In a recent support case we were facing the following scenario:
SharePoint Server 2010 with SP1 and the August 2011 CU, OS: Windows Server 2008 R2, all English and, of course, 64-bit.
1) Create a new site with the publishing site template and a document library in it.
2) Upload a new Word 2010 document to the library.
3) Take a user that has no permissions on the farm or on any content and grant it ‘Contribute’ rights on the document only (that is, break permission inheritance on the site, the document library and the document).
4) Notice how the user gains ‘Limited Access’ on the parent document library and web site.
5) Attempt to open the document as the restricted user via the direct URL (e.g. http://myserver/sites/Shared Documents/testdoc1.docx).
6) Notice how multiple authentication prompts are opened, yet the document can be opened after clicking ‘Cancel’ (the web application in my case is set up with Windows classic-mode authentication, and Kerberos is enabled in the authentication provider).
7) Notice how the document cannot be edited unless the user has ‘View Application Pages’ on the root web site.
The error message ‘A problem occurred while connecting to the server. If the problem continues, contact your administrator’ is displayed when clicking the ‘Edit Document’ button in the yellow Word bar.
Now, the TechNet article at http://technet.microsoft.com/en-us/library/cc288074.aspx states that the ‘Limited Access’ permission level contains the ‘View Application Pages’ permission.
When we use the same repro steps as above but with the “Team Site” template instead, everything works as expected; we can even get into the document library and get the intended view of only the documents we are permitted to see (security trimming applies).
At first glance this looked like inconsistent behavior depending on the site template used:
- In a site collection created from the Team Site template, Limited Access has “View Application Pages”, even on subsites that are based on the publishing site template.
- In a site collection created from the Publishing Portal template, Limited Access does not have “View Application Pages”, even on subsites that are based on the Team Site template.
So what is the cause of this? After some research we found that this is not inconsistent behavior between the two site templates in question, but intended, and therefore “by design”.
The reason is:
For publishing sites, lockdown mode is enabled, and the feature that implements it removes the ‘View Application Pages’ permission from the Limited Access permission level when it is activated.
Analysis of the issue
For publishing sites, lockdown mode is enabled by default. The ViewFormPagesLockDown feature (which is scoped to the site collection, hence the behavior on subsites regardless of their template) is responsible for the behavior reported above: activating it removes the permissions from the Limited Access level, and deactivating it adds them back.
Use lockdown mode (Source: http://technet.microsoft.com/en-us/library/cc263468(office.12).aspx#section6)
Lockdown mode is a feature that you can use to secure published sites. When lockdown mode is turned on, fine-grained permissions for the limited access permission level are reduced. The following table details the default permissions of the limited access permission level and the reduced permissions when lockdown mode is turned on.

| Permission | Limited access: default | Limited access: lockdown mode |
|---|---|---|
| List permissions: View Application Pages | ● | |
| Site permissions: Browse User Information | ● | ● |
| Site permissions: Use Remote Interfaces | ● | |
| Site permissions: Use Client Integration Features | ● | ● |
| Site permissions: Open | ● | ● |
Lockdown mode is applied to sites under the following circumstances:
- The Stsadm.exe command-line tool is used to turn lockdown mode on.
- The Publishing Portal site template is applied to the site collection. By default, lockdown mode is turned on when this template is applied.
Consider using lockdown mode on published sites if greater security on these sites is a requirement. Additionally, if you applied the Publishing Portal site template, determine if lockdown mode is the desired configuration for these sites. If not, use the Stsadm.exe command-line tool to turn off lockdown mode.
The following table lists the Stsadm commands related to using lockdown mode (the feature folder is ViewFormPagesLockDown, so the -filename argument is the path of its feature.xml relative to the FEATURES directory).

| Action | Command |
|---|---|
| Turn on lockdown mode for a site collection | stsadm -o activatefeature -url <site collection url> -filename ViewFormPagesLockDown\feature.xml |
| Turn off lockdown mode for a site collection | stsadm -o deactivatefeature -url <site collection url> -filename ViewFormPagesLockDown\feature.xml |
You can get the behavior you want by turning off lockdown mode with stsadm.
If you prefer PowerShell, there are example scripts for this at http://blogs.msdn.com/b/russmax/archive/2010/01/22/lockdown-mode-in-sharepoint-2010.aspx. For example, to check whether lockdown mode is on, list the features activated on the site collection:

Get-SPFeature -Site http://sitecollectionURL

If ViewFormPagesLockDown is listed, lockdown mode is enabled. To toggle lockdown mode off:

$lockdown = Get-SPFeature ViewFormPagesLockDown
Disable-SPFeature $lockdown -Url http://sitecollectionURL
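To verify the root cause on a given site collection rather than just toggling the feature blindly, here is an added PowerShell example. It is not code from the original post or from the linked TechNet/MSDN pages; the function names are my own and http://sitecollectionURL is a placeholder. It reports whether ViewFormPagesLockDown is active and reads the rights of the ‘Limited Access’ role definition (the role of type Guest) directly from the object model, so you can watch the ‘View Application Pages’ right (SPBasePermissions.ViewFormPages) and the other rights from the table above disappear and reappear when lockdown mode is turned off and on.

```powershell
# Added example, not code from the original post or the linked TechNet/MSDN pages.
# Assumes the SharePoint 2010 Management Shell (Microsoft.SharePoint.PowerShell
# snap-in) and a placeholder site collection URL of http://sitecollectionURL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-LimitedAccessLockdownState {
    param([Parameter(Mandatory = $true)][string]$SiteUrl)

    $site = Get-SPSite $SiteUrl
    try {
        # Get-SPFeature -Site lists only the features that are activated on the
        # site collection, so ViewFormPagesLockDown shows up only when lockdown
        # mode is on (same check as the Get-SPFeature call in the post).
        $lockdownOn = [bool](Get-SPFeature -Site $site |
            Where-Object { $_.DisplayName -eq "ViewFormPagesLockDown" })

        # "Limited Access" is the role definition of type Guest. The lockdown
        # feature adds/removes rights on this role definition, which is why
        # "View Application Pages" (SPBasePermissions.ViewFormPages) is missing
        # on a publishing portal.
        $limited = $site.RootWeb.RoleDefinitions.GetByType(
            [Microsoft.SharePoint.SPRoleType]::Guest)
        $mask = [uint64]$limited.BasePermissions

        function Test-Right([Microsoft.SharePoint.SPBasePermissions]$right) {
            ($mask -band [uint64]$right) -ne 0
        }

        New-Object PSObject -Property @{
            SiteUrl              = $SiteUrl
            LockdownMode         = $lockdownOn
            ViewApplicationPages = Test-Right ([Microsoft.SharePoint.SPBasePermissions]::ViewFormPages)
            UseRemoteInterfaces  = Test-Right ([Microsoft.SharePoint.SPBasePermissions]::UseRemoteAPIs)
            UseClientIntegration = Test-Right ([Microsoft.SharePoint.SPBasePermissions]::UseClientIntegration)
            BrowseUserInfo       = Test-Right ([Microsoft.SharePoint.SPBasePermissions]::BrowseUserInfo)
            Open                 = Test-Right ([Microsoft.SharePoint.SPBasePermissions]::Open)
        }
    }
    finally {
        $site.Dispose()
    }
}

function Set-LockdownMode {
    param([Parameter(Mandatory = $true)][string]$SiteUrl,
          [Parameter(Mandatory = $true)][bool]$Enabled)

    # Enable-/Disable-SPFeature throw if the feature is already in the requested
    # state, so check first and make the call idempotent.
    $state = Get-LimitedAccessLockdownState -SiteUrl $SiteUrl
    if ($state.LockdownMode -eq $Enabled) { return $state }

    if ($Enabled) {
        Enable-SPFeature -Identity ViewFormPagesLockDown -Url $SiteUrl
    } else {
        Disable-SPFeature -Identity ViewFormPagesLockDown -Url $SiteUrl -Confirm:$false
    }

    # Re-read the role definition: the feature edits "Limited Access" at
    # activation/deactivation time, so the change is visible immediately.
    Get-LimitedAccessLockdownState -SiteUrl $SiteUrl
}

# Usage: inspect the publishing portal, then turn lockdown mode off as the post
# recommends and confirm that ViewApplicationPages flips to True.
Get-LimitedAccessLockdownState -SiteUrl http://sitecollectionURL | Format-List
Set-LockdownMode -SiteUrl http://sitecollectionURL -Enabled $false | Format-List
```

On a freshly created Publishing Portal the first call should report LockdownMode True and ViewApplicationPages and UseRemoteInterfaces False, matching the lockdown column of the table above; after Set-LockdownMode with -Enabled $false all rights in the table should read True. Keep in mind what you are trading: lockdown mode exists so that users who hold only Limited Access on a published site cannot browse application pages or call the remote interfaces, so turning it off to fix the Word ‘Edit Document’ problem widens what such users can reach across the whole site collection. If the portal is anonymous or Internet-facing, prefer granting the restricted user the ‘View Application Pages’ right on the root web via a custom permission level instead.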