Saturday, November 13, 2010

SharePoint 2010 & PowerShell: Anonymous Web Applications

This is the fourth in a series of posts on scripting administrative functions in SharePoint. I assume you have already created a farm. In this post we will add a new anonymous web application. If you are interested in configuring anonymous access through Central Administration instead, check out:
An anonymous web application lets users reach your SharePoint site without logging in. Let's start by creating the web application. This script is similar to the last web application we created, with two changes. First, we pass the AllowAnonymous switch to New-SPAuthenticationProvider. Second, we add the AllowAnonymousAccess switch to New-SPWebApplication. Note that this only enables anonymous access at the web application (IIS zone) level; nothing is exposed yet. New content will still require authentication unless you explicitly grant permissions to anonymous users on the site itself.
$WebAppURL = ""
$HostHeader = ""
$WebAppName = "Anonymous Web Application"
$ContentDatabase = "Content_Anonymous_Default"
$AppPoolName = "Anonymous Content"
$AppPoolUserName = "DOMAIN\USER_NAME"

Write-Host "Creating the anonymous web application"
$AppPoolCred = Get-Credential $AppPoolUserName
$AppPoolAccount = New-SPManagedAccount -Credential $AppPoolCred
$AuthProvider = New-SPAuthenticationProvider -AllowAnonymous
$WebApp = New-SPWebApplication -AllowAnonymousAccess -ApplicationPool $AppPoolName -ApplicationPoolAccount $AppPoolAccount  -Name $WebAppName -URL $WebAppURL -HostHeader $HostHeader -Port 80 -AuthenticationProvider $AuthProvider -DatabaseName $ContentDatabase
At this point we have a new web application, but no content yet. Now let's add a site collection and grant permissions to anonymous users. This script is nearly identical to the scripts in the prior post, with the addition of AnonymousState and AnonymousPermMask64, followed by the Update() call that actually persists both.
$SiteName = "Anonymous Root Site"
$OwnerEmail = ""
$OwnerAlias = "DOMAIN\USER_NAME"
$SiteURL = ""             # root URL of the web application created above; fill in before running

Write-Host "Creating a default site collection in the anonymous web application"
New-SPSite -Url $SiteURL -OwnerAlias $OwnerAlias -OwnerEmail $OwnerEmail -Template "STS#0"
# Setting AnonymousState needs site collection administrator rights on the new site. The
# comments below report "Access is denied" (0x80070005) when this runs as the web application
# owner only, resolved by running as the site collection owner ($OwnerAlias here).
$Web = Get-SPWeb $SiteURL
$Web.Title = $SiteName
$Web.AnonymousState = 2          # 2 = On: anonymous users can access the entire web
# SPBasePermissions flags. Be deliberate here: AddListItems lets unauthenticated users
# write to every list on the web, not just read it.
$Web.AnonymousPermMask64 = "ViewListItems, ViewVersions, ViewFormPages, Open, ViewPages, UseClientIntegration, AddListItems"
$Web.Update()                    # property changes are not persisted without Update()
$Web.Dispose()
AnonymousState determines if anonymous users have access to the site collection as follows:
  • A "0" disables anonymous access. In other words, anonymous users have no access to a Web site.
  • A "1" allows default anonymous access. This specifies that anonymous users can access lists and libraries if the lists and libraries allow anonymous access.
  • A "2" specifies that anonymous users can access the entire Web site.
AnonymousPermMask64 is an SPBasePermissions flags value, so it lets you control anonymous rights granularly. The script sets the 64-bit property; the older 32-bit AnonymousPermMask is obsolete in SharePoint 2010. The values of the mask (descriptions taken directly from the SPBasePermissions enumeration documentation) are:
  • ViewListItems = View items in lists, documents in document libraries, and view Web discussion
  • AddListItems = Add items to lists, add documents to document libraries, and add Web discussion
  • EditListItems = Edit items in lists, edit documents in document libraries, edit Web discussion comments in documents, and customize Web Part Pages in document libraries.
  • DeleteListItems = Delete items from a list, documents from a document library, and Web discussion comments in documents.
  • ApproveItems = Approve a minor version of a list item or document.
  • OpenItems = View the source of documents with server-side file handlers.
  • ViewVersions = View past versions of a list item or document.
  • DeleteVersions = Delete past versions of a list item or document.
  • CancelCheckout = Discard or check in a document which is checked out to another user.
  • ManagePersonalViews = Create, change, and delete personal views of lists.
  • ManageLists = Create and delete lists, add or remove columns in a list, and add or remove public views of a list.
  • ViewFormPages = View forms, views, and application pages, and enumerate lists.
  • Open = Allow users to open a Web site, list, or folder to access items inside that container.
  • ViewPages = View pages in a Web site.
  • AddAndCustomizePages = Add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Windows SharePoint Services–compatible editor.
  • ApplyThemeAndBorder = Apply a theme or borders to the entire Web site.
  • ApplyStyleSheets = Apply a style sheet (.css file) to the Web site.
  • ViewUsageData = View reports on Web site usage.
  • CreateSSCSite = Create a Web site using Self-Service Site Creation.
  • ManageSubwebs = Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites.
  • CreateGroups = Create a group of users that can be used anywhere within the site collection.
  • ManagePermissions = Create and change permission levels on the Web site and assign permissions to users and groups.
  • BrowseDirectories = Enumerate files and folders in a Web site using Microsoft Office SharePoint Designer 2007 and WebDAV interfaces.
  • BrowseUserInfo = View information about users of the Web site.
  • AddDelPrivateWebParts = Add or remove personal Web Parts on a Web Part Page.
  • UpdatePersonalWebParts = Update Web Parts to display personalized information.
  • ManageWeb = Grant the ability to perform all administration tasks for the Web site as well as manage content. Activate, deactivate, or edit properties of Web site features through the object model or through the user interface (UI). When granted on the root Web site of a site collection, activate, deactivate or edit properties of site collection scoped Features through the object model. To browse to the Site Collection Features page and activate or deactivate site collection scoped Features through the UI, you must be a site collection administrator.
  • UseClientIntegration = Use features that launch client applications; otherwise, users must work
  • UseRemoteAPIs = Use SOAP, WebDAV, or Microsoft Office SharePoint Designer 2007 interfaces to access the Web site.
  • ManageAlerts = Manage alerts for all users of the Web site.
  • CreateAlerts = Create e-mail alerts.
  • EditMyUserInfo = Allows a user to change his or her user information, such as adding a picture.
  • EnumeratePermissions = Enumerate permissions on the Web site, list, folder, document, or list item.
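The two scripts above turn anonymous access on; the obvious follow-up check is to see what is actually exposed. The example below is added here and is not code from the original post. It walks every web application in the farm, reports the zone-level switch set by -AllowAnonymousAccess, the AnonymousState of every web, and decodes AnonymousPermMask64 against a read-only baseline so that write rights such as AddListItems show up as findings. The $ReadOnlyMask baseline and the Set-AnonymousReadOnly helper are this example's own choices, and it assumes a SharePoint 2010 management shell run as a farm administrator who is also site collection administrator of any web it remediates.

```powershell
# Added audit example, not part of the original post. Assumes the SharePoint 2010
# snap-in and a farm-administrator session; $ReadOnlyMask is this example's own policy.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Rights an anonymous reader needs and nothing more. The script above also grants
# AddListItems, which lets unauthenticated users write to every list on the web;
# the report below lists that as an excess right.
$ReadOnlyMask = [Microsoft.SharePoint.SPBasePermissions]"ViewListItems, ViewVersions, ViewFormPages, Open, ViewPages, UseClientIntegration"

function Get-AnonymousAccessReport {
    $report = @()
    foreach ($webApp in Get-SPWebApplication) {
        # Zone-level switch (what -AllowAnonymousAccess turned on). A web's AnonymousState
        # has no effect unless at least one zone of its web application allows anonymous.
        $anonZones = @()
        foreach ($entry in $webApp.IisSettings.GetEnumerator()) {
            if ($entry.Value.AllowAnonymous) { $anonZones += $entry.Key.ToString() }
        }
        foreach ($site in $webApp.Sites) {
            try {
                foreach ($web in $site.AllWebs) {
                    try {
                        # Disabled = 0, Enabled = 1 (lists only), On = 2 (entire web)
                        if ($web.AnonymousState -eq "Disabled") { continue }
                        $granted = [long]$web.AnonymousPermMask64
                        $extra   = $granted -band (-bnot [long]$ReadOnlyMask)
                        $report += New-Object PSObject -Property @{
                            WebApplication = $webApp.DisplayName
                            Url            = $web.Url
                            AnonymousState = $web.AnonymousState.ToString()
                            AnonymousZones = ($anonZones -join ", ")
                            Effective      = ($anonZones.Count -gt 0)
                            PermMask       = $web.AnonymousPermMask64.ToString()
                            ExcessRights   = $(if ($extra -ne 0) { ([Microsoft.SharePoint.SPBasePermissions]$extra).ToString() } else { "" })
                        }
                    } finally { $web.Dispose() }
                }
            } finally { $site.Dispose() }
        }
    }
    return $report
}

function Set-AnonymousReadOnly {
    param([Parameter(Mandatory = $true)][string]$Url)
    # Run as a site collection administrator of $Url. The comment thread below reports
    # "Access is denied" (0x80070005) on AnonymousState when run as the web application
    # owner only, resolved by using the site collection owner.
    $web = Get-SPWeb $Url
    try {
        $web.AnonymousState      = [Microsoft.SharePoint.SPWeb+WebAnonymousState]::On   # same as 2 above
        $web.AnonymousPermMask64 = $ReadOnlyMask
        $web.Update()            # nothing is persisted without Update()
    } finally { $web.Dispose() }
}

# Usage: list webs whose anonymous rights exceed read-only, or that have anonymous
# state set on a web application where no zone allows it; then tighten one of them.
Get-AnonymousAccessReport | Where-Object { $_.ExcessRights -ne "" -or -not $_.Effective } |
    Format-Table WebApplication, Url, AnonymousState, ExcessRights, Effective -AutoSize
# Set-AnonymousReadOnly -Url "http://anonymous.example.com"   # hypothetical URL
```

Two design points worth noting. Masking is done on the raw [long] value rather than on the enum so it behaves the same on the PowerShell 2.0 that ships with SharePoint 2010 and on later versions, and the result is cast back to SPBasePermissions only for display. Every SPSite and SPWeb the report opens is disposed in a finally block; Get-SPWebApplication enumerations that skip this leak connections on large farms.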
In the next post we will enable SSL.


  1. Thanks for sharing. Saved me a lot of hours.

  2. I get the following error. What permissions must I have set for this not to occur? I am in a multi-tenant environment.

    Exception setting "AnonymousState": "Access is denied. (Exception from HRESULT:
    0x80070005 (E_ACCESSDENIED))"
    At C:\Provision.ps1:57 char:9
    + $web. <<<< AnonymousState = 2;
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyAssignmentException

  3. This comment has been removed by a blog administrator.

  4. Hey Brian - Thanks for this. Any thoughts on how to solve the "Exception setting 'AnonymousState': Access is denied" error.

  5. Just wanted to post a follow-up. Resolved the access denied error by using another account that was not web application owner. The account used was the owner of the site collection.

  6. This comment has been removed by the author.

  7. Anonymous web applications have useful features for accessing SharePoint without signing in. Expert web application developers create innovative apps, which I will definitely consider in my office.

  8. This page is effective for learning. I got many important things from this page. Creative android event app