Anonymous access is default on in SharePoint 2013, even if you select No?
First, remember, this is all just a reflection made by me and most likely, there is some obvious reason as to why this is, that simply just eludes me at this point. I know that SharePoint does not in itself allow Anonymous access, that has to be configured, but IIS allows it which seems to me like a bad idea.
I noticed this disturbing thing this morning when I created a Quick Web Application in a SharePoint 2013 test farm of mine running on Windows Server 2012. Thing was, I created a web application from the Central Administration GUI and selected all the quickest options, Default Everything but to use an existing Application Pool. This means that we select Windows Authentication, NTLM only and NO Anonymous access.
Let me explain…
On a SharePoint 2013 farm running on Windows Server 2012:
I created a normal Web Application using only the Central Administration GUI. I used port 2013 just to show where it is, then default on all security settings.
I seelcted to use an existing Application pool to save time and Resources, but that is not relevant. Ok to create:
Next I checked what was actually done in IIS, from the preview I remebered having some questions on how this was performed…
In IIS 8.0 on Windows Server 2012 it looks like this:
Notice how 4 providers are enabled by SharePoint as default.
These are all enabled by default, Windows Authentication has only NTLM configured like we selected in CA. We also get a warning from having Forms Based authentication(redirect) and Windows Based(Challenge) enabled at the same time. IIS does not like this but I have managed to find out that this is ok, given certain circumstanses you need it to be this way.
If we do the same thing on a SHarePoint 2010 farm running on Windows Server 2008R2 and IIS 7.5:
We select to use NTLM and to not allow Anonymous, same as in 2013.
The settings in IIS:
And the list of providers look like this:
Like you can see, SharePoint 2010 only enables ASP.NET Impersonation and Windows Authentication.
If we put the two up side by side, it looks like this:
The question is, does this affect security in any way?
Is it still as secure?
Why not simply disable Anonymous Authentication?
If anyone has any good suggestions or explanations, please submit them as a comment and I will update this post to reflect the facts.
A really good link that explains the inner workings of claims based authentication in SharePoint, valid for 2010 and 2013 alike.
(Thnaks nojanaj for the tip)
Multiple Authentication Methods in SharePoint 2010
3 thoughts on “Anonymous Authentication always on in SharePoint 2013”
Maybe this post can answer some of your questions.
Excellent! It did! Claims disables IIS’s authentication(Anonymous on) and uses SharePoints own auth. Cool!
Thanks a lot.
If I find the time, I’ll update the post.
Regards // Thomas