Password Synchronization/Allow IIS to Control Password May Cause Problems
ID: Q216828
|
The information in this article applies to:
-
Microsoft Internet Information Server 4.0
-
Microsoft Internet Information Services version 5.0
SUMMARY
When you use Anonymous authentication in IIS, you have the option to either use "Password Synchronization" or to "Allow IIS to Control Password" respectively. This can make administering a Web server using anonymous users much easier, but it does have a distinctive drawback, which this article discusses.
When you allow IIS to control the password, what seems to take place, and what actually takes place are two different things. It would seem that the password is checked, and if the password in IIS differs from Windows NT, the password should be "fixed." The way it actually works changes the way authentication is performed.
Authentication is performed differently when this option is enabled because IIS informs Windows that the password is correct. A subauthenticator performs this task. Windows allows a subauthenticator (implemented as subauthentication DLLs) to be used in conjunction with the normal Windows authentication system.
A subauthentication DLL allows the authentication and validation criteria stored in the Windows user account database to be replaced. For instance, a particular server might supply a subauthentication DLL that validates a user's password through a different algorithm, uses a different granularity of logon hours, or specifies workstation restrictions in a different format. All of this can be accomplished using subauthentication DLLs without sacrificing the use of the Windows user account database and losing its administration tools.
IIS supplies a subauthentication DLL called Iissuba.dll. The function of this DLL, in terms of anonymous authentication, is to verify that the password is correct, and then inform Windows that the password is valid and hence log om the user.
The problem with using a subauthenticator is that the user is no longer logged on to the server interactively (logged on locally). The user is logged on using a network logon.
Network logons have a few notable problems when dealing with IIS. For example, accessing a remote resource on another server (even a Windows 2000 server that is trusted for delegation) may be impossible. If you find you are having problems of this manner, turn off the "Password Sychronization" option or "Allow IIS to Control Password" in the Internet Service Manger. Be sure that you reset the password to ensure that it is correct for this user account.
MORE INFORMATION
If you would like more information about the information in this article, the Visual Studio 6.0 documentation comes with an example of a subauthenticator called "SUBAUTH."
Additional query words:
Keywords :
Version : winnt:4.0
Platform : winnt
Issue type : kbhowto