Anonymous Access: Everything you always wanted to know, but didn't know to ask
Enabling Anonymous Access in SharePoint isn’t just a matter of flipping a switch in IIS manager. Anonymous Access must be enabled in IIS and then configured in SharePoint. But there are also situations where this basic configuration isn't sufficient. In this talk we’ll review how to enable and configure anonymous access for SharePoint web sites, lists, and libraries. Then we'll turn our attention to strategies that can be used to overcome specific problems with SharePoint anonymous access. We'll demonstrate solutions and workarounds for questions like:
1) How do you require authentication for some items while maintaining anonymous access for the rest?
2) What content from a personal MySite can be accessed via anonymous access?
3) How do you enable anonymous responses to a discussion list?
4) Can BLOGS and Wiki sites be used in an anonymous access site collection?
1. Anonymous Access: Everything you always wanted to know, but didn't know to ask. Paul Papanek Stork, SharePoint Server MVP, MCT, MCSE+I, MCSA, MCSD, MCDBA, MCITP, MCPD. Paul.Stork@Mindsharp.com
2. About the Speaker: Paul Papanek Stork, MVP, MCT, MCSE+I, MCSA, MCSD, MCDBA, MCITP, MCPD. Senior Instructor/Consultant at Mindsharp, http://www.mindsharp.com, Paul.Stork@mindsharp.com. Contributing Author, Developer’s Guide to Windows SharePoint Services 3.0 & Microsoft Office SharePoint Server 2007 Best Practices. Author, upcoming October 2009, MCTS: Windows SharePoint Services 3.0 Configuration Study Guide (70-631) by Wiley.
3. Agenda: Configuring Anonymous Access; How Anonymous Access Works; Advanced Configuration; Problem Workarounds; Unresolved Problems
4. Basic Configuration. IIS Configuration: Turn on in IIS manager or Central Admin. Web Site: Choose Entire Web (Read Only), Lists and Libraries. Lists and Libraries: View Only for Libraries; Add, View, Edit, and Delete for Lists.
5. How It Works: Does not use IUSR_computername account; Uses Limited Access permission level. Potential problems (example Search Results page): Inheriting from LayoutsPageBase prevents non-authenticated access; ViewFormPagesLockdown Feature prevents access to _Layout pages like AllItems.aspx; Anonymous Access permissions granted to users on All Zones.
6. Configuring Anonymous Access This demo will explore the basic techniques used for configuring anonymous access. We will also look at some of the potential problems.
7. Advanced Configuration: Securing specific files in an anonymous access site; Enabling Browsing and Read/Write access to anonymous lists; Verifying security on 12 hive files.
8. Requiring Authentication for Specific Files: Anonymous Access not configurable at the List Item or File level; List Items and Files INHERIT permissions from Lists or Libraries; Breaking Inheritance will require Authentication to access the List Item or File.
9. Write Access to Lists: Lists and Libraries doesn’t allow access to root URL. Solution: Configure Web Access First; Break Inheritance on List/Library; Configure List Anonymous Access.
10. Security on 12 hive files: Turn off ViewFormPagesLockdown Feature. UnsecuredLayoutsPageBase class: Abstract class; Create inherited class for custom pages.
11. Advanced Configuration Techniques This demo will explore some of the advanced configuration techniques available when configuring anonymous access in SharePoint.
12. Problem Workarounds. Access to _Layouts pages: Remove Inherits=; Subclass UnsecuredLayoutsPageBase. Anonymous Access MySite: Grant Anonymous Access to child site of MySite. Declarative (SPD) Workflows (post SP1): Submission by eMail fires workflow. BLOG comments: Codeplex Anonymous Comment Feature for SharePoint Blog.
13. Problem Workarounds This will demonstrate some of the potential workarounds for problems encountered when configuring anonymous access.
14. Unresolved Problems. Anonymous File Upload: Read/Write Access is allowed to lists, but not libraries; Potential Workaround: Anonymous Access Membership provider. Access to MySite root: Redirection logic requires authentication; No Potential Workaround.
15. Thank you for attending! Please be sure to fill out your session evaluation!
Editor's Notes
Enabling Anonymous Access in SharePoint isn’t just a matter of flipping a switch. Anonymous Access must be turned on in IIS and then configured in SharePoint. In addition to this basic configuration there are a variety of ways that SharePoint can be tweaked to fine tune how anonymous access works. In this talk we’ll review how to enable and configure anonymous access for SharePoint web sites, lists, and libraries. We’ll also look at the Best Practices involved with controlling anonymous access to specific files, search results, discussions, and other SharePoint capabilities. Finally, we’ll examine how to do all this within the context of a secure web site.
Typically, you create a class in a code behind (.aspx.cs) file that derives from UnsecuredLayoutsPageBase. Your .aspx file, in turn, inherits from your custom page class. For example, the c:\Program Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS\login.aspx page that ships with Windows SharePoint Services 3.0 inherits from an internal class named LoginPage which itself inherits from UnsecuredLayoutsPageBase. http://community.bamboosolutions.com/blogs/bambooteamblog/archive/2008/10/15/secure-a-sharepoint-application-page.aspx
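The code-behind pattern described above, as an added example that is not from the talk or the linked post: a read-only application page that opts in to unauthenticated requests. The namespace, class name, page name and the `NoticeText` control are hypothetical.

```csharp
using System;
using System.Web.UI.WebControls;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

namespace Contoso.Layouts   // hypothetical namespace
{
    // Code-behind for a hypothetical _layouts/PublicNotice.aspx. The .aspx names this
    // class in its Page directive:
    //   <%@ Page Inherits="Contoso.Layouts.PublicNoticePage, <assembly strong name>" %>
    public class PublicNoticePage : UnsecuredLayoutsPageBase
    {
        // Bound to <asp:Literal ID="NoticeText" runat="server" /> in the .aspx (hypothetical).
        protected Literal NoticeText;

        // Opt in explicitly: this page may be served to unauthenticated requests.
        protected override bool AllowAnonymousAccess
        {
            get { return true; }
        }

        protected override void OnLoad(EventArgs e)
        {
            base.OnLoad(e);

            // Context-owned object: do not dispose it.
            SPWeb web = SPContext.Current.Web;

            // The page runs with the caller's own rights. It never elevates
            // privileges, so an anonymous visitor sees only what the site's
            // anonymous permissions already expose.
            string audience = Request.IsAuthenticated ? "signed-in user" : "anonymous visitor";

            // Encode everything written to the response; a page reachable
            // without a login is exposed to any input a visitor can influence.
            NoticeText.Text = SPEncode.HtmlEncode(
                string.Format("{0} (viewing as {1})", web.Title, audience));
        }
    }
}
```

Keep pages built this way read-only and free of list writes unless the target list has been deliberately opened to anonymous users.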
Declarative workflows run as the person who triggered the workflow either manually, or by adding or editing an item.
• Individual workflow actions can be made to elevate permissions.
• The RTM version of the server allowed workflows to run as SharePoint System, but had a security vulnerability.
• In SP1 the security problem was fixed, but declarative workflows can no longer be triggered by the SharePoint System account.
• In the SharePoint Infrastructure public update, box administrators can allow email enabled lists to trigger workflows as the last person to save the workflow when an item is created via email. Run “stsadm.exe -o setproperty -propertyname declarativeworkflowautostartonemailenabled -propertyvalue yes” on the patched server to enable this.
So when building a declarative workflow, take a moment to consider under what user context the workflow is running so you can better plan what the workflow is able to do.