David
Fri Jan 21 03:22:29 CST 2005
Actually, the behavior is by-design for your protection.
The feature "Allow IIS to control password" of the anonymous user requires
LocalSystem privileges to work.
Prior to IIS6, IIS ran as LocalSystem, so this feature just works.
Unfortunately, running as LocalSystem as a web-accessible platform also
increases security risk in attacks, so IIS6 runs as unprivileged Network
Service by default. This means that the "Allow IIS to control password"
feature does not work by default and is actually not enabled. Now, if your
upgraded server never had the anonymous username/password in sync in IIS
metabase (with the feature, IIS just gets the user token without the
password, so you easily get out of sync), once you upgrade, anonymous
authentication instantly stops working.
Unfortunately, there is nothing we can do about this -- upgrades are very
hard because WS03 security changes break a lot of features for security
reasons, and there are prior IIS configuration that we simply cannot
reconcile -- believe me, it is complicated to do correctly and automatically
given the complete lack of system control/state that we have. In general, I
recommend clean installing WS03 and then migrating the websites over. You
get the secure default values of WS03 clean install (on upgrade, we cannot
consistently lock things down because it may break your applications), and
then you can make any necessary modifications to migrate your applications.
For example, in the case where your anonymous credentials are out of sync,
what can IIS upgrade do? It is not guaranteed that it can find out the
user's current password (may be one-way hashed and not stored). It cannot
force you to synchronize the credentials before allowing you to upgrade.
Please tell me how you think it should be made easier.
In your situation, I suggest manually synchronizing any/all Anonymous user
credentials inside IIS configuration with the SAM/AD that the server belongs
to.
If you still have problems, please post the web log entries
(%windir%\system32\logfiles\w3svc#\*.log) that represent the failure
request(s) as well as IIS configuration corresponding to those URL(s).
Especially include the HTTP status, sub status, and Win32 error codes.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Bob" <Bob@discussions.microsoft.com> wrote in message
news:16ED015B-7869-4170-B7ED-A24A6D08EA81@microsoft.com...
We upgraded our NT Server to Win 2003 server running iis 6.0. The upgrade
seemed flawless, and then we installed the windows updates from the
microsoft
site. We were running iis 4.0 and now since we run to 6.0 the anonymous
login doesnt work for anyone visiting our site. We have checked to make
sure
the password and anonymous login is correct. The iusr_machinename account
does have access to the directory and the account in configured correctly.
This is really pretty sad. It seems from what we can tell that iis 6.0
running in worker process mode isnt syncing the anonymous password with the
user account.
Any help or suggestions would be greatly appreciated........
bob
Man this should be easier to upgrade!!!!!