IIS Insider - June 2005

By Bernard Cheah, IIS-Resources.com, and Chris Adams, Supportability Beta Lead, Microsoft Corporation

IIS Insider

"URL" Not an Option for 401 Custom Errors


Q. Im using IIS 5 under Windows 2000 Server (with Service Pack 4), through Remote Desktop Connection (as admin). Im able to customize error 404 with a URL, for instance, and it works fine. But, for all 401 errors, URL is not listed as an option (only File or Default). Is there a way to customize the 401.x error pages? Im hosting static pages.

A. Very good question! Before we discuss this by-design behavior (meaning the behavior of 401 custom errors, which support "Default" and "File" modes only), let's look at the status codes. Error 404 indicates that the requested page was not found, while 401 errors indicate errors based on security. 401 errors highlight access denied due to a number of causes, including authentication and authorization failures. The table below shows the 401.X sub-status code and relevant description:

Status code Description


Login failed


Login failed due to server configuration


Unauthorized due to ACL on resource


Authorization failed by filter


Authorization failed by ISAPI/CGI application


Access denied by URL authorization policy on the web server (IIS6 only)

NOTE: In IIS 6, these specific error codes are known as sub-status codes and are captured in an IIS log file. However, for IIS 5 and below, these specific error codes are displayed in the browser and are not captured in an IIS log file. For complete IIS Status codes, refer to the following Knowledge Base article: 318380

Now back to the question: Why does IIS provide "Default," "File," and "URL" modes for 404 custom error messages, but only "Default" and "File" for 401 errors? In a "Default" setting, the standard HTTP 1.1 error message is sent. For example, 401.3 sends the error message: "Unauthorized due to ACL on resource." The "File" option allows you to send a predefined static HTML file included in the IIS installation. The predefined HTML file for IIS custom error messages is located at %windir%/Help/iisHelp/common, in IIS 5.0.

Still, what about the "URL" option? This option is not available for 401, 407 and 502 errors. In the event of a 401.X error, IIS has no user context to fulfill the request and replies with a static error message rather than another dynamic content -- because that would generate another 401.X error. For example, when browsing a web site anonymously, the default request identity user account is the IUSR_COMPUTERNAME account. Assuming this anonymous account experiences a 401.1 "Login failed" error message on an ASP page, IIS has no other user context to further process and is unsuccessfully able to retrieve a custom error message (for example: redirecting the request to another URL-based access, such as
http://www.yourserver.com/customerror.asp). Instead, IIS returns a static HTML error message specified in the "File" option. The "URL" feature is intentionally removed from the 401.X custom error message configuration.

Number of Web Sites IIS 6.0 Supports


Q. How many Web sites can IIS 6.0 support?

A. 2,111 Web sites. Actually, that number is my car license plate number, not the number of Web sites. There are too many variables in this question to answer so easily. The answer can be similar from the question: "How many application pools can IIS 6 support?" or "How many users can my IIS 6 computer handle?" Unfortunately, there's no straight formula to produce the answer. Similar to IIS 5, I have seen a server running 1,500 sites in production, while I have only 2 in my quad CPU box. Before IIS 6 was released, the Microsoft IT organization ran stress tests on IIS 6 with 20,000 sites, with hundred of application pools. Therefore, the answer is "it depends" on your hardware configuration (CPU, memory, hard drives, network, etc.), and your application (complexity, bandwidth, etc.). Once you know these items about your specific server, you can roughly estimate how many sites it can support. For example, if you have a T1 (1.5mbps) line, and an average page size speed of 5Kbs, you can handle roughly 27 pages downloaded per second. Once you have made your rough estimates, you must test your assumptions and see where to make adjustments to get optimum performance. This case study:http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/caa232a0-80d2-48da-9699-9b06bf79440d.mspx, covers the capacity planning process for an ASP.NET application, and can give you tips on tuning and scaling.

You should also to read the Optimizing IIS 6.0 Performance guide to help optimize your IIS 6 computer if you are using non-ASP.NET content, such as other ISAPI extensions or CGI's.

Your capacity limitation is the server hardware. For each application pool created, IIS will allocate a certain amount of resources for the application pool. For example, hosting 200 static Web sites in one application pool will typically consume fewer resources that running 50 ASP.NET applications in 30 different application pools. There is no hard-coded limit in IIS -- the trick here is capacity management. You can read the Microsoft Operations Framework (MOF) best practices advice on Capacity Management at:

IUSR_MachineName Account Does Not Authenticate


Q. I have upgraded my server from Windows 2000 server and IIS 5.0 to Windows Server 2003 and IIS 6.0. I am now getting failures to authenticate the IUSR_MachineName account for some of my Web sites. I am unsure why this failure is occurring, nor how to fix it.

A. This is another great question and one that might surprise you once you hear the cause. It was a feature that was introduced in legacy versions of IIS and more commonly called IIS Sub-Authentication. With the introduction of IIS 6.0 and the new, highly secured default setup, Microsoft made the decision to break this functionality upon completion of an upgrade in order to improve security. This was done because the fix is trivial, while the security "risk" is greater.

Let's first understand IIS sub-authentication. IIS sub-authentication is implemented in the component iissuba.dll that is located in %windir%\system32. This component is designed to assist administrators in pre-Active Directory environments to avoid anonymous user accounts getting locked out or disabled because of invalid attempts to logon (i.e. Denial of Service attacks). The theory behind the sub-authenticator is sound; though, the implementation is a bit more of a security concern than many administrators or Microsoft might feel comfortable with. Hence, it was disabled on Windows Server 2003 systems.

For the component to work properly, it must be loaded in a process that is running with an identity with an elevated user right. This right, called Trusted Computing Base (TCB) privilege, is reserved to the Local System account. This privilege allows IIS to successfully impersonate a login for a user without a password. You can accomplish this because the process is running as Local System who has this elevated privilege.

However, test it for yourself; here is how you can reproduce the behavior in IIS 6.0:
(NOTE: Try this on a Testing environment first)

  1. Register the IIS Sub-authentication component using the following command:

    %windir%\system32\inetsrv\rundll32 iissuba.dll, RegisterIISSUBA

    NOTE: This is case-sensitive

  2. In IIS 6.0, ensure that you are running in IIS's default Worker Process Isolation Mode. To do this, issue the following command from the command-line:

    cscript adsutil.vbs set w3svc/IIs5IsolationModeEnabled "false"

    NOTE: The default on upgrades is for this property to be True to ensure maximum compatibility at the completion of the upgrade.

  3. Open the IIS Manager located in the Administrative Tools folder.

  4. Locate the DefaultAppPool that is under the Application Pool folder. Right-click and choose Properties. On the Identity tab, choose to run as Local System.

    If your browser does not support inline frames, click here to view on a separate page.

    See full-size image.

  5. The last configuration step is to enable the Anonymous Password Sync feature in IIS. To do this, enter the following command at the command prompt:

    cscript adsutil.vbs set w3svc/anonymouspasswordsync true

    If your browser does not support inline frames, click here to view on a separate page.

    See full-size image.

    NOTE: This can also be done on the Service tab in the IIS Manager user interface. This change requires IIS be restarted before taking effect.

To test this, change the password for the IUSR_MachineName account to something different than that listed in the metabase. This emulates the behavior of seeing a login work successfully although the password is invalid. You can do this by doing one of two things:

  • Change the password for the IUSR_MachineName in Local Users on the Windows Server 2003 computer

  • Edit the AnonymousUserPass metabase property and set it to an invalid password.

For this example, we will take the simplest approach and change the password on the Windows Server 2003 computer. Do the following:

  1. Open the Computer Management Snap-In MMC; locate the Local Usersand Groups and highlight the Users folder

  2. Right-click IUSR_MachineName and choose Set Password

  3. Change the password to anything you would like.

    If your browser does not support inline frames, click here to view on a separate page.

    See full-size image.

This will effectively cause any attempt to logon using the anonymous user account to fail as the user's username and password stored in the metabase is incorrect. This is similar to situations where the account might have a password changed by an administrator, a user, or a service.

Now that we understand IIS sub-authentication, we can better understand why you had the problem upon completion of the upgrade. The default metabase setting for IIS 5.x was to set AnonymousPasswordSyncto "true", which enables this feature. On IIS 5.x, the component iissuba.dll was registered and enabled by default and the core web server was running as Local System (Inetinfo). This isn't the case in IIS 6.0, where this component is not registered nor is any worker process running as the elevated privilege Local System. To change this behavior, you will need to enable sub-authentication or correct the password problem with the IUSR_MachineName or your custom anonymous account.

In most circumstances, rectify the situation with the password and NOT enable sub-authentication. The reason sub-authentication still exists is only to support legacy applications, and Microsoft does not recommend you use it unless you have an urgent business requirement.

The IIS product group released a tool that is aimed at assisting you in diagnosing authentication and authorization failures. The tool, Authentication and Access Control Diagnostics 1.0 (AuthDiag), was released as part of the IIS Diagnostics Toolkit (which is downloadable from the Microsoft Download Center). To use AuthDiag, download the IIS Diagnostics Toolkit 1.0 at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e90fe777-4a21-4066-bd22-b931f7572e9a&DisplayLang=en. For more information about the IIS Diagnostics Toolkit, see:

For more details about sub-authentication in IIS 6.0, you can review the documentation on the Windows Server 2003 TechCenter

For More Information

Submit your questions to the IIS Insider. A response is not guaranteed; however, selected questions along with the answers will be posted in a future IIS Insider column.

For a list of previous months' questions and answers on IIS Insider columns, click here.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is," without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.