Microsoft KB Archive/909887

From BetaArchive Wiki

Article ID: 909887

Article Last Modified on 12/3/2007



APPLIES TO

  • Microsoft Internet Information Services 6.0



Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry


SYMPTOMS

When you try to view a Web site that is hosted on Microsoft Internet Information Services (IIS) 6.0 by using anonymous access, you may receive an error message that is similar to the following:

401.1 Unauthorized: Logon failed

CAUSE

This problem may occur if one or more of the following conditions are true:

  • The user account does not have the required user rights to access the Web server.
  • The user account is disabled, locked out, or expired.
  • The wrong user name or password is specified in the IIS Metabase.
  • Subauthentication is not working correctly. This condition may occur if the Web site was upgraded from IIS 5.0 to IIS 6.0.


RESOLUTION

To resolve this problem, make sure that the following conditions are true:

  • The IUSR account has the Access this computer from the network user right.
  • The IUSR account is not listed in the Deny access to this computer from the network user right.
  • The IUSR account does not have time-based restrictions for accessing the Web server.
  • The IUSR account has not expired or has not been locked out.
  • The IUSR account password is correct in the metabase and in the Local User database. (If the account is a domain account, make sure that the password is correct in the Active Directory directory service.)
  • The AnonymousPasswordSync metabase property is set to false.

MORE INFORMATION

To troubleshoot the issue effectively, make sure that anonymous access is the only authentication method that is enabled on the Web site or on a single test page.

How to enable security logging on the Web server

If you configure logon failure auditing, the Security event log may contain information to identify the cause of the error message. Logon failure auditing lets you view the errors in the Security event log. To enable security logging on the Web server, follow these steps:

  1. Click Start, click Run, type Secpol.msc, and then click OK.

     Notes
     • If the Web server is also a domain controller, type Dcpol.msc to open the Default Domain Controller Security Settings console. For more information about how to use the Dcpol.msc command, see the "References" section.
     • This issue can also occur if domain policy does not grant the user account that is used for anonymous access the required policy settings.
  2. Under Security Settings, expand Local Policies, and then click Audit Policy.
  3. In the right pane, double-click Audit logon events.
  4. On the Audit logon events Properties screen, click to select the Success and Failure check boxes, and then click OK.
  5. Click Start, click Run, type cmd, and then click OK.
  6. At the command prompt, type Gpupdate, and then press ENTER.
  7. At the command prompt, type Iisreset /restart, and then press ENTER.


Error examples

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

The following are examples of errors that may be logged in the Security event log. In these examples, username is the user account that is used for anonymous access.

Error 1

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 534
Description: Logon Failure:
Reason: The user has not been granted the requested logon type at this machine
User Name: username
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate

This error may occur if the user account that is used for anonymous access is denied access to the Web Server from the network. To verify that this user account is not denied access to the Web server from the network, follow these steps:

  1. Click Start, click Run, type Secpol.msc, and then click OK.

     Note If the Web server is also a domain controller, use the Dcpol.msc command to open the Default Domain Controller Security Settings console.
  2. Under Security Settings, expand Local Policies, and then click User Rights Assignment.
  3. In the right pane, double-click Deny access to this computer from the network.
  4. If the user account that is used for anonymous access is denied access to the Web server from the network, click the user account that is used for anonymous access, click Remove, and then click OK.

Note This error may occur if the following conditions are true:

  • The Guests group is assigned the Deny access to this computer from the network user right.
  • The account that is used for anonymous access is a member of the Guests group. (This account is typically the IUSR_computername account.)

Error 2

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 530
User: NT AUTHORITY\SYSTEM
Description: Logon Failure:
Reason: Account logon time restriction violation
User Name: username
Logon Process: Advapi
Authentication Package: Negotiate

This error may occur if the user account that is used for anonymous access is denied access to the Web Server during a specific time period. To verify that this user account is not denied access during a specific time period, follow these steps:

  1. Click Start, click Run, type Dsa.msc, and then click OK.
  2. Expand the domain that you want, and then click Users.
  3. In the right pane, right-click the user account that is used for anonymous access, and then click Properties.
  4. On the Account tab, click Logon Hours.
  5. Configure the logon hours that you want, and then click OK.

Error 3

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 532
User: NT AUTHORITY\SYSTEM
Description: Logon Failure:
Reason: The specified user account has expired
User Name: username
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate

This error may occur if the user account has expired. To resolve this issue, follow these steps:

  1. Click Start, click Run, type Dsa.msc, and then click OK.
  2. Expand the domain you want, and then click Users.
  3. In the right pane, right-click the user account that is used for anonymous access, and then click Properties.
  4. On the Account tab under Account Expires, click Never, and then click OK. Or, click End of, click a new account expiration date, and then click OK.

Error 4

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User: NT AUTHORITY\SYSTEM
Description: Logon Failure:
Reason: Unknown user name or bad password
User Name: username
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate

This error can occur if the password for the user account that is used for anonymous access in IIS is not synchronized with one of the following passwords:

  • The password for the user account in Active Directory
  • The password for the user account in Local Users and Groups

To synchronize the IIS password with the password that is used in Active Directory or in Local Users and Groups, follow these steps:

  1. Click Start, click Run, type cmd, and then click OK.
  2. Use the cd command to connect to the folder where the Adsutil.vbs file is located. By default, the Adsutil.vbs file is located in the following folder:

    drive:\Inetpub\Adminscripts

    Note drive is the drive where Windows is installed.
  3. At the command prompt, type Cscript adsutil.vbs get w3svc/anonymoususerpass, and then press ENTER. Note the password that is returned.

    Note You may have to set the IsSecureProperty value in the Adsutil.vbs file to False before the password is displayed instead of being masked. To do this, follow these steps:
    1. In Notepad, open the Adsutil.vbs file.
    2. On the Edit menu, click Find, type IsSecureProperty = True, and then click Find Next.
    3. Change "IsSecureProperty = True" to "IsSecureProperty = False".
    4. Save the changes, and then close Notepad.
  4. Click Start, click Run, type Dsa.msc, and then click OK.

    Note If the Web server is a stand-alone server, type Lusrmgr.msc.
  5. Expand the domain that you want, and then click Users. If the Web server is a stand-alone server, click Users.
  6. Right-click the user account that you want, and then click Reset Password or Set Password.
  7. Type the password that you obtained in step 3 two times, and then click OK.

Note Subauthentication is the feature that enables IIS to control the password for the anonymous user. By default, after you upgrade from IIS 5.0 to IIS 6.0, IIS subauthentication is enabled. By default, subauthentication is not enabled on a clean installation of IIS 6.0.

Subauthentication enables IIS to authenticate the anonymous user without actually verifying the anonymous user password. Because anonymous access is provided to the content without authentication, the password is not required. Subauthentication enables IIS to use anonymous accounts without actually keeping valid user credentials in the metabase. When this setting is enabled, anonymous authentication works in IIS 5.0 compatibility mode. However, when the server is switched to IIS 6.0 Worker Process Isolation Mode, subauthentication is disabled because it requires a privileged process identity such as the Local System account. In this scenario, IIS 6.0 tries to log on by using the anonymous user credentials that are stored in the metabase. This behavior may cause a "401" error for the anonymous request if the user credentials that are stored in the metabase are not synchronized with the account's actual password.

It may appear that switching to IIS 6.0 Worker Process Isolation Mode breaks anonymous authentication. This condition may occur when subauthentication is configured in IIS. To verify whether subauthentication is enabled in IIS, open the Metabase.xml file in Notepad, and then search for the AnonymousPasswordSync property. If the AnonymousPasswordSync property is in the Metabase.xml file, delete the property, or set the value to False.

Error 5

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 533
Description: Logon Failure:
Reason: User not allowed to logon at this computer
User Name: username
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate

This error may occur if the domain user account that is used for anonymous access in IIS cannot log on to the IIS Web server. To verify that the user account that is used for anonymous access in IIS can log on to the IIS Web server, follow these steps:

  1. Click Start, click Run, type Dsa.msc, and then click OK.
  2. Expand the domain that you want, and then click Users.
  3. In the right pane, right-click the user account that is used for anonymous access, and then click Properties.
  4. On the Account tab, click Log On To.
  5. In the Logon Workstations window, click All Computers, and then click OK.

If the user account that is used for anonymous access is not a domain user account, follow these steps:

  1. Click Start, click Run, type Regedit, and then click OK.
  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail

  3. In the right pane, verify that the value for the crashonauditfail entry is 0 or 1. If the value for the crashonauditfail entry is 2, follow these steps:
    1. In the right pane, click crashonauditfail.
    2. On the Edit menu, click Modify.
    3. In the Value data box, type 0, and then click OK.
  4. Exit Registry Editor, and then restart the computer.
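The five failure audits above share one layout, so a small triage helper can map a captured event to the cause and first check that this article gives. The following Python is an added example, not Microsoft's code: it parses the event text whether the fields are one per line or run together on a single line, and the sample event and the account name IUSR_WEB01 are constructed.

```python
import re
from typing import Dict, Optional

# Cause and first check per Event ID, as given in the Error 1-5 sections above.
KB909887_CAUSES = {
    534: ("Logon type not granted at this machine",
          "Remove the account from 'Deny access to this computer from the network'"),
    530: ("Account logon time restriction violation", "Check Logon Hours in Dsa.msc"),
    532: ("User account has expired", "Set Account Expires to Never in Dsa.msc"),
    529: ("Unknown user name or bad password",
          "Sync the metabase password with the account; set AnonymousPasswordSync to False"),
    533: ("User not allowed to log on at this computer",
          "Allow the server under Log On To, or reset CrashOnAuditFail to 0"),
}

# Labels found in the event text. The colon keeps "User:" and "User Name:" distinct;
# \s+ lets a two-word label survive a line wrap such as "Authentication\nPackage".
_FIELDS = ("Event Type", "Event Source", "Event Category", "Event ID", "User",
           "Description", "Reason", "User Name", "Logon Type", "Logon Process",
           "Authentication Package")
_SPLIT = re.compile(r"\b(" + "|".join(f.replace(" ", r"\s+") for f in _FIELDS) + r"):\s*")

def parse_event(text: str) -> Dict[str, str]:
    """Split event text into {label: value}, one field per line or all on one line."""
    parts = _SPLIT.split(text)  # [prefix, label, value, label, value, ...]
    return {re.sub(r"\s+", " ", parts[i]): parts[i + 1].strip()
            for i in range(1, len(parts) - 1, 2)}

def triage(text: str) -> Optional[Dict[str, str]]:
    """Map a Failure Audit to the article's cause and check; None if not covered."""
    ev = parse_event(text)
    if ev.get("Event Type") != "Failure Audit" or not ev.get("Event ID", "").isdigit():
        return None
    event_id = int(ev["Event ID"])
    if event_id not in KB909887_CAUSES:
        return None
    cause, check = KB909887_CAUSES[event_id]
    # Logon Type 8 is a network clear-text logon and Advapi the logon process seen
    # when IIS 6.0 logs the anonymous account on with the metabase credentials.
    from_iis = ev.get("Logon Type") == "8" and ev.get("Logon Process") == "Advapi"
    return {"event_id": str(event_id), "user": ev.get("User Name", ""),
            "iis_anonymous_logon": str(from_iis), "cause": cause, "check": check}

# Constructed sample (IUSR_WEB01 is a made-up account): the Error 3 event with
# every field run together on one line, as the article prints it.
SAMPLE_EXPIRED = (
    "Event Type: Failure Audit Event Source: Security Event Category: Logon/Logoff "
    "Event ID: 532 User: NT AUTHORITY\\SYSTEM Description: Logon Failure: "
    "Reason: The specified user account has expired User Name: IUSR_WEB01 "
    "Logon Type: 8 Logon Process: Advapi Authentication Package: Negotiate")
```

Calling triage(SAMPLE_EXPIRED) returns the Event ID 532 cause and the Dsa.msc check; an event whose ID is not one of the five covered here returns None.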


REFERENCES

For more information about default permissions and user rights in IIS 6.0, click the following article number to view the article in the Microsoft Knowledge Base:

812614 Default permissions and user rights for IIS 6.0



For more information about issues that may occur when you configure the AnonymousPasswordSync property in the IIS metabase, visit the following Microsoft Web site:

For more information about how to configure subauthentication in IIS 6.0, visit the following Microsoft Web site:

For information about how to use the Internet Information Services Authentication and Access Control Diagnostics (AuthDiag) Version 1.0 to troubleshoot authentication and authorization issues, visit the following Microsoft Web site:

For more information about issues that may occur when the Security event log is full, click the following article number to view the article in the Microsoft Knowledge Base:

832981 Users cannot access Web sites when the security event log is full



For more information about how to open the Domain Security Policy console or the Domain Controller Security Policy console at the command prompt, click the following article number to view the article in the Microsoft Knowledge Base:

832214 "You may not have appropriate rights" error message when you try to open the Domain Security Policy console or the Domain Controller Security Policy console from the command prompt



For more information about issues that may occur when you modify the "Access This Computer from the Network" user right, click the following article number to view the article in the Microsoft Knowledge Base:

257346 "Access This Computer from the Network" user right causes tools not to work



For more information about issues that may occur when you use anonymous access after you join an IIS server to a Microsoft Windows 2000 domain, click the following article number to view the article in the Microsoft Knowledge Base:

275167 PRB: Anonymous access fails with an HTTP 401.1 error after you join an IIS Windows 2000 domain


Keywords: kbinfo kbtshoot KB909887