Mixed Anonymous and Secure Content with SharePoint 2010

In this tutorial i’m going to step you through how to set up a SharePoint 2010 publishing portal with both anonymous and secure content.

1. Create a new Web Application in Central Admin. Make sure that you select ‘Yes’ for Allow Anonymous.  All other values can remain at the defaults. For this example I’m going to use FBA Claims based authentication.

2. Using central admin, create a site collection on the web application you just created.  In this example I’m creating a publishing site.

3. Visit the site you just created. You will be asked to authenticate.  This is because even though ‘Allow Anonymous’ was turned on at the web application level, it still has to be specified at the site level. You will be shown the default home page.

4. First we’ll create a new Home page that will be the page anonymous users will see when they first access the site.  From Site Actions, choose New Page and call it “Home”. When the new page appears, just type in a quick welcome message and save it.

5. With a publishing site the content will need to be both published and approved before it will be visible by anonymous users. To publish the page, click ‘Submit’ on the ‘Publish’ tab and follow the wizard.  Once the submission is complete, approve the page by clicking ‘Approve’ on the ‘Publish’ tab and follow the wizard.  Note that to approve the page, you will first have to add your user to the ‘Approvers’ group under ‘People and Groups’ in ‘Site Settings’. The page is now published, and will be visible to anonymous users once we enable anonymous access.

Note that any resources that have been added to the page, such as images from the Images library, will also have to be published and approved before they can be viewed by anonymous users.

6. Under ‘Site Settings’, ‘Welcome Page’ set the welcome page to be the new ‘Home’ page we just created.

Now when we got to our site root page, we’ll be redirected to the ‘Home’ page we just published. If you sign out and visit Pages/Home.aspx, you’ll notice that you’ll be prompted to enter your credentials, so we still need to enable anonymous access to the page.

7. Sign back in to the site.  Go to ‘Site Settings’, ‘Site Permissions’. Click on ‘Anonymous Access’. From the ‘Anonymous users can access: ‘ dialog, choose ‘Lists and Libraries’ and click OK. Alternatively you can click ‘Entire Web Site’, which will make everything available anonymously, however I prefer to define exactly which resources have anonymous access.  By choosing ‘Lists and Libraries’ your entire web site is still secured.  You have to directly configure each List/Document Library to enable anonymous access. If you sign out and visit Pages/Home.aspx, you will notice that you will still be prompted to authenticate to view the page.

8. Now anonymous access needs to be enabled on the ‘Pages’ library. Go to ‘View all site content’, ‘Pages’. Click ‘Library Permissions’ on the ‘Library’ tab. Click ‘Stop Inheriting Permissions’. Click ‘Anonymous Access’. Select ‘View Items’ in the ‘Anonymous Access’ dialog and click OK. Now all of the content in the ‘Pages’ library will be accessible anonymously.  Note that you can ‘Manage Permissions’ and ‘Stop Inheriting Permissions’ for individual items (including folders) in the library, if you want to prevent them from having anonymous access. Unfortunately you cannot enable anonymous access on individual items, only the whole library.

Now if you sign out of the site and visit Pages/Home.aspx, you’ll be able to view it and won’t be prompted to authenticate.

9. There’s another problem you might notice.  Home.aspx is our default page, and allows anonymous access, however if we visit the site root we’re still prompted to authenticate.  This is because we chose the more secure option of allowing anonymous access on ‘Lists and Libraries’ instead of the ‘Entire Web Site’. PowerShell needs to be used to allow anonymous access to the site while keeping the ‘Lists and Libraries’ settings. Run the following PowerShell commands (based on instructions from http://stackoverflow.com/questions/1338809/anonymous-access-to-a-sharepoint-site-root) – substitute your own SPWeb address:

$web = Get-SPWeb http://demo2010a:42076
$web.AnonymousState = [Microsoft.SharePoint.SPWeb+WebAnonymousState]::Enabled
$web.AnonymousPermMask64 = "Open, ViewPages"

Note that if you look at ‘Anonymous Access’ under ‘Site Permissions’, it will say ‘Entire Web Site’ – however you will still need to explicitly specify which lists and libraries have anonymous access, just as if it was set to ‘Lists and Libraries’.

