Anonymous accounts (IUSR_computername) attempting subauthentication logon receive 401 error

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

The subauthentication component, Iissuba.dll, is not enabled by default in IIS 6.0. In earlier versions, Iissuba.dll allowed IIS to manage passwords on anonymous accounts, which created a potential security risk. In IIS 6.0, you can use subauthentication to manage passwords for anonymous accounts by meeting the following requirements:

  • For applications which you assign anonymous access, the worker process runs as LocalSystem.

  • The subauthentication component, Iissuba.dll, is registered.

  • The AnonymousPasswordSync Metabase Property is enabled (set to true).

The actions taken to meet the above requirements differ between clean installs of IIS 6.0 and upgrades to IIS 6.0 from installations of IIS with subauthentication configured.

For information about the procedures to configure sub-authentication, see Anonymous Authentication in IIS 6.0.