Daniel Reed
.NET, SharePoint and Graphic Design
Posted by mirata on Jun 11, 2011 in SharePoint | 1 Comment

This is the second time in one week that I have been burned by group policy issues.

We had a report from a client that the BCS component of their site was failing. It was reporting anonymous access denied, which of course there is plenty of material you can find on Google. But on a bit of investigation, it seemed like the actual Service Application was failing. I tried to go to the settings via Central Administration and received the following error:

The BDC Service application Business Data Connectivity Service is not accessible. The full exception text is: The HTTP request was forbidden with client authentication scheme 'Anonymous'.

Hmm. Thats not good. We talked to their IT department, and they said they were not aware of any changes that would affect the site. But I always take those comments with a pinch of salt. Things get changed all the time.

The Solution

Upon investigating the logs in the 14 hive, there was a little more information. The messages prior to the error indicated the precise web address that SharePoint was connecting to in order to interact with the BCS service application. From here, it was easy to find the correct IIS web site that controls BCS. Incidentally, directory for these service applications reside under the 14 hive.

Changing authentication schemes and web.config settings didn’t seem to make a difference. After all, anonymous access was already enabled, After a lot of poking around without much success, we finally came across this..

That shouldn’t be there. As soon as it was deleted, everything returned to life.

Lessons Learnt

URLScan is an ISAPI filter, and was installed by group policy across all the machines without consultation. As I mentioned, this is the second time in one week where group policy has put people on missions for multiple days at a time trying to solve very black-box problems.  This illustrates to me in a very clear way that we need to do our best to avoid these problems. And it involves participation of everyone.

  • Be very clear to outline the control you need placed over DEV, TEST and PROD environments. Don’t let any updates get rolled out without testing.
  • Group policy issues are especially annoying because they are not considered updates for a machine, but they do affect it very directly. Watch out for them.
  • Do your best to consult with the client about the reasons for tight control and potential implications.
  • If all else fails and they ignore you, make sure to bill all the time you spend running round in circles!
1 Comment
  • Thanks Daniel :) . This blog post was a life saver.
    I set up identical environments in Prod and UAT and this was the teeny weeny difference between the 2 environments. It took me 2 weeks to get to your blog (guess will have to polish my google kills ;) …..but this did it for me. U rock

Leave a comment

Spam Protection by WP-SpamFree