Monday, July 9, 2007

Authenticating Anonymous requests

By default, when a browser requests a Web page, IIS will first try to fill the request without authenticating the user. In order to do this, IIS impersonates a special Windows NT account, named IUSR_machinename (where machinename is the name of the IIS host computer). When you install IIS, the installation program creates this account automatically. If, by impersonating the IUSR_machinename account, IIS can access the requested resource, then it serves the page to the anonymous user; otherwise, the user gets a 401 error.
A common problem with anonymous access occurs when the password for the IUSR_machinename account and the password entered in the Internet Service Manager get out of sync. When IIS tries to impersonate the IUSR_machinename account, it submits the password that was entered in the anonymous logon field to a Windows NT server. If that password is incorrect, IIS is prevented from using the IUSR_machinename account. Once anonymous access fails, IIS will attempt to authenticate everyone. Because authentication can happen silently, the site can fail without the reason for the failure being apparent. The type of authentication you're using makes a huge difference if your pages are accessing other resources, such as databases or server-side components (DLLs).
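
One way to spot this condition from the server's own logs, as an added example that is not part of the original post: it assumes W3C extended logging with the cs-username and sc-status fields enabled. The function names, the heuristic and the sample log lines are constructed for illustration.

```python
# Constructed sample in W3C extended log format (not taken from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2007-07-09 10:00:01 10.0.0.5 - GET /default.asp 401
2007-07-09 10:00:01 10.0.0.5 CORP\\alice GET /default.asp 200
2007-07-09 10:00:07 10.0.0.9 - GET /default.asp 401
2007-07-09 10:00:09 10.0.0.5 - GET /images/logo.gif 401
2007-07-09 10:00:09 10.0.0.5 CORP\\alice GET /images/logo.gif 200
2007-07-09 10:02:30 10.0.0.7 - GET /public/help.htm 401
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def anonymous_health(text):
    """Count how requests logged without a user name fared against named users."""
    counts = {"anon_ok": 0, "anon_401": 0, "authed_ok": 0}
    for row in parse_w3c(text):
        status = row.get("sc-status", "")
        if not status.isdigit():
            continue
        code = int(status)
        anonymous = row.get("cs-username", "-") == "-"
        if anonymous and code == 401:
            counts["anon_401"] += 1
        elif anonymous and code < 400:
            counts["anon_ok"] += 1
        elif not anonymous and code < 400:
            counts["authed_ok"] += 1
    # Heuristic (assumption): no anonymous request ever succeeds while named
    # users do, which matches IIS falling back to authenticating everyone.
    counts["anonymous_failing"] = (
        counts["anon_ok"] == 0 and counts["anon_401"] > 0 and counts["authed_ok"] > 0
    )
    return counts

if __name__ == "__main__":
    print(anonymous_health(SAMPLE_LOG))
```

A 401 on one protected folder is normal; the signal here is that no page on the site is ever served without a user name.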
