Sunday, March 29, 2015

Anonymous access of SharePoint content in authenticated SharePoint context

Intranets, or better, Digital Workplaces, provide employees with access to business information and functionality. Typically the access is authorized, role-based and sometimes at the individual level. In both cases the intranet users must first be authenticated, so that the authorization can then be checked for the authenticated visitor. This is why intranets are typically authenticated, while external-facing sites have anonymous access enabled.
Web applications use resources of diverse types for branding the site: CSS, images, and JavaScript code. Authorization on these items is usually unnecessary, as they are “code” and not (role-)sensitive information. SharePoint-based portals often store these static resources as ‘content’ in a SharePoint style library. In an Office 365 context this is the only possible approach to provisioning branding resources, since deployment to the layouts folder requires access to the SharePoint farm.
SharePoint authentication handling adds some overhead to the basic execution of the HTTP request. For instance, in the case of NTLM authentication, each HTTP connection between client and SharePoint must negotiate the authentication state via the NTLM handshake, adding 2 requests (type 1 and type 2) before SharePoint responds to the actual client request. Although this overhead is small in absolute terms for an individual request, the impact can become noticeable when the number of HTTP requests increases.
So I considered it a good idea to enable anonymous access on the style library, and as such avoid this authentication overhead for the static resources retrieved from the SharePoint content database. The result is that direct retrieval of any resource stored in the style library does not involve authentication processing. However, to my initial surprise, the authentication is still applied when the resource is retrieved in the context of an authenticated SharePoint page. I compared the HTTP requests sent in the 2 different situations, and noticed that in the situation requested from authenticated SharePoint context the HTTP request includes the NTLM authentication header. And in that case, even though the style library by itself does allow anonymous access, as the HTTP request includes NTLM authentication information, IIS “honors” this and still sets up the NTLM authentication handshake with the browser.
Conclusion: anonymous access to SharePoint data is not possible whenever that data is retrieved in the context of an authenticated SharePoint page on the same web server domain. Successful anonymous access requires breaking out of the authenticated SharePoint context, e.g. by storing the static resources in another web application and having the authenticated SharePoint page refer to the resources on that other web application, and thus on another domain for which the authentication cookie from the authenticated SharePoint page does not apply.
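
The request comparison described above can be repeated on any HTTP capture. The following is an added example, not code from the original post: it decodes the NTLM message type from the `Authorization` and `WWW-Authenticate` header values and counts, for style library requests, how many were served anonymously, how many were handshake round trips, and how many were served after authentication. The capture records, paths and token contents are constructed assumptions.

```python
import base64
import struct
from collections import Counter

def ntlm_message_type(header_value):
    """Return the NTLM message type (1, 2 or 3) in an Authorization or
    WWW-Authenticate header value, or None if no NTLM message is present."""
    scheme, _, token = (header_value or "").partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:          # not valid base64
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack_from("<I", raw, 8)[0]   # little-endian message type

def classify(exchange):
    req = ntlm_message_type(exchange.get("authorization"))
    resp = ntlm_message_type(exchange.get("www_authenticate"))
    if exchange["status"] == 401 and resp == 2:
        return "handshake"       # challenge returned, no content served yet
    if req == 3:
        return "authenticated"   # request carried the final NTLM message
    if exchange.get("authorization") is None and exchange["status"] == 200:
        return "anonymous"       # served without any credentials
    return "other"

def summarize(exchanges, path_prefix):
    """Count exchange kinds for requests whose path starts with path_prefix."""
    return dict(Counter(classify(e) for e in exchanges
                        if e["path"].startswith(path_prefix)))

def _token(msg_type):
    # Constructed NTLM header value: signature + type + zero padding only.
    body = b"NTLMSSP\x00" + struct.pack("<I", msg_type) + b"\x00" * 20
    return "NTLM " + base64.b64encode(body).decode("ascii")

# Constructed capture (paths and values are assumptions, not from the post).
SAMPLE = [
    {"path": "/Style%20Library/site.css", "status": 200},   # direct retrieval
    {"path": "/Pages/home.aspx", "status": 200, "authorization": _token(3)},
    {"path": "/Style%20Library/site.css", "status": 401,
     "authorization": _token(1), "www_authenticate": _token(2)},
    {"path": "/Style%20Library/site.css", "status": 200,
     "authorization": _token(3)},
]

if __name__ == "__main__":
    print(summarize(SAMPLE, "/Style%20Library/"))
```

After moving the static resources to a separate web application, the same summary over a fresh capture should show only `anonymous` entries for those resources.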
