Password Synchronization/Allow IIS to Control Password May Cause Problems

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:For more information about IIS 7.0, visit the following Microsoft Web site:


When you use Anonymous authentication in IIS, you have the option to either use "Enable Automatic Password Synchronization" (IIS 4.0) or to "Allow IIS to Control Password" (IIS 5.0). This can make administering a Web server using anonymous users much easier, but it does have a distinctive drawback, which this article discusses.

When you allow IIS to control the password, what seems to take place, and what actually takes place are two different things. It would seem that the password is checked, and if the password in IIS differs from Windows NT, the password should be "fixed." The way it actually works changes the way authentication is performed.

Authentication is performed differently when this option is enabled because IIS informs Windows that the password is correct. A subauthenticator performs this task. Windows allows a subauthenticator (implemented as subauthentication DLLs) to be used in conjunction with the normal Windows authentication system.

A subauthentication DLL allows the authentication and validation criteria stored in the Windows user account database to be replaced. For instance, a particular server might supply a subauthentication DLL that validates a user's password through a different algorithm, uses a different granularity of logon hours, or specifies workstation restrictions in a different format. All of this can be accomplished using subauthentication DLLs without sacrificing the use of the Windows user account database and losing its administration tools.

IIS supplies a subauthentication DLL called Iissuba.dll. The function of this DLL, in terms of anonymous authentication, is to verify that the password is correct, and then inform Windows that the password is valid and hence log on the user.

The problem with using a subauthenticator is that the user is no longer logged on to the server interactively (logged on locally). The user is logged on using a network logon.

Network logons have a few notable problems when dealing with IIS. For example, accessing a remote resource on another server (even a Windows 2000 server that is trusted for delegation) may be impossible. If you find you are having problems of this manner, turn off the "Enable Automatic Password Synchronization" option or "Allow IIS to Control Password" option in the Internet Service Manager. Be sure that you reset the password in User Manager to ensure that it is correct for this user account.

More Information

If you would like more information about the information in this article, the Visual Studio 6.0 documentation comes with an example of a subauthenticator called "SUBAUTH."

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

218756 Logon Privileges Required for Anonymous Access
229694 How to Use the IIS Security 'What If' Tool