Restricting Anonymous Access to Specific Pages in a SharePoint Site

A question came up several months ago in one of the Developer Panel presentations at the Best Practices Conference about whether access to individual pages could be restricted on a SharePoint anonymous access site. One of my friends who was on the panel replied that he didn’t think it was possible. Since I had previously researched that question for a client, I pointed out that it was indeed possible, but that it was not an intuitive process. My friend then jokingly asked whether I had blogged on how to do it, and when I responded "No" he pointed out that I shouldn’t be discussing things in public that I hadn’t blogged on. It was a joke, but he was right. I left the conference fully intending to blog about the process the next week, but never got around to it. It’s now the end of the year and things are slowing down a bit, so I plan to fix that issue by blogging on several topics that have fallen by the wayside in the last year. This is just the first.

In a normal anonymous access ASP.NET web site, access to specific pages can be restricted by modifying the NTFS security permissions on the specific file to exclude the IUSR_computername user from having read access to the file. But this model raises two issues when trying to do the same thing in a SharePoint anonymous access environment. First, SharePoint doesn’t make use of the IUSR_computername account specified in IIS for anonymous access, so changing the SharePoint permissions associated with this account will have no effect. Second, although security permissions can be configured at the Web site, List/Library, or item level in SharePoint, anonymous access can only be configured at the first two of those levels. Adding the IUSR_computername account as a SharePoint user and restricting item level permissions for that user has no effect on the permissions granted to an anonymous user. So on the surface there appears to be no way to configure anonymous access rights on a specific page or file to require that viewers of that page be authenticated.

But if you dig a little deeper into how anonymous access really works in SharePoint, you discover that there is a way to require authentication for specific pages and files. First, you need to understand that anonymous access users in SharePoint are actually provided the same permissions that a user with the Limited Access permission level is given. When you configure anonymous access at the Web site, List or Library level in SharePoint, you are telling SharePoint to allow all non-authenticated users access to objects at that level as though they had the Limited Access permission level. By default this permission level will be inherited by all objects below it in the hierarchy. It is this Limited Access permission level that gives anonymous users access to list items and documents. But that only works if security inheritance isn’t broken. If you edit the specific permissions on a list item or document, that item will only have the permissions you assign to it. Since you can’t manually assign Limited Access, and anonymous access is not configurable at the item or document level, this security setting will prevent anonymous users from accessing the list item or document. When an anonymous user tries to access a document or list item that has specific security settings, they will be prompted to log in.
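The inheritance behavior described above can be audited and applied from PowerShell through the SharePoint server object model. This is an added example, not code from the original post; the function names and the URLs in the usage comments are hypothetical, and it assumes PowerShell 2.0 or later running on a SharePoint server under an account with rights to manage permissions.

```powershell
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Audit: for every item in the visible lists of a web, report whether it still
# inherits permissions (so the list/web anonymous setting applies to it) or has
# unique permissions (so anonymous visitors are sent to the login prompt).
function Get-AnonymousItemExposure {
    param([string]$WebUrl)
    $site = New-Object Microsoft.SharePoint.SPSite($WebUrl)
    try {
        $web = $site.OpenWeb()
        try {
            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }
                foreach ($item in $list.Items) {
                    New-Object PSObject -Property @{
                        WebAnonymousState = $web.AnonymousState
                        List              = $list.Title
                        ListAnonymousMask = $list.AnonymousPermMask64
                        ItemUrl           = $item.Url
                        UniquePermissions = $item.HasUniqueRoleAssignments
                    }
                }
            }
        } finally { $web.Dispose() }
    } finally { $site.Dispose() }
}

# Apply: break permission inheritance on one page or document so that only
# explicitly assigned users can open it. Passing $true copies the current role
# assignments, so authenticated users keep the access they already had.
function Set-ItemAuthenticationRequired {
    param([string]$WebUrl, [string]$ItemUrl)
    $site = New-Object Microsoft.SharePoint.SPSite($WebUrl)
    try {
        $web = $site.OpenWeb()
        try {
            $item = $web.GetListItem($ItemUrl)
            if (-not $item.HasUniqueRoleAssignments) {
                $item.BreakRoleInheritance($true)
            }
            $item.HasUniqueRoleAssignments   # $true once the item is protected
        } finally { $web.Dispose() }
    } finally { $site.Dispose() }
}

# Usage (placeholder URLs):
# Get-AnonymousItemExposure "http://sharepoint.example.test/sites/public" | Format-Table -AutoSize
# Set-ItemAuthenticationRequired "http://sharepoint.example.test/sites/public" "/sites/public/Pages/Members.aspx"
```

Rerunning the audit after a change confirms that the item now reports unique permissions while its siblings still inherit the anonymous setting.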

Speaking at the New Zealand Community SharePoint Conference 2009

 
I’ll be traveling halfway around the world next week to speak at the New Zealand Community SharePoint Conference in Wellington, New Zealand.  I’m really looking forward to the trip, even if it is the middle of winter in New Zealand right now.  My wife and I plan to stay in New Zealand for a week after the conference ends to do some sightseeing.  I just got a new Digital SLR camera that I’m hoping to try out so you may even see some pictures if you stay tuned.
 
Abstracts for my talks are listed below.  If you happen to be anywhere near Wellington next week stop in and join us.  There’s going to be a lot of good content. I hope to see you there and hope you’ll find my talks useful.  You can register using the following link:
 
 
Anonymous Access: Everything you always wanted to know, but didn’t know to ask
Enabling Anonymous Access in SharePoint isn’t just a matter of flipping a switch in IIS manager. Anonymous Access must be enabled in IIS and then configured in SharePoint. But there are also situations where this basic configuration isn’t sufficient. In this talk we’ll review how to enable and configure anonymous access for SharePoint web sites, lists, and libraries. Then we’ll turn our attention to strategies that can be used to overcome specific problems with SharePoint anonymous access. We’ll demonstrate solutions and workarounds for questions like:
  1. How do you require authentication for some items while maintaining anonymous access for the rest?
  2. What content from a personal MySite can be accessed via anonymous access?
  3. How do you enable anonymous responses to a discussion list?
  4. Can BLOGS and Wiki sites be used in an anonymous access site collection?
 
Migrating ASP.NET Apps: Four ways to convert them to SharePoint
The establishment of a new SharePoint Portal frequently involves the temporary or permanent migration of an existing ASP.NET application to the new SharePoint environment.  There are at least four different ways that this can be accomplished.  Choosing the correct method is a matter of balancing the amount of effort involved against the resulting functionality and performance.  In this talk we’ll demonstrate the following four approaches and discuss the strengths and weaknesses of each approach.
  1. Using a Page Viewer web part to display the existing website from inside SharePoint.
  2. Configuring the ASP.NET website to run from a Virtual Directory inside the SharePoint Web Application 
  3. Converting the existing ASP.NET web pages and code beside files to run inside a SharePoint web site. 
  4. Refactoring the ASP.NET web site as a set of Web Parts in the SharePoint site.

SSWUG Spring vConference

 
I spent last Friday in Tucson, AZ recording three sessions for the upcoming online SharePoint conference being hosted by the SSWUG.  In these times of tight budgets and restricted travel this is just the conference you need to learn more about SharePoint.  Even better I can provide you with the following VIP code, SPVPSTSP09, which will get you a $10 discount when you register for the conference.  Even better the VIP code can be used in combination with other codes like early bird or alumni.
 
Abstracts for my talks are listed below.  I hope you’ll attend the conference and will find my talks useful.  You can register using the following link:
 
 
 
Configuring SharePoint Anonymous Access: Tips and Tricks
Enabling Anonymous Access in SharePoint isn’t just a matter of flipping a switch in IIS manager.  Anonymous Access must be enabled in IIS and then configured in SharePoint.  But there are also situations where this basic configuration isn’t sufficient.  In this talk we’ll review how to enable and configure anonymous access for SharePoint web sites, lists, and libraries.  Then we’ll enumerate some "Tips and Tricks" for overcoming specific issues with SharePoint anonymous access.  We’ll demonstrate solutions and workarounds for questions like:
1) How do you require authentication for certain files and list items while maintaining anonymous access for the rest of a list?
2) How do you enable anonymous responses to a discussion list?
3) Can BLOGS and Wiki sites be used in an anonymous access site collection?

Migrating ASP.NET Applications: Four ways to convert them to SharePoint
The establishment of a new SharePoint Portal frequently involves the temporary or permanent migration of an existing ASP.NET application to the new SharePoint environment.  There are at least four different ways that this can be accomplished.  Choosing the correct method is a matter of balancing the amount of effort involved against the resulting functionality and performance.  In this talk we’ll review the following four approaches and discuss the strengths and weaknesses of each approach.
1) Using a Page Viewer web part to display the existing website from inside SharePoint.
2) Configuring the ASP.NET website to run from a Virtual Directory inside the SharePoint Web Application
3) Converting the existing ASP.NET web pages and code beside files to run inside a SharePoint web site.
4) Refactoring the ASP.NET web site as a set of Web Parts in the SharePoint site.
 
Microsoft Single Sign-On Service: Configuring SSO for SharePoint Designer Data Sources
DataFormWebParts are a very flexible and powerful way to display and format data, including data from external databases like SQL Server. One of the biggest issues involved in creating and using SQL data sources in SharePoint Designer is the lack of support for Windows Authentication to the database. The best solution to this is configuring and using the Microsoft Single Sign-On Service to authenticate in the data source. In this talk we’ll demonstrate how to configure and use the Microsoft SSO service when creating a SQL data source in SharePoint Designer.
 
UPDATED 4/1/2009
You can see a brief excerpt of my SSO talk for the upcoming conference at http://www.vconferenceonline.com/speaker.asp?id=Pstork .  Watching the video will help you decide whether attending a virtual conference is worthwhile or not.

SharePoint Best Practices Conference


I just got back from the second SharePoint Best Practices Conference, and if anything this was even better than the first.  Of course the weather was wonderful.  I left Cleveland on Sunday with it snowing and arrived in San Diego to sunny temperatures in the 70s.  The hotel staff were terrific, the other speakers were knowledgeable, and there were lots of attendees looking for answers.  I did two presentations and promised that I would post my slides as soon as I got home.  They’ll also be coming out on a Post Conference DVD, but that may take 6 weeks or so.  So PDFs of the slides from my talks are posted below for download.

PDF  Anonymous Access Best Practices

PDF  Publishing (Web Content Management) Best Practices

We’re already talking about the third SharePoint Best Practices Conference so if you missed this one keep an eye out for the next one.  Most conferences focus on the “HOW“ to do SharePoint.  This conference focuses on the “WHY“.  You don’t want to miss the next one.