Lately, I have been working on SharePoint 2010 and Azure projects. This involves using various approaches such as Business Data Connectivity with SQL Azure data and web roles. During development, I found a repeatable problem that fouls up the BDC Service Application when working with Azure web roles. Fortunately, it can be fixed.
My environment is a single Windows 2008 R2 server with SharePoint 2010 and Visual Studio 2010 on the image. I have installed v1.4 of the Azure SDK.
To reproduce the problem, simply make a new Azure web role project in Visual Studio 2010. Run the project in debug mode. Now go to Central Administration > Manage Service Applications > Business Data Connectivity Service. You will receive an "Access Denied" message.
Furthermore, it doesn't matter what account you log in under - even the SHAREPOINT\SYSTEM account. Everything is denied.
Well, it turns out that Azure is making changes to IIS when it runs. In particular, it is changing the Anonymous account from "IUSR" to "Application Pool". This is causing the SharePoint STS to stop working correctly, so it can't communicate with the service application. Interestingly, other service applications do not appear to be affected.
The solution to the problem:
1. Open the IIS Manager.
2. Click the server name.
3. Double-click the Authentication feature.
4. Right-click "Anonymous Authentication" and select Edit from the context menu.
5. Set the identity of the Anonymous Account to a Specific User instead of "Application Pool".
6. Save changes and everything is working again.
Note that Azure will change this setting every time you run in debug mode. If you want a permanent fix, use the SHAREPOINT\SYSTEM account as the Anonymous User account and the application pool account for the Default app pool. Obviously, this is only valid for development environments.
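Because the setting is reverted on every debug run, the IIS Manager steps above can be scripted. The following PowerShell is an added example, not part of the original post; it assumes the WebAdministration module is available, an elevated prompt, and the built-in IUSR account as the specific user. The function names are hypothetical.

```powershell
# Added example: check and reset the server-level anonymous authentication identity.
Import-Module WebAdministration

$Filter = 'system.webServer/security/authentication/anonymousAuthentication'

function Get-AnonymousIdentity {
    param([string]$PSPath = 'IIS:\')   # 'IIS:\' is the server level (steps 2-3)
    $attr = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name userName
    # The value may come back as a plain string or as an attribute object; handle both.
    $user = if ($attr -is [string]) { $attr } else { [string]$attr.Value }
    # IIS stores "Application pool identity" as an empty userName attribute.
    if ([string]::IsNullOrEmpty($user)) { 'Application pool identity' } else { $user }
}

function Repair-AnonymousIdentity {
    # Assumption: IUSR is the specific user. It is a built-in account, so no
    # password attribute is written; any other account would also need one.
    param([string]$UserName = 'IUSR')
    $before = Get-AnonymousIdentity
    if ($before -eq $UserName) {
        Write-Host "Server-level anonymous identity is already '$UserName'."
        return
    }
    Write-Host "Server-level anonymous identity is '$before'; setting it to '$UserName'."
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter $Filter -Name userName -Value $UserName
}

Repair-AnonymousIdentity

# Report the effective identity for each site, to spot sites that still
# resolve to the application pool identity after the server-level reset.
Get-ChildItem IIS:\Sites | ForEach-Object {
    New-Object PSObject -Property @{
        Site              = $_.Name
        AnonymousIdentity = Get-AnonymousIdentity -PSPath "IIS:\Sites\$($_.Name)"
    }
} | Format-Table Site, AnonymousIdentity -AutoSize
```

Run it after each Azure debug session, or before opening the Business Data Connectivity Service page in Central Administration.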