MOSS 2007 interesting authentication behavior

  • Article

I have an interesting problem to share with you; I came across a site collection where any authenticated users can log in with their account without giving them explicit permissions in any groups. It is interesting since usually this is the other way around - users gets denied. These users had no write permissions but could see all document libraries and lists. You might think that it’s easy, authenticated users were added with Full read in web application policies, but it wasn’t. The solution is more elegant in fact, anonymous access was enabled on the site collection and then it was turned off in the web application authentication provider page. This resulted in an interesting situation, the web still had it’s anonymous access enabled, however since it is unchecked on the authentication providers, you cannot see the setting in advanced permissions in the site settings page.

Enable anonymous access is disabled

Anonymous setting is missing

After the anonymous access is enabled in the authentication providers page an application pool recycle happens and after refresh in IE the setting appears in advanced permissions / settings.

anonyous setting can be seen

Now it is possible to turn off anonymous access to fix the behavior.

anonymous settings page1

Setting it to nothing and turning off the checkbox the anonymous access solved the problem.

If you cannot allow an application pool recycle or enabling anonymous access, you can access the page directly and set anonymous access option to nothing on the web.

Open https://server/sites/testsite/_layouts/setanon.aspx and you will see this, showing the previous setting disabled.

anonysettingspage

If you need to check this from powershell, you can use this script sample to check the setting and the details of the assigned permission.

[Reflection.Assembly]::Load("Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c")
$site = new-object Microsoft.SharePoint.SPSite("https://bobmoss32:8000")
$web = $site.OpenWeb()
$web.AllowAnonymousAccess
True
$web.AnonymousPermMask64
ViewListItems, ViewVersions, ViewFormPages, Open, ViewPages

The AllowAnonymousAccess property is read-only, however you can use the AnonymousPermMask64 to turn anonymous access off if you have permissions and on Windows 2008 you have started the powershell with “run as administrator”

$web.AnonymousPermMask64 = [Microsoft.SharePoint.SPBasePermissions]::EmptyMask
$web.Update();

To set “Lists and Libraries” use

$web.AnonymousPermMask64 = [Microsoft.SharePoint.SPBasePermissions]::Open
$web.Update();

To set to Entire Web site

$web.AnonymousPermMask64 = [Microsoft.SharePoint.SPBasePermissions]::ViewListItems -bor[Microsoft.SharePoint.SPBasePermissions]::ViewVersions -bor[Microsoft.SharePoint.SPBasePermissions]::ViewFormPages -bor[Microsoft.SharePoint.SPBasePermissions]::Open -bor[Microsoft.SharePoint.SPBasePermissions]::ViewPages
$web.Update();