How does IIS resolve Guest Account

[kav123]

How does IIS resolve the user who logs into the server. I mean if there is an anonymous user enabled then IIS normally maps to the guest account.
However, if i change that anonymous user account to someone else, the user is not able to access the website i.e. he is not able to create a Server Side component, in this case Permission checker component.
This is for a normal user. If an administrator accesses the website, just to run a test page, is he also resolved into the guest account.
I hope i have not confused you. I want to know who logs into access the webserver and if it's not a guest account, then the user should be resolved into a normal guest account as that of any user, so that he has the same permissions, which is necessary to run the test page.

 

[ChrisHirst]

actually the anonymous user maps to the IUSR_machinename account by default.

So any user who logs on must have at least the same level of access as that account.



Chris.

Indifference will be the downfall of mankind, but who cares?
Woo Hoo! the cobblers kids get new shoes.

http://www.cram-system.com

Nightclub counting systems

So long, and thanks for all the fish.

 

[kav123]

What happens if i enable both Anonymous access and Integrated Windows Authentication.
So, as i understand your reply, if an administrator tried to access the website, i.e. by typing local host, then he would be resolved to a guest account??

 

[JFBouchard]

Hi, the Anonymous account (IUSR_machinename) as ChrisHirst said is created by the IIS Setup. The password for this account is randomly generated by the IIS setup.

when both Anonymous and windows integrated are enable the following scenario takes place:

The browser will always try an anonymous access first. If the access is permitted (both authentication method and ACL permissions) the access is granted as anonymous. If access is denied for any reason (authentication or acl) the server returns a 401 error (login failed or access denied) and a

http://WWW-Authenticate

request is sent to the client: at this point, the client passes the windows integrated credentials of the currently logged on user (the windows user/password).

you can see the IUSR_Machinename password by using the adsutil.vbs adminscript:

cscript adsutil.vbs ENUM W3SVC/1/root



Hope this helps. Please let know if this resolve your issue

Jeff

 

[kav123]

Thanks, that did help, so the Anonymous access is the preferred method, unless set otherwise in ACL or authentication. One more question, in integrated authentication the user credentials are checked by the IIS, how does it do that, i mean do we have to enter the login details of all the authorised users, or i'd assume the easier way would be to have a common authorised login which the IIS would recognise in such a scenario.

 

[JFBouchard]

Hi, the IIS server checks the ACL on the folder and files (netlogon service). The easier way is to use groups recognizes within your domain/AD.

Hope this helps. Please let know if this resolve your issue

Jeff

 

[kav123]

That helped, thanks.