Re: IIS Subauthentication Required
- From: "Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 17 May 2007 20:00:13 +1000
In order for IIS to use the IUSR_<machinename> account, it needs to be able to "logon" that user account, and to do that it needs the current password for that IUSR account.
Now, in a normal IIS installation, IIS install creates the IUSR account (in the Windows SAM), sets the password, and then stores a copy of the password (encrypted) in the IIS metabase.
However, if the Windows password for the IUSR account changes, then IIS won't know what the new password is and won't be able to logon the IUSR account.
Solutions to this problem:
a) if the IUSR password has changed (and you know what the new password is), then reset the IUSR password in IIS Manager, so that IIS knows what the password is again.
b) enable SubAuthentication (which allows IIS to transparently get the password). However, SubAuthentication is a security risk you need to consider, as it means running IIS using an account with elevated credentials.
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
"David V" <DavidV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:0027FC1F-B246-4877-A84B-30F243BC0F8F@xxxxxxxxxxxxxxxx
I have 4 Web servers that should all be set up the same; once they are all
working we plan to load-balance them. Due to limitations in our in-house
application, the Web services are running in IIS 5.0 isolation mode. The Web
site on all four servers is configured to use the local IUSR account for
Anonymous access. As far as I can tell, the configuration on all 4 is
identical, and the home page works on all four.
However, within one of the subfolders, configured as an application, there
is a login.html that only works on 3 of the servers, not on the 4th. This
login page accesses a COM+ application on another server (the app was
exported to a proxy .msi file, which was then installed on the Web server);
the anonymous access account for this folder is set to a domain account. As I
said, it works on 3 of the 4 Web servers.
On the problem server, I receive an HTTP Error 401.1 (Unauthorized: Access
is denied due to invalid credentials). The Security Log shows that the
failure was due to an unknown username or a bad password. Also, the results
of running the IIS Diags on this server displays the following errors:
- AnymousPasswordSync: IIS subauthentication requires that the
AnonymousUserName metabase property be configured with an account from the
- AnonymousUserPass: logon failed
- AnonymousPasswordSync: The current configuration requires IIS
subauthentication. However, the IIS subauthentication component, iissuba.dll,
is not currently configured.
- AnonymousPasswordSync: The current configuration uses IIS
subauthentication for anonymous authentication. This requires that the worker
process be configured to run as the Local System identity, which is not
recommended for security reasons.
- Server's response: HTTP/1.1 401 Unauthorized
As far as I can tell, subauthentication is not set on the other servers.
Why is sub-authentication required on this server and not on the other 3?
How can I fix this?
Any help is greatly appreciated.
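An added example, not part of the original posts: to compare the problem server with the three working ones, this Python sketch reads a copy of the IIS metabase XML, applies metabase inheritance, and lists every key where AnonymousPasswordSync (the property named in the diagnostics output) is effectively TRUE, together with the anonymous account in use and the key where the setting originates. The sample XML and all names in it are constructed, and treating an unset property as off is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of an IIS 6 MetaBase.xml; all names are invented.
SAMPLE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" AnonymousUserName="IUSR_WEB4" AnonymousPasswordSync="FALSE"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/login" AnonymousUserName="CORP\\svc_login" AnonymousPasswordSync="TRUE"/>
<IIsWebDirectory Location="/LM/W3SVC/1/ROOT/login/admin"/>
</MBProperty>
</configuration>"""

PROPS = ("AnonymousUserName", "AnonymousPasswordSync")

def _nearest_ancestor(effective, loc):
    # Walk up the key path until a key we have already resolved is found.
    while "/" in loc:
        loc = loc.rsplit("/", 1)[0]
        if loc in effective:
            return effective[loc]
    return {}

def effective_settings(xml_text):
    """Map each metabase key to {prop: (value, key where it was set)}."""
    root = ET.fromstring(xml_text)
    explicit = {el.get("Location").upper().rstrip("/"): el.attrib
                for el in root.iter() if el.get("Location")}
    effective = {}
    for loc in sorted(explicit):          # a parent path sorts before its children
        settings = dict(_nearest_ancestor(effective, loc))
        for prop in PROPS:
            if prop in explicit[loc]:
                settings[prop] = (explicit[loc][prop], loc)
        effective[loc] = settings
    return effective

def subauth_findings(xml_text):
    """Keys where AnonymousPasswordSync is effectively TRUE: (key, account, set_at)."""
    findings = []
    effective = effective_settings(xml_text)
    for loc in sorted(effective):
        # Assumption: a property set nowhere on the path is treated as off.
        sync, set_at = effective[loc].get("AnonymousPasswordSync", ("FALSE", None))
        if sync.upper() == "TRUE":
            findings.append((loc, effective[loc].get("AnonymousUserName", (None, None))[0], set_at))
    return findings

if __name__ == "__main__":
    print(*subauth_findings(SAMPLE), sep="\n")
```

Running the same check against each server's metabase and diffing the output shows which key turns password sync on for one machine only.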