Enable anonymous access to SharePoint 2013 – Part 1- Configure Web Application and SiteCollection
This blog post describes how you can enable anonymous access to your SharePoint environment, anonymous access is often used when creating public facing websites.
Update 04/11/2014 Added FAQ item open office documents for anonymous users.
Part 1: Configure Web Application and Site Collection – This Article
Part 2: Configure for CSOM and REST Api
Preparing the Web Application
On Web Application level your IIS sites needs to know that it needs to accept anonymous requests, enabling anonymous access in SharePoint will enable the Anonymous Authentication provider for the Web Application across the Farm.
Configure anonymous access
Central Admin
- Login to Central Administration
- Open Manage Web applications
- Select the Web Application where you want to enable Anonymous Access for
- Click on Authentication Providers in the ribbon and select the Zone
- Select Enable Anonymous Access, then click Save to update all IIS instances in the Farm
PowerShell
#Enable anonymous access on webapplication Write-Host -ForegroundColor White " - Set Anonymous access to webapplication" $WebApp = Get-SPWebApplication -Identity http://root.contoso.com #In this sample anonymous access is set to the default zone $Zone=[Microsoft.SharePoint.Administration.SPUrlZone]::Default $i = $WebApp.IisSettings[$Zone] if($i.AllowAnonymous -ne $true){ $i.AllowAnonymous = $true $WebApp.Update() $WebApp.ProvisionGlobally() }else{ Write-Host -ForegroundColor White " - Anonymous access already set" }
Client callable settings
By default not all operation are allowed for anonymous users, some operations are blocked
With PowerShell you can get a list of restricted types with the following PowerShell code:
$wa = Get-SPWebApplication -Identity “http://root.contoso.com” $wa.ClientCallableSettings.AnonymousRestrictedTypes
Most interesting restricted type is the method GetItems on SPList, this means that it is not possible to retrieve List items with the client object model.
Enable restricted types
With PowerShell it is possible to remove the restrictions of the types that you want to allow anonymous users to use.
Write-Host “Remove Anonymous restricted type GetItems." $webApp = Get-SPWebApplication -Identity $webApplication $webApp.ClientCallableSettings.AnonymousRestrictedTypes.Remove( [Microsoft.SharePoint.SPList],“GetItems”) $webApp.Update()
Configure site collection for anonymous access
After anonymous access is enabled on the Web Application the site collection needs to be configured for anonymous access, anonymous access can be set through the user interface or by PowerShell.
Site Settings
-
Open Site Settings on the root web of the site collection
-
Open Site Permissions
-
Select Anonymous Access in the ribbon
-
Select Entire Website and click **Ok
**
PowerShell
The same settings can be set with the following PowerShell Script
$siteCollectionUrl = “http://anonymous.contoso.com” $web = Get-SPWeb $siteCollectionUrl $web.AnonymousState = [Microsoft.SharePoint.SPWeb+WebAnonymousState]::Enabled $web.AnonymousPermMask64 = “Open, ViewPages, ViewListItems” $web.Update()
Be aware that anonymous settings has to be set on all sites and lists where you need anonymous users to have access, pay attention to broken security inheritance!
It is now possible to access the site collection anonymous, the following blog post will focus on accessing the site collection anonymous with the Javascript Object Model (JSOM) and REST Api Index.
FAQ
Q: How to open Office documents for anonymous users without getting an 401 Unauthorized exception
A: Add the “OpenItems” permission to the default AnonymousPermMask64, there is a blog post from Anthony with a PowerShell script to update the permission mask.