[This is preliminary documentation and subject to change]

Anonymous Authentication

Anonymous authentication gives users access to the public areas of your Web or FTP site without prompting them for a user name or password. When a user attempts to connect to your public Web or FTP site, your Web server assigns the connection to the Windows user account IUSR_computername, where computername is the name of the server on which IIS is running. By default, the IUSR_computername account is included in the Windows user group Guests. This group has security restrictions, imposed by NTFS permissions, that designate the level of access and the type of content available to public users.

If you have multiple sites on your server or if you have areas of your site that require different access privileges, you can create multiple anonymous accounts, one for each Web or FTP site, directory, or file. By giving these accounts different access permissions or by assigning these accounts to different Windows user groups, you can grant users anonymous access to different areas of your public Web and FTP content.

IIS uses the IUSR_computername account as follows:

  1. The IUSR_computername account is added to the Guests group on the IIS computer during setup.
  2. When a request is received, IIS impersonates the IUSR_computername account before executing any code or accessing any files. IIS is able to impersonate the IUSR_computername account because the user name and password for this account are known by IIS.
  3. Before returning a page to the client, IIS checks NTFS file and directory permissions to see whether the IUSR_computername account is allowed access to the file.
  4. If access is allowed, authentication completes and the resources are available to the user.
  5. If access is not allowed, IIS attempts to use another authentication method. If none is selected, IIS returns an "HTTP 403 Access Denied" error message to the browser.

Important    If you enable Anonymous authentication, IIS always attempts Anonymous authentication first, even if you enable additional authentication methods. A client is therefore challenged for credentials only when the anonymous account is denied access to the requested resource.

You can change the account that is used for Anonymous authentication from the IIS snap-in, either at the Web server service level or for individual virtual directories and files. The anonymous account must hold the Log On Locally user right; if it does not, IIS cannot service any anonymous requests. IIS setup grants this right to the IUSR_computername account on member servers and workstations. On a domain controller, the IUSR_computername account is not granted Log On Locally by default (the Guests group does not hold that right on domain controllers), so you must grant the right to the account before anonymous logons can succeed.

Note    Instead of granting the right, you can change the logon type that IIS uses for the anonymous account by setting the LogonMethod property through the Active Directory Service Interfaces (ADSI). For information, see LogonMethod.

You can also change the user rights of the IUSR_computername account in Windows by using the Group Policy Manager snap-in of the Microsoft Management Console (MMC). Changing user rights does not bypass NTFS permissions: if the anonymous user account does not have permission to access a specific file or resource, your Web server refuses to establish an anonymous connection for that resource. For more information, see Setting Web Server Permissions.
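The Log On Locally requirement and the LogonMethod alternative mentioned in the note above, as an added PowerShell example that is not part of this documentation. It exports the local user-rights assignments with secedit, checks whether the anonymous account is listed directly under SeInteractiveLogonRight (grants inherited through group membership are not resolved), and, if the right is missing on a site that still uses an interactive logon, switches that site to a network logon through the IIS ADSI provider. The site path is a placeholder for the default Web site, and the script assumes the IIS ADSI provider is installed.

```powershell
# Added example, not from the IIS documentation. Requires administrative
# rights on the IIS computer. $SitePath is a placeholder for the default site.
$SitePath    = 'IIS://localhost/W3SVC/1/Root'
$AnonAccount = "IUSR_$env:COMPUTERNAME"

# secedit lists each right either by account name or by SID prefixed with '*',
# so resolve the account's SID before searching the export.
$nt  = New-Object System.Security.Principal.NTAccount($AnonAccount)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 1. Export the USER_RIGHTS area of the local security policy database and
#    pull out the SeInteractiveLogonRight line, which looks like:
#    SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,IUSR_HOST
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS /quiet
$rightLine = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight' }
Remove-Item $inf

# Only direct grants to the account (by name or SID) are detected here; a grant
# to a group the account belongs to is not resolved by this check.
$hasRight = [bool]($rightLine -and
    ($rightLine -match [regex]::Escape($AnonAccount) -or
     $rightLine -match [regex]::Escape('*' + $sid)))

# 2. Read the site's LogonMethod:
#    0 = interactive (needs Log On Locally), 1 = batch, 2 = network.
$vdir    = [ADSI]$SitePath
$current = [int]$vdir.LogonMethod.Value
Write-Host ("{0}: Log On Locally granted directly = {1}; LogonMethod = {2}" -f
    $AnonAccount, $hasRight, $current)

# 3. If the right is missing and the site uses an interactive logon, switch to a
#    network logon. That logon type needs "Access this computer from the
#    network" instead, which Everyone holds by default, so anonymous requests
#    can be serviced without granting Log On Locally.
if (-not $hasRight -and $current -eq 0) {
    $vdir.LogonMethod = 2
    $vdir.SetInfo()
    Write-Host "LogonMethod on $SitePath set to 2 (network)"
}
```

On a domain controller the effective rights come from Group Policy rather than only the local database that secedit exports, so treat a negative result there as a prompt to check the Default Domain Controllers Policy before changing LogonMethod.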

Important    When you change the IUSR_computername account, the changes affect every anonymous HTTP request that the Web server services. Use caution if you modify this account.

Configuring Anonymous Authentication

By default, the Windows user group Guests includes the IUSR_computername account. You can create multiple anonymous accounts, one for each Web or FTP site, directory, or file. By giving these accounts different access permissions or by assigning them to different Windows user groups, you can grant users anonymous access to different areas of your public Web and FTP content.

The anonymous account must hold the Log On Locally user right. If the account does not have this right, IIS cannot service anonymous requests. On domain controllers the IUSR_computername account is not assigned this right by default, and you must grant it Log On Locally before anonymous requests can be serviced.

You can also change the security privileges for the IUSR_computername account in Windows. However, if the anonymous user account does not have permission to access a specific resource, your Web server refuses to establish an anonymous connection for that resource. For more information, see Setting Web Server Permissions.

To enable anonymous authentication

  1. In the IIS snap-in, select a site, directory, or file, and open its property sheets.
  2. Select the Directory Security or File Security property sheet. Which of the two is present depends on the level (site, directory, or file) at which you are changing the security settings.
  3. In the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog box appears.
  4. Select the Anonymous access check box.

To change the account used for anonymous authentication

  1. In the IIS snap-in, select a site, directory, or file, and open its property sheets.
  2. Select the Directory Security or File Security property sheet. Which of the two is present depends on the level (site, directory, or file) at which you are changing the security settings.
  3. In the Anonymous access and authentication control section, click Edit. The Authentication Methods dialog box appears.
  4. Select the Anonymous access check box and click Edit. The Anonymous User Account dialog box appears.
  5. Type the name of, or browse to, the valid Windows user account that you want to use for anonymous access.
  6. Clear the Allow IIS to control password check box and enter the account's password. When the check box is selected, IIS keeps the password synchronized itself, which works only for an account local to the IIS computer; for a domain account, clear the check box and supply the password.
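The two procedures above, and the per-directory anonymous accounts described under Configuring Anonymous Authentication, carried out with the WinNT and IIS ADSI providers instead of the snap-in. This is an added PowerShell example, not code from this documentation. It creates a dedicated local account, places it in Guests as setup does for IUSR_computername, grants it read access on one content directory with NTFS, then enables Anonymous access on the matching virtual directory with that account. Account name, password, content path and metabase path are placeholders; clearing the Allow IIS to control password check box corresponds to setting AnonymousPasswordSync to False.

```powershell
# Added example, not from the IIS documentation. Requires administrative
# rights. All four values below are placeholders; in practice the password
# comes from a secure store, not from the script text.
$AccountName = 'IUSR_Public'
$Password    = 'Replace-with-a-long-random-value-1'
$ContentPath = 'C:\Inetpub\public'
$VdirPath    = 'IIS://localhost/W3SVC/1/Root/public'

# 1. Create the local account and add it to Guests. 0x10000 is
#    ADS_UF_DONT_EXPIRE_PASSWD, so the anonymous password does not expire.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$user = $computer.Create('user', $AccountName)
$user.SetPassword($Password)
$user.SetInfo()
$user.UserFlags = ([int]$user.UserFlags.Value -bor 0x10000)
$user.SetInfo()
$guests = [ADSI]"WinNT://$env:COMPUTERNAME/Guests,group"
$guests.Add($user.Path)

# 2. NTFS: read-and-execute on this directory tree only. The account gets no
#    explicit access elsewhere, which is what limits what anonymous users of
#    this virtual directory can reach.
$acl  = Get-Acl -Path $ContentPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $AccountName, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $ContentPath -AclObject $acl

# 3. Metabase: enable Anonymous access (AuthFlags bit 1) on this virtual
#    directory only and point it at the new account. AnonymousPasswordSync =
#    $false is the "Allow IIS to control password" box cleared: IIS uses the
#    password given here rather than synchronizing it itself.
$vdir = [ADSI]$VdirPath
$vdir.AuthFlags             = ([int]$vdir.AuthFlags.Value -bor 1)
$vdir.AnonymousUserName     = $AccountName
$vdir.AnonymousUserPass     = $Password
$vdir.AnonymousPasswordSync = $false
$vdir.SetInfo()

# 4. Read back what the metabase now holds for this directory.
$vdir.RefreshCache()
$state = $VdirPath, [int]$vdir.AuthFlags.Value,
         $vdir.AnonymousUserName.Value, [bool]$vdir.AnonymousPasswordSync.Value
"{0}: AuthFlags={1} AnonymousUserName={2} AnonymousPasswordSync={3}" -f $state
```

The new account is subject to the same logon requirement as IUSR_computername: it must hold Log On Locally (or the site must use a LogonMethod that does not need it), otherwise IIS cannot impersonate it and anonymous requests to that directory fail.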

Important    When you change the IUSR_computername account, the changes affect every anonymous request that is serviced by a Web server. Use caution if you modify this account.


© 1997-2001 Microsoft Corporation. All rights reserved.