IIS 6.0: HOW TO: Configure IIS to Control the Anonymous Password (332167)
The information in this article applies to:
- Microsoft Internet Information Services
- Microsoft Internet Information Services version 6.0
This article was previously published under Q332167
Important This article contains information about editing the metabase.
Before you edit the metabase, verify that you have a backup copy that you can
restore if a problem occurs. For information about how to do this, see the
"Configuration Backup/Restore" Help topic in Microsoft Management Console
(MMC).
SUMMARY
This step-by-step article describes how to configure
sub-authentication in Internet Information Services (IIS) 6.0. By
default, in earlier versions of IIS, the option to allow IIS to control the
password for the Anonymous account is selected when you enable Anonymous
authentication for a Web site. When this check box is selected, the Anonymous
account can function without the Web site administrator typing the correct
password in the IIS Management Console. This functionality is provided through
the sub-authentication component, Iissuba.dll. By default, IIS 6.0
does not enable sub-authentication because using the component involves some
security risk. You can use sub-authentication to manage passwords for anonymous
accounts in IIS 6.0 by meeting the following requirements:
- For applications that you grant Anonymous access, the
worker process must run as LocalSystem.
Note This is required because sub-authentication permits the process
that is running under IIS to authenticate without providing a password. By
default, all actions of the worker process are completed in the context of this
worker process identity account. However, when a client request is processed,
the thread that processes the request uses a token that is associated with the
client (in this case, the Anonymous or IUSR account) for the duration of the
request. This is known as impersonation.
For more information about
the relationship of application pool identity to the impersonated user, see the
product documentation. To view the documentation, visit the following Microsoft
Web site:
LocalSystem is a highly privileged account. When you enable
sub-authentication, administering a Web server by using anonymous users may be
much easier, but you must consider the potential security risk before you do
this.
- The sub-authentication component, Iissuba.dll, must be
registered.
- The AnonymousPasswordSync metabase property must be enabled (that is, set to TRUE).
Note For more information about sub-authentication in IIS 6.0, visit
the following Microsoft Web site:
Note that the documentation incorrectly refers to the AnonymousPasswordSync metabase property as the AnonymousPasswordSynch metabase property.
To configure sub-authentication in
IIS 6.0, select the method appropriate for your IIS installation from the three
methods that are described in this article.
Warning If you edit the metabase incorrectly, you can cause serious
problems that may require you to reinstall any product that uses the metabase.
Microsoft cannot guarantee that problems that result if you incorrectly edit
the metabase can be solved. Edit the metabase at your own risk.
Note Always back up the metabase before you edit it.
To configure sub-authentication on an
installation of IIS 6.0 that has not been upgraded from a previous version and
that is running in worker process isolation mode:
- Register Iissuba.dll. To do this, type the following at a
  command prompt, where systemroot is the system root directory (on a default installation, this is
  C:\Windows):
    rundll32 systemroot\system32\iissuba.dll,RegisterIISSUBA
- Run all worker processes that use Anonymous authentication
  under the identity of LocalSystem.
  Note IIS 6.0 permits you to group applications in application pools.
  Identities are configured for the application pool that your application is
  assigned to. If your applications use Anonymous authentication and are assigned
  to more than one application pool, you must repeat the following steps for each
  of these application pools. Information about application pools is included in
  the product documentation. To view the documentation, visit the following
  Microsoft Web site:
  To configure an application pool to run under the LocalSystem
  identity:
  - In the IIS Manager (ISM), expand local computer, expand Application Pools, right-click the application pool that you want to configure, and
    then click Properties.
  - Click the Identity tab.
  - Click Predefined, and in the list box next to it, click Local System.
  - Click OK.
- Set the AnonymousPasswordSync metabase property to TRUE:
  - At the command prompt, change to the IIS AdminScripts
    folder. By default, this folder is located at
    C:\Inetpub\AdminScripts.
  - Type the following command, and then press ENTER:
      adsutil.vbs set W3svc/AnonymousPasswordSync true
To configure sub-authentication on a new installation of or
upgrade to IIS 6.0 when IIS is running in IIS 5.0 isolation mode:
- Register Iissuba.dll. To do this, type the following at a
  command prompt, where systemroot is the system root directory (on a default installation, this is
  C:\Windows):
    rundll32 systemroot\system32\iissuba.dll,RegisterIISSUBA
- Set the AnonymousPasswordSync metabase property to TRUE:
  - At the command prompt, change to the IIS AdminScripts
    folder. By default, this folder is located at
    C:\Inetpub\AdminScripts.
  - Type the following command, and then press ENTER:
      adsutil.vbs set W3svc/AnonymousPasswordSync true
To configure sub-authentication on an upgrade to IIS 6.0 that is
running in worker process isolation mode:
- Register Iissuba.dll. To do this, type the following at a
  command prompt, where systemroot is the system root directory (on a default installation, this is
  C:\Winnt):
    rundll32 systemroot\system32\iissuba.dll,RegisterIISSUBA
- Run all worker processes that use Anonymous authentication
  under the identity of LocalSystem.
  Note IIS 6.0 permits you to group applications in application pools.
  Identities are configured for the application pool that your application is
  assigned to. If your applications use Anonymous authentication and are assigned
  to more than one application pool, you must repeat the following steps for each
  of these application pools. Information about application pools is included in
  the product documentation. To view the documentation, visit the following
  Microsoft Web site:
  To configure an application pool to run under the LocalSystem
  identity:
  - In the IIS Manager (ISM), expand local computer, expand Application Pools, right-click the application pool that you want to configure, and
    then click Properties.
  - Click the Identity tab.
  - Click Predefined, and in the list box next to it, click Local System.
  - Click OK.
- Set the AnonymousPasswordSync metabase property to TRUE:
  - At the command prompt, change to the IIS AdminScripts
    folder. By default, this folder is located at
    C:\Inetpub\AdminScripts.
  - Type the following command, and then press ENTER:
      adsutil.vbs set W3svc/AnonymousPasswordSync true
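A read-only check for the combination this article configures, added here as an example (it is not Microsoft's code): it parses a metabase XML export and lists the application roots where AnonymousPasswordSync resolves to TRUE and the assigned application pool runs as LocalSystem. The sample input is constructed, and the element and attribute names (IIsWebVirtualDir, AppPoolId, AppPoolIdentityType with 0 meaning LocalSystem) are this example's assumptions about the IIS 6.0 metabase layout.

```python
import xml.etree.ElementTree as ET

# Constructed MetaBase.xml excerpt (not from the article). Element and
# attribute names are this example's assumption about the IIS 6.0 schema.
SAMPLE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" AnonymousPasswordSync="TRUE" AppPoolId="DefaultAppPool"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" AppPoolIdentityType="2"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool" AppPoolIdentityType="0"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AppPoolId="LegacyPool"/>
<IIsWebServer Location="/LM/W3SVC/2" AnonymousPasswordSync="FALSE"/>
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" AppPoolId="LegacyPool"/>
<IIsWebVirtualDir Location="/LM/W3SVC/3/ROOT"/>
</MBProperty>
</configuration>"""

LOCAL_SYSTEM = "0"  # AppPoolIdentityType: 0 = LocalSystem, 2 = NetworkService

def load_nodes(xml_text):
    """Map upper-cased Location -> (element name, attributes)."""
    nodes = {}
    for el in ET.fromstring(xml_text).iter():
        if "Location" in el.attrib:
            nodes[el.get("Location").upper()] = (el.tag.split("}")[-1], dict(el.attrib))
    return nodes

def effective(nodes, location, prop):
    """Resolve an inheritable property by walking up the metabase path."""
    path = location.upper()
    while path:
        attrs = nodes.get(path, ("", {}))[1]
        if prop in attrs:
            return attrs[prop]
        path = path.rpartition("/")[0]
    return None

def audit(xml_text):
    """Return application roots where sub-authentication meets a LocalSystem pool."""
    nodes = load_nodes(xml_text)
    findings = []
    for loc, (kind, attrs) in sorted(nodes.items()):
        if kind != "IIsWebVirtualDir":
            continue
        sync = (effective(nodes, loc, "AnonymousPasswordSync") or "FALSE").upper()
        pool = effective(nodes, loc, "AppPoolId")
        identity = effective(nodes, "/LM/W3SVC/AppPools/%s" % pool, "AppPoolIdentityType")
        if sync == "TRUE" and identity == LOCAL_SYSTEM:
            findings.append((attrs["Location"], pool))
    return findings
```

Pass `audit()` the text of a metabase backup copy rather than the live file; each tuple it returns is an application root and the LocalSystem pool it is assigned to.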
REFERENCES
For additional information about sub-authentication, click
the following article number to view the article in the Microsoft Knowledge
Base:
216828 Password Synchronization/Allow IIS to Control Password May Cause Problems
Modification Type: Major
Last Reviewed: 1/28/2006
Keywords: kbHOWTOmaster kbpending kbprb KB332167 kbAudDeveloper