INFO: IIS Security Settings for CDO Web-Based Messaging

ID: Q186137

The information in this article applies to:

SUMMARY

The relative location of Microsoft Internet Information Server (IIS) and Microsoft Exchange Server on your network, together with whether you want to identify the sender, determines which IIS security settings you can use. This article gives a brief description of the security settings that are required.

MORE INFORMATION

To access security settings in IIS 4.0, open the Microsoft Management Console (MMC), right-click Web and then select Properties. Select the "Directory Security" tab and choose the Edit button next to "Anonymous Access and Authentication Control." There are three options available: "Allow Anonymous," "Basic Authentication" and "Windows NT Challenge/Response."

When a browser accesses a page via the Web, IIS determines what authentication to use in the following order:

1. If you select "Allow Anonymous" then all users assume the anonymous
   identity. The anonymous identity is determined by clicking the Edit
   button next to "Allow Anonymous", modifying the Username, and providing
   the password for that account. By default, the anonymous account is
   "IUSR_ComputerName".

2. If you do not select "Allow Anonymous" or there is a problem with the
   settings for the anonymous account, then IIS determines if "Windows NT
   Challenge/Response" (NTLM) is checked. If NTLM is selected, then IIS
   attempts to use NTLM to authenticate the user. If the authentication is
   successful, the user assumes the security context of the account they
   are logged into on the Windows NT domain. If NTLM authentication fails,
   then IIS determines if "Basic Authentication" is allowed.

3. If you select "Basic Authentication" then IIS challenges the browser,
   which in turn presents a logon box to the user. The user must then
   supply their "DOMAIN\UserID" and their password, which the browser
   sends to IIS in clear text.

If IIS and Exchange Server are on the same computer, you can use any of the above authentication methods. Whether you use "Allow Anonymous" or "Windows NT Challenge/Response" depends on whether you want your application to identify the sender.

If IIS and Exchange Server are on different computers, you must use either "Allow Anonymous" or "Basic Authentication". Which you choose depends on whether you want to identify the sender. In either case, if you want to use the "Allow Anonymous" option, you must do the following:

1. Create a Windows NT Domain account and an Exchange mailbox for the
   anonymous user.

2. Enter the anonymous user's Windows NT password into the MMC anonymous
   user section. Clear the "Enable Automatic Password Synchronization"
   option.

3. Grant the anonymous user the right to "Log on Locally" to the IIS
   computer. You grant rights in the Windows NT User Manager.
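
The authentication order and placement rules above can be checked against a planned configuration before it is applied. The following is an added example, not code from Microsoft or from this article: the DirSecurity model, its field names, and the audit helper are constructed for illustration, and the model assumes that an unchecked NTLM box falls through to Basic.

```python
from dataclasses import dataclass

@dataclass
class DirSecurity:
    """Constructed model of the IIS 4.0 'Directory Security' checkboxes."""
    allow_anonymous: bool
    ntlm: bool                          # "Windows NT Challenge/Response"
    basic: bool                         # "Basic Authentication"
    anon_account_ok: bool = True        # anonymous username/password are valid
    anon_has_mailbox: bool = False      # step 1: NT domain account + mailbox
    anon_pw_sync_cleared: bool = False  # step 2: password entered, sync cleared
    anon_log_on_locally: bool = False   # step 3: "Log on Locally" granted

def effective_method(cfg, ntlm_succeeds, basic_creds_valid):
    """Apply the article's order: anonymous, then NTLM, then Basic."""
    if cfg.allow_anonymous and cfg.anon_account_ok:
        return "anonymous"
    if cfg.ntlm and ntlm_succeeds:
        return "ntlm"
    if cfg.basic and basic_creds_valid:
        return "basic"
    return "denied"

def audit(cfg, exchange_remote, identify_sender):
    """Return findings for a planned configuration (hypothetical helper)."""
    findings = []
    anon_wins = cfg.allow_anonymous and cfg.anon_account_ok
    if anon_wins and identify_sender:
        findings.append("anonymous is tried first: sender is never identified")
    if anon_wins and not (cfg.anon_has_mailbox and cfg.anon_pw_sync_cleared
                          and cfg.anon_log_on_locally):
        findings.append("anonymous account prerequisites incomplete")
    if exchange_remote and cfg.ntlm and not anon_wins:
        findings.append("NTLM with Exchange on another computer: "
                        "use anonymous or Basic")
    if cfg.basic and not anon_wins:
        findings.append("Basic sends DOMAIN\\UserID and password in clear text")
    return findings
```

An empty list from audit means the planned settings are consistent with the rules in this article for the given server placement.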

Keywords          : kbole kbCDO kbCDO120 kbMsg 
Version           : WINDOWS:1.2, 1.21
Platform          : WINDOWS
Issue type        : kbinfo

Last Reviewed: December 14, 1998