Re: IIS 6 fails anonymous connection
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: Fri, 14 May 2004 19:31:31 -0700
Ok. It sounded like you configured sub-authentication, which on prior IIS
versions was that little check box underneath the anonymous password box
that was usually checked.
The reason that you have to have Integrated authentication enabled along
with Anonymous is tangential to the problem. Anonymous access is broken on
your server right now. Integrated authentication allows remote user to
authenticate and access this system -- bypassing the broken anonymous
access. So, we need to fix anonymous access.
Well, my clean IIS6 install had no problems with anonymous (I'm looking at
it right now), so there is some sort of configuration problem specific to
your server. In particular, since the server is part of a domain, could
there be logon policy or group-policy that is somehow restricting local user
or logon privileges for this identity? Use secpol.msc to look at this
BTW, Anonymous authentication does not mean "everyone can access any
resource". It means "everyone is automatically mapped to this one
configurable user account on IIS, which is then used to access any
resource". Thus, the login credentials for this user must be correct
between what's stored in IIS and the NT SAM/AD or else you will get 401.1.
The resources must also be ACL'd for this user account or else you will get
-- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // "JonathanL" <email@example.com> wrote in message news:7EC40426-3EF9-42D9-8147-3B655CBABA76@microsoft.com... David, maybe I had it wrong or stated it wrong. I made NO changes to the IUSR account which is local btw, not a domain account (just like with IIS5). When I looked at the security properties in the IIS Manager for anonymous authentication, it shows the IUSR account being used with the password being masked. I assumed that when IIS was installed, that it created the IUSR account and set a random password for the account and set that same account and password to be used for anonymous authentication. That is what I meant by "system controlling the password", that I never touched it but thought that Windows created the password when it created the IUSR account (as in previous IIS versions) and set that into the anonymous authentication. So do I have that correct? And if so, then why do I have to have Integrated authentication enabled along with Anonymous authentication in order to access the website from anywhere (internal or external)?