Sharepoint anonymous access to layouts folder in anonymous web application

2
votes

I have a Sharepoint Foundation server 2013 with a Web Application deployed, a root Site Collection and another Site Collection in this Web Application. The Web Application is configured for Anonymous Access, the second Site Collection requires Sharepoint authentication (MS TMG).

I have Application Pages that are deployed to the server (scope = web), these Application Pages are used within the second Site Collection by users and so require authentication, which works as desired. Those Application Pages must also be accessible anonymously, they are of course in the _layouts folder and so are included in the root Site Collections _layout path, this part does not work.

I can access anonymously the root server address https://myserver.mycompany.co.uk/ (maps to https://myserver.mycompany.co.uk/_layouts/15/start.aspx#/SitePages/Home.aspx which is turn maps to https://myserver.mycompany.co.uk/SitePages/Home.aspx). I cannot however get anonymous access to https://myserver.mycompany.co.uk/_layouts/15/mysite.ApplicationPages/MyPage.aspx?QueryString=etc It requires authentication and of course works when I provide authentication.

Suggestions? More info required?

3
sharepointpermissionssharepoint-2013

3 Answers

3
votes
// This
public partial class DoWithComment : UnsecuredLayoutsPageBase
{
    // And this was required as well
    protected override bool AllowAnonymousAccess
    {
        get
        {
            return true;
        }
    }
}
1
votes

If your app pages need to be accessible via anonymous access, your pages should inherit from Microsoft.SharePoint.WebControls.UnsecuredLayoutsPageBase instead of LayoutsPageBase

See: http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.webcontrols.unsecuredlayoutspagebase.aspx

-1
votes

Apart from Colin's answer there is indeed a case when the above does not work (SharePoint 2013 with SP 1).

  • SharePoint is accessed via Windows Authentication.
  • User utilizes Chrome (my version is 35) to access page.
  • User has been logged off from different browser or user's domain login is locked.
  • User tries to access the anonymous page.
  • User gets the login popup from Chrome.

My only workaround was to create a HTTP module to remove all the cookies including WSS_KeepSessionAuthenticated cookie on BeginRequest. Most probably removing the WSS_KeepSessionAuthenticated is only required but I'm pasting original code which removed every cookie as the issue is quite hard to reporduce.

public class SPNoAuthModule : IHttpModule
{
    public void Dispose(){ }

    public void Init(HttpApplication context)
    {
        context.BeginRequest+=context_BeginRequest;
    }

    private void context_BeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var context = app.Context;
        if (context.Request.FilePath.ToUpper().EndsWith("YOURPAGEADDRESS"))
        {
            var cookieNames = context.Request.Cookies.AllKeys;
            foreach (var cookieName in cookieNames)
            {
                context.Request.Cookies.Remove(cookieName);
            }
        }
    }
}

And of course register it in proper Web.config in c:\inetpub\wwwroot\wss\VirtualDirectories\YOURAPPNAME:

<modules>
    <add name="YOURMODULENAME" type="YOURNAMESPACE.SPNoAuthModule, YOURASSSEMBLYNAME, Version=YOURVERSION, Culture=YOURCULTURE, PublicKeyToken=YOURKEYTOKEN" />
</modules>