User-149623670 posted
We have a SharePoint site which has "Anonymous Authentication" disabled, however our logs show thousands of blank entries for CS-USERNAME. For example, a popular article got 11087 hits yesterday, but LogParser states that 9791 of those hits are blank in the
log. What's going on here? Is it search? What could be accessing SharePoint anonymously if it's not enabled? (Our company doesn't have 10000 employees, so I don't think it's employees clicking on the link).
User-149623670 posted
Further to this: I ran log parser again grouped-by the C-IP (IP Address) and 9258 hits (with blank CS-USERNAME) came from a mystery IP address. I pinged my Infrastructure team and it turns out that it was a proxy server for another one of our businesses. When
I dig deeper, some have valid CS-USERNAME entries, but most are blank and are usually: - Microsoft+Office+Existence+Discovery - Microsoft+Office+Protocol+Discovery - Mozilla/4.0+(compatible;+MS+FrontPage+12.0) - MSFrontPage/12.0 ... and are often 401's. This
article seems to explain the annoying issue - users with Frontpage extensions: http://blogs.msdn.com/b/vsofficedeveloper/archive/2008/03/11/office-existence-discovery-protocol.aspx I guess I'll just filter out blank CS-USERNAME entries in our logs, or perhaps
it should just be 401s?
