Managing SharePoint 2013 with PowerShell: Working with Alternate Access Mappings
SharePoint provides a lot of options for handling your ability to present your SharePoint resources to your users. Making connections from the internal network or from across the Internet, you can make fine-tuned adjustments to the way that people can connect to your SharePoint sites. These fine-tuned adjustments that allow people to connect to your sites in multiple ways are made available through Alternate Access Mappings (AAM). This article shows you how to manage Alternate Access Mappings in SharePoint 2013 using PowerShell.
(Editor’s note: Be sure to check out our previous articles, “Managing SharePoint 2013 with PowerShell: Creating a Search Application” and “Managing SharePoint 2013 with PowerShell: Working with Timer Jobs.”)
Alternate Access Mappings (AAM): Introduction
Each web application in SharePoint can be presented with up to five public URLs. For instance, you might have allowed both “intranet.local” and “portal.fakedomain.com” to make connections to your SharePoint 2013 portal. The public URLs are URLs that SharePoint displays through links. Each of the public URLs must be assigned one of the five available zones. You have to have a public URL assigned to the zone titled “Default” but the others are just friendly labels that can be used in whatever fashion it makes sense to you and your organization. The other zones are “Internet,” “Intranet,” “Extranet,” and “Custom.” Tip: You can remember public URLs as the addresses that are displayed by SharePoint to the users.
Each public URL has at least one internal URL that corresponds to it. The internal URLs are the addresses that SharePoint 2013 accepts and are bound to the SharePoint web application in IIS. Note that only the default zone that you create when you create the web application is added to the IIS bindings for the site in IIS. Any other alternate access mappings you create have to be created in the bindings list for the site.
Passwords Haven’t Disappeared Yet
123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?
By default, when you create a public URL it also creates an internal URL in the same zone. This is great because it bridges the connection that you assume will be there. With both an internal and public URL for “hr.intranet.local” in the same zone, a user can type in hr.intranet.local to get to their SharePoint 2013 site, and SharePoint will recognize it as an internal URL. Then, since it’s recognized as an internal URL, SharePoint displays the public URL registered to the same zone back to the user in the address bar and in the links displayed on the SharePoint sites.
And since you can have multiple internal URLs pointed to the same public URL, you can work some magic with changing the results that people type in. This can be very helpful for teaching your users that they don’t have to type in the FQDN for the SharePoint site or for enforcing HTTPS on a SharePoint web application.
Managing Alternate Access Mappings in SharePoint 2013 with PowerShell
You can use PowerShell to manage all aspects of your Alternate Access Mappings in SharePoint 2013. You can use the following cmdlets to control your internal and public URLs: Get-SPAlternateURL, New-SPAlternateURL, Set-SPAlternateURL, and Remove-SPAlternateURL.
List Alternate Access Mappings with PowerShell
Using the Get-SPAlternateURL cmdlet, you can find the existing AAM settings for a web application.
You can also limit the results by zone, web application, or a mapped external resource through the use of the zone, webapplication, and resource parameters. The zone parameter can be used by itself or with either the webapplication or resource parameter, but the webapplication and resource parameters cannot be used together.
Get-SPAlternateURL –WebApplication “http://portal.intranet.local” –Zone “Default”
Creating a New Alternate Access Mapping with PowerShell
Alternate Access Mappings can be created with the New-SPAlternateURL cmdlet.
Like the Get-SPAlternateURL, you can use this command on either web applications or external resources, but not both at the same time. Whether you’re creating your new alternate access mapping for a web application or for an external resource, you have to supply the value for the mandatory URL parameter.
You can also specify the zone for the new AAM with the Zone parameter.
New-SPAlternateURL –WebApplication “http://portal.intranet.local” –URL “https://portal.domain” –Zone “Internet”
If you want to create an internal URL, then you can specify that with the “Internal” switch parameter. If this switch isn’t used, a public URL is created.
New-SPAlternateURL –WebApplication “http://portal.intranet.local” –URL “http://portal.domain” –Zone Internet –Internal
Change an Alternate Access Mapping with PowerShell
One of the main things you might want to change on an AAM is which zone it’s registered in. You can only change the zone of an internal URL. If you want to change a public zone URL, you would just change the URL or remove the mapping.
Changing a zone on an internal URL makes sense because the internal URLs are the mappings that make the translations happen between what a user types into their browser, and what the URL looks like when it resolves. So changing that translation is something that makes sense. Just changing the zone of a public URL doesn’t really change anything for us, since the zones are only labels and don’t have any real impact (you can have Internet traffic coming into the Intranet zone and vice-versa).
Change the Zone of an Internal URL
Get-SPAlternateURL “http://staff” | Set-SPAlternateURL –Zone “Custom”
Change the URL of a public URL
Get-SPAlternateURL “http://mysite.local” | Set-SPAlternateURL “https://mysite.local”
Remove an AlternateAccessMapping with PowerShell
If you realize that you’ve made a mistake with one of your alternate access mapping entries, you can remove it from SharePoint. You can’t remove the entries with Remove-SPAlternateURL.
Get-SPWebApplication “http://intranet.local” | Get-SPAlternateURL –Zone “Internet” | Remove-SPAlternateURL
If you’re scripting this, it can be helpful to make use of the -Confirm parameter to prompt before deletion to make sure that you’re aware of what you’re doing. Likewise, if you’re testing your code and want to make sure your script works but not actually remove the AAM at this time, you can use the -Whatif parameter to run through the process without actually deleting the AAM entry.
Administering SharePoint 2013 means, more and more, learning and embracing PowerShell. Even when working with something like Alternate Access Mappings, which can be done from Central Administration, you can often get more accomplished quicker by bypassing Central Administration and just performing command line administration through PowerShell.