Introduction
I am starting a series of posts on using SharePoint Foundation 2010 to build Internet-facing web sites. In this one we only perform configuration and creation operations, in order to obtain a SharePoint Foundation site collection that can be used to publish content on the Internet and is therefore available to anonymous users.
Business benefits - The "why" part of the post
In SharePoint 2007, Internet-facing publishing was mostly based on the publishing part of SharePoint, its CMS.
However, with the new wiki pages of SharePoint 2010, the team sites that were part of the collaboration area of SharePoint 2007 are now a way to help people publish formal content. The team sites are now described in the SharePoint 2010 documentation as a solution to encourage one-to-many communication and also a solution to offer a structured exchange of information.
Therefore the team sites of SharePoint Foundation are now mature enough to be used as a base to build Internet-facing web sites, and they are a new and more cost-effective opportunity offered by SharePoint 2010 to publish content on the Internet. The free SharePoint Foundation team sites can now be seen as a serious competitor to the licensed SharePoint CMS!
For further information, see the Microsoft documentation:
Comparison of Enterprise Wikis with Team Sites
Plan Internet presence sites (SharePoint 2010 Foundation)
And this video by Ted Pattison:
Sites as Collections of Pages (See how Sites in SharePoint 2010 just become a collection of pages. Unlike before pages now play a key role in the structure of a site...)
I have just found elements of comparison when considering SharePoint Server 2010 Publishing Sites vs. SharePoint Foundation 2010 Sites:
SharePoint Server 2010 Publishing Sites vs. SharePoint Foundation 2010 Sites
After requirements gathering is complete, first decide whether to base the website on Microsoft SharePoint Foundation 2010, or on a server running Microsoft SharePoint Server 2010 with the Publishing Features enabled. Publishing sites are built on SharePoint Foundation, and there are many advantages to building engaging Internet-facing websites with publishing sites. Some of the benefits of creating a brand with SharePoint Server publishing sites and SharePoint Foundation sites include the following:
Enables content authors to create webpages with a more robust rich-text editing experience than SharePoint Foundation sites offer.
Includes master pages that target publishing sites and that use specific code assemblies that take advantage of publishing Features.
Easier control of web navigation from the web UI, and more options are available to the designer.
Uses the Web UI to easily change a master page and to apply master pages to all subsites below the current site.
Uses page layouts to create templates at the page level. Uses text layouts to accomplish a form of simple page layout. Text layouts are not configurable.
Use the $SPUrl token to target HTML assets with URLs that are relative to either the site collection ($SPUrl:~sitecollection/) or site root ($SPUrl:~site/)
source: Real World Branding with SharePoint 2010 Publishing Sites
Audience
I will avoid development operations in this first post so that it can be useful to system administrators. Of course it is also targeted at developers, so that they can configure their development machine, but they won't have to launch Visual Studio here.
1 - Extending an existing SharePoint Foundation Web Application
Assume you have created a SharePoint Foundation web application using NTLM authentication (the default mode).
Go to the SharePoint 2010 Central Administration of your SharePoint farm, click the "Manage web applications" link, then in the displayed list of available web applications select the one you want to open to anonymous users.
The buttons of the SharePoint 2010 ribbon are now usable, so click Extend.
The Extend pop-up appears.
Type the name of the new web application
Type 80 for the port
Define a host header
Select Allow Anonymous, because we are planning anonymous access
For the zone, choose Internet, because we plan to extend the existing web application for Internet access.
The dialog should then look like the following screen shots.
Then click the "OK" button to create the web application.
Nothing has changed in the web application list, but if you navigate to the Alternate Access Mappings page of Central Administration (in the System Settings section), click the "Edit Public Zone URLs" link and select the extended web application, you will notice that the zone was properly created.
You can also check in IIS7 that the IIS web site for the Internet zone is now available.
2 - Testing the anonymous access
As we previously defined a custom host header for our Internet site, we have to modify the hosts file of our development machine in order to be able to access the site as an anonymous user.
So open the hosts file of your machine, located in:
C:\Windows\System32\drivers\etc
and add the following entry:
127.0.0.1 www.mycompany.com
Now open a browser and browse to this URL. You access your SharePoint team site as an anonymous user and simulate Internet access.
If you cannot reach the site anonymously, browse to the http://www.mycompany.com/_layouts/setanon.aspx page. You will be prompted for authentication: authenticate in NTLM mode as the site collection administrator, switch anonymous access to Entire site, and click OK (in the screen shot, the URL is wrong, sorry).
If you select Lists and libraries, anonymous users will be able to view items only for those lists and libraries that have enabled permissions for anonymous users.
However interesting this option is, it forces administrators to break inheritance for each list to which they want to grant anonymous users access. You will also notice that for those lists, the SharePoint Forms pages are also accessible to anonymous users. For example, if you grant anonymous users access to the site pages library of a Foundation team site, anonymous users might be able to get to http://www.mycompany.com/SitePages/Forms/AllPages.aspx.
Typically you don't want this, so how do you prevent anonymous users from accessing these pages?
In SharePoint Server, where the publishing features are available, we would activate the lockdown feature that Microsoft provides specifically to avoid this problem.
By the way, isn't it surprising to think of activating within SharePoint Foundation the lockdown feature, which was formerly reserved for the SharePoint CMS? Yes and no. Team sites must now be seen as a collection of pages, and they have come much closer to the SharePoint CMS.
On this subject you should watch Ted Pattison's video (See how Sites in SharePoint 2010 just become a collection of pages. Unlike before pages now play a key role in the structure of a site.).
Updated October 26th, 2011
3 - An alternative to the lockdown Feature
Unfortunately, this feature is not available for SharePoint Foundation. So I made an adaptation for WSS 3.0 and SharePoint Foundation 2010 that you can download as a SharePoint solution (.wsp) on Codeplex:
Custom lockdown feature for wss 3.0 and SharePoint 2010 Foundation
If you want to use it, download the .wsp and deploy it. It will be globally deployed anyway, because the feature handler .dll is placed in the GAC.
You should not need to install the feature, because it is installed automatically at deployment time, but if the automatic installation fails, you can install it by executing this in a command prompt:
stsadm -o installfeature -name viewformpageslockdowncustom
Then activate the feature for your site collection with this other command:
stsadm -o activatefeature -name viewformpageslockdowncustom -url http://www.mycompany.com
But because we already have anonymous access enabled, we need to disable it, then enable it again. Go to the _layouts/setanon.aspx page, switch anonymous access off, click OK, then go back, set it to Entire site, and click OK.
Anonymous users should now get an authentication prompt when they try to navigate to a form page, for example http://www.mycompany.com/SitePages/Forms/AllPages.aspx.
4 - Setting a custom error page for error 401 (unauthorized) within SharePoint 2010
(The following section is specific to SharePoint 2010, since you will not find the following XML tags in the web.config of WSS 3.0.)
Now we are going to do an amazing thing. We are going to change the web.config file of the web application corresponding to the Internet access, so that anonymous users are no longer prompted for authentication when they try to access an unauthorized URL but are instead redirected to a custom 401 error page within the site.
First, go to your site with at least contributor permissions using NTLM access and create a custom 401 error page in the site pages library of your site. Assume we call it unauthorized, so that its URL will be http://www.mycompany.com/sitepages/unauthorized.aspx. Type an access denied message and save the page.
Then open the web.config file of the Internet zone web application, locate the handlers end tag within the system.webServer section, and paste the following httpErrors sequence after it.
</handlers>
<httpErrors errorMode="Custom" existingResponse="Auto">
  <remove statusCode="401" />
  <error statusCode="401" prefixLanguageFilePath="" path="/sitepages/unauthorized.aspx" responseMode="ExecuteURL" />
</httpErrors>
</system.webServer>
After restarting your application pool by reloading a page of your site with anonymous access, you will notice an amazing thing: each time an anonymous user tries to access an unauthorized resource, instead of being prompted for NTLM authentication, he is redirected to the custom 401 error page of your site, still has your site navigation links available, and can keep browsing.
And the most amazing part is that you get the same result when clicking the Sign in link.
So of course don't do this if you plan to use the Internet access for contributing to your site or for administering it...
And don't forget that this affects the whole web application, since we have modified the web.config, so it is not possible to obtain a different behaviour for another site collection within this web application.
The next screen shot shows my custom 401 unauthorized error page after clicking the Sign in link.
That is all we can do for now by just performing configuration operations.
Of course, don't forget to modify the navigation within the SharePoint 2010 UI to hide all the links that could lead to an access denied for anonymous users. In short, you should keep only the links pointing to a subsite, a Site Page or a specific document.
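One way to verify sections 2 to 4 from the outside, as an added example that is not part of the original post: it requests each URL without credentials and flags any restricted page that is served with status 200. /SitePages/Home.aspx is an assumed public page; the other two paths are the ones used above.

```python
import sys
import urllib.error
import urllib.request

# What a visitor without credentials should get for each path. Home.aspx is an
# assumed public page; the other two paths are the ones used in this post.
EXPECTED = {
    "/SitePages/Home.aspx": "public",
    "/sitepages/unauthorized.aspx": "public",
    "/SitePages/Forms/AllPages.aspx": "restricted",
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the 3xx itself instead of following it

def probe(base_url, path, timeout=10):
    """Send one GET without credentials; return (status, has_auth_challenge)."""
    # ProxyHandler({}) forces a direct connection so the hosts-file entry applies.
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    try:
        resp = opener.open(base_url.rstrip("/") + path, timeout=timeout)
        status = resp.status
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry headers
        resp, status = err, err.code
    challenge = resp.headers.get("WWW-Authenticate") is not None
    resp.close()
    return status, challenge

def audit(base_url, expected=EXPECTED, fetch=probe):
    """Return one (path, status, challenge, verdict) row per expected path."""
    rows = []
    for path, want in expected.items():
        status, challenge = fetch(base_url, path)
        if want == "restricted":
            verdict = "EXPOSED" if status == 200 else "blocked"
        else:
            verdict = "ok" if status == 200 else "BROKEN"
        rows.append((path, status, challenge, verdict))
    return rows

if __name__ == "__main__":
    # With a base URL argument the site is probed. Without one, constructed
    # responses (every page served, i.e. no lockdown) show the report offline.
    live = len(sys.argv) > 1
    rows = audit(sys.argv[1]) if live else audit("constructed", fetch=lambda b, p: (200, False))
    for row in rows:
        print("%-32s %s challenge=%s %s" % row)
    sys.exit(1 if any(r[3] in ("EXPOSED", "BROKEN") for r in rows) else 0)
```

Run it with the base URL of the Internet zone from a machine that has the hosts entry; the challenge column shows whether a response carried a WWW-Authenticate header, which is what makes a browser display the authentication prompt.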
In the next post, we are going to use Visual Studio to start customizing our site...
5 - Acknowledgements
Thanks to:
Nick, whose article helped me with custom errors; I have just noticed that he also lives and works in Montreal...
Tyler Butler of the ECM team blog, whose publications were a big help in the realization of my projects for the Internet and who made me discover the existence of the lockdown feature...
Ted Pattison for his video, which opens many new horizons regarding the use of SharePoint 2010. I will publish more about it someday...