Monday, October 24, 2011

Configuring SharePoint 2010 Foundation for Internet-facing publishing


I am starting a set of posts regarding the ability of SharePoint 2010 foundation to be used to build Internet-facing web sites. In this one we are just going to perform configuration and creation operations so as we can obtain a SharePoint Foundation site collection that can be used to publish content on the Internet and therefore, available for anonymous users.

Business benefits - The "why" part of the post

In SharePoint 2007 the Internet-facing publishing was rather based on the use of the publishing part of SharePoint, its CMS.

However, the team sites that were a part of the collaboration area of SharePoint 2007 are now with the new wiki pages of SharePoint 2010 a way to help people to publish formal content. The team sites are now described in the SharePoint 2010 documentation as a solution to encourage one-to-many communication and also a solution to offer a structured exchange of information.

Therefore the team sites of SharePoint Foundation are now mature enough to be used as a base to build Internet-facing web sites and are a new and more cost effective opportunity offered by SharePoint 2010 to publish content on the Internet. The free SharePoint Foundation team sites can be now seen as a severe competitor to the licensed SharePoint CMS!

For further information, see the Microsoft documentation:

Comparison of Enterprise Wikis with Team Sites

Plan Internet presence sites (SharePoint 2010 Foundation)

And this Ted Pattison's video:

Sites as Collections of Pages
(See how Sites in SharePoint 2010 just become a collection of pages. Unlike before pages now play a key role in the structure of a site... )

I have just found elements of comparison when considering SharePoint Server 2010 Publishing Sites vs. SharePoint Foundation 2010 Sites:

SharePoint Server 2010 Publishing Sites vs. SharePoint Foundation 2010 Sites

After requirements gathering is complete, first decide whether to base the website on Microsoft SharePoint Foundation 2010, or on a server running Microsoft SharePoint Server 2010 with the Publishing Features enabled. Publishing sites are built on SharePoint Foundation, and there are many advantages to building engaging Internet-facing websites with publishing sites. Some of the benefits of creating a brand with SharePoint Server publishing sites and SharePoint Foundation sites include the following:

Enables content authors to create webpages with a more robust rich-text editing experience than SharePoint Foundation sites offer.

Includes master pages that target publishing sites and that use specific code assemblies that take advantage of publishing Features.

Easier control of web navigation from the web UI, and more options are available to the designer.

Uses the Web UI to easily change a master page and to apply master pages to all subsites below the current site.

Uses page layouts to create templates at the page level. Uses text layouts to accomplish a form of simple page layout. Text layouts are not configurable.

Use the $SPUrl token to target HTML assets with URLs that are relative to either the site collection ($SPUrl;~sitecollection/) or site root ($SPUrl:~site/)

source: Real World Branding with SharePoint 2010 Publishing Sites


I will avoid using development operations in this first post in order it can be useful to system administrators. Of course it is also targetted for developers so as they can configure their development machine, but they won't have to launch Visual Studio here.

1 - Extending an existing SharePoint Foundation Web Application

Assume you have created a SharePoint Foundation web application using NTLM authentication (that is the default mode).
Go to the SharePoint 2010 Central Administration of your SharePoint Farm, click the "Manage web applications" link then on the displayed list of the available web application select the one you want to open to anonymous users.

The buttons of the SharePoint 2010 ribbon are now  usable, so click on Extend.
The Extend pop-up appears.

Type the name of the new web application
Type 80 for port
Define a host header
Select Allow Anonymous because we are planning anonymous access
For the zone, choose Internet, because we plan to extend the existing web application for an Internet access.

So as you will obtain the following screen shots



Then,  click the "OK" button to create the web application.
Nothing has changed in the web application list, but if you navigate to the Alternate Access Mappings page of the central administration (in the System Settings section), then click on the "Edit Public Zone URLs" link and select the extended web application you will notice taht the zone was properly created.



You can also check in IIS7 that the IIS web site for the Internet zone is now available

2 - Testing the anonymous acces

As we have defined previously a custom host header for our Internet site we have to modify the host file of our development machine in order to be able to acces the site as an anonymous user.
So open the hosts file of your machine located at :


and add the following entry:

Now open a browser and browse to this url. You access your SharePoint team site as an anonymous user and simulate an Internet acces.

if you cannot access to the site with an anonymous access, browse to the page, you will be prompted for authentication, use the site coll administrator to authenticate in NTLM mode, switch anonymous access to Entire site, click OK (in the screen shot, url is wrong, sorry).


If you select Lists and libraries, anonymous users will be able to view items only for those lists and libraries that have enabled permissions for anonymous users.

