A guide to Alternate Access Mappings Basics in SharePoint 2013


Alternate Access Mapping Basics in SharePoint 2013

(This post is in its entirety valid for SharePoint 2010 as well)

Explains how you should look at Alternate Access Mappings – left to right.
Alternate Access Mappings is something that most SharePoint engineers and administrators struggle with. More often than not we get it right in the end, but we are not really sure why it works or whether it really works the way we want it to.
This is my attempt to make it easy to understand.


Note: This is part 1 in a series; the next part will show how to configure DNS and a simple scenario adding a new NetBIOS name as URL to a Web Application.
Note: For the complete guide, with DNS steps and 4 different scenarios including https, download the free Whitepaper from TechNet: The final guide to Alternate Access Mappings

To make AAMs simpler to understand, look at them a bit differently. Start with this simple table:

Left area      Internal URLs
Right area     Public URLs, each with a zone
Middle area    Zones, which connect Internal URLs to Public URLs, many to one

An Internal URL redirects or transforms to a Public URL, from left to right. The URL on the left is what you enter in the address field in your browser; the Public URL on the right is what you will see once you are there. This goes for visible and invisible links as well.
Internal URL format: Protocol + URL (+ non-default port)

A Public URL is the address of the Web Application for one of the five zones available. The ‘Default’ zone must be filled out and has some special properties/uses; the other four are optional. You can only have five Public URLs per Web Application.
This is the URL that the browser will be redirected to in the end.
Public URL format: Protocol + URL (+ non-default port)

A Zone is a label representing a Public URL; the zone is used to ‘connect’ an Internal URL to a Public URL. The zone names have no relation whatsoever to the four Internet Explorer security zones (Internet, Local Intranet, Trusted sites and Restricted sites) and could just as easily have been named 1, 2, 3, 4 and 5. A zone can also represent an authentication provider.
Zones: Default, Intranet, Internet, Custom, Extranet



Note: Each Internal URL is connected to a Public URL based on the Zone selected for it.

From left – to right…
The zones might as well be represented by numbers:


Note: Try to always use the most used URL as the default Public URL. This is what will be used by other services, like crawl and in certain other links.

Translated to SharePoint GUI, this same setup would look like this:



Note: Filtered on this Web Application’s Alternate Access Mapping Collection only.
These are the same Alternate Access Mappings as in the example table above.

If you click on any of the ‘Internal URLs’, you will see that you can select a zone and, with the zone, the Public URL it will be connected to:

In addition to the actual Alternate Access Mapping in SharePoint Central Administration, you also have to add a Binding in IIS. Contrary to what many believe, SharePoint does not do that for you, except for the initial host header when you create the web application, so you have to do it manually.
The example above would show up in IIS Bindings like this:


As you can see, in IIS 8.0 and Windows Server 2012 the https binding does show a hostname. In IIS 7.5 and Windows Server 2008 R2, the hostname is determined by the name configured in the certificate used when adding that binding, and it is hidden in this view.

That’s it! When you have configured your AAMs and Bindings correctly, and given that name resolution, IP addresses, connectivity from the client to the server(s) and all other aspects are in order, you can now start to use the URLs you want.
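
An added example, not part of the original post: a PowerShell check that lists the Alternate Access Mappings of one Web Application and flags every internal URL that has no matching IIS binding on the local server. The web application URL and the IIS site name are placeholders to replace with your own values.

```powershell
# Added example: report AAM internal URLs that lack an IIS binding on this server.
# Run in an elevated SharePoint Management Shell on a web server in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

# Assumptions: placeholder values, not taken from the original post.
$webAppUrl = 'http://portal.contoso.example'
$iisSite   = 'SharePoint - portal80'

# IIS stores each http/https binding as "IP:port:hostname". The hostname part
# is empty for a catch-all binding, and for https bindings in IIS 7.5 where
# the name comes from the certificate, so an empty hostname matches any host.
$bindings = Get-WebBinding -Name $iisSite | ForEach-Object {
    if ($_.bindingInformation -match '^(.*):(\d+):(.*)$') {
        [pscustomobject]@{
            Protocol = $_.protocol
            Port     = [int]$Matches[2]
            HostName = $Matches[3]
        }
    }
}

# Walk the mappings left to right: Internal URL -> Zone -> Public URL.
$report = foreach ($aam in Get-SPAlternateURL -WebApplication $webAppUrl) {
    $uri = [uri]$aam.IncomingUrl
    $match = $bindings | Where-Object {
        $_.Protocol -eq $uri.Scheme -and
        $_.Port -eq $uri.Port -and
        ($_.HostName -eq '' -or $_.HostName -eq $uri.Host)
    }
    [pscustomobject]@{
        InternalUrl = $aam.IncomingUrl
        Zone        = $aam.UrlZone
        PublicUrl   = $aam.PublicUrl
        HasBinding  = [bool]$match
    }
}

$report | Sort-Object Zone, InternalUrl | Format-Table -AutoSize
```

Rows where HasBinding is False are URLs that this server's IIS site will not answer for; run the check on every web server in the farm.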






26 thoughts on “A guide to Alternate Access Mappings Basics in SharePoint 2013”

      1. Dear sir, I installed SharePoint 2013 Foundation, everything is working fine, but I have a public IP. When I tried to open the website from any other place, it asks for username and password; after giving that, it gets “unable to connect”. Someone said mapping, I don’t know how to map. Please guide me step by step. Much awaiting your reply.

      2. Hi Anil.
        Just wrote a long detailed answer and it got lost…
        I’ll try again.
        Ok, in order to get any Web application access and authentication to work, you need a few things. You need a DNS entry or use the IP address.
        http://www.mysharepoint.com/ alt. http:
        The URL you use to access the web application from the Internet also has to have an Alternate Access Mapping and an IIS binding.
        The AAM entry has to be a Public URL and can most easily be added to the current Web Application ‘collection’ in Alternate Access Mapping as the Internet zone Public URL.
        Also, add the same URL or the IP as a binding in IIS.
        How you do that is described pretty well in step 4 and 5 in my Kerberos guide: http://wp.me/p1EuNv-lq
        If you also have the URL (or the domain part *.mysharepoint.com) added to your IE ‘Local Intranet’ zone, then you will also be logged on automatically with the current Windows credentials.

        I really hope that helps you? Please let me know how it goes.

        Best regards
        // Thomas

  1. Very good article. I especially like the mentioning of the Site Bindings part since there always seems to be confusion about this.

  2. Great article. Though I am having trouble authenticating on my second default url. Any idea?

    1. Hi Jason.
      Second default meaning the second internal URL to the default zone?

      Are you on the server? If so, check my latest post on the loopbackcheck.
      Is the URL added as trusted or local intranet in your browser? (IE)

      // Thomas

  3. Hi Thomas
    Perfect job. Well done.
    I lost so much time installing our SharePoint 2013, and finally a reinstall from scratch including the SharePoint wizard and your final guide made me able to achieve a fully equipped SSL secured internal and external SP website.
    Thank you very much!

  4. Hi Thomas,

    Great article.
    Just a question: is it possible, under Internal URL, to have two address URLs the same, but each one belonging to a different zone and going to a different Public URL, e.g.

    http://portal.com Default http://portal.com
    http://portal.com Extranet https://portal-ext.com

    So that when staff within the organisation enter http://portal.com they will go to http://portal.com. But external partners, who still enter the same URL http://portal.com, will be redirected to https://portal-ext.com.


    1. Hi.
      No, that’s the quick answer to that one.
      If you try, what you will see is this: ‘The IncomingUrl is already present in the collection.’

      Imagine if you could: how would anyone or anything know when to send the user to Default and when to send them to Extranet? The users have entered the same URL…
      What you could do is use UAG (not sold anymore) or any other product to route extranet users coming in on the same address outside the corp network to one, and internal users to one.
      You could then separate with an extended web app or just a different zone and public URL.

      Sorry, but it’s not that easy.
      Keep this in mind: the next link a user clicks on will take them to the public URL. Would that work in your suggestion? No, click two would not even reach the same web app.

      Hope that helps
      // Thomas

    2. Or in simpler terms, think of giving two people the same phone number… not good, right?
      (Except if one had the number internally only, and one externally, then got connected to a different number before reaching the internal… make any sense?)

      // Thomas

  5. Thanks Thomas for the great post, I have one question..

    I have two websites in my SP farm with different URL domains, the following public URLs for example:

    The internal employees edit the website through: http://edit.toys.com

    I am having 1 WebApplication with 2 Host-Named SiteCollections,

    My question, is the following AAM correct?
    Internal -> Zone -> Public URL for Zone
    For Toys SiteCollection:
    -http://toys.com -> Default -> http://toys.com
    -https://edit.toys.com -> Internet -> http://edit.toys.com
    For Parks:
    -http://parks.com -> Default -> http://parks.com
    -https://edit.parks.com -> Internet -> https://edit.parks.com

    Thanks in advance 🙂

    1. Hi Shobani.
      Not the best when it comes to HNSC’s… but as far as I remember, you can’t use HNSC with AAM.
      Found this quote:
      ‘HNSC have a single (unique) URL. So they do not support alternate access mappings and are always considered to be in the Default zone.’
      From http://www.sharepointpitstop.com/2012/11/sharepoint-host-named-site-collections.html

      But then I also found this:
      Locate the section on:
      Host Name Site Collections with Multiple URL’s and Zones

      This tells us it is possible and also how to do it 🙂

      I think you have it right.
      I hope that helps
      // Thomas

      1. Thanks Thomas, I did and it works!

        You inspired me to write about my current experience.. Big thanks!!


  6. Hi Thomas,

    Can you please answer me if we are upgrading from SP 2007 to SP 2010. And we want that Users must be able to access all documents during the upgrade process.

    I found the answer that we can do this with alternate access mapping URL redirection. I am not sure that this answer is correct or not. If yes please provide the reason that how can we do so.

    Thanks and Regards

    1. Hi Sumit.
      Using a side by side upgrade, you can let the users have access to all content until the very last few steps; it’s really only from when you back up the content databases that you have to stop access. From that point, you can use DNS to redirect the URL, and you must configure AAM. Not sure if this is what you are asking about though…
      Remember that letting users have access can mean two things, that they update/write documents or only read. Read can be offered almost 100% during an upgrade while write you cannot.
      Hope this helps some? Get back if you have more questions.
      // Thomas

  7. I did all the steps mentioned above. I’m getting a “page cannot be displayed” message when I open the alternate Intranet URL. Please guide me.

    1. Hi.
      Hard to say without any info, are you trying the url from the SP server?
      Can you ping the url?
      Can you access the url on a different url? At all?
      Is the url added as a binding in IIS on ALL webservers? With the correct protocol(http/https)
      If on the same server, try from client.
      Please report back
