Change the security settings for Internet Information Services

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To change the security settings for Internet Information Services

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. In the Add/Remove Snap-in dialog box, click Add, select Internet Information Services, click Add, click Close, and then click OK.

  4. In the console tree, right-click the MSMQ virtual directory.

    Where?

    • Console Root/Internet Information Services/YourInternet Information ServicesComputer/Web Sites/Default Web Site/MSMQ

  5. Click Properties, and then click the Directory Security tab.

  6. Under Authentication and access control, click Edit.

  7. To use a domain user account instead of the Internet Information Services local user for Anonymous Access, do the following:

    • In the User Name edit box, type the name of a domain user with the required permissions for the Message Queuing operation.

    • Type the user password, and then click OK.

    • Retype the password in the Confirm Password dialog, and then click OK.

  8. To disable anonymous access and trust the Internet Information Services computer for delegation, do the following:

    • In the Enable Anonymous Access group, clear the Enable anonymous access check box, and click OK.

    • Open Active Directory Users and Computers.

    • On the View menu, click Users, Groups, and Computers as containers, and then click Advanced Features.

    • In the console tree, right-click the name of your Internet Information Services computer.

      Where?

      Active Directory Users and Computers\YourDomain\Computers\YourInternet Information ServicesComputer

    • Click Properties.

    • On the General page, select the Trust computer for delegation check box, and then click OK.

  9. In the Internet Information Services snap-in, right-click YourInternet Information ServicesComputer.

    Where?

    Console Root\Internet Information Services\YourInternet Information ServicesComputer

  10. Restart Internet Information Services by selecting All Tasks \ Restart Internet Information Services..., and then clicking OK.
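
To confirm the result of steps 7 and 8, the following read-only PowerShell check is an added example and is not part of the original procedure. It assumes Windows PowerShell is installed on the IIS computer, that the Default Web Site has site ID 1 (metabase path W3SVC/1/ROOT/MSMQ), and that it is run on that computer by a domain user.

```powershell
# Added example: read-only check of the outcome of steps 7-8.
# Assumptions: run on the IIS computer as a domain user; the Default Web
# Site has site ID 1, so the MSMQ virtual directory is W3SVC/1/ROOT/MSMQ.
$VdirPath = 'IIS://localhost/W3SVC/1/ROOT/MSMQ'
$Computer = $env:COMPUTERNAME

$AUTH_ANONYMOUS = 0x1                    # AuthFlags bit: anonymous access enabled
$UAC_TRUSTED_FOR_DELEGATION = 0x80000    # userAccountControl bit set in step 8

# Steps 6-8: authentication settings on the MSMQ virtual directory.
$vdir = New-Object System.DirectoryServices.DirectoryEntry($VdirPath)
$authFlags   = [int]$vdir.psbase.Properties['AuthFlags'].Value
$anonUser    = [string]$vdir.psbase.Properties['AnonymousUserName'].Value
$anonymousOn = ($authFlags -band $AUTH_ANONYMOUS) -ne 0

# Step 8: delegation flag on this computer's Active Directory account.
$filter   = '(&(objectCategory=computer)(sAMAccountName={0}$))' -f $Computer
$searcher = New-Object System.DirectoryServices.DirectorySearcher($filter)
[void]$searcher.PropertiesToLoad.Add('userAccountControl')
$result = $searcher.FindOne()
if ($result -eq $null) { throw "Computer account for $Computer not found." }
$uac = [int]$result.Properties['useraccountcontrol'][0]
$delegation = ($uac -band $UAC_TRUSTED_FOR_DELEGATION) -ne 0

"Anonymous access enabled : $anonymousOn"
"Anonymous user name      : $anonUser"
"Trusted for delegation   : $delegation"

# Step 7 expects a domain account (DOMAIN\user or user@domain) here.
if ($anonymousOn -and $anonUser -notmatch '[\\@]') {
    Write-Warning 'Anonymous user does not look like a domain account (step 7 not applied).'
}
# Step 8 expects anonymous access off AND the delegation flag set.
if (-not $anonymousOn -and -not $delegation) {
    Write-Warning 'Anonymous access is off but the computer is not trusted for delegation (step 8 incomplete).'
}
# The procedure pairs delegation with anonymous access disabled.
if ($anonymousOn -and $delegation) {
    Write-Warning 'Computer is trusted for delegation although anonymous access is still enabled.'
}
```

Run it after the restart in step 10 so the values reflect the saved settings.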

Notes

  • By default, Internet Information Services (IIS) impersonates a special Internet Information Services local user account. This account is local to the IIS computer (unless it is a domain controller). It cannot be authenticated by other computers in the network, and is treated as an anonymous user. Active Server Pages (ASP) applications and scripts run under IIS and, by default, impersonate the IIS local user for any Message Queuing operations, including queries to Active Directory. Because anonymous users no longer belong to the Everyone group in Windows Server 2003 family operating systems, these queries fail. By default, ASP applications and scripts cannot locate, create, or delete queues. In addition, anonymous users cannot open a queue for remote read, and by default you cannot use ASP to read messages from queues that do not belong to the IIS computer.

  • For the changes to take effect, you must stop and start the World Wide Web Publishing service.

  • Trusting the computer for delegation allows multiple hops to communicate with a domain controller, assuming that the user account is trusted for delegation.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Authentication for Message Queuing
Message Queuing security overview
Working with MMC console files