We recently set up a new local installation of Sitecore XM, with SPE, SXA, the whole deal. One of our developers was trying to export some content via the Out-Download command, which wasn’t working.

For the sake of testing, we dumbed this query down to the absolute basics:

"Hello World!" | Out-Download -Name hello-world.txt

In theory, that should download a text file with the contents “Hello World!” in it. Well… it didn’t. Something must be afoot. Checking our network traffic, we could see we were getting a 401 when trying to access the handler (which downloads the file).

By default, all services are disabled. This is a good thing. Enable what you need! Luckily, for local development, Alan created a lovely “Shields Down” config which gives access to all the things. Great for testing. Bad for production, though. The contents are pretty straightforward:

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <powershell>
      <services>
        <remoting>
          <patch:attribute name="enabled">true</patch:attribute>
          <authorization>
            <add Permission="Allow" IdentityType="User" Identity="sitecore\admin" />
          </authorization>
        </remoting>
        <restfulv2>
          <patch:attribute name="enabled">true</patch:attribute>
        </restfulv2>
      </services>
      <userAccountControl>
        <gates>
          <gate name="ISE">
              <patch:delete/>
          </gate>
          <gate name="Console">
              <patch:delete/>
          </gate>
          <gate name="ItemSave">
              <patch:delete/>
          </gate>
          <gate name="ISE" token="Permissive"/>
          <gate name="Console" token="Permissive"/>
          <gate name="ItemSave" token="Permissive"/>
        </gates>
        <tokens>
          <token name="Permissive" expiration="00:00:00" elevationAction="Allow"/>
        </tokens>
      </userAccountControl>
    </powershell>
  </sitecore>
</configuration>

Unfortunately… that did not help us out. We were still getting a 401. It dawned on me (entirely too late to feel good about it) to check the SPE log files. And looking there, the culprit was pretty straightforward.

INFO A request to the handleDownload service was made from IP 172.21.160.1
WARN The specified user extranet\Anonymous is not authorized for the handleDownload service.

That’s my womp womp. We needed to give the Anon User the ability to download from the handleDownload service. The final Shields Config for us looked like this:

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
	<sitecore>
		<powershell>
			<services>
				<!-- Local development only: turn on SPE remoting for sitecore\admin -->
				<remoting>
					<patch:attribute name="enabled">true</patch:attribute>
					<authorization>
						<add Permission="Allow" IdentityType="User" Identity="sitecore\admin" />
					</authorization>
				</remoting>
				<!-- Local development only: turn on the RESTful v2 service -->
				<restfulv2>
					<patch:attribute name="enabled">true</patch:attribute>
				</restfulv2>
				<!-- The fix: the SPE log showed the handleDownload request arriving as -->
				<!-- extranet\Anonymous, so that user is allowed on this one service -->
				<handleDownload>
					<authorization>
						<add Permission="Allow" IdentityType="User" Identity="extranet\Anonymous" />
					</authorization>
				</handleDownload>
			</services>
			<userAccountControl>
				<gates>
					<gate name="ISE">
						<patch:delete />
					</gate>
					<gate name="Console">
						<patch:delete />
					</gate>
					<gate name="ItemSave">
						<patch:delete />
					</gate>
					<gate name="ISE" token="Permissive" />
					<gate name="Console" token="Permissive" />
					<gate name="ItemSave" token="Permissive" />
				</gates>
				<tokens>
					<token name="Permissive" expiration="00:00:00" elevationAction="Allow" />
				</tokens>
			</userAccountControl>
		</powershell>
	</sitecore>
</configuration>

Take a peek at lines 18-22, the handleDownload block. This gives the Anon user access to the Download handler. Once we made this change, we were good to go! Out-Download behaved as expected!
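
Since the Shields Down config is great for testing and bad for production, here is an added example (not part of the original post or of SPE itself) that audits a patch file for the three things this config does: enabling services, allowing extranet\Anonymous, and defining an elevationAction="Allow" token. The function name Get-SpeShieldsDownFinding and the finding labels are hypothetical, and the sample XML is a trimmed, constructed copy of the config above.

```powershell
# Added example. $sample is constructed: a trimmed copy of the final config in
# this post. Get-SpeShieldsDownFinding is a hypothetical helper name.
$sample = @'
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore><powershell>
    <services>
      <remoting>
        <patch:attribute name="enabled">true</patch:attribute>
        <authorization><add Permission="Allow" IdentityType="User" Identity="sitecore\admin" /></authorization>
      </remoting>
      <handleDownload>
        <authorization><add Permission="Allow" IdentityType="User" Identity="extranet\Anonymous" /></authorization>
      </handleDownload>
    </services>
    <userAccountControl><tokens>
      <token name="Permissive" expiration="00:00:00" elevationAction="Allow" />
    </tokens></userAccountControl>
  </powershell></sitecore>
</configuration>
'@

function Get-SpeShieldsDownFinding {
    param([Parameter(Mandatory)][xml]$Config)

    # The patch: prefix must be registered before XPath can match patch:attribute.
    $ns = New-Object System.Xml.XmlNamespaceManager($Config.NameTable)
    $ns.AddNamespace('patch', 'http://www.sitecore.net/xmlconfig/')
    $spe = '/configuration/sitecore/powershell'

    # Services this patch switches on via patch:attribute name="enabled".
    foreach ($n in $Config.SelectNodes("$spe/services/*/patch:attribute[@name='enabled']", $ns)) {
        if ($n.InnerText.Trim() -eq 'true') {
            [pscustomobject]@{ Finding = 'ServiceEnabled'; Target = $n.ParentNode.LocalName; Detail = 'enabled=true' }
        }
    }
    # Allow rules granted to the anonymous extranet user.
    foreach ($n in $Config.SelectNodes("$spe/services/*/authorization/add[@Permission='Allow']", $ns)) {
        $identity = $n.GetAttribute('Identity')
        if ($identity -ieq 'extranet\Anonymous') {
            [pscustomobject]@{ Finding = 'AnonymousAllowed'; Target = $n.ParentNode.ParentNode.LocalName; Detail = $identity }
        }
    }
    # Elevation tokens whose elevationAction is Allow, like the "Permissive" token.
    foreach ($n in $Config.SelectNodes("$spe/userAccountControl/tokens/token[@elevationAction='Allow']", $ns)) {
        [pscustomobject]@{ Finding = 'PermissiveToken'; Target = $n.GetAttribute('name'); Detail = 'elevationAction=Allow' }
    }
}

Get-SpeShieldsDownFinding -Config $sample | Format-Table -AutoSize
```

To check real patch files, pass each file's text to -Config, for example the output of Get-Content -Raw.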