I have previously written about an issue stopping anonymous users accessing RSS feeds with SharePoint 2013 when ViewFormPagesLockdown is enabled. While I managed to develop a work around for the client I was working with at the time, I completely neglected to write it up so others could benefit. What a rube.

I've put an example solution up on Github, hopefully someone will find that useful. Here's what it does:

As mentioned in the linked post, the problem stems from Microsoft changing the permissions on the RssXslt.RightsRequired property to include ViewFormPages in SP2013:


protected override SPBasePermissions RightsRequired {
    get {
        return SPBasePermissions.ViewFormPages | SPBasePermissions.Open;
    }
}

The basic workaround idea is this:

  1. Deploy a new layouts page that inherits from RssXsltPage and override the RightsRequired property to return an appropriate value (i.e. what SharePoint 2010 returns)
  2. Use IIS rewrite/redirect any calls to /_layouts/15/rssxslt.aspx to my layouts page instead

So I created a blank solution, added a mapped folder to Layouts and added an ASPX page RssXslt.aspx. I inherited from Microsoft.SharePoint.ApplicationPages.RssXsltPage, and overrode RightsRequired to return whatever the OOTB RssXsltPage class returns, except for ViewFormPages:


protected override SPBasePermissions RightsRequired
{
    get {
        return base.RightsRequired & ~SPBasePermissions.ViewFormPages;
    }
}

I could have just returned Open permissions, but on the off chance the base permissions ever change, this will allow those changes to flow through.

Now for the catch… the original RssXslt.aspx isn't just an empty ASPX file driven completely by codebehind—it contains a bunch of XSL and server controls that are required for the base class to function. There's probably a better way to do this, but I simply copied everything except the directives from the OOTB RssXslt.aspx into my RssXslt.aspx.

Deploying this to my test farm and confirmed anonymous users can in fact view my version of the ASPX, and yet still get challenged to authenticated for the OOTB ASPX. Score!

For the final touch—IIS rewrites. It's no good having an accessible stylesheet if the RSS feed is still pointing to the broken one. And unfortunately the feedlist.aspx code-behind isn't feasible to hack around. So IIS rewrites will have to do. I want to rewrite anything containing /_layouts/15/rssxslt.aspx to point to my page. The solution I built is named AnonymousRs, so it will need to rewrite to /_layouts/15/AnonymousRss/rssxslt.aspx:


<rule name="RssXslt For Anonymous Users">
    <match url="^(.*/_layouts/15/)(rssxslt.aspx)" />
    <action type="Redirect" url="{R:1}AnonymousRss/{R:2}" />
</rule>

You can use IIS management console to do this of course. One thing to be aware of: if you're running this on a farm with multiple web front ends, each WFE will need this configuration applied. The solution could be changed to use SPWebConfigModification to let SharePoint handle pushing the changes to all WFEs, but damned if I'm touching that mess of a process for a simple work around :)

Here's the before and after. In this case I've configured IIS to redirect rather than rewrite, just so it's easy to see IIS is actually doing something:

RssXslt.aspx auth challenged
RssXslt.aspx auth challenged
Redirected to fix RssXslt.aspx. All good!
Redirected to fix RssXslt.aspx. All good!