IIS authentication is done in two steps.
The first step is performed by IIS itself. That is to say, when a user accesses the web site, Windows creates
a token for this user.
For an anonymous request, the token is the IUSR_computername account on both IIS 5.0 (Windows 2000) and IIS 6.0 (Windows 2003),
unless a different account is configured for anonymous access in IIS. Do not confuse this with the account the ASP.NET worker process runs as:
ASPNET (aspnet_wp.exe) on IIS 5.0 and NETWORK SERVICE (w3wp.exe) on IIS 6.0. Unless impersonation is enabled in web.config, the page code runs
as the worker process account, while IIS checks NTFS permissions on the requested file with the anonymous token.
Usually, we set the anonymous account in IIS explicitly, just like we set "****" for the DEV environment.
The second step is performed by the ASP.NET framework. That is what happens when we create a forms authentication ticket in our source code.
The last point that we need to pay attention to is that the anonymous account (IUSR_computername, or whatever account is configured in IIS) must
have NTFS read permission on the web site's root folder. The worker process account (ASPNET or NETWORK SERVICE) needs access as well, since the page code runs as that account.
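To make the two steps visible side by side, here is an added example (not code from the original post): an ASP.NET 2.0 code-behind page that reports the IIS token from step 1, the account the code actually runs as, and the forms ticket from step 2, plus a helper that issues the ticket. The class names WhoAmI and FormsLogin are assumptions, and Membership.ValidateUser assumes a configured membership provider.

```csharp
// Added example, not code from the original post. An ASP.NET 2.0 code-behind
// page that reports the identities from both authentication steps, plus a
// helper that issues the forms ticket for step 2. The class names WhoAmI and
// FormsLogin are assumptions; Membership.ValidateUser needs a configured
// membership provider.
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class WhoAmI : Page
{
    // Step 1 (IIS): the Windows token IIS built for this request. For an
    // anonymous request this is IUSR_computername, or whatever account is
    // configured for anonymous access on the site or virtual directory.
    static string IisToken(HttpRequest request)
    {
        WindowsIdentity logon = request.LogonUserIdentity;
        return logon == null ? "(no token)" : logon.Name;
    }

    // The Windows account the page code is actually running as. With the
    // default <identity impersonate="false" /> this is the worker process
    // identity (ASPNET on IIS 5.0, NETWORK SERVICE on IIS 6.0); with
    // impersonate="true" it becomes the IIS token above.
    static string ExecutionIdentity()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // Step 2 (ASP.NET): the forms authentication ticket, if one was issued.
    // It travels in a cookie and is independent of the Windows token.
    static string FormsIdentity(IPrincipal user)
    {
        if (user == null || !user.Identity.IsAuthenticated)
            return "(no forms ticket)";
        return user.Identity.Name + " (" + user.Identity.AuthenticationType + ")";
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        StringBuilder report = new StringBuilder();
        report.AppendLine("IIS token:     " + IisToken(Request));
        report.AppendLine("Code runs as:  " + ExecutionIdentity());
        report.AppendLine("Forms ticket:  " + FormsIdentity(User));
        Response.ContentType = "text/plain";
        Response.Write(report.ToString());
    }
}

// Step 2 in our own source code: validate the credentials, then write the
// encrypted ticket cookie. Nothing here changes the Windows token from step 1.
public static class FormsLogin
{
    public static bool SignIn(string userName, string password)
    {
        if (!Membership.ValidateUser(userName, password))
            return false;
        // createPersistentCookie = false: the ticket dies with the browser session.
        FormsAuthentication.SetAuthCookie(userName, false);
        return true;
    }
}
```

Request an anonymous page once before and once after signing in: the IIS token line stays IUSR_computername in both cases, only the forms ticket line changes, and the "Code runs as" line shows whether impersonation is on.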
Here is a good article to understand this issue: http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_15378
Understanding anonymous authentication and the IUSR account
Dreamweaver UltraDev is no longer supported, and the Dreamweaver UltraDev support center will no longer be actively updated. The functionality available in Dreamweaver UltraDev is available in Dreamweaver, beginning with Dreamweaver MX. Accordingly, we are moving pertinent content to the Dreamweaver support center. Please refer to the Dreamweaver version of this technote: Understanding anonymous authentication and the IUSR account (TechNote 19068).
Anonymous access, the most common web site access control method, allows anyone to visit the public areas of a web site while preventing unauthorized users from gaining access to a web server's critical administrative features and private information. Anonymous authentication gives users access to a web site without prompting them for a user name or password. When a user attempts to connect to a public web site, the web server assigns the user to the Windows user account called IUSR_computername, where computername is the name of the server on which IIS is running.
By default, the IUSR_computername account is included in the Windows user group Guests when IIS is installed on the server. This group has security restrictions, imposed by NTFS permissions, that designate the level of access and the type of content available to public internet users. Changes can be made to the account used for Anonymous authentication in the Internet Service Manager at the web server level or for individual virtual directories and files. Security privileges for the IUSR_computername account can be changed with User Manager for Windows NT, and Local Users and Groups in the Computer Management console for Windows 2000.
IIS uses the IUSR_computername account in the following way:
- The IUSR_computername account is added to the Guests group on the computer.
- When a page request is received, IIS will imitate the IUSR_computername account before executing any code or accessing any files. IIS is able to imitate the IUSR_computername account because the user name and password for this account are known by IIS.
- Before returning a page to the browser, IIS checks NTFS file and directory permissions to see if the IUSR_computername account is allowed access to the file.
- If access is allowed, authentication completes and the resources are made available to the user.
- If access is not allowed, IIS will attempt to use another authentication method. If none is selected, IIS returns an "HTTP 403 Access Denied" error message to the browser.
Note: The anonymous account must have the user right to log on locally. If the account does not have the Log On Locally permission, IIS will not be able to service any anonymous requests. The IIS installation specifically grants the Log On Locally permission to the IUSR_computername account. Also, if the anonymous user account does not have permission to access a specific file or resource, the web server will refuse to establish an anonymous connection for that resource.
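The NTFS check described in the steps above is the one that usually bites: the account in IIS is correct, but the ACL on the site root does not include it. The following is an added example, not part of the original post or the Adobe TechNote: a console tool for IIS 6 that reads the anonymous account and physical path of a site root from the metabase (through the ADSI provider; site number 1 and the class name AnonymousAccessCheck are assumptions) and checks whether the folder's NTFS ACL grants that account Read & Execute.

```csharp
// Added example, not part of the original post or the Adobe TechNote. A console
// tool for IIS 6 that reads the anonymous account and physical path of a site
// root from the metabase (ADSI provider, site 1 assumed) and checks whether the
// site root's NTFS ACL grants that account Read & Execute. Run it as an
// administrator; reading the metabase and the ACL requires it.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

class AnonymousAccessCheck
{
    // Reads AnonymousUserName and Path from an IIsWebVirtualDir metabase node.
    static void ReadSiteRoot(string metabasePath, out string account, out string rootPath)
    {
        using (DirectoryEntry node = new DirectoryEntry(metabasePath))
        {
            account = Convert.ToString(node.Properties["AnonymousUserName"].Value);
            rootPath = Convert.ToString(node.Properties["Path"].Value);
        }
    }

    // True if the Allow ACEs for the account, or for the groups the TechNote
    // says it belongs to (Guests, plus Users and Everyone), grant Read & Execute
    // and no Deny ACE on those principals takes part of it away. Deny wins over
    // Allow, as in the Windows access check. Other group memberships are not
    // resolved here, so a "false" result is conservative.
    public static bool HasReadAndExecute(string folder, string account)
    {
        const FileSystemRights required = FileSystemRights.ReadAndExecute;

        List<SecurityIdentifier> principals = new List<SecurityIdentifier>();
        principals.Add((SecurityIdentifier)new NTAccount(account).Translate(typeof(SecurityIdentifier)));
        principals.Add(new SecurityIdentifier(WellKnownSidType.BuiltinGuestsSid, null));
        principals.Add(new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null));
        principals.Add(new SecurityIdentifier(WellKnownSidType.WorldSid, null));

        DirectorySecurity acl = Directory.GetAccessControl(folder, AccessControlSections.Access);
        FileSystemRights allowed = 0, denied = 0;
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (!principals.Contains((SecurityIdentifier)rule.IdentityReference))
                continue;
            if (rule.AccessControlType == AccessControlType.Allow)
                allowed |= rule.FileSystemRights;
            else
                denied |= rule.FileSystemRights;
        }
        return (denied & required) == 0 && (allowed & required) == required;
    }

    static int Main(string[] args)
    {
        string metabasePath = args.Length > 0 ? args[0] : "IIS://localhost/W3SVC/1/Root";
        string account, rootPath;
        ReadSiteRoot(metabasePath, out account, out rootPath);
        if (string.IsNullOrEmpty(account))
        {
            // Not set on this node: IIS falls back to the default anonymous account.
            account = "IUSR_" + Environment.MachineName;
        }

        bool ok = HasReadAndExecute(rootPath, account);
        Console.WriteLine("{0} on {1}: {2}", account, rootPath,
            ok ? "Read & Execute granted" : "Read & Execute MISSING, anonymous requests will be refused");
        return ok ? 0 : 1;
    }
}
```

Two caveats a practitioner should keep in mind: IIS evaluates the ACL of every requested file, not only the root folder, so a file with a stricter ACL still fails even when this check passes; and the Log On Locally right mentioned in the note above is a user right held in the LSA policy, not an NTFS permission, so this tool does not check it (Local Security Policy or secedit does).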