Microsoft KB Archive/332167

= IIS 6.0: HOW TO: Configure IIS to Control the Anonymous Password =

Article ID: 332167

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Internet Information Server 1.01
 * Microsoft Internet Information Services 6.0




This article was previously published under Q332167



Important: This article contains information about editing the metabase. Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to do this, see the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC).

IN THIS TASK

 * SUMMARY
 * Configure Sub-Authentication on an IIS 6.0 New Installation in Worker Process Isolation Mode
 * Configure Sub-Authentication on IIS 6.0 in IIS 5.0 Isolation Mode
 * Configure Sub-Authentication on an IIS 6.0 Upgrade in Worker Process Isolation Mode
 * REFERENCES



SUMMARY
This step-by-step article describes how to configure sub-authentication in Internet Information Services (IIS) 6.0.

By default, in earlier versions of IIS, the option to allow IIS to control the password for the Anonymous account is selected when you enable Anonymous authentication for a Web site. When this check box is selected, the Anonymous account can function without the Web site administrator typing the correct password in the IIS Management Console. This functionality is provided through the sub-authentication component, Iissuba.dll.

By default, IIS 6.0 does not enable sub-authentication because using the component involves some security risk. You can use sub-authentication to manage passwords for anonymous accounts in IIS 6.0 by meeting the following requirements:

 * For applications that you grant Anonymous access, the worker process must run as LocalSystem.

Note: This is required because sub-authentication permits the process that is running under IIS to authenticate without providing a password. By default, all actions of the worker process are completed in the context of this worker process identity account. However, when a client request is processed, the thread that processes the request uses a token that is associated with the client (in this case, the Anonymous or IUSR account) for the duration of the request. This is known as impersonation.

For more information about the relationship of application pool identity to the impersonated user, see the product documentation. To view the documentation, visit the following Microsoft Web site:

Configuring Application Pool Identity

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f05a7c2b-36b0-4b6e-ac7c-662700081f25.mspx

LocalSystem is a highly privileged account. When you enable sub-authentication, administering a Web server by using anonymous users may be much easier, but you must consider the potential security risk before you do this.

 * The sub-authentication component, Iissuba.dll, must be registered.
 * The AnonymousPasswordSync metabase property must be enabled (that is, set to TRUE).

Note: For more information about sub-authentication in IIS 6.0, visit the following Microsoft Web site:

Anonymous Authentication

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f594e137-e2da-4b22-ab58-f8edba938802.mspx

Note that the documentation incorrectly refers to the AnonymousPasswordSync metabase property as the AnonymousPasswordSynch metabase property.

To configure sub-authentication in IIS 6.0, select the method appropriate for your IIS installation from the three methods that are described in this article.


Configure Sub-Authentication on a New Installation of IIS 6.0
Warning: If you edit the metabase incorrectly, you can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.

Note: Always back up the metabase before you edit it.

To configure sub-authentication on an installation of IIS 6.0 that has not been upgraded from a previous version and that is running in worker process isolation mode:

1. Register Iissuba.dll. To do this, type the following at a command prompt, where systemroot is the system root directory (on a default installation, this is C:\Windows):

   rundll32 systemroot\system32\iissuba.dll,RegisterIISSUBA

2. Run all worker processes that use Anonymous authentication under the identity of LocalSystem.

   Note: IIS 6.0 permits you to group applications in application pools. Identities are configured for the application pool that your application is assigned to. If your applications use Anonymous authentication and are assigned to more than one application pool, you must repeat the following steps for each of these application pools. Information about application pools is included in the product documentation. To view the documentation, visit the following Microsoft Web site:

   Internet Information Services

   http://www.microsoft.com/WindowsServer2003/iis/default.mspx

   To configure an application pool to run under the LocalSystem identity:

   a. In the IIS Manager (ISM), expand local computer, expand Application Pools, right-click the application pool that you want to configure, and then click Properties.
   b. Click the Identity tab.
   c. Click Predefined, and in the list box next to it, click Local System.
   d. Click OK.

3. Set the AnonymousPasswordSync metabase property to TRUE:

   a. At the command prompt, change to the IIS AdminScripts folder. By default, this folder is located at C:\Inetpub\AdminScripts.
   b. Type the following command, and then press ENTER:

      adsutil.vbs set W3svc/AnonymousPasswordSync true


Configure Sub-Authentication on IIS 6.0 in IIS 5.0 Isolation Mode
To configure sub-authentication on a new installation of or upgrade to IIS 6.0 when IIS is running in IIS 5.0 isolation mode:

1. Register Iissuba.dll. To do this, type the following at a command prompt, where systemroot is the system root directory (on a default installation, this is C:\Windows):

   rundll32 systemroot\system32\iissuba.dll,RegisterIISSUBA

2. Set the AnonymousPasswordSync metabase property to TRUE:

   a. At the command prompt, change to the IIS AdminScripts folder. By default, this folder is located at C:\Inetpub\AdminScripts.
   b. Type the following command, and then press ENTER:

      adsutil.vbs set W3svc/AnonymousPasswordSync true


Configure Sub-Authentication on an IIS 6.0 Upgrade in Worker Process Isolation Mode
To configure sub-authentication on an upgrade to IIS 6.0 that is running in worker process isolation mode:

1. Register Iissuba.dll. To do this, type the following at a command prompt, where systemroot is the system root directory (on a default installation, this is C:\Winnt):

   rundll32 systemroot\system32\iissuba.dll,RegisterIISSUBA

2. Run all worker processes that use Anonymous authentication under the identity of LocalSystem.

   Note: IIS 6.0 permits you to group applications in application pools. Identities are configured for the application pool that your application is assigned to. If your applications use Anonymous authentication and are assigned to more than one application pool, you must repeat the following steps for each of these application pools. Information about application pools is included in the product documentation. To view the documentation, visit the following Microsoft Web site:

   Internet Information Services

   http://www.microsoft.com/WindowsServer2003/iis/default.mspx

   To configure an application pool to run under the LocalSystem identity:

   a. In the IIS Manager (ISM), expand local computer, expand Application Pools, right-click the application pool that you want to configure, and then click Properties.
   b. Click the Identity tab.
   c. Click Predefined, and in the list box next to it, click Local System.
   d. Click OK.

3. Set the AnonymousPasswordSync metabase property to TRUE:

   a. At the command prompt, change to the IIS AdminScripts folder. By default, this folder is located at C:\Inetpub\AdminScripts.
   b. Type the following command, and then press ENTER:

      adsutil.vbs set W3svc/AnonymousPasswordSync true
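To review the end state of any of the three procedures above, the following VBScript reads the same metabase settings through the IIS ADSI provider and reports where AnonymousPasswordSync is TRUE and which application pools run as LocalSystem. It is an added example, not part of the original Microsoft article; the file name audit-subauth.vbs is hypothetical, and it assumes it is run with cscript by an administrator on the IIS 6.0 server.

```vbscript
' audit-subauth.vbs (hypothetical name) - added example, not from the KB article.
' Reports where AnonymousPasswordSync is TRUE and which application pools
' run as LocalSystem, the two metabase settings this article changes.
' Usage (as an administrator on the server): cscript //nologo audit-subauth.vbs
Option Explicit

Dim svc, child, pools, pool, findings
findings = 0

' Names for the AppPoolIdentityType values stored in the IIS 6.0 metabase.
Function IdentityName(t)
    Select Case t
        Case 0: IdentityName = "LocalSystem"
        Case 1: IdentityName = "LocalService"
        Case 2: IdentityName = "NetworkService"
        Case 3: IdentityName = "configured account"
        Case Else: IdentityName = "unknown (" & t & ")"
    End Select
End Function

' Service-level value, the one "adsutil.vbs set W3svc/AnonymousPasswordSync" writes.
Set svc = GetObject("IIS://localhost/W3SVC")
WScript.Echo "W3SVC AnonymousPasswordSync = " & svc.AnonymousPasswordSync
If svc.AnonymousPasswordSync Then findings = findings + 1

' The property is inheritable, so report the effective value for every site.
For Each child In svc
    If child.Class = "IIsWebServer" Then
        WScript.Echo "Site " & child.Name & " (" & child.ServerComment & _
            ") AnonymousPasswordSync = " & child.AnonymousPasswordSync
        If child.AnonymousPasswordSync Then findings = findings + 1
    End If
Next

' Application pools whose worker processes run as LocalSystem.
Set pools = GetObject("IIS://localhost/W3SVC/AppPools")
For Each pool In pools
    WScript.Echo "Pool " & pool.Name & " runs as " & _
        IdentityName(pool.AppPoolIdentityType)
    If pool.AppPoolIdentityType = 0 Then findings = findings + 1
Next

WScript.Echo findings & " setting(s) match the sub-authentication configuration."
' A non-zero exit code lets a scheduled job flag the server for review.
If findings > 0 Then WScript.Quit 1
```

In IIS 5.0 isolation mode the application pool identities are still listed but are not what the worker process runs as, so only the AnonymousPasswordSync lines are meaningful there.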


<div class="references_section">