Install Subauthentication

Applies To: Windows Server 2003, Windows Server 2003 with SP1

To use Digest authentication in Internet Information Services (IIS) 6.0 when the domain controller is running Microsoft® Windows® 2000, you must enable subauthentication, which is not installed by default on IIS 6.0. There are three requirements for enabling subauthentication:

  • Install the subauthentication component, Iissuba.dll.

  • Set the UseDigestSSP metabase property to False.

  • Set the identity of the application pool to Local System. For more information about setting application pool identity, see Ensuring Application Availability.

Consider the following guidelines for enabling subauthentication:

  • The requirement to use subauthentication applies to Digest authentication only. Using Advanced Digest authentication does not require subauthentication.

  • When you no longer want to use subauthentication, unregister the sub-authentication component and set the identity of the application pool to Local System.

Requirements

  • Credentials: Membership in the Administrators group on the local computer.

  • Tools: Iis.msc.

Recommendation

As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. At the command prompt, type runas /user:administrative_accountnamemmc %systemroot%\system32\inetsrv\iis.msc.

Procedures

To install and register the subauthentication component

  1. In the Run dialog box, type cmd, and click OK.

  2. At the command prompt type:

    rundll32 systemroot\system32\iissuba.dll, RegisterIISSUBA.
    
  3. Press ENTER.

  4. For any application pools that use Digest authentication, set the application pool identity to Local System.

    For more information about Digest authentication, see Configure Web Server Authentication.

    For more information on configuring application pool identity, see Configure Application Pool Identity.

To unregister the subauthentication component

  1. In the Run dialog box, type cmd, and click OK.

  2. At the command prompt, type:

    rundll32 systemroot\system32\iissuba.dll,UnregisterIISSUBA.
    
  3. Press ENTER.