DOCUMENT:Q218756 02-MAY-2001 [iis] TITLE :Logon Privileges Required for Anonymous Access PRODUCT :Internet Information Server PROD/VER::4.0 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Internet Information Server 4.0 ------------------------------------------------------------------------------- SUMMARY ======= Prior to IIS version 4.0, the administrator had to make sure the anonymous user account passwords were the same in both the IIS Administration tool and the Windows User Manager. Failure to do so lead to logon failures. To solve this dilemma and make administration easier, Password Synchronization was introduced in IIS 4.0. Password synchronization uses a slightly different logon method (explained in a moment) that has some side effects. By default, this option is enabled. Not Enabling Password Synchronization When this option is not enabled, IIS calls the LogonUser() API in Windows to log the account on. It passes in the user name and password configured by the administrator. If this matches the user name and password in Windows User Manager, the account is successfully logged on, the security token is cached by IIS, and the account is impersonated. This scenario logs the user account on interactively (logged on locally). Enabling Password Synchronization Authentication is performed differently when Password Synchronization is enabled because IIS has to inform Windows that the password is correct. A subauthenticator can perform this task. Windows allows subauthenticators (implemented as subauthentication DLLs) to be used in conjunction with the normal Windows authentication system. This scenario logs the user account on as a network logon. IIS supplies a subauthentication DLL called IISsuba.dll. The function of this DLL in terms of anonymous authentication is to verify that the password is correct and then inform Windows that the password is valid and hence log the user on. The Side Effect of Enabling Password Synchronization Subauthentication DLLs require a network logon, which can have side effects compared to a batch or interactive logon. The most notable is, in some cases, the inability to access resources such as files or Microsoft Access databases on a remote computer. If you see this problem, turn the Password Synch option off; this will force IIS to use normal authentication and log the account on locally (an interactive logon). MORE INFORMATION ================ For more information about Windows subauthentication, see the Microsoft Platform SDK and Microsoft Visual Studio 6.0 online product documentation. Visual Studio 6.0 ships with a subauthentication sample called SubAuth. For additional information, click the article number below to view the article in the Microsoft Knowledge Base: Q216828 Password Synchronization/Allow IIS to Control Password May Cause Problems Additional query words: ====================================================================== Keywords : Technology : kbiisSearch kbiis400 Version : :4.0 Issue type : kbhowto ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.