However how interesting this option is, it will force administrator to break inheritance for each lists for those they want to grant access for anonymous users. You will also notice that for those lists, the SharePoint Forms pages are also accessible to anonymous users. For example, if you grant access to anonymous users for the site pages library of a Foundation team site, anonymous users might be able to get to

Typically you don't want this, so how do you prevent anonymous users from accessing these pages?   
In SharePoint Server, where the publishing features are available we would activate the lockdown feature especially provided by Microsoft for avoiding this problem.  

By the way, It is amazing to think to activate within SharePoint Foundation the lockdown feature which was formerly reserved to the SharePoint CMS .
Yes and no.
Now the team sites must be seen as a collection of pages. They get closer to the SharePoint CMS a lot.
On this subject you should watch the Ted Pattison's video (See how Sites in SharePoint 2010 just become a collection of pages. Unlike before pages now play a key role in the structure of a site.).

Updated 2011 october 26th

3 - An alternative to the lockdown Feature

Unfortunately, this feature is not available for SharePoint foundation. So I made an adaptation for WSS 3.0 and SharePoint Foudation 2010 that you can download as a SharePoint solution (.wsp) on Codeplex:

Custom lockdown feature for wss 3.0 and SharePoint 2010 Foundation

If you want to use it, download the .wsp and deploy it. It will be globally deployed anyway because the feature handler .dll will be placed in the GAC.
Then you should not need to install the feature because it will be automatically installed at deployment time, but if the automatic  installation had failled, you could install it by excuting this within a command prompt:

stsadm -o installfeature -name viewformpageslockdowncustom

then activate the feature for your site collection with this other instruction:

stsadm -o activatefeature -name viewformpageslockdowncustom -url

But, beacause we already have anonymous access enabled, we need to go disable it, then enable it again. Go to the _layouts/setanon.aspx page, switch anonymous access off, click OK, then go back and set it to entire site, then click OK.

Anonymous users should now get an authentication prompt when they try to navigate to a forms page. For example,



4 - Setting custom error page for error 401 (forbidden) within Sharepoint 2010

(The following section is dedicated to Sharepoint 2010 since you will not find the following xml tags in the web.config of wss 3.0.)

Now we are going to do an amazing thing. We are going to change the web.config file of the web application corresponding to the Internet access so as anonymous user won't be prompted anymore for authentication if they try to acces to an unauthorized url but be redirected on a custom 401 error page within the site.

So first go to your site with at least contributor permissions by using NTLM access and create a custom 401 error page in the site pages library of your site. Assume we call it unauthorized so as its url will be Type a meessage of access denied and save the page.

Then, open the web.config file of the Internet zone web application and locate the handlers end tag within the system.webSever and paste the following httpErrors sequence.

        <httpErrors errorMode="Custom" existingResponse="Auto">
            <remove statusCode="401" />
            <error statusCode="401" prefixLanguageFilePath="" path="/sitepages/unauthorized.aspx" responseMode="ExecuteURL" />

 After restarting your application pool by reloading a page of your site with anonymous acces, you will notice an amazing thing: each time an anonymous user will try to access to a non authorized ressource, instead of being prompted for an NTLM authentification, he will be redirected to the custom 401 error page of your site and he will still have your site navigation links available and be able to keep browsing.

And the most amazing is you will have the same result while clicking the sign in link.
So of course don't do that if you plan to use an Internet access for contributing on your site or for administrating it...

And don't forget that this will have an impact on the whole web application since we have modified the web.config, so it won't be possible to obtain a different behaviour for another site collection within this web application.

 The next screen shot show my 401 unauthorized custom error page after having clicked the Sign in link.

It is all that we can do for now by just performing configuration operations.
Of course, don't forget to modify the navigation within the SharePoint 2010 UI to hide all the links that could lead to an access denied for anonymous users. In short, you should let only the links pointing on a subsite, a Site Page or a specific document.

In the next post, we are going to use Visual Studio to start customizing our site...

5 - Aknowledgements

Thanks to :

Nick whose article helped me for custom errors, I have just noticed that he also lives and works in Montreal...

Tyler Butler of the ECM team blog who was by his publications of a big help in the realization of my projects for the internet and who made me discover the existence of the lockdown feature...

Ted Pattison for his video which opens many new horizons regarding the use of SharePoint 2010. I will publish more about it someday...



1 comment:

bunty said...

HI thx for the blog i followed all the steps and i am able to access the site on my local machine but non of the users are able to access the site on internet..

we need any DNS registration or any software to make it an internet site and i have windows 7..