After figuring out Part I, I felt pretty good and maybe a tad overconfident. I told my customer we were now ready to release the information to the world.
A few days later a small test group was doing some testing and the results put me back into place.
Once again, Public users could get to security trimmed data! How?????
I went immediately in our external site and check security, everything looked good.
I then went to check the Anonymous setting I told you about in Part I.
When I got out there, the "Settings" was missing. Gone. Not there. I checked on several lists, libraries, and even subsites. It was gone. How?
Let me explain our environment. We have the inside, which all users are NTLM authenticated. We have the external site, to which data is content deployed, and this is Anonymous and FBA. We have a group which manages architecture – Central Administration. Then there is a group for development and site creation / delivery. That is me. I do not have access to Central Administration.
I went to our Architecture group and we looked at the setting for FBA Externally. It looked good. Below is a sample of the screen we looked at.
Enable anonymous access was checked.
Then we looked at the Windows side of the equation:
The Enable anonymous access was NOT checked. Someone had unchecked it thinking logically. This was the NTLM side and we don't need anonymous access. But this was the external box.
We did a quick test, enabling the checkbox under Windows. The Anonymous settings was back!
Moral of the story: On an external box with FBA configured, enable the checkbox for anonymous under the windows screen. It does matter.