Monday, January 30, 2012

SharePoint Anonymous Users and Managed Metadata Columns

I was working on a SharePoint 2010 internet facing site, which will have Anonymous Users.

We allowed Anonymous Users access to the site using the steps document on Tech Net and other places on the internet.

While rest of the site worked as expected for anonymous users, the web parts which queries information from a SharePoint List having a column of type managed metadata, failed. It gave the following error:

Value does not fall within the expected range
at Microsoft.SharePoint.SPListCollection.ItemByInternalName(String strInternalName, Boolean bThrowException)  
at Microsoft.SharePoint.SPListCollection.get_Item(Guid uniqueID)  
at Microsoft.SharePoint.Taxonomy.TaxonomyField.GetLookupList(SPSite site)  
at Microsoft.SharePoint.Taxonomy.TaxonomyField.GetGuidOfWssIdFromHiddenList(SPSite site, Int32 id, Guid& termSetId, Guid& termId)  
at Microsoft.SharePoint.Taxonomy.TaxonomyField.GetGuidOfWssId(SPSite site, Guid sspId, Int32 id, String& termId)  
at Microsoft.SharePoint.Taxonomy.TaxonomyFieldValue.get_TermGuid()  
at Microsoft.SharePoint.Taxonomy.TaxonomyFieldValue.ToString()  
at VisualWebPartProject1.VisualWebPart1.VisualWebPart1UserControl.Page_Load(Object sender, EventArgs e)

If we accessed the same page using an Authenticated User and then accessed the same page as an anonymous user, it seemed to work. I suspect Caching is internally at play.

To troubleshoot, you need to know a little bit about how MMS works and the TaxonomyHiddenList, which as the name suggest is an hidden list.

The URL for the list is similar to that of any other list at the top site collection level:


When you browse to the list, and look at the permissions for the list, you will notice that the permissions for the list are broken. The following was the permission for the list.

To resolve the issue, I re-inherited the permissions. And it fixed the issue. As simple as that.

After re-inheriting the permissions, the System Account now has Limited Access instead of Full Control granted earlier.

While there are no side-effects in our case, there is a possibility that if you have a list or library where users have Contribute permissions but not to rest of the site, it may break. In such a case, I would try the following:

1.       ReInherit the Permissions

2.       Break the Permissions again

3.       Add All Authenticated Users(NT AUTHORITY\Authenticated Users) with Read permissions and change the permissions for System Account to Full Control. Basically, the base site permissions, plus the special permissions for All Authenticated Users and System Account.