Password Sync and IIS 4.0 return FrontPage error message

With password synchronization in Internet Information Server (IIS) 4.0, Web sites indicate that only registered users have browse access. When you try to apply for everyone to have browse access, you receive the following error message:

When Internet Information Server is installed, it creates the following two entries at the LM/W3SVC node of the MetaBase: The password is randomly generated and entered both in the MetaBase and in User Manager. If the IUSR password is changed, even with password synchronization enabled, the password is not reset at this node. That is because, with password synchronization enabled, the property is ignored by IIS. When FrontPage tries to verify the password, it does not match, and FrontPage returns an error even though the Web server is fully functional. When an administrator changes the MetaBase through the Microsoft Management Console to reset the IUSR as the anonymous account, or the administrator toggles password synchronization on and off, the property is cleared and again, FrontPage "thinks" there is an error in the password.

AnonymousUserPass may not be even be set at some child nodes in the MetaBase (for example, virtual servers at LM/W3SVC/x). FrontPage may also mistake this as a password mismatch, as in the reset scenario above, but it also allows no property to be set. You can manually add the property, but we do not recommend this.

Instead of editing the MetaBase, IIS administrators should use the following steps to work around the problem.

Note This is a permanent change to an IIS configuration until such time that FrontPage stops checking for the password or checks to see whether the AnonymousPasswordSync MetaBase property is set to true. If password synchronization is enabled again after following these steps, the Internet Service Manager will delete the property and the same problem will occur again.

1. Open User Manager and retype a password for the IUSR account.
2. Open the Internet Service Manager in the Microsoft Management Console (MMC).
3. Right-click your Computer Name, and then click Properties.
4. Choose to edit the Master Properties for the WWW Service.
5. Click the Directory Security tab.
6. Click the Edit button for Anonymous Access and Authentication Control.
7. Click Edit for Allow Anonymous Access.
8. Clear the Enable Automatic Password Synchronization check box.
9. Type the IUSR password manually from step 1.
10. Click OK, and retype the password when prompted.
11. Click OK to exit the Authentication dialog box.
12. Click Apply to set the changes.
13. If prompted to override child nodes, choose them all except the Administrative Web site.
14. Click OK two times to return to the MMC.
15. In Control Panel, click Services, and stop the IIS Administrator Service.
16. Click OK to stop all Web services as well.
17. After all service have stopped, in Control Panel, click Services, and restart the WWW, FTP, and all other Web services that are installed.

Microsoft has confirmed this to be a problem in FrontPage 98 for Windows. This issue was resolved in version 3.0.2.1706 of the extensions.

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 on a computer that is running Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site: