Anonymous Users In SharePoint (Part 1) : Introduction
These days many public-facing sites allow users to view pages and perform some limited actions anonymously against various functionalities those site offers to their audience. Turning on anonymous access really requires thorough considerations and planning in advance because everyone visiting your site will be able to access the landing page at minimum and from there they have limited access to other parts of your site. This potentially can lead to a situation in which unauthenticated users can contribute to your site to an extent, use up server resources, discover users personal information and the content that you may not want them to be exposed to the public. Fortunately, in both Moss and WSS , you not only have the option to enable/disable anonymous access , you also have a fantastic granular control over how anonymous user experience should be when interacting with your site. This makes it a lot easier to turn a SharePoint site to a public-facing site exposed via internet which was one of the main goals in WSS 3.0 and MOSS 2007. In this article, I would like to give you a quick tour of how to enable anonymous access and what issues you or your anonymous users might face during this exercise. In part 2, I will be writing about some of the existing workarounds and solutions and finally in Part 3 I will be demonstrating how to turn them all into an even better (more real life) solution by coding the missing parts.
Through out these articles I assume that you have a basic understanding of forms based authentication (a.k.a FBA), you have created a site in default zone (a.k.a authoring zone) and extended it to an Internet zone (a.k.a public facing zone). Your default zone in protected either by NTLM or Kerberos and your internet zone is using a custom authentication provider. Now that you are ready , let’s get rolling!
Anonymous access must be granted at the web application level at the time that you create the web application and zones. It is a check box that you select and the end result is a <allow users=”*”/> element that is added to the web.config of the Zone for which anonymous access is enabled. Yes, you can always go back and enable or disable this by going to “Authentication Providers” page in Central Admin as illustrated in picture 1.
 |
|
Picture 1 |
Here is what would be added to the web.config when anonymous access is enabled.
- <authorization>
- <allow users="*"></allow>
- </authorization>
For anonymous users to be able to get to your SharePoint site via internet they have to cross two barriers:
I) IIS barrier : As I alluded to earlier, IIS barrier is handled in the web.config when you set up the zone to allow anonymous access in Administration Site.
II) SharePoint barrier : Site Administrators have to tell SharePoint to allow anonymous access by browsing to http://yoursite/_layouts/setanon.aspx and granting the right access control for anonymous users (Picture 2). You need to repeat this for all sites unless permission inheritance is turned on.
NOTE: if the <authorization> tag is not present in the web.config, then setannon.aspx has all its options grayed out.
 |
|
Picture 2 |
In additions to the settings in setannon.aspx page , each document library or list has separate settings for anonymous users in order to control how they can access and interact with the content.
Document Library :
 |
|
Picture |
Custom List (Called Annon List):
 |
|
Picture 4 |
As saying goes, the devil always lies in the details. Okay , what are the problems regarding the annonymous users in SharePoint? I am glad that you asked!
1) Anonymous access relies on the anonymous user account on the web server (IUSR anonymous account).
- In an FBA scenario where users are authenticated against a custom identity store and not AD , there is not a real configurable identity for anonymous user. This makes audience targeting at anonymous users (MOSS only) a bit challenging. For example when showing a web part targeted at people who have not signed in or a message shown to anonymous users only.
- Even in the default zone where IUSR anonymous account can be resolved, audience targeting at this account won’t work.
2) No matter what kind of permissions you grant to your anonymous users , there are still some restrictions when they interact with your site:
- Anonymous users can not upload, edit or attach files in Document libraries including Wiki libraries. This applies to both your authoring zone (which is always supposed to be protected by Windows Integrated Authentication) and FBA zone such as Internet zone. Look at the picture 3 above and note how some of the options are grayed out by default.
- Anonymous users can not fully contribute to Lists, discussions or surveys. For example , they cannot attach files to the list items (FBA zone only). As shown in the picture 4 above , in custom lists you can specify that Anonymous users CAN add items to a list. Well, an item might include an attachment right? , but in actuality when they attach a file to the item they will be redirected to a log in page. It simply means that they CAN NOT. 😉
I have tried above limitations in our custom list and for both zones. below is the result:
 |
|
| Picture 5 |
I don’t really mean to insult your intelligence , but just as FYI , thumbs are not part of the List – I just added them to the picture to show you which operations went through without requiring anonymous user to log in 🙂
3) (Credit to Doug Ware – See his comment below and his post here) Turning on anonymous access in one zone has the unfortunate behavior of giving all authenticated users the same rights as an anonymous user on all of the zones in the web application.I (as Doug Ware :)) encountered this recently when I had one zone set up that did not allow anonymous access and the Restricted Read permission level. I extended the site to another zone and configured it for anonymous access to the entire site. The members on the original zone were then able to browse the list because the configuration gave them more rights than Restricted Read even though the zone they were using was not configured for anonymous access! Based on my reading of the documentation it was by design.
Now that you know some of the issues with regards to anonymous access in SharePoint, let me walk you through couple of solutions in part 2.
Great articles Reza! I added a post to my blog linking to them.
Since I hate to just link without adding anything, I’ll point out one quirk in anonymous access that you didn’t mention. Turning on anonymous access in one zone has the unfortunate behavior of giving all authenticated users the same rights as an anonymous user on all of the zones in the web application.
I encountered this recently when I had one zone set up that did not allow anonymous access and the Restricted Read permission level. I extended the site to another zone and configured it for anonymous access to the entire site. The members on the original zone were then able to browse the list because the configuration gave them more rights than Restricted Read even though the zone they were using was not configured for anonymous access!
Based on my reading of the documentation it was by design. That said, it’s no secret that I find the design lacking and that is one more reason why I use FBA when I want anonymous access; uniform control of authorization via Permission Levels.
Doug, You are absolutely right. I didn’t notice this when I wrote the post (heads down in FBA zone ) , but now I know and that’s why it is part my post ;). Thanks for the heads up.
Hello
I’ve just followed this tutorial and make anonymous access to
view and add items in my custom contact list . but after I ‘ve added this anonymous access I got error in my contact.aspx form to add items this error message as follows:
The data source control failed to execute the insert command.
but when I chek the list I find that the data is stored successfully . I don’t know why this error happen….
can spmeone tell how to solve it…..
Tamer,
I just gave it a try and I can’t reproduce the issue on my side. I don’t think there is any association between Guest Account and the error you are getting.Check out this :
http://farm4.static.flickr.com/3048/2335634362_1a9c728fa5_b.jpg
Hello Reza
Thanks for answering ,believe me I got this error only when Make anonymous access is checked……
Okay, I am confused 🙂 You get this error when anonymous access is enabled or you get this error when you apply the solution in these article (which obviously requires anonymous access to be enabled at first place)? When anonymous access is enabled you can go to “Custom Contact List > Settings > Permissions > Anonymous Access” and give them full permission. Then they will be able to add items no matter Guest Account feature is enabled or disabled. Is this stage where you get the error? or when you enable Guest Account feature that gives your guest account (anonymous user) the ability to attach a file? They are two different things ….
Check this out , I tried by setting anonymous access to additems and Guest Account *disabled*. Result is here:
http://farm4.static.flickr.com/3251/2334927199_23c5d446da_b.jpg
Hello
Actually I have a list and a form page to add items to the list .When anonymous access add item feature is off , any user can view only and adding items is for only permitted users and works properly . but when when I switch on ‘add items’ for anonymous users, the items are stored but every time I submit in the form it shows the error
Is this form page a custom aspx page that you have developed on your own?
Yes I’ve developed this page and converted all controls into asp.net controls but without any code behind or code blocks.. as I told you b4 it works without error message only when an user is permitted and has username and password to access
That’s great and this is the only difference between your environment and mine as I am using the out of the box UI to insert the contact list items. What happens if you NOT insert the new item using your form page. Try it on a brand new custom list that’s not using your custom contact list definition.
Hi Reza,
Thanks for great article! I did help a lot. I am trying to use WSS object model (SPSite, …) to insert into Sharepint document library through web services developed by me. Then I call these services from different applications including classic ASP. When I am using Integrated Authentication it works fine. However Integrated authentication is not always available and I have to use anonymous authentication. I did try the same code for Anonymous Authentication and it does give me error message on Sharepoint objects.
Do you think this model would work (using anonymous authentioncation for inserting wiki)?
I do appreciate your time.
Thanks,
Farhad
Farhad,
In order to use SharePoint Object Model to execute code you need to be authenticated so SharePoint knows what level of access you have. Your issue has nothing to do with anon access to SharePoint described in these articles.You need to elevate the prvilage using SPSecurity.RunWithElevatedPrivilages for the section of your code that is responsible for creating the sites. This will elevate the security context from no security context (anon call) to the security context of which your web service application pool is running under.Please please make sure make you completely undrestand the security issue you in which are putting yourself.
For more information read “Elevation of Privilege in Your Code” section at the following article :
http://www.microsoft.com/technet/community/columns/secmvp/sv0408.mspx
Many Thanks Reza!
It did really help.
I do really appreciate your time and Help.
Thanks again,
Farhad
Reza,
I set up a “Contact Us” feature in WSS 3 by creating a Custom List in the Browser. Then I created a web part page to hold the entry form. I created the entry form with SPD by selecting my list as the Data Source and inserting the fields I wanted the Anonymous User to complete as a New Item Form into a web part zone on the page. This was very slick and quick to do.
I then set up a work flow to operate on the list when a new row is created. All works like a champ with a logged-in user.
Anonymous is enabled at Central Site Admin, the Site itself and the list per the instructions you gave here. (AD is the authentication provider) I even created a user that is “anonymous web server access account”, gave them contribute permissions to the list and assigned them to the Site Visitors Group.
As an Anonymous User I complete the form and when the save button is pressed an error page loads stating “the data source control failed to execute the insert command”, the record is created in the list (the “created by” field is not populated), and the associated workflow does not fire. If I browse Anonymously directly to the list and use the New Item command I get an error page that says “an unexpected error has occurred”, but the list is populated (again no “created by)”. I have noticed when inspecting the list properties in SPD that the “allow anonymous upload to this directory” is not enabled no matter how I change the list permissions. Don’t know whether that matters or not.
Any ideas on where I’m going wrong?
I decided to recreate my list since a lot of fooling around with permssions was done after the original list was created. Wonders never cease, everything works perfectly!!
I have no idea why, but please ignore my long post.
Cool article. There is one more limitation for anonymous users: In custom DataForm webparts (created with SharePoint Designer) they can delete list items, but they get asked for username and password. If they cancel and return to the same page the item is deleted, but it’s very annoying.
I spoke too soon on success. My testing was without the workflow. Once I created a workflow trigging on new items in the list, I’m right back to the same error and same behavior. Deleting the workflow does not solve the problem. I have tested on three new lists and get the same behavior once a workflow is added. I have heard workflows are picky on security, but this is ridiculous. Anyone have any ideas?
Jim ,
Is this a custom workflow you have written? Do you get the same behavior with OOTB workflows?
Dear All,
Are you sure that there is no way in which anonymous users can’t add attachments to a custom list??
because i tried it, searched for a solution, but till now i didn’t figure it out!!!
Ehab , have read all three parts?
Dear all,
I think there is no straight forward way to let anonymous users attach documents to a list.
I have tried a coding way and finally it worked 100%…
Ehab, for the FBA zone , yes you are right and that’s why I introduced all those solutions in Part3. However, For Windows zone as indicated in the picture 5 above, they CAN attach documents to the list.
I’m finding out that the dealbreaker with anonymous access is the association with the SPD created workflow. I’m concerned with gathering information on a SPD custom form for a list on our public facing MOSS site. Anon users can fill in the form, hit submit, and all is well. Design a workflow and associate it with the list and the form will bomb any time that the workflow is initiated. And once the workflow association is made with the list via SPD, it cannot be be dis-associated later.
I’m not a developer so code oriented solutions are beyond my current skillset. But it looks like I’m going to have to move in that direction.
Larry
Hello Reza,
I was wondering about a way to contact a list moderator when an anonymous user adds a list item and the user can’t see other items, only their own. As everyone knows you can’t setup alerts for lists that people can only read their own and I’m having issues with setting up workflows as anonymous users can’t start those either.
Any ideas would be great, and I’m running AD for authn (SSL) and an extended site for anonymous users.
Thank you for your time in advance.
Reza,
Sorry for the slow reply from your June question. I did not get a notification you had responded (may have overlooked checking the box). I guess I have learned the same lesson that Larry Cross mentions above on this. When one of our developers gets some time I plan to have them look into this. In the meantime, shame on Microsoft for crippling (or not supporting) this capability for anonymous users!
Jim
Hi,
Good article and alot of good comments.
I was wondering if anyone could tell if item level anonymous access is achievable in MOSS 2007. We all know that site and list level anonymous access works like a charm but my issue is with item level.
The scenario is that anonymous users can view a list and its item’s properties like a contact list’s phone, address etc. But in that contact list each authenticated user is allowed to ONLY edit his or her contact properties. Here comes the big issue as soon as you assign rights to the authenticated user you need to break parent inheritance and POOF! that particular items disappears from anonymous users list view.
Now on unique permission of an item there is no option to allow anonymous access !! (can be found on item view’s Manage permission link)
Any insight would be really helpful.
Thanks.
Hello Jim Thomas -> about the anon access issue – I’m fortunate to have just acquired some time from our inhouse .Net developer. She is right now looking to see how programmatically enable initiating a workflow triggered from an anonymous user submitting a new item to a custom list via SPD created custom form.
If successful I’ll post the solution here if you or anyone would be interested.
Larry
Ronald,
I just confirmed that in your case you can use ItemAdded event handler to send the email using SPUtility.SendEmail method. Works like a champ with anon users.
Umir,
Follow other part of this blog post. You can map anon users to a virtual account -say Guest that can be seen all over the place no matter you inherit or break the inheritance.
Guys and Gals,
Wonderful comments. Haven’t had time to dig into WF issue. If anyone came up with a solution that you think may be beneficiary to others please email me at [MyFirstName]@dev[NOSPAM]horizon DOTTTT com. Thnkx . Keep rolling guys…
Hi Guys,
If the listitem is created by anonymous users, then Created By and Modified by will be blank and workflows won’t fire on ItemAdded.
Solution to this is impersonation, when you are writing the code which adds item in the list.
Make sure the user you are impersonating has appropriate permissions on the list to add items.
Sample Code for this is
{
3 using(SPSite site = new SPSite(SPContext.GetContext(System.Web.HttpContext.Current).Site.Url))
4 {
5
6 using (SPWeb parentWeb = site.OpenWeb())
7 {
8 string userName = ConfigurationManager.AppSettings[“contactUsUser”];
9 SPUser user = parentWeb.AllUsers[userName];
10 ////YOU CAN ALSO HARD CODE THE USER AS BELOW
11 //SPUser user = parentWeb.AllUsers[“DOMAIN\\USER_NAME”];
12 SPUserToken token = user.UserToken;
13
14 using (SPSite s = new SPSite(SPContext.Current.Site.Url, token))
15 {
16 using (SPWeb web = s.RootWeb)
17 {
18 DO YOUR LOGIC FOR ADDING THE LISTITEM HERE
19 }
20 }
21
22 }
23
24 }
25 });
I created a way to be able to target anonymous users as an audience. You can read about it here:
http://bphillips76.spaces.live.com/blog/cns!F9B548E4C21D6166!442.entry
In about a week or so, a SharePoint solution package (WSP) will be available at http://www.codeplex.com/features if you don’t want to make the web.config changes or compile the code yourself.
Well….we finally found a way to have an anonymous user kick off the list associated workflow. By the way, we are not using Forms Authentication, but rather Windows authentication – so this narrows the field of solutions a bit.
We took the example from Andrew Connell about creating a code-behind approach for non-layout pages. The two essential elements to get the anon/workflow working are to (1) use elevated privs and (2) allow unsafe updates. So we are doing the basic form user/interface in SPD and the codebehind in VS….and end up with a filename.aspx and filename.cs.
So from a technical standpoint the problem is solved, but now I have to determine the degree of risk associated with using allowunsafeupdates while adding a new item to the list. I would be grateful for any advice that could be provided regarding this risk and the possible attack vectors it faces.
Superb Thread….thanks everyone.
Larry
Hi Larry,
You are right as we need to elevate priveleges and do impersonation.
I think you are confusing the problem by limiting it to create forms in SPD and code in VS.
I fixed this where web part had the form and which adds item to a list.
Later, business user created a Workflow on item added event on the list and workflow was not firing for anonymous users.
Main thing to understand is when you are adding items to a list.. that should be done via impersonating a account which has permissions on the list. Item can be added in the list via.. usercontrol.. webpart, app page etc…
Have a look at my code in the above post it will make the things clearer.
I have created a way to target anonymous users as an audience in MOSS. You can get the source code and binaries from CodePlex at http://www.codeplex.com/features. You can read more about it here: http://bphillips76.spaces.live.com/blog/cns!F9B548E4C21D6166!442.entry
Thanks,
Bryan
Ajay – I like your solution, as I have been struggling with what Jim and others in this post have as well, with kicking off workflows via anonymous users.
So, to my question: Can you tell me where you put that code you posted above…and how it is you deploy it?
thanks,
Tom
Tom,
The above was used in web part contact us form, when someone filled the form, I added user to list and on ItemAdded Sharepoint designer workflow was sending emails.
Web part was deployed in GAC.
Tell me what’s your scenario and I can give you more details.
Cheers
A
I am trying to use a form to post results in html to a page.
On pressing “submit”, the user is presented with login screen (ie username and password) even though I have anonymous users enabled with “Entire Web site”
Thanks in advance for any solution.
When you say that FBA makes anonymous targeting a “bit challenging” do you mean “impossible”
We want to display a “new users register here” web part for anonymous users, but also are using FBA. Any advice?
No I don’t mean impossible.
In your particlar case, all you need to do is to check the authentication cookie , if It is not presented it means user hasn’t logged in yet, so you need to render the link:
Pesudo code:
if (context != null )
{
If( Condition to check if code executes in FBA zone)
{
//Extract the forms authentication cookie
string cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = context.Request.Cookies[cookieName];
if (null == authCookie)
{
//Render the link to register new users
}
}
}
@Mark nevermind….didn’t see page 2 🙂
@Umair Khan
Hi Umair,
I know its been a while since your posting. I am running into the exact same issue as you have mentioned here. Once I break inheritance at the item level, I am unable to grant anonymous access to the list item. Did you resolve this issue? I would greatly appreciate your help.
Thanks
I would like to quote you on my documentation:
https://student.stonybrook.edu/tltworkshop/Docs/1/Workshops/Permissions.pdf
Please let me know if this is ok.
Thanks,
Nichole
Hi,this looks like the right place to ask about fba/anonymous user problem.I have fba site where anonuser is turned on from CA and can ‘view entire site’ turned on from site settings>advanced permission.This is a publishing site.I turned on the lockdown feature,turned off anonymous access (from advanced permission>set to “nothing”) and turned back on (view entire site).But I can sitll browse to /pages/forms/allitems.aspx pages as a anonymous user.Doesn’t this feature work with FBA or I’m not doing it right?Thanks in advance
Hello,this looks like the right place to ask about fba/anonymous user problem.I have fba site where anonuser is turned on from CA and can ‘view entire site’ turned on from site settings>advanced permission.This is a publishing site.I turned on the lockdown feature,turned off anonymous access (from advanced permission>set to “nothing”) and turned back on (view entire site).But I can sitll browse to /pages/forms/allitems.aspx pages as a anonymous user.Doesn’t this feature work with FBA or I’m not doing it right?Thanks in advance
Hello,
I followed a quick two steps process to set anonymous access on a web application; however, I still get this login screen prompting for userid and password. I usually hit the “Cancel” button. Any suggestions on how to avoid this?
Salam,
Man y Moshkeli dashtam Omidwaram btonin Komakam Konid,MAn yek Survey Ijad kardam va ba inke User anonymous Enable va Sayere Setting roye List ,vali baz vaghti ro in List miram ,User and password mikhad:( Marahele In page ro ham anjam dadam va nashod,Che rahi bman Pishnahad mikonid ?
Albate Majoeye ma yek sub-Site ,Momkene az Setting Master Site Bashad?
Montazere Pasokhe shoma hastam,Motshakeram.
@Zahra shahin
It cannot be caused by masterpage, cause if that was the case you should have got it all over the site. For testing, break the list inheritance and give a;ll groups full access to see if this solves your problem.
Salam,
Kheyli Mamnon az Inke Pasokhe soalam o dadid.Emtehan kardam,Nashod 🙁 Dar Blog e shoma jaei baraye Define User Guest ,GOfte shode? CHon Onha az rahe User Guest In moshkele anonymous ro Goya hal kardan …
CHon Nemikham Hoselaton o az Yek soale Tolani,Sat Bbaram ,Moshkel ro KHolase Khedmateton Arz kardam …
Rasti Mohandes CHand soal mitonam Bporsam?
Hi,
My site only renders correctly if I’m logged in..
I have a Root site and a subsite. I have style sheets in both the root and the subsite.
The anonymous user can access the entire site but when the page renders is not applying the style sheet located in the root site.
I do not need my anonymous users to navigate to the actual style sheet list. I just need the page to be able to apply all the styles in the style sheet library from the root site.
Any ideas? I have done everything I’ve found on internet
1. Allowing anonymous access to the entire site
2. Recreated the site with anonymous access from the beginning
3. Enable view access to the root style sheet library
4. Enable and disable ViewFormPagesLockDown.. although this does not seem to apply in my scenario…
I’ve been trying to fix this issue for hours..
@Jim Thomas
Jim, any luck with the workflow being kicked off by an anonymous user?
Thanks,
-Denish
Denish,
No luck. We basically gave up.
Regards,
Jim
@Jim Thomas
Guys, when you get a developer-created workflow kicked off for an anon users, don’t you get an out-of-memeory exception?
All,
I have read all of these comments and have found that they relate in some part to two issues that I currently have, one in particular though: I have a contacts list with anonymous access, which has been working fine for several weeks. This morning I added a workflow through SharePoint Designer. Oh, dear, now when adding an item as the anonymous user I get an out of memory error, the item does add successfully but the error is frustrating. I then removed the workflow, deleted it in designer, did an iisreset, and a server reboot, still the same error. However, I checked the list in SharePoint manager, in the event receivers section there were two receivers associated with the list. I removed them and now the list works fine, no need to recreate the list, which is very good news for me. I will live without the workflow for now but will have a look at the rest of the feed in more detail later, since it seems that this may be possible if I take a different approach.
@David Saynor yeah, workflow for anonymous users causes an infinite loop which in turn causes the web front end To go outta memory. The issue has been fixed in SP 2010.
@Reza Alirezaei
Reza,
I tried exactly that (using the ItemAdded event handler to send an email using SPUtility.SendEmail) as an anonymous user (and I even used the SPSecurity.RunWithElevatedPrivileges method), but I still get the dreaded “the data source control failed to execute the insert command” error. How did you avoid that?
-Ted
salam aghaye Alirezaei,
mamnoon az matlabe mofidetun,
man ba sharepoint 2010 yek publishing portal sakhtam va anonymous access ro ham roye entire website gharar dadam ,vali alan vaghti adrese site collection ro mizanam azam user va pass mikhad,daghighan eine zamani ke anonymous access ro taeen nakarde boodam!
be nazaretun moshkel az kojast?
kheili mamnoon misham javab bedid
@SD
hi. you need to disable lockdownfeature and then give the anonymous access to the particular list or library.after that if u want can enable lockdown feature..
Cheers..
sankeerth
Particularly well-researched write-up Anonymous Users In SharePoint (Part 1) : Introduction!
Always keep writing.
Hi, so far you know, is there a Limitation for anonymous users, to sync i.e. a SharePoint contact list in Outlook ? I always get a logon prompt when I try to sync. My Goal is to allow Sync without to sing in, perhaps you can help me. Thanks