SharePoint Experts, Information Architects, Expert Witness

SICG provides a broad array of business and technology consulting from architecture to design to deployment of global systems with a focus on surfacing data in the enterprise. We focus on the "How", not just the possible. Contact me direct: or call 704-873-8846 x704.

Search This Blog

Thursday, December 6, 2012

SharePoint BCS 2010/2013 - Login failed for IUSR account

Using the Business Connectivity service (BCS) in either SharePoint 2010 or SharePoint 2013 you may come across the message “login failed for <system>\IUsr account” when you try to display the external list in SharePoint. You may wonder why since this account has nothing to do with SharePoint (and for those of you that are not aware of this account, it is the default IIS account – used when a user is not authenticated). This is similar to the old 'double hop' issue we've had with SharePoint since 2003.

The problem is simple – when accessing data OUTSIDE of SharePoint (and not using Kerberos), it may default to the IUSR account when attempting to access the data.

The best fix is to ensure that all services are properly assigned and that the SharePoint Web Services are not running as Local System. However, a quick fix (or until you find the proper one) is to simply grant the IUSR account access to the data source (or database).

By default, the IUSR account is designated by the system name (as a local account); for example server1\iusr. However, you will find that you cannot add the account that way in SQL Server – instead, use NT AUTHORITY\IUSR and you’ll be able to add it. Be sure to grant the proper permissions in the database in question and also grant public access to the master database.

After adding, return to SharePoint and refresh – all should be good!

No comments: