I am running SharePoint 2010 with SQL 2012. I am trying to get Business Connectivity Services (BCS) running, but I am facing a double-hop authentication issue.
Every time I try to connect to the external BCS list created in SharePoint Designer, I get the error `Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'`.
In the event viewer on the SQL server I see a login failure for an anonymous user from the SP server IP address.
Background information below:
I have the following AD domain accounts:
- SP_Farm - main website pool
- SP_Services - for SharePoint services (including BCS)
- SQL_Engine - SQL database engine
I have enabled Kerberos under SharePoint Central admin.
I then created the following with SetSPN:
- `SetSPN -S http/intranet mydomain\SP_Farm`
- `SetSPN -S http/intranet.mydomain.local mydomain\SP_Farm`
- `SetSPN -S SPSvc/SPS mydomain\SP_Farm`
- `SetSPN -S MSSQLSvc/SQL1:1433 mydomain\SQL_DatabaseEngine`
- `SetSPN -S MSSQLSvc/SQL1.mydomain.local:1433 mydomain\SQL_DatabaseEngine`
I then delegated the AD accounts for `any authentication protocol` to the following:
- SP_Farm -> SP_Farm (http service type, intranet)
- SP_Farm -> SQL_Engine (MSSQLSvc, sql1)
- SP_Service -> SP_Service (SPSvc)
- SP_Service -> SQL_Engine (MSSQLSvc, sql1)
Despite the above, credentials are not passed from the client through the SharePoint server to the SQL server; only the anonymous account is used.
If I set a username and password with the Secure Store Service and set the external list to use the impersonated credentials, the list works.
Any ideas what I have missed and what can be tried next?
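
A read-only check of the configuration described in the post, as an added example that is not part of the original question: it prints the SPNs and delegation settings stored on each account and warns when an SPN or delegation target does not resolve to exactly one directory object. The account names and SPNs are copied from the post as written; the `Get-SpnHolder` helper is hypothetical, and the script assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example; read-only. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Account names exactly as written in the post, both spellings included.
$accounts = 'SP_Farm','SP_Services','SP_Service','SQL_Engine','SQL_DatabaseEngine'

# SPNs passed to SetSPN -S in the post.
$spns = 'http/intranet','http/intranet.mydomain.local','SPSvc/SPS',
        'MSSQLSvc/SQL1:1433','MSSQLSvc/SQL1.mydomain.local:1433'

# Hypothetical helper: every directory object that holds the given SPN.
function Get-SpnHolder([string]$Spn) {
    Get-ADObject -Filter "servicePrincipalName -eq '$Spn'"
}

$props = 'servicePrincipalName','msDS-AllowedToDelegateTo',
         'TrustedForDelegation','TrustedToAuthForDelegation'

foreach ($name in $accounts) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'" -Properties $props
    if (-not $user) { Write-Warning "Account not found: $name"; continue }

    # TrustedForDelegation       = unconstrained delegation
    # TrustedToAuthForDelegation = "use any authentication protocol"
    $user | Format-List SamAccountName, servicePrincipalName,
        'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

    # Every delegation target must be an SPN that exactly one object holds.
    foreach ($target in $user.'msDS-AllowedToDelegateTo') {
        $n = @(Get-SpnHolder $target).Count
        if ($n -ne 1) { Write-Warning "$name -> $target is held by $n objects" }
    }
}

# Each SPN from the post should resolve to exactly one object.
foreach ($spn in $spns) {
    $holders = @(Get-SpnHolder $spn)
    if ($holders.Count -ne 1) {
        Write-Warning "$spn is held by $($holders.Count) objects"
    } else {
        "{0,-40} {1}" -f $spn, $holders[0].Name
    }
}
```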