Setting Up a Null Session for Cross-Domain Logging

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

Remotely logging files to a UNC share in a different domain requires configuring the remote share as a null session share. A null session connection is an unauthenticated connection. When IIS attempts to access a remote Microsoft Windows server resource, such as a file share, using a null session, the operation might fail if the file share is not configured as a null session share, or if there are any registry, group, or policy restrictions set on the server hosting the file share.

Important

Using Registry Editor incorrectly can cause serious problems that require reinstalling the operating system. Because Registry Editor bypasses the standard safeguards that prevent you from entering settings that are conflicting or likely to degrade performance or damage your system, exercise caution when making changes to the registry. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. For information about how to edit the registry, see "Changing Keys and Values" in Registry Editor Help.

Procedures

To enable null session access

  1. From the Start menu, click Run.

  2. In the Open box, type Regedit.exe, and click OK.

  3. Navigate to and double-click the following value in the registry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares

    Note

    NullSessionShares is a REG_MULTI_SZ value.

  4. On a new line in the NullSessionShares value, type the name of the share that you want to access with a null session, for example, public.

  5. Navigate to and click the following key in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

  6. From the Edit menu, point to Add, click DWORD Value and then add the following registry value:

    Name: RestrictAnonymous

    Type: REG_DWORD

    Data: 0

  7. Quit Registry Editor.

  8. Restart the server.

If the remote share does not allow your IIS server to write the log file to the designated share after restarting the server, you might need to adjust the Windows security groups and security policies on the remote machine to enable anonymous access.
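
A read-only check of the two registry values set in the procedure above, added here as an example and not part of the original Microsoft procedure. It reports whether the share is listed in NullSessionShares, which other shares also accept null sessions, and whether RestrictAnonymous is 0. The function name and output fields are hypothetical, public is the example share name from step 4, and Windows PowerShell is assumed to be installed on the server that hosts the share.

```powershell
# Added example: reads the registry only, changes nothing.
# Function name and output field names are hypothetical.
function Test-NullSessionLogShare {
    param(
        [string]$ShareName = 'public'   # example share name from step 4
    )

    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'

    # A REG_MULTI_SZ value is returned as a string array, one share per element.
    $shares = @()
    $p = Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue
    if ($p -and $p.NullSessionShares) { $shares = @($p.NullSessionShares) }

    # RestrictAnonymous may be absent; report $null rather than assume a value.
    $restrict = $null
    $l = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
    if ($l -and $l.PSObject.Properties['RestrictAnonymous']) {
        $restrict = $l.RestrictAnonymous
    }

    $listed = $shares -contains $ShareName   # -contains is case-insensitive

    New-Object PSObject -Property @{
        ShareName             = $ShareName
        ShareListed           = $listed
        # Every other entry is also reachable without authentication: review these.
        OtherNullSessionShares = @($shares | Where-Object { $_ -ne $ShareName })
        RestrictAnonymous     = $restrict
        # True only when both settings match steps 4 and 6 of the procedure.
        MatchesProcedure      = ($listed -and ($restrict -eq 0))
    }
}

Test-NullSessionLogShare -ShareName 'public' | Format-List
```

Run it on the server that hosts the share after the restart in step 8. If MatchesProcedure is True and logging still fails, the cause lies outside these two registry values.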