Resolving IIS Anonymous Access settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

By default, Internet Information Services (IIS) impersonates a special IIS local user account. Since this account is local to the IIS computer (unless it is a domain controller), it cannot be authenticated by other computers in the network and is treated as an anonymous user.

Active Server Pages (ASP) applications and scripts run under IIS, and by default impersonate the IIS local user for any Message Queuing operations, including queries to Active Directory. Since anonymous users no longer belong to the Everyone group in the Windows Server 2003 family, these queries fail, and ASP applications and scripts cannot locate, create, or delete queues. In addition, an anonymous user cannot open a queue for remote read, so ASP cannot read messages from queues that do not belong to the IIS computer.

You can resolve this issue in either of the following ways:

  • Use a domain user account instead of the IIS local user account for Anonymous Access. The account must have the required permissions for the Message Queuing operation, for example access to Active Directory.

  • Disable Anonymous Access. Trust the IIS computer for delegation to allow multiple hops in communicating with a domain controller. Note that this option will not resolve remote read limitations.

For instructions, see Change the security settings for Internet Information Services.
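
To find which Web sites are affected before changing anything, the following added example (not part of the original article) reads each site's root settings through the IIS ADSI provider and reports whether Anonymous Access is enabled and whether its account is local to the IIS computer. The function name Test-LocalAccount and the local-versus-domain heuristic are assumptions of this example; it checks only each site's ROOT, so settings overridden on individual virtual directories or files are not reported.

```powershell
# Added example: audit Anonymous Access identities on IIS 6.0 (Windows Server 2003).
# Run on the IIS computer itself, as an administrator.

# Heuristic (an assumption of this example): an account is treated as local when it
# has no DOMAIN\ prefix, or when the prefix is "." or the computer's own name.
# On a domain controller, local accounts are domain accounts, so results there
# need manual review.
function Test-LocalAccount {
    param([string]$Account, [string]$ComputerName = $env:COMPUTERNAME)
    if ($Account -match '@')     { return $false }   # user@domain form
    if ($Account -notmatch '\\') { return $true }    # unqualified name
    $prefix = $Account.Split('\')[0]
    return ($prefix -eq '.' -or $prefix -eq $ComputerName)
}

$AUTH_ANONYMOUS = 0x1   # AuthAnonymous bit of the AuthFlags metabase property

$service = [ADSI]'IIS://localhost/W3SVC'
foreach ($site in $service.psbase.Children) {
    # Skip non-site children such as filters and application pools.
    if ($site.psbase.SchemaClassName -ne 'IIsWebServer') { continue }

    $root    = [ADSI]($site.psbase.Path + '/ROOT')
    $flags   = [int]$root.psbase.Properties['AuthFlags'].Value
    $account = [string]$root.psbase.Properties['AnonymousUserName'].Value
    $comment = [string]$site.psbase.Properties['ServerComment'].Value

    $anonymous = ($flags -band $AUTH_ANONYMOUS) -ne 0

    if (-not $anonymous) {
        $finding = 'Anonymous Access disabled'
    }
    elseif (Test-LocalAccount $account) {
        # This is the case described above: Message Queuing operations that
        # query Active Directory run as an anonymous user and fail.
        $finding = 'Anonymous Access uses a LOCAL account: ' + $account
    }
    else {
        $finding = 'Anonymous Access uses a domain account: ' + $account
    }

    Write-Output ('{0} ({1}): {2}' -f $site.psbase.Name, $comment, $finding)
}
```

A site reported with a local account is a candidate for either resolution above; a site reported with a domain account still needs that account to hold the permissions the Message Queuing operation requires.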