_vti_bin/spsdisco.aspx page accessible even when the user does not have any permissions in the site collection.

adil 1,431 Reputation points
2020-12-08T13:27:31.58+00:00

Hi, I have created a site collection and want to publish it to the internet. Before that, I tested and found that _vti_bin URLs (_vti_bin/spsdisco.aspx) are accessible to users even though I removed anonymous access and domain user permissions (I removed them from all SharePoint groups).

Here, when I remove anonymous access for the site collection, the domain user is unable to access the site (it shows the "this site is not shared with you" message), but at the same time, when I access the _vti_bin/spsdisco.aspx page, it shows an authentication prompt, and when I entered my domain user's permissions (which currently has no permission) it is accessible.

Is this the default behavior, or is there any way to restrict this?


Microsoft 365 and Office | SharePoint Server | For business

Accepted answer
  1. JoyZ 18,111 Reputation points
    2020-12-09T07:40:46.787+00:00

    Hi @adil ,

    Agree with trevor, it's the default behavior, and preventing _vti_bin folder access is not supported in SharePoint, as SharePoint needs to make calls to this folder, e.g. the ListData.svc web service.

    Reference:

    https://stackoverflow.com/questions/57902272/how-to-prevent-access-to-vti-bin-folder-on-sharepoint-and-we-are-using-content

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


1 additional answer

  1. trevorseward 11,711 Reputation points
    2020-12-08T18:13:16.687+00:00

    Access to _vti_bin pages is expected; however, the code-behinds will prompt for authentication as needed. This is normal. Domain users, if using a URL which has anonymous applied to it, will need to explicitly authenticate prior to being able to work with areas of the site which require authentication. This is due to the browser seeing that anonymous is available, so it never sends credentials to the server.

    1 person found this answer helpful.
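
To confirm the behavior described in the answers on your own farm, the IIS W3C logs show whether each `_vti_bin` request was challenged (401), served to an authenticated account, or served with no identity at all. The following is an added example, not code from this thread or from Microsoft; the log lines, the `CONTOSO\testuser` account, the IP addresses and the reduced `#Fields` set are constructed sample data.

```python
# Added example: classify /_vti_bin/ requests in an IIS W3C log.
# Log lines, account name and IPs below are constructed sample data.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2020-12-08 13:20:01 GET /_vti_bin/spsdisco.aspx - 192.0.2.10 401
2020-12-08 13:20:02 GET /_vti_bin/spsdisco.aspx CONTOSO\\testuser 192.0.2.10 200
2020-12-08 13:21:40 GET /_vti_bin/ListData.svc - 192.0.2.44 200
2020-12-08 13:22:05 GET /SitePages/Home.aspx - 192.0.2.44 200
"""


def audit_vti_bin(log_text):
    """Return (uri, user, status, verdict) for each /_vti_bin/ request."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated row
        row = dict(zip(fields, values))
        uri = row.get("cs-uri-stem", "")
        if "/_vti_bin/" not in uri.lower():
            continue  # also matches /sites/<name>/_vti_bin/...
        user = row.get("cs-username", "-")
        raw_status = row.get("sc-status", "")
        status = int(raw_status) if raw_status.isdigit() else 0
        if status == 401:
            verdict = "challenged"      # server asked for credentials
        elif 200 <= status < 300 and user == "-":
            verdict = "anonymous"       # served with no authenticated identity
        elif 200 <= status < 300:
            verdict = "authenticated"   # served after the user logged in
        else:
            verdict = "other"
        findings.append((uri, user, status, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_vti_bin(SAMPLE_LOG):
        print(*finding)
```

On a real server, pass the contents of the site's IIS log file instead of `SAMPLE_LOG`; rows with the `anonymous` verdict are the ones to review against the web application's anonymous access setting.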