When you allow IIS to control the password, what seems to take place, and what actually takes place are two different things. It would seem that the password is checked, and if the password in IIS differs from Windows NT, the password should be "fixed." The way it actually works changes the way authentication is performed.
Authentication is performed differently when this option is enabled because IIS informs Windows that the password is correct. A subauthenticator performs this task. Windows allows a subauthenticator (implemented as subauthentication DLLs) to be used in conjunction with the normal Windows authentication system.
A subauthentication DLL allows the authentication and validation criteria stored in the Windows user account database to be replaced. For instance, a particular server might supply a subauthentication DLL that validates a user's password through a different algorithm, uses a different granularity of logon hours, or specifies workstation restrictions in a different format. All of this can be accomplished using subauthentication DLLs without sacrificing the use of the Windows user account database and losing its administration tools.
IIS supplies a subauthentication DLL called Iissuba.dll. The function of this DLL, in terms of anonymous authentication, is to verify that the password is correct, and then inform Windows that the password is valid and hence log on the user.
The problem with using a subauthenticator is that the user is no longer logged on to the server interactively (logged on locally). The user is logged on using a network logon.
Network logons have a few notable problems when dealing with IIS. For example, accessing a remote resource on another server (even a Windows 2000 server that is trusted for delegation) may be impossible. If you find you are having problems of this manner, turn off the "Enable Automatic Password Synchronization" option or "Allow IIS to Control Password" option in the Internet Service Manager. Be sure that you reset the password in User Manager to ensure that it is correct for this user account.
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
ID d'article : 216828 - Dernière mise à jour : 22 juin 2014 - Révision : 1