The Truth Behind Anonymous Access in SharePoint 2007

     Setting up anonymous access in SharePoint 2007 is a tedious process at best.  You have to first configure the Internet Information Server (IIS) to allow anonymous access on the base web server.  Then you have to configure SharePoint for anonymous access.  MOSS 2007 has fine-grained permissions for everything from pages to list and document libraries… in theory.  Problem is, it doesn’t really work.  Let’s say you have a typical installation and it is set up for anonymous access.  You create a Photo Gallery library and add some photos.  You then create a page and the ”This Week in Pictures” web part so you can display a link to the photo gallery that allows people to view a slideshow.  You go into the gallery’s permissions and set the anonymous access permissions to “view”.  Done!

     Not.

     If you log out and try to view the slideshow anonymously, you will be asked to authenticate.  Now, this completely doesn’t make sense.  You go back and double and triple check your permissions.  It all seems correct.  What gives?

     What gives is Microsoft doesn’t think you really want the list to be anonymously accessible… they think you only want items in the list to be anonymously accessible.  Confused?  I was.  See, if you log in and navigate directly to a list item… copy the URL… log out… then try to view the item in the list… you can.  No problem.  But, if you try to view the list itself - forget about it.  Authenticate or perish.

     You CAN fix it… well, fixing it implies a bug, but it is a FEATURE, right?  (Warning, the following requires access the SharePoint server and a command prompt.)

     See, there is this “feature” called “ViewFormPagesLockDown” that cripples anonymous access in SharePoint.  If you want anonymous users to be able to access list items as well as the whole list, you have to deactivate the feature via the command prompt on the server.  That’s not really the difficult part.  And, here is the link that gives better instructions that I’m willing to spend the time to try and re-write here.  If you are familiar with the command prompt, you can turn this “feature” off in less than 5 minutes.

     Easy-peasy… uh, not so fast.  The rub (there’s always a rub) is that you now have to go into your site and turn off - and then back on again - anonymous access for every site in your collection.  From the top down.  Unless all of your subsites are inheriting permissions from the parent.  Some of mine were, but that didn’t seem to do the trick all the way down the hierarchy… so, I did unique permissions for each subsite just to be sure.  Hours it took me.  Hours.

     Hours that I could’ve spent doing something else.  Anything.

     So, that’s it, right?  Well… no.  Let’s say you want to be able to give anonymous users the ability to post data to a InfoPath form library?  You navigate to the permissions for the library, select the settings for anonymous access and - POOF! - everything other than “view” is ghosted out.  Again, you go back and double and triple check all your anonymous settings again, then lean back and start scratching your head.

     Didn’t we just fix that?  Microsoft strikes again with their second-guessing your ability to decide for yourself what you want anonymous users to access.  If you look at the URL of anonymous access permissions for the list, you’ll see something like this:

http://yoursite.com/_layouts/setanon.aspx?obj=%7BCADC86EA%2DA800%2D49D9%2DB4FC%2DDEEC93679CEB%7D%2CDOCLIB

     If you change the last little part of that URL to “LIST” instead of “DOCLIB”, you’ll magically be able to access those ghosted permission levels.  Why did Microsoft block access to those permission levels in such an obscure way?  I haven’t the faintest idea.

     Now, my last issue is that I want to be able to allow the People Search function in SharePoint to be available to anonymous users.  That opens up lots of possibilites… like dynamic staff directories so parents (this is a school district) can easily access the contact information of all the teachers and administrators.  Can it be done?  From what I’ve read so far, no.  But, with this system’s labyrinth of configuration menus, and weird command-line hacks to do things that it should do out of the box, I can’t definitively say it won’t work right now. Anonymous access in SharePoint 2007 is not intuitive at all.

     I’ll let you know when I know - or you can follow along.  Until then, you will be assimilated.