Now if you sign out and visit the root of the site, you should be redirected to Pages/Home.aspx and not asked to authenticate. We finally have controlled anonymous access!

10. The other part of this tutorial is to show you how to have secure content mixed in with your anonymous content.  Now that you can control which content is available anonymously, adding secure content is very straightforward.  I had mentioned earlier that you can secure content within a library with anonymous access by clicking ‘Stop Inheriting Permissions’.  The problem with this is that by default a document will have anonymous access, and you will have to specify exactly which documents are secure.  For that reason it’s better to keep secure pages in their own library with anonymous access turned off.  For this tutorial we’re going to create a child site called ‘User’.  It’s ‘Pages’ library will not allow anonymous access, so all of it’s content will be secured.

Select ‘Site Actions’,’New Site’ and create a new ‘Publishing Site with Workflow’ called ‘User’. Click Create.

11. Edit the default page and add some custom content. Save, Publish and Approve the page.

As the new site’s Pages library is secured by default, nothing additional has to be done to secure it.  Notice that if you sign out and visit the site root, you can still access Pages/Home.aspx (although you won’t see a link to the User site). If you attempt to access ‘User/Pages/default.aspx’, you will be asked to authenticate.

Congratulations! You now have a SharePoint 2010 site with both mixed and secure content.

If you’d like to learn how to access your mixed content over both http and https see: Mixed Http and Https Content with SharePoint 2010


8 responses to “Mixed Anonymous and Secure Content with SharePoint 2010”

  1. @SPJeff Avatar

    Great post, thanks Chris! One thing I did differently on a recent build. Instead of running the above PowerShell, I simply enabled IIS URL ReWrite . This way the root redirect to “/SitePages/Home.aspx” happens before SharePoint even sees the request. It helped me keep secure content on the root (without a second child site).


  2. Eric Schrader Avatar

    Any info on why step #8 needs to be done if its inheriting from the parent, which allows “view items” for anonymous users? This is a bug that drove me nuts. The permissions change for this also does not replicate with the SharePoint content deployment path/job and needs to be done on each environment.

    1. Chris Coulson Avatar

      As far as I know, a list can’t inherit the anonymous access settings, at least not through the UI, as they’re not defined at the site level. Perhaps there’s a way through PowerShell, but if there is i’m not familiar with it. The way anonymous access was is set in the permissions does seem pretty wonky – it’s as if it was just bolted on as an afterthought.

  3. Robert Avatar

    Great Post!

  4. Harshad Avatar

    Really great post.

    I have one SharePoint site which is enabled for anonymous access.

    I have few document libraries and every document library has default.aspx page. If I provide full path in browser, SharePoint doesn’t ask for credentials and it opens anonymously. But if I provide path upto document library, SharePoint ask for credential and then redirect to appropriate default.aspx within document library.

    I want to avoid this credential asking pop-up and browser should open appropriate default.aspx page of that document library.

    1. Chris Coulson Avatar

      Unfortunately iis default pages won’t work with SharePoint, as they don’t actually exist in the iis folder. SharePoint handles which document to return from the database based on the url – which might be triggering the authentication prompt.

      You might want to try this, which looks like it allows you to specify the default welcome page to specific folders:

      The other alternative that should work is to use the iis 7 url rewrite module to setup redirects to the default page based on the url of the folder. There’s a bit of information on doing this in my blog post:


      The other option (if it’s an option) is to choose ‘Entire Web Site’ for the anonymous access level – I expect that will fix it as well.

  5. Mauro Avatar

    Very Good! The information about this final configuration using Power Shell was great!

  6. Sunit Avatar

    Excellent article! Thanx a lot for sharing this information.

Leave a Reply

Your email address will not be published. Required fields are marked *