Error message when you try to view a Web site that is hosted on Internet Information Server 6.0 by using anonymous access: "401.1 Unauthorized: Logon failed"

When you try to view a Web site that is hosted on Microsoft Internet Information Server (IIS) 6.0 by using anonymous access, you may receive an error message that is similar to the following:

This problem may occur if one or more of the following conditions are true:

• The user account does not have the required user rights to access the Web server.
• The user account is disabled, locked out, or expired.
• The wrong user name or password is specified in the IIS Metabase.
• Subauthentication is not working correctly. This condition may occur if the Web site was upgraded from IIS 5.0 to IIS 6.0.

To resolve this problem, make sure that the following conditions are true:

• The IUSR account has the Access this computer from the network user right.
• The IUSR account is not listed in the Deny access to this computer from the network user right.
• The IUSR account does not have time-based restrictions for accessing the Web server.
• The IUSR account has not expired or has not been locked out.
• The IUSR account password is correct in the metabase and in the Local User database. (If the account is a domain account, make sure that the password is correct in the Active Directory directory service.)
• The AnonymousPasswordSync metabase property is set to false.

MORE INFORMATION

Error examples

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

The following are examples of errors that may be logged in the Security event log. In these examples, username is the user account that is used for anonymous access.

Error 1This error may occur if the user account that is used for anonymous access is denied access to the Web Server from the network. To verify that this user account is not denied access to the Web server from the network, follow these steps:

1. Click Start, click Run, type Secpol.msc, and then click OK.
   
   Note If the Web server is also a domain controller, use the Dcpol.msc command to open the Default Domain Controller Security Settings console.
2. Under Security Settings, expand Local Policies, and then click User Rights Assignment.
3. In the right pane, double-click Deny access to this computer from the network.
4. If the user account that is used for anonymous access is denied access to the Web server from the network, click the user account that is used for anonymous access, click Remove, and then click OK.

Note This error may occur if the following conditions are true:

• The Guests group is assigned the Deny access to this computer from the network user right.
• The account that is used for anonymous access is a member of the Guests group. (This account is typically the IUSR_computername account.)

Error 2This error may occur if the user account that is used for anonymous access is denied access to the Web Server during a specific time period. To verify that this user account is not denied access during a specific time period, follow these steps:

1. Click Start, click Run, type Dsa.msc, and then click OK.
2. Expand the domain that you want, and then click Users.
3. In the right pane, right-click the user account that is used for anonymous access, and then click Properties.
4. On the Account tab, click Logon Hours.
5. Configure the logon hours that you want, and then click OK.

Error 3This error may occur if the user account has expired. To resolve this issue, follow these steps:

1. Click Start, click Run, type Dsa.msc, and then click OK.
2. Expand the domain you want, and then click Users.
3. In the right pane, right-click the user account that is used for anonymous access, and then click Properties.
4. On the Account tab under Account Expires, click Never, and then click OK. Or, click End of, click a new account expiration date, and then click OK.

Error 4This error can occur if the password for the user account that is used for anonymous access in IIS is not synchronized with one of the following passwords:

• The password for the user account in Active Directory
• The password for the user account in Local Users and Groups

To synchronize the IIS password with the password that is used in Active Directory or in Local Users and Groups, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. Use the cd command to connect to the folder where the Adsutil.vbs file is located. By default, the Adsutil.vbs file is located in the following folder:
   drive:\Inetpub\Adminscripts
   Note drive is the folder where Windows is installed.
3. At the command prompt, type Cscript adsutil.vbs get w3svc/anonymoususerpass, and then press ENTER. Note the password that is generated.
   
   Note You may have to set the Issecure property in the Adsutil.vbs file to False before you generate a password. To do this, follow these steps:
   1. In Notepad, open the Adsutil.vbs file.
   2. On the Edit menu, click Find, type IsSecureProperty = True, and then click Find Next.
   3. Change "IsSecureProperty = True" to "IsSecureProperty = False".
   4. Save the changes, and then close Notepad.
4. Click Start, click Run, type Dsa.msc, and then click OK.
   
   Note If the Web server is a stand-alone server, type Lusrmgr.msc.
5. Expand the domain that you want, and then click Users. If the Web server is a stand-alone server, click Users.
6. Right-click the user account that you want, and then click Reset Password or Set Password.
7. Type the password that you obtained in step 3 two times, and then click OK.

Note Subauthentication is the feature that enables IIS to control the password for the anonymous user. By default, after you upgrade from IIS 5.0 to IIS 6.0, IIS subauthentication is enabled. By default, subauthentication is not enabled on a clean installation of IIS 6.0.

Subauthentication enables IIS to authenticate the anonymous user without actually verifying the anonymous user password. Because anonymous access is provided to the content without authentication, the password is not required. Subauthentication enables IIS to use anonymous accounts without actually keeping valid user credentials in the metabase. When this setting is enabled, anonymous authentication works in IIS 5.0 compatibility mode. However, when the server is switched to IIS 6.0 Worker Process Isolation Mode, subauthentication is disabled because it requires a privileged process identity such as the Local System account. In this scenario, IIS 6.0 tries to log on by using the anonymous user credentials that are stored in the metabase. This behavior may cause a "401" error for the anonymous request if the user credentials that are stored in the metabase are not synchronized

It may appear that switching into IIS 6.O Worker Process Isolation Mode breaks anonymous authentication. This condition may occur when subauthentication is configured in IIS. To verify whether subauthentication is enabled in IIS, open the Metabase.xml file in Notepad, and then search for the AnonymousPasswordSync property. If the AnonymousPasswordSync property is in the Metabase.xml file, delete the property, or set the value to False.

Error 5This error may occur if the domain user account that is used for anonymous access in IIS cannot log on to the IIS Web server. To verify that the user account that is used for anonymous access in IIS can log on to the IIS Web server, follow these steps:

1. Click Start, click Run, type Dsa.msc, and then click OK.
2. Expand the domain that you want, and then click Users.
3. In the right pane, right-click the user account that is used for anonymous access, and then click Properties.
4. On the Account tab, click Log On To.
5. In the Logon Workstations window, click All Computers, and then click OK.

If the user account that is used for anonymous access is not a domain user account, follow these steps:

1. Click Start, click Run, type Regedit, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail
3. In the right pane, verify that the value for the crashonauditfail entry is 0 or 1. If the value for the crashonauditfail entry is 2, follow these steps:
   1. In the right pane, click crashonauditfail.
   2. On the Edit menu, click Modify.
4. In the Value data box, type 0, and then click OK.
5. Exit Registry Editor, and then restart the computer.

For more information about default permissions and user rights in IIS 6.0, click the following article number to view the article in the Microsoft Knowledge Base:
For more information about issues that may occur when you configure the AnonymousPasswordSync property in the IIS metabase, visit the following Microsoft Web site:For more information about how to configure subauthentication in IIS 6.0, visit the following Microsoft Web site:For information about how to use the Internet Information Services Authentication and Access Control Diagnostics (AuthDiag) Version 1.0 to troubleshoot authentication and authorization issues, visit the following Microsoft Web site: For more information about issues that may occur when the Security event log is full, click the following article number to view the article in the Microsoft Knowledge Base:
For more information about how to open the Domain Security Policy console or the Domain Controller Security Policy console at the command prompt, click the following article number to view the article in the Microsoft Knowledge Base:
For more information about issues that may occur when you modify the "Access This Computer from the Network" user right, click the following article number to view the article in the Microsoft Knowledge Base: