – Cannot Connect to the LobSystems (External System)

There are several good posts out there providing examples and step by step instructions on how to create external content types with SharePoint 2010 BCS. Unfortunately most fail to provide any warnings or guidance around Authentication; which should be, without a doubt, one of the most important things to consider. Most of these examples work flawlessly… until you try to view your external content type with another user account lacking some sort of access to the external system; and you encounter an error that resembles the following: Cannot connect to the LobSystem (External System)

Fortunately, the solution is likely simple… But you’ll have many thing to consider; what kind of access you need to grant to which accounts, do those accounts need to be mapped back to equivalent accounts in the external system, whether or not to map AD groups rather than individual accounts to accounts in the external systems, and many more that will quickly become apparent fairly quickly.

Of course if you are reading this post, you’ve likely ran into the error and are looking for a solution. Unfortunately there isn’t a one size fits all, and I wouldn’t necessarily consider it an error; more of a warning, a heads up, that you may have not thought the whole thing through. This will definitely be a subject upon which many best practices will come to surface. But, while I can’t give you the right solution for your particular scenario (there are many ways to skin this cat;) I should be able to point you in the right direction.

Chances are that if you followed one of the many posts which describe how to do this, you chose “Connect with User’s Identity” when creating your connection.



You’ll quickly come to realize that in most scenarios not all users have direct read or write access to external systems, often times they don’t even use a Windows Identity. Fortunately, our solution (or at least part of it,) is right under our noses:

If you are wondering what the Secure Store Application ID is, it refers the Secure Store Service, which you’ll want to do some reading on. I recommend you start here ( for a short but good description, and follow up here ( for detailed steps on how to set it up.

Essentially, you’ll need to create a Secure Store Service Application of type “Individual” or “Group” with several options for each. An application of type “Individual” will require you to map each user to a unique set of credentials (there is an option to create a page from where users can specify there own credentials.) An application of type “Group” will allow you to map a unique set of credentials to a specific AD Group; I suspect this will be the most common scenario.


You’ll then be prompted to configure the various fields which may be required to provide credentials to the external data source. If the external system uses Windows Authentication, the default ones should work just fine.


Next, you’ll need to specify the administrators and members of the target application (read the description of each carefully)

Finally, select your application and specify the credentials that will be used to connect. The Secure Stored Service Application will use these credentials whenever anybody from the specified group tries to connect to the external system.


Now, reconfigure your connection to use the ID of the Secure Store Application in my case “My Secure Store Application”, perform an IIS Reset, and you are likely done.

If by any chance you are not, and instead you receive: “Access denied by Business Data Connectivity.” You’ll need to go to Central Admin > App Management > Manage Service Applications > Business Data Connectivity; and grant your users access to your External Content Type.


digg_url = “”;digg_title = “BCS External List Error – Cannot Connect to the LobSystems (External System)”;digg_bgcolor = “#FFFFFF”;digg_skin = “compact”;digg_url = undefined;digg_title = undefined;digg_bgcolor = undefined;digg_skin = undefined;

Building Solutions with Business Connectivity Services and VS 2010 – SPC 2009 Session Highlights

The demos on this presentation where moving a little too fast for my taste, would have preferred 1 demo covering the topic deeper instead off multiple demos that just felt like they were flying by. That’s not to say that there wasn’t useful information, some of the highlights below:

Solution Types

  • No Code Solutions
    • Everything is managed by the runtime
    • Can connect to:
      • Existing WCF
      • SQL Server Databases
      • .NET Objects
    • SharePoint Designer
    • SharePoint SDK (XML i.e no code)
    • Surface Data in External Lists
      • Connect External Lists to Outlook, SPW
    • Customize InfoPath forms
    • Outlook Taskpane and Ribbon
    • Word Quickparts
    • Web Part Pages
  • Code
    • Visual Studio
    • Reusable
    • Can be incorporated into solutions that require no code
    • Custom Connectivity for data aggregation and transformation
    • Require business logic in code

digg_url = “”;digg_title = “Building Solutions with Business Connectivity Services and VS 2010 – SPC 2009 Session Highlights”;digg_bgcolor = “#FFFFFF”;digg_skin = “compact”;digg_url = undefined;digg_title = undefined;digg_bgcolor = undefined;digg_skin = undefined;

Blog at

Up ↑

%d bloggers like this: