3

I have configured a website on IIS 6. When I access the website from inside the company network it works fine.

When I try to access the website from outside the network, the browser asks for Windows credentials.

The application pool is configured to run as Network Service. The website is configured with: "Enable anonymous access".

I have specified a user account with a password.

When I run the Microsoft Authentication and Access controls diagnostic I get the following messages:

"The current configuration requires IIS subauthentication. However, the IIS subauthentication component, iissuba.dll, is not currently configured."

"The current configuration uses IIS subauthentication for anonymous authentication. This requires that the worker process be configured to run as the Local System identity, which is not recommended for security reasons."

The thing is I do not want to use subauthentication as I know the password of the user account I am using.

The user account is MACHINENAME\IUSR_MACHINENAME.

What must I do to allow people from outside the network from accessing the website without getting asked for credentials?

Gilles
  • 171

2 Answers2

2

You need to make sure that the home folder has read permissions for both the network service and the anonymous account you have enabled. It's usually recommended to run both the web site and application pool under 1 user identity.

The Elite
  • 124
  • I just added both users to the home folder. Which I hadn't done. But I am still getting the same problem. – Gilles Feb 19 '10 at 18:12
  • Does it work when you try running the app pool under the system identity? – The Elite Feb 19 '10 at 18:42
  • No it doesn't. When asked for credentials, if I enter valid credentials the site displays.

    I checked the authentication mode in the web.config, I tried user other accounts than the IUSR_, but still I'm always getting the same behavior. I'm beginning to think it's not using the account I specify for anonymous access.

     – Gilles Feb 19 '10 at 19:09
2

You can see which account is making the IIS calls in the Event Viewer Security logs on the web server. If it's using Integrated Authentication you should see a unique user account in the security logs. If it's using the Anonymous user to access the site, you'll the the IUSR account in the logs.

I would recommend visiting the site internally (where it's working) and check out the Security logs. If you see your domain/user account making the request then you know there is an issue with the Anonymous user account. If Anonymous access is enabled with other methods of authentication (Integrated for example), Anonymous access is always tried first.

A few other things I would consider.

-Do you have multiple authentication modes defined on the site or virtual directory? This is under the Directory Security tab on the IIS site/virtual directory.

-Is integrated authentication enabled in the web.config? ()

-Is the IUSR account a member of the IIS_WPG local computer group?

-What groups is the IUSR account a member of? As mentioned, the IUSR account will need access to your file system.

-Double check that your website is indeed running under the application pool you think it is.

-Double check that your application pool is indeed running under the Network Service account.

-Retype your IUSR account details.

Hope this helps, Dave

Dave
  • 109
  • I checked all of the above and added my IUSR to IIS_WPG. When I access my logs and access the site from the network I see 1 login by IUSR, 1 by Network Service and then a third by IUSR.

    When I try to access from outside the network, I don't see anything in the logs.

     – Gilles Feb 22 '10 at 18:59
  • Do you have your networking setup correctly for external access? If your web server is behind a firewall the appropriate ports will need to be opened/forwarded.

    The reason I mention that is the fact that nothing is being logged in the Security Log when you access the site externally. You should see the IUSR (anonymous) account being logged. This may mean traffic is not even getting to the web server but it's curious that you're being prompted for credentials.

    Can you confirm in your IIS logs that external traffic is being logged? Also, do you have authentication set in the web.config?

     – Dave Feb 23 '10 at 20:38
  • I checked the IIS logs and internal traffic was showing but not external. So I asked the admin in charge of the firewall and there was a rule stating only authenticated users could access the site. He changed the rule and now everything works perfectly. – Gilles Feb 23 '10 at 21:57
  • Excellent, thanks for the update.

    I would undo any changes you made while troubleshooting, specifically removing the IUSR account from the IIS_WPG group. The IIS_WPG group is used to run the worker process, which you have set as Network Service.

    Dave

     – Dave Feb 24 '10 at 00:34