Re: IIS 6 fails anonymous connection

From: David Wang [Msft] (
Date: 05/15/04

Date: Fri, 14 May 2004 19:31:31 -0700

Ok. It sounded like you configured sub-authentication, which on prior IIS
versions was that little check box underneath the anonymous password box
that was usually checked.

The reason that you have to have Integrated authentication enabled along
with Anonymous is tangential to the problem. Anonymous access is broken on
your server right now. Integrated authentication allows remote user to
authenticate and access this system -- bypassing the broken anonymous
access. So, we need to fix anonymous access.

Well, my clean IIS6 install had no problems with anonymous (I'm looking at
it right now), so there is some sort of configuration problem specific to
your server. In particular, since the server is part of a domain, could
there be logon policy or group-policy that is somehow restricting local user
or logon privileges for this identity? Use secpol.msc to look at this

BTW, Anonymous authentication does not mean "everyone can access any
resource". It means "everyone is automatically mapped to this one
configurable user account on IIS, which is then used to access any
resource". Thus, the login credentials for this user must be correct
between what's stored in IIS and the NT SAM/AD or else you will get 401.1.
The resources must also be ACL'd for this user account or else you will get

This posting is provided "AS IS" with no warranties, and confers no rights.
"JonathanL" <> wrote in message
David, maybe I had it wrong or stated it wrong. I made NO changes to the
IUSR account which is local btw, not a domain account (just like with IIS5).
When I looked at the security properties in the IIS Manager for anonymous
authentication, it shows the IUSR account being used with the password being
masked. I assumed that when IIS was installed, that it created the IUSR
account and set a random password for the account and set that same account
and password to be used for anonymous authentication.
That is what I meant by "system controlling the password", that I never
touched it but thought that Windows created the password when it created the
IUSR account (as in previous IIS versions) and set that into the anonymous
So do I have that correct? And if so, then why do I have to have Integrated
authentication enabled along with Anonymous authentication in order to
access the website from anywhere (internal or external)?

Relevant Pages

  • Re: Basic Authentication fails with Error 401.2 where Integrated s
    ... I didn't realise the Web Sites folder in IIS manager threw up a global ... sure that Basic Authentication is allowed to function on your server. ... ACCOUNTNAME, this is the account that I am trying to grant access to: ... Account: COMPUTERNAME\ACCOUNTNAME Access type: FULL ...
  • Re: DCOM calls fails - access denied
    ... That's exactly how I understood the ASP.NET security. ... But why does one configuration work but not the other? ... should get the token from IIS. ... If you set there a domain account, ...
  • Re: Basic Authentication fails with Error 401.2 where Integrated s
    ... On the IIS directory security tab, anonymous access is disabled, digest ... authentication is disabled, integrated authentication is disabled and basic ... account created has full permissions for the folder and the file that's in it. ...
  • Re: Basic Authentication fails with Error 401.2 where Integrated s
    ... Just as a check I used NET USER /ADD on my test account and as expected ... The password dialog is supposed to appear for Basic authentication ... Thinking more esoterically now -- what are the login rights assigned ... IIS uses a specific login type, ...
  • Re: IIS 5 Authentication problem- solved
    ... Tom Kaminski IIS MVP ... Can you log in using an administrator account, ... >> Subject: Re: IIS 5 Integrated Windows Authentication ... >> case there is no group, it is just the one server, ...