SharePoint: Anonymous users are prompted for credentials on an anonymous site

Applies to: SharePoint Server 2010


Consider the following scenario:

You have configured http://mySharePointSite for anonymous access at the site level (lists and libraries), and you want to prevent a specific group from accessing the site, so you add the group at the web application level and assign it the “Deny All” policy.

Steps to reproduce:

1. Configure a web application.
2. Activate NTLM + Anonymous on default zone.
3. Create a new site collection.
4. Access the site collection.
5. Access "Site Settings/Site permissions" and activate anonymous access for the entire web site.
6. Access the "Shared Documents" list and break the permission inheritance.
7. Access the "Shared Documents" list, access the library permissions settings, click on Anonymous access and enable "View Items".
8. Access the Central Administration web site.
9. Access the web application and add a user policy to this web application (on all zones or default zone). Configure a "Deny All" access for an Active Directory group.
10. Check the "Anonymous access" settings on the "Shared Documents" list.

The "View Items" permission is disabled and anonymous users will be prompted for credentials when attempting to browse the “Shared Documents" list.

More Information

This combination will never work. In order for SharePoint to deny access to a certain user or group, the user must be authenticated. Since anonymous users are not authenticated, SharePoint attempts to authenticate them in order to determine whether or not they belong to the group that was denied access, which is why the credential prompt appears.

Possible workarounds:

1. Assign the “Deny Write” policy for web application to the group instead of “Deny All”.

2. Extend your web application to a second zone. Use one zone as authenticated and assign the “Deny All” web application policy to only that zone. Use the second zone as the anonymous zone and configure anonymous access for that zone.
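The following script is an added example for workaround 2; it is not part of the original article and not Microsoft's own code. It runs in the SharePoint 2010 Management Shell as a farm administrator. It first audits a web application for the conflicting combination described above (an all-zones "Deny All" policy on a web application that has an anonymous zone), then keeps the Default zone as the authenticated zone, scopes the "Deny All" policy to that zone only, and extends the web application to a second, anonymous zone that carries no deny policy. The web application URL http://mySharePointSite, the group CONTOSO\BlockedUsers, the Internet zone and the host header anon.contoso.com are assumed placeholders.

```powershell
# Added example (not from the KB article). SharePoint 2010 Management Shell, PowerShell 2.0 syntax.
# Assumed placeholders: http://mySharePointSite, CONTOSO\BlockedUsers, anon.contoso.com, Internet zone.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Audit: list every all-zones "Deny All" policy on a web application that has at least one
# anonymous zone. Each row is a principal whose deny policy forces SharePoint to challenge
# anonymous visitors, which is the symptom the article describes.
function Test-AnonymousDenyAllConflict {
    param([Parameter(Mandatory=$true)][string]$WebAppUrl)
    $webApp    = Get-SPWebApplication -Identity $WebAppUrl
    $anonZones = @($webApp.IisSettings.Keys | Where-Object { $webApp.IisSettings[$_].AllowAnonymous })
    if ($anonZones.Count -eq 0) { return @() }          # no anonymous zone, no conflict
    $webApp.Policies | Where-Object {
        $_.PolicyRoleBindings | Where-Object {
            $_.Type -eq [Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyAll }
    } | ForEach-Object {
        New-Object PSObject -Property @{
            WebApplication = $webApp.Url
            Principal      = $_.UserName
            AnonymousZones = ($anonZones -join ", ")
        }
    }
}

# Workaround 2: Default zone stays authenticated and carries the zone-scoped "Deny All";
# a second zone allows anonymous access and has no deny policy at all.
function Set-DenyAllOnAuthenticatedZone {
    param(
        [Parameter(Mandatory=$true)][string]$WebAppUrl,
        [Parameter(Mandatory=$true)][string]$DeniedGroup,
        [Parameter(Mandatory=$true)][string]$AnonymousHostHeader,
        [Microsoft.SharePoint.Administration.SPUrlZone]$AnonymousZone = "Internet"
    )
    $webApp  = Get-SPWebApplication -Identity $WebAppUrl
    $default = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

    # Drop the all-zones deny for the group if it exists; an all-zones deny applies to the
    # anonymous zone too and is exactly what triggers the credential prompt.
    if ($webApp.Policies | Where-Object { $_.UserName -eq $DeniedGroup }) {
        $webApp.Policies.Remove($DeniedGroup)
    }

    # Default zone becomes the authenticated zone: anonymous off.
    $webApp.IisSettings[$default].AllowAnonymous = $false

    # Zone-scoped policy via ZonePolicies(), not the all-zones Policies collection.
    $zonePolicies = $webApp.ZonePolicies($default)
    if (-not ($zonePolicies | Where-Object { $_.UserName -eq $DeniedGroup })) {
        $policy  = $zonePolicies.Add($DeniedGroup, "Deny All - Default zone only")
        $denyAll = $webApp.PolicyRoles.GetSpecialRole(
                       [Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyAll)
        $policy.PolicyRoleBindings.Add($denyAll)
    }
    $webApp.Update()
    $webApp.ProvisionGlobally()    # push the IIS anonymous-authentication change to the servers

    # Second zone: anonymous allowed, NTLM for users who choose to sign in, no deny policy.
    if (-not $webApp.IisSettings.ContainsKey($AnonymousZone)) {
        New-SPWebApplicationExtension -Identity $webApp -Name "$($webApp.Name) - Anonymous" `
            -Zone $AnonymousZone -Url "http://$AnonymousHostHeader" `
            -HostHeader $AnonymousHostHeader -Port 80 `
            -AuthenticationMethod NTLM -AllowAnonymousAccess | Out-Null
    }
    Get-SPWebApplication -Identity $WebAppUrl    # refreshed object for inspection
}

# Usage with the assumed placeholders.
Test-AnonymousDenyAllConflict -WebAppUrl "http://mySharePointSite" | Format-Table -AutoSize
Set-DenyAllOnAuthenticatedZone -WebAppUrl "http://mySharePointSite" `
    -DeniedGroup "CONTOSO\BlockedUsers" -AnonymousHostHeader "anon.contoso.com" | Out-Null
Test-AnonymousDenyAllConflict -WebAppUrl "http://mySharePointSite"    # expected: no rows
```

Anonymous visitors then use the extended zone's URL (http://anon.contoso.com in this example), where no deny policy exists, so they are never challenged; the site-level anonymous settings from steps 5 to 7 apply to both zones because they belong to the site collection, not to a zone. Members of the denied group who reach the Default zone are authenticated there and blocked by the zone policy, which is the behaviour the "Deny All" policy was meant to produce. Re-running the audit function after the change is the quick check that no all-zones deny remains.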