
SharePoint: Anonymous users are prompted for credentials on an anonymous site



Summary

Consider the following scenario:

You have configured http://mySharePointSite for anonymous access at the site level (lists and libraries), and you want to prevent a specific group from accessing the SharePoint site, so you add the group at the web application level and assign the “Deny All” permission.

Steps to reproduce:

1. Configure a web application.
2. Activate NTLM + Anonymous on the default zone.
3. Create a new site collection.
4. Access the site collection.
5. Access "Site Settings/Site permissions" and activate anonymous access for the entire web site.
6. Access the "Shared Documents" list and break the permission inheritance.
7. Access the "Shared Documents" list, access the library permissions settings, click on Anonymous access and enable "View Items".
8. Access the Central Administration web site.
9. Access the web application and add a user policy to this web application (on all zones or default zone). Configure a "Deny All" access for an Active Directory group.
10. Check the "Anonymous access" setting on the "Shared Documents" list.

Result:
The "View Items" permission is disabled, and anonymous users will be prompted for credentials when attempting to browse the "Shared Documents" list.



More Information

This combination will never work. For SharePoint to deny access to a certain user or group, the user must be authenticated. Because anonymous users are not authenticated, SharePoint attempts to authenticate them to determine whether they are part of the group that was denied access.

Possible workarounds:

1. Assign the “Deny Write” web application policy to the group instead of “Deny All”.

2. Extend your web application to a second zone. Use one zone as the authenticated zone and assign the “Deny All” web application policy to that zone only. Use the second zone as the anonymous zone and configure anonymous access for that zone.
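
To find where this conflict already exists before applying either workaround, the following read-only audit lists every zone that has anonymous access enabled and is also covered by a "Deny All" user policy. It is an added example, not part of the original KB article or Microsoft's code; it assumes an on-premises farm and the SharePoint Management Shell, and `Find-DenyAllAnonymousConflict` is a hypothetical helper name.

```powershell
# Added example: read-only audit, run on a farm server in the SharePoint Management Shell.
# Find-DenyAllAnonymousConflict is a hypothetical helper name, not a SharePoint cmdlet.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Find-DenyAllAnonymousConflict {
    $denyAll = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyAll

    foreach ($wa in Get-SPWebApplication) {
        # IisSettings has one entry per zone the web application is extended to.
        foreach ($zone in $wa.IisSettings.Keys) {
            # Only zones that allow anonymous requests can show the credential prompt.
            if (-not $wa.IisSettings[$zone].AllowAnonymous) { continue }

            # Policies holds "(All zones)" entries; ZonePolicies($zone) holds
            # entries that apply to this zone only. Both affect the zone.
            $scopes = @{
                'All zones' = $wa.Policies
                "$zone"     = $wa.ZonePolicies($zone)
            }

            foreach ($scope in $scopes.GetEnumerator()) {
                foreach ($policy in $scope.Value) {
                    $deny = $policy.PolicyRoleBindings |
                        Where-Object { $_.Type -eq $denyAll }
                    if (-not $deny) { continue }

                    # One row per Deny All policy that collides with anonymous access.
                    New-Object PSObject -Property @{
                        WebApplication = $wa.DisplayName
                        Zone           = $zone
                        ZoneUrl        = $wa.GetResponseUri($zone).AbsoluteUri
                        PolicyScope    = $scope.Key
                        DeniedAccount  = $policy.UserName
                    }
                }
            }
        }
    }
}

Find-DenyAllAnonymousConflict |
    Format-Table WebApplication, Zone, ZoneUrl, PolicyScope, DeniedAccount -AutoSize
```

A row with `PolicyScope` of `All zones` means the policy must be re-created on the authenticated zone only for workaround 2 to take effect; the script changes nothing in the farm.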




Article Info
Article ID : 2685979
Revision : 1
Created on : 1/7/2017
Published on : 3/14/2012
Exists online : False
Views : 287