Question

I've created a custom BDC model for reading flat files. It works great when the file is local, but now I need to roll it to test and read a shared UNC path. When I direct it to read the same file from a UNC path it errors with "Access is denied".

I used netmon to see traffic heading to my UNC is coming from the System process, not my w3wp process. My server's System process of course is running under System and cannot access UNC shares.

So for a quick fix I used some basic hard-coded impersonation in my code just to prove it out, and it works. I set up my impersonation to use my sp_business account (which is what the BDC service is using) and it works great.

Now to my questions:

Can I impersonate the account that the BDC is using? I don't want to hard code anything, I want it to assume the account the service is using.

If that's not possible I will create a secure store account and grab that for impersonation. I'd rather not as that increases administration, but it's better than hard coding it.

Update

My latest attempt looks like

    <LobSystemInstances>
      <LobSystemInstance Name="YellowPagesLOBSystemInstance">
        <Properties>
          <Property Name="ShowInSearchUI" Type="System.String">x</Property>
          <Property Name="SsoApplicationId" Type="System.String">BDC</Property>
          <Property Name="SsoProviderImplementation" Type="System.String">Microsoft.SharePoint.Portal.SingleSignon.SpsSsoProvider, Microsoft.SharePoint.Portal.SingleSignon,Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c</Property>
        </Properties>
      </LobSystemInstance>
    </LobSystemInstances>

Do I need to do something in my code to then reference this, to impersonate?

Update

I failed to mention, or think about, the fact that my site is using claims based authentication with forms, using AD. I created a new web app using NTLM and created my external list and it worked.

How do I know what account is actually accessing the file? My user account has permissions, how do I know it's the sp_business account and not mine?

Update

After further testing and banging head off keyboard, I determined that my FBA site is the root of the issue. Using SharePoint Designer, the FBA site cannot see the external content type, nor create new ones simply to a SQL database. The NTLM site can see it and connect to the same SQL database. I'll chase this down and see if it resolves.

Update

I was missing permissions on the BDC metadata store, so setting that fixed my previous SPD issue. I created another external content type through SPD for the sake of ensuring I'm not crazy, and that worked on both sites (connecting to SQL). My bigger issue remains:

From the server console

  • NTLM site loads custom BDC
  • NTLM site loads OOTB sql ECT
  • FBA site doesn't load custom BDC
  • FBA site loads OOTB sql ECT

From my local workstation

  • NTLM site doesn't load custom BDC
  • NTLM site loads OOTB sql ECT
  • FBA site doesn't load custom BDC
  • FBA site loads OOTB sql ECT

Solution 2

I got this to work using impersonation within the code.
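One way to do the in-code impersonation without hard coding an account, as the question's second option suggests, is to pull the Windows credential from a Secure Store target application at run time. This is an added example and not the answerer's code; it assumes a target application with the id "BDC" (the SsoApplicationId from the question) that stores a Windows user name and password, that the calling SharePoint user is mapped to it, and that the Secure Store classes are used as named in the usings (Microsoft.BusinessData.dll and Microsoft.Office.SecureStoreService.dll).

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Principal;
using Microsoft.BusinessData.Infrastructure.SecureStore;
using Microsoft.Office.SecureStoreService.Server;

// Hypothetical helper, not the question's BDC code. It reads a UNC file under the
// Windows identity stored in a Secure Store target application ("BDC" mirrors the
// question's SsoApplicationId), so no account or password is hard coded.
public static class UncReader
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, IntPtr password, int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    // NEW_CREDENTIALS: the stored account is used only for outbound network access (the
    // UNC read) and needs no "log on locally" right on the web front end.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9, LOGON32_PROVIDER_WINNT50 = 3;

    public static string ReadAllText(string uncPath, string secureStoreAppId = "BDC")
    {
        string account = null; SecureString password = null;
        ISecureStoreProvider provider = SecureStoreProviderFactory.Create();
        foreach (ISecureStoreCredential c in provider.GetCredentials(secureStoreAppId))
        {
            if (c.CredentialType == SecureStoreCredentialType.WindowsUserName) account = Plain(c.Credential);
            else if (c.CredentialType == SecureStoreCredentialType.WindowsPassword) password = c.Credential;
        }
        if (account == null || password == null)
            throw new InvalidOperationException("Target application holds no Windows credential.");
        string[] parts = account.Split('\\');   // expects DOMAIN\user; bare user name falls back to "."
        string domain = parts.Length == 2 ? parts[0] : ".", user = parts[parts.Length - 1];
        IntPtr token = IntPtr.Zero, pwd = IntPtr.Zero;
        try
        {
            pwd = Marshal.SecureStringToGlobalAllocUnicode(password);   // plaintext exists only here
            if (!LogonUser(user, domain, pwd, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out token))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            // Disposing the context reverts to the service account even if the read throws.
            using (WindowsIdentity.Impersonate(token))
                return File.ReadAllText(uncPath);
        }
        finally { if (pwd != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(pwd); if (token != IntPtr.Zero) CloseHandle(token); }
    }
    static string Plain(SecureString s) { IntPtr p = Marshal.SecureStringToBSTR(s); try { return Marshal.PtrToStringBSTR(p); } finally { Marshal.ZeroFreeBSTR(p); } }
}
```

With the NEW_CREDENTIALS logon type, WindowsIdentity.GetCurrent().Name on the SharePoint server still reports the service account; to confirm which account actually opened the share (the question's "how do I know" point), look at the logon and share-access events in the file server's security log, where the Secure Store account will appear.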

OTHER TIPS

In your BDC, try setting the AuthenticationMode to RevertToSelf:

    <LobSystemInstances>
      <LobSystemInstance Name="MyLOBInstance">
        <Properties>
          <Property Name="AuthenticationMode" Type="System.String">RevertToSelf</Property>
        </Properties>
      </LobSystemInstance>
    </LobSystemInstances>

You may also need to enable RevertToSelf authentication on the BCS service application using PowerShell:

    # Find the Business Data Connectivity service application by name (substitute your own)
    $serviceApp = Get-SPServiceApplication | where {$_ -match "Name of your BCS Service App"}
    # Allow BDC models to use AuthenticationMode=RevertToSelf, then persist the change
    $serviceApp.RevertToSelfAllowed = $true
    $serviceApp.Update()

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange