April 30, 2002 12:00 AM

IIS Informant: Clarifying Inaccurate Information About Anonymous Authentication

Windows IT Pro
InstantDoc ID #24845

Under the topic of Anonymous Authentication, the IIS Help file states, "The anonymous account must have the user right to log on locally. If the account doesn't have the Log On Locally permission, IIS will not be able to service any anonymous requests." However, when I tested the anonymous logon, it seemed to be a network logon, not a local logon. Does the IUSR account require the Log On Locally right, as the documentation states?

In this case, the documentation is wrong. Strangely, it has been wrong for a long time. The IUSR account doesn't require the Log On Locally right. You can prove this point by enabling the Success for Audit Account Logon Events option, then checking the Security log in Event Viewer. As Figure 2 shows, you'll see the IUSR account logon event. Notice that the Logon Type field has a value of 3. This value corresponds to a network logon. A local logon (also called an interactive logon) is Logon Type 2. (For a description of the Logon Types, see the Microsoft article "Distinguishing Windows NT Audit Event Records," http://support.microsoft.com/default.aspx?scid=kb;en-us;q140714.)

The IUSR account has long been associated with the Log On Locally user right, so when I first discovered this error, I couldn't believe it. However, in Windows 2000, you can deny rights as well as assign them, so I conducted an experiment to deny the Log On Locally right to the anonymous account. This denial had no effect whatsoever on anonymous access to the test Web site.
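A way to run the audit check described above on a current Windows server, as an added example that is not part of the original column. It assumes Windows Vista/Server 2008 or later, where a successful logon is Security event 4624 (the article's Windows 2000 screenshot shows the older 528/540 events), that the anonymous account still starts with "IUSR", and that success auditing for logon events is already enabled.

```powershell
# Added example: summarise the Logon Type recorded for the IIS anonymous account.
# Logon Type 2 = interactive (needs Log On Locally); 3 = network (needs
# Access This Computer From The Network). Run from an elevated PowerShell prompt.
param(
    [string]$AccountPattern = 'IUSR*',   # assumption: default anonymous account prefix
    [int]$Hours = 24                     # how far back to look in the Security log
)

$since  = (Get-Date).AddHours(-$Hours)
# Get-WinEvent throws when nothing matches, so suppress that and test the result instead
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) { Write-Warning "No 4624 events since $since. Is success auditing for logon events enabled?"; return }

# Meanings for the two logon types the article contrasts
$typeNames = @{
    2 = 'Interactive (requires Log On Locally)'
    3 = 'Network (requires Access This Computer From The Network)'
}

$rows = foreach ($e in $events) {
    # Pull the named EventData fields from the event XML rather than relying on positions
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ($d['TargetUserName'] -like $AccountPattern) {
        $lt = [int]$d['LogonType']
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = $lt
            Meaning   = if ($typeNames.ContainsKey($lt)) { $typeNames[$lt] } else { 'Other' }
            Process   = $d['ProcessName']
        }
    }
}

if (-not $rows) { Write-Warning "No logons matching '$AccountPattern' found since $since."; return }

# One line per logon type seen, then the most recent individual events
$rows | Group-Object LogonType | ForEach-Object {
    '{0,4} x LogonType {1}: {2}' -f $_.Count, $_.Name, $_.Group[0].Meaning
}
$rows | Sort-Object Time -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

If every anonymous logon reports type 3, denying Log On Locally to the account should not affect the site; a mix of type 2 and 3 across configuration changes is the behaviour the comments below describe.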

Comments
  • Anonymous User
    Dec 02, 2004

    The information in the original post is not complete, and therefore not entirely accurate. If the server is configured to allow anonymous access, but does *not* allow IIS to manually synchronize passwords, anonymous login attempts will, in fact, be recorded as *local* login attempts. Conversely, if IIS does perform automatic password synchronization ("Allow IIS to control password" is checked on the Anonymous User Account dialog from the WWW Service Master/Directory Security dialog), then the authentication will be performed by a special IIS subauthentication DLL (IISSubA.dll). Authentication handled by subauthentication DLLs is reported as *network* logins, and thus does *not* require Log On Locally privs, but *does* require "Access This Computer from the Network" privs.

    The facts explaining this situation can be reviewed in detail at http://support.microsoft.com/kb/218756/EN-US/

    -David Whitney
    unchecked@cox.net

  • Norm Laymon
    May 07, 2004

    Does the above logic also apply if you have all methods of authentication turned off except for anonymous access, and you are testing the web site locally?

  • Ivan
    Sep 29, 2003

    I disagree with the information presented in this article. Assuming we are using anonymous logon, the log on type is determined by the check box in the section where we define the anonymous user/pwd.

    If the check box "Allow IIS to Check Password" is checked, it creates a network logon, if it is not checked, then a local logon shows up in the eventlogs.
