Re: IIS 6 fails anonymous connection

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 05/15/04


Date: Fri, 14 May 2004 19:31:31 -0700

Ok. It sounded like you configured sub-authentication, which on prior IIS
versions was that little check box underneath the anonymous password box
that was usually checked.

The reason that you have to have Integrated authentication enabled along
with Anonymous is tangential to the problem. Anonymous access is broken on
your server right now. Integrated authentication allows remote users to
authenticate and access this system -- bypassing the broken anonymous
access. So, we need to fix anonymous access.

Well, my clean IIS6 install had no problems with anonymous (I'm looking at
it right now), so there is some sort of configuration problem specific to
your server. In particular, since the server is part of a domain, could
there be logon policy or group-policy that is somehow restricting local user
or logon privileges for this identity? Use secpol.msc to look at this
info.

BTW, Anonymous authentication does not mean "everyone can access any
resource". It means "everyone is automatically mapped to this one
configurable user account on IIS, which is then used to access any
resource". Thus, the login credentials for this user must be correct
between what's stored in IIS and the NT SAM/AD or else you will get 401.1.
The resources must also be ACL'd for this user account or else you will get
401.3.

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"JonathanL" <anonymous@discussions.microsoft.com> wrote in message
news:7EC40426-3EF9-42D9-8147-3B655CBABA76@microsoft.com...
David, maybe I had it wrong or stated it wrong. I made NO changes to the
IUSR account which is local btw, not a domain account (just like with IIS5).
When I looked at the security properties in the IIS Manager for anonymous
authentication, it shows the IUSR account being used with the password being
masked. I assumed that when IIS was installed, it created the IUSR
account and set a random password for the account and set that same account
and password to be used for anonymous authentication.
That is what I meant by "system controlling the password", that I never
touched it but thought that Windows created the password when it created the
IUSR account (as in previous IIS versions) and set that into the anonymous
authentication.
So do I have that correct? And if so, then why do I have to have Integrated
authentication enabled along with Anonymous authentication in order to
access the website from anywhere (internal or external)?
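
Added example, not part of the original thread: a small Python triage script that separates the two failure modes David describes (401.1 versus 401.3) for requests that carried no user name. It assumes W3C extended logging with the sc-substatus field enabled; the log lines, host addresses and function names are constructed for illustration.

```python
from collections import Counter

# Meaning of the two sub-statuses as the post explains them for anonymous access.
HINTS = {
    "1": "logon failed: anonymous account credentials in IIS do not match SAM/AD",
    "3": "ACL denied: the resource is not ACL'd for the anonymous account",
}

# Constructed sample in W3C extended format (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2004-05-14 19:02:11 GET /default.htm - 192.0.2.10 401 1 1326
2004-05-14 19:02:12 GET /default.htm EXAMPLE\\jon 192.0.2.10 200 0 0
2004-05-14 19:05:40 GET /reports/q1.htm - 192.0.2.22 401 3 5
2004-05-14 19:06:02 GET /default.htm - 192.0.2.31 401 1 1326
2004-05-14 19:07:15 GET /images/logo.gif - 192.0.2.31 404 0 2
"""

def parse_w3c(text):
    """Yield one dict per request, honouring each #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def anonymous_401s(text):
    """Count 401.x responses to requests that carried no user name."""
    counts = Counter()
    for row in parse_w3c(text):
        if row.get("sc-status") == "401" and row.get("cs-username") == "-":
            counts[(row["cs-uri-stem"], row.get("sc-substatus", "?"))] += 1
    return counts

def report(text):
    """Return one line per (URI, sub-status) pair with the matching hint."""
    lines = []
    for (uri, sub), n in sorted(anonymous_401s(text).items()):
        hint = HINTS.get(sub, "not covered in the post")
        lines.append(f"{uri} 401.{sub} x{n}: {hint}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A 401.1 on every anonymous request, including the default document, points at the account or its logon rights; a 401.3 confined to particular paths points at the ACLs on those resources.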