Anonymous Authentication

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Anonymous authentication gives users access to the public areas of your Web or File Transfer Protocol (FTP) site without prompting the users for a user name or password. When a user attempts to connect to your public Web or FTP site, your Web server assigns the connection to the Windows user account that is specified for anonymous connections. By default, this account is named IUSR_ComputerName, where ComputerName is the name of the computer on which IIS is running, and it is included in the Windows user group, Guests. This group has security restrictions, which are imposed by NTFS file system permissions, that designate the level of access and the type of content that is available to public users.

Important

Do not confuse the anonymous user context that Windows Server 2003 provides with the anonymous user account that IIS provides. The IIS anonymous user account is configurable; the default is IUSR_ComputerName. The operating system also provides a notion of anonymous access across the network.

When you use Anonymous authentication, the IUSR_ComputerName account is added to the Guests group on the computer running IIS during setup. When IIS receives a request, it impersonates the IUSR_ComputerName account before executing any code. IIS can impersonate the IUSR_ComputerName account because it recognizes the user name and password for this account. Before returning a page to the client, IIS checks NTFS and directory permissions to see whether the IUSR_ComputerName account is allowed access to the file. If access is allowed, the access process, which is also called authorization, completes, and the resources are made available to the user. If access is not allowed, IIS returns a 401.3 error message to the client.
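The following Python script is an added example, not part of the original documentation. It shows how to find content that the anonymous account is denied by NTFS permissions by counting 401.3 responses to requests that carried no user name. It assumes W3C Extended logging with the cs-username, sc-status, and sc-substatus fields selected; the log lines are constructed sample data.

```python
from collections import Counter

# Constructed sample in W3C Extended format; field order comes from #Fields.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2005-03-01 10:00:01 GET /default.htm - 192.0.2.10 200 0
2005-03-01 10:00:05 GET /reports/q1.xls - 192.0.2.10 401 3
2005-03-01 10:00:09 GET /reports/q1.xls - 192.0.2.11 401 3
2005-03-01 10:00:12 GET /admin/ - 192.0.2.12 401 2
2005-03-01 10:00:20 GET /reports/q1.xls alice 192.0.2.10 200 0
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # A log file can contain several #Fields lines; the latest one applies.
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def anonymous_acl_denials(text):
    """Count 401.3 responses per URI for requests logged without a user name.

    cs-username is "-" when the request was handled as anonymous. If
    sc-substatus was not selected for logging, nothing is reported, because
    401.3 cannot be told apart from other 401 responses.
    """
    hits = Counter()
    for rec in parse_w3c(text):
        if (rec.get("sc-status") == "401"
                and rec.get("sc-substatus") == "3"
                and rec.get("cs-username") == "-"):
            hits[rec["cs-uri-stem"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for uri, count in sorted(anonymous_acl_denials(SAMPLE_LOG).items()):
        print(f"{count:4d}  401.3  {uri}")
```

Each URI reported is a resource whose NTFS permissions do not grant access to the configured anonymous account; confirm that this is intended before changing the permissions.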

You can change the account that is used for Anonymous authentication in IIS Manager, either at the Web server service level or for individual virtual directories and files. However, be aware that when you change the IUSR_ComputerName account, the changes affect every anonymous HTTP request that a Web server services, so use caution if you modify this account.

If you enable Anonymous authentication, IIS always attempts to authenticate the user with Anonymous authentication first, even if you enable additional authentication methods. If the anonymous user account does not have permission to access a specific file or resource, your Web server will not establish an anonymous connection for that resource.

In IIS 6.0, NETWORK_CLEARTEXT is the default logon type for Anonymous authentication. As a result, Anonymous authentication no longer requires the Allow log on locally user right. For more information about the NETWORK_CLEARTEXT logon type, see Basic Authentication.