Sub-Authentication

Applies To: Windows Server 2003, Windows Server 2003 with SP1

In earlier versions of IIS, sub-authentication was enabled by default. The sub-authentication component, Iissuba.dll, enables IIS to manage passwords on anonymous accounts. Because using this component involves a security risk, sub-authentication is not enabled by default when you install Windows Server 2003 with IIS 6.0. However, you can use sub-authentication to manage passwords for anonymous accounts by meeting the following requirements:

  • For applications to which you grant anonymous access, the worker process runs as LocalSystem.

  • The sub-authentication component, Iissuba.dll, is registered.

  • The AnonymousPasswordSync metabase property is enabled (set to true).

The actions taken to meet the above requirements are different for clean installs of IIS 6.0 and upgrades to IIS 6.0 from installations of IIS with sub-authentication configured.

Configuring Sub-Authentication on a New Installation of IIS 6.0

By default, on a new installation, IIS 6.0 runs in worker process isolation mode, and sub-authentication is disabled (AnonymousPasswordSync is set to false).

If, after a new installation of IIS 6.0, you switch to IIS 5.0 isolation mode, the worker process assigned to in-process applications runs as LocalSystem by default.

Configuring Sub-Authentication on an Upgrade to IIS 6.0

When you upgrade a server to IIS 6.0 from an earlier version of IIS that uses sub-authentication to manage passwords on anonymous accounts, sub-authentication is enabled by default (AnonymousPasswordSync is set to true). However, sub-authentication will not work because two configuration tasks have not been accomplished: Iissuba.dll is not registered, and the worker processes using Anonymous authentication are not running as LocalSystem. The event log should contain entries reporting this.
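
The following Python script is an added example, not part of the original documentation. It audits an exported MetaBase.xml for the two requirements that are visible in the metabase (AnonymousPasswordSync and a LocalSystem worker process) and resolves inherited values, so the half-configured upgrade state described above can be told apart from a working configuration. Assumptions: worker process isolation mode, the metabase attributes AppPoolId and AppPoolIdentityType (0 meaning LocalSystem), hypothetical function and status names, and a constructed, simplified sample; registration of Iissuba.dll is not checked.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified MetaBase.xml excerpt (not taken from a real server).
SAMPLE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0"><MBProperty>
<IIsWebService Location="/LM/W3SVC" AnonymousPasswordSync="TRUE"/>
<IIsApplicationPools Location="/LM/W3SVC/AppPools" AppPoolIdentityType="2"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool" AppPoolIdentityType="0"/>
<IIsWebServer Location="/LM/W3SVC/1"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AppPoolId="DefaultAppPool"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/legacy" AppPoolId="LegacyPool"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/public" AnonymousPasswordSync="FALSE"/>
</MBProperty></configuration>"""

def inherited(nodes, path, attr):
    """Value of attr at path, or at the nearest ancestor key that sets it."""
    path = path.upper()
    while path:
        value = nodes.get(path, {}).get(attr)
        if value is not None:
            return value
        path = path.rpartition("/")[0]
    return None

def audit(xml_text):
    """Map each virtual directory to active / enabled-not-working / disabled."""
    nodes, vdirs = {}, []
    for el in ET.fromstring(xml_text).iter():
        loc = el.get("Location")
        if loc is None:
            continue
        nodes[loc.upper()] = el.attrib  # metabase paths are case-insensitive
        if el.tag.rpartition("}")[2] == "IIsWebVirtualDir":
            vdirs.append(loc)
    report = {}
    for loc in vdirs:
        sync = (inherited(nodes, loc, "AnonymousPasswordSync") or "FALSE").upper()
        # Assumption: fall back to DefaultAppPool when no AppPoolId is found.
        pool = inherited(nodes, loc, "AppPoolId") or "DefaultAppPool"
        identity = inherited(nodes, "/LM/W3SVC/AppPools/" + pool, "AppPoolIdentityType")
        if sync != "TRUE":
            report[loc] = "disabled"
        elif identity == "0":  # 0 = LocalSystem
            report[loc] = "active"
        else:  # flag set but pool is not LocalSystem: the upgrade state
            report[loc] = "enabled-not-working"
    return report

if __name__ == "__main__":
    for location, status in audit(SAMPLE).items():
        print(f"{status:20} {location}")
```

Locations reported as active are the ones where the LocalSystem risk noted at the top of this page applies; enabled-not-working locations carry the flag without the worker-process identity needed for it to take effect.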