Re: IIS Subauthentication Required

In order for IIS to use the IUSR_<machinename> account, it needs to be able to "logon" that user account, and to do that it needs the current password for that IUSR account.

Now, in a normal IIS installation, IIS install creates the IUSR account (in the Windows SAM), sets the password, and then stores a copy of the password (encrypted) in the IIS metabase.

However, if the Windows password for the IUSR account changes, then IIS won't know what the new password is and won't be able to logon the IUSR account.

Solutions to this problem:
a) if the IUSR password has changed (and you know what the new password is), then reset the IUSR password in IIS Manager, so that IIS knows what the password is again.

b) enable SubAuthentication (which allows IIS to transparently get the password). However, SubAuthentication is a security risk you need to consider, as it means running IIS using an account with elevated credentials.



"David V" <DavidV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:0027FC1F-B246-4877-A84B-30F243BC0F8F@xxxxxxxxxxxxxxxx
I have 4 Web servers that should all be set up the same; once they are all
working we plan to load-balance them. Due to limitations in our in-house
application, the Web services are running in IIS 5.0 isolation mode. The Web
site on all four servers is configured to use the local IUSR account for
Anonymous access. As far as I can tell, the configuration on all 4 is
identical, and the home page works on all four.
However, within one of the subfolders, configured as an application, there
is a login.html that only works on 3 of the servers, not on the 4th. This
login page accesses a COM+ application on another server (the app was
exported to a proxy .msi file, which was then installed on the Web server);
the anonymous access account for this folder is set to a domain account. As I
said, it works on 3 of the 4 Web servers.

On the problem server, I receive an HTTP Error 401.1 (Unauthorized: Access
is denied due to invalid credentials). The Security Log shows that the
failure was due to an unknown username or a bad password. Also, the results
of running the IIS Diags on this server displays the following errors:
- AnonymousPasswordSync: IIS subauthentication requires that the
AnonymousUserName metabase property be configured with an account from the
local computer.
- AnonymousUserPass: logon failed
- AnonymousPasswordSync: The current configuration requires IIS
subauthentication. However, the IIS subauthentication component, iissuba.dll,
is not currently configured.
- AnonymousPasswordSync: The current configuration uses IIS
subauthentication for anonymous authentication. This requires that the worker
process be configured to run as the Local System identity, which is not
recommended for security reasons.
- Server's response: HTTP/1.1 401 Unauthorized

As far as I can tell, subauthentication is not set on the other servers.
Why is sub-authentication required on this server and not on the other 3?
How can I fix this?

Any help is greatly appreciated.
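
An added example, not part of the original posts: a small audit that resolves the effective `AnonymousUserName` and `AnonymousPasswordSync` values per metabase path (child keys inherit from their parents), flags the condition named in the first IIS Diags message (password sync enabled while the anonymous account is not local), and reports paths whose setting differs between servers. It assumes the explicit settings of each server have already been exported into dictionaries; the server names, paths and account names below are constructed.

```python
# Constructed sample data: explicit metabase settings per server, keyed by
# metabase path. Server, path and account names are hypothetical.
SERVERS = {
    "WEB1": {
        "/LM/W3SVC": {"AnonymousUserName": "IUSR_WEB1", "AnonymousPasswordSync": False},
        "/LM/W3SVC/1/ROOT/app": {"AnonymousUserName": "EXAMPLE\\svc_web"},
    },
    "WEB4": {
        "/LM/W3SVC": {"AnonymousUserName": "IUSR_WEB4", "AnonymousPasswordSync": True},
        "/LM/W3SVC/1/ROOT/app": {"AnonymousUserName": "EXAMPLE\\svc_web"},
    },
}

def effective(settings, path):
    """Resolve properties at `path`, inheriting from parent metabase keys."""
    result, parts = {}, path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        result.update(settings.get("/" + "/".join(parts[:i]), {}))
    return result

def is_local(account, server):
    """Assumption: local means unqualified, or qualified with the server name or '.'."""
    domain, sep, _ = account.rpartition("\\")
    return not sep or domain.upper() in (server.upper(), ".")

def audit(servers):
    """Return (server, path, account) where password sync is on for a non-local account."""
    findings = []
    for server, settings in sorted(servers.items()):
        for path in sorted(settings):
            eff = effective(settings, path)
            account = eff.get("AnonymousUserName", "")
            if eff.get("AnonymousPasswordSync") and account and not is_local(account, server):
                findings.append((server, path, account))
    return findings

def drift(servers, prop):
    """Return {path: {server: value}} where the effective `prop` differs between servers."""
    out = {}
    for path in sorted({p for s in servers.values() for p in s}):
        values = {name: effective(s, path).get(prop) for name, s in servers.items()}
        if len(set(values.values())) > 1:
            out[path] = values
    return out

if __name__ == "__main__":
    print(audit(SERVERS))
    print(drift(SERVERS, "AnonymousPasswordSync"))
```

In the sample, the `app` folder on WEB4 never sets password sync itself; it inherits the value from `/LM/W3SVC`, which is why comparing only the folder's own properties across servers would show no difference.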

