Configuring Subauthentication on a New Installation of IIS 6.0
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1
By default, after installing Windows Server 2003 and IIS 6.0, IIS runs in worker process isolation mode and subauthentication is disabled. Subauthentication is disabled when the AnonymousPasswordSync Metabase Property is set to false.
To enable anonymous password synchronization, ensure that your system meets the following requirements:
The subauthentication component, Iissuba.dll, must be registered.
The application pool of the Web site runs as the LocalSystem user account. However, running as the LocalSystem user account might be a security risk because it allows the worker process full access to the entire system.
The AnonymousPasswordSync metabase property must be enabled (set to true).
Procedures
Important
You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /user:MyComputer</STRONG>Administrator cmd to open a command window with administrator rights and then type cscript.exe ScriptName (include the script's full path and any known parameters).
To configure subauthentication and enable anonymous password synchronization
From the Start menu, click Run.
In the Open box, type cmd, and click OK.
At the command prompt, type the following and then press ENTER:
rundll32 %systemroot%\system32\iissuba.dll,RegisterIISSUBA
Set the identity of the application pool to the LocalSystem user account. For step-by-step information about setting the application pool identity, see Configuring Application Pool Identity in IIS 6.0.
Important
Running as the LocalSystem user account might pose a security risk because it allows the worker process full access to the entire system.
At the IisWebService node, set the AnonymousPasswordSync metabase property to true.
When you no longer want to use subauthentication, revoke the subauthentication components registration.
To revoke the subauthentication components registration
From the Start menu, click Run.
In the Open box, type cmd, and click OK.
At the command prompt, type the following and then press ENTER:
rundll32 %systemroot%\system32\iissuba.dll,UnregisterIISSUBA
Related Information
For information about configuring subauthentication on a new installation of IIS 6.0 that has been configured to run in IIS 5.0 isolation mode, see Configuring Subauthentication in IIS 5.0 Isolation Mode.
For information about configuring subauthentication after upgrading your server to IIS 6.0 from an earlier version of IIS that uses subauthentication, see Configuring Subauthentication After Upgrading to IIS 6.0.