Microsoft KB Archive/218756

= Logon Privileges Required for Anonymous Access =

Article ID: 218756

Article Last Modified on 6/22/2005

-

APPLIES TO


 * Microsoft Internet Information Server 4.0

-



This article was previously published under Q218756



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SUMMARY
Prior to IIS version 4.0, the administrator had to make sure the anonymous user account passwords were the same in both the IIS Administration tool and the Windows User Manager. Failure to do so lead to logon failures. To solve this dilemma and make administration easier, Password Synchronization was introduced in IIS 4.0.

Password synchronization uses a slightly different logon method (explained in a moment) that has some side effects. By default, this option is enabled.

Not Enabling Password Synchronization

When this option is not enabled, IIS calls the LogonUser API in Windows to log the account on. It passes in the user name and password configured by the administrator. If this matches the user name and password in Windows User Manager, the account is successfully logged on, the security token is cached by IIS, and the account is impersonated. This scenario logs the user account on interactively (logged on locally).

Enabling Password Synchronization

Authentication is performed differently when Password Synchronization is enabled because IIS has to inform Windows that the password is correct. A subauthenticator can perform this task. Windows allows subauthenticators (implemented as subauthentication DLLs) to be used in conjunction with the normal Windows authentication system. This scenario logs the user account on as a network logon.

IIS supplies a subauthentication DLL called IISsuba.dll. The function of this DLL in terms of anonymous authentication is to verify that the password is correct and then inform Windows that the password is valid and hence log the user on.

The Side Effect of Enabling Password Synchronization

Subauthentication DLLs require a network logon, which can have side effects compared to a batch or interactive logon. The most notable is, in some cases, the inability to access resources such as files or Microsoft Access databases on a remote computer. If you see this problem, turn the Password Synch option off; this will force IIS to use normal authentication and log the account on locally (an interactive logon).



MORE INFORMATION
For more information about Windows subauthentication, see the Microsoft Platform SDK and Microsoft Visual Studio 6.0 online product documentation. Visual Studio 6.0 ships with a subauthentication sample called SubAuth.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

216828 Password Synchronization/Allow IIS to Control Password May Cause Problems

Keywords: kbhowto KB218756

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.