Wednesday, January 26, 2011

Anonymous access in IIS is prompting for credentials

I'm trying to set up anonymous access for my LAN on IIS on Windows XP.

The problem is that when I navigate to the site via a web browser, it asks for the username and password.

Here are the settings in IIS > Website Properties > Directory Security:

[X] Anonymous access  
Username: IUSR_computername 
Password: ********** 
[X] Allow IIS to control password  

[ ] Basic authentication  
[X] Integrated Windows authentication

Note: the computer's name was changed, so IUSR_computername is actually an old name for the computer. However, it's the same name of the account I see in Computer Management > System Tools > Local Users and Groups.


I tried changing the password in Computer Management for IUSR_computername, then in IIS unchecking "Allow IIS to control password" and entering in the same exact password, but that didn't help.

Update: I'm trying to set up a virtual directory which is hosted in My Documents folder. From what I understand, this isn't working because the IUSR account doesn't have access to the folder. I confirmed it by trying to use a folder under C:\ and it worked fine.

So I guess my question is how can I keep my folder in the My Documents folder, but also not give too much permissions to the IUSR account? For example, I don't want to add the user to the Users group in Windows, since that would probably give the user too many privileges (e.g. even on other sites). Also, I don't want to use my own username/pw (instead of IUSR), since that would give this anonymous site a user with too many privileges (my account is an administrator on this machine).

Ideally I would want to use a low level user (e.g. IUSR), but selectively give it access to only this one folder in My Documents. Is that possible?

  • In order for the user account used by IIS for anonymous access to actually access a folder, it needs NTFS-level permissions on that folder; so, if you want to publish some folder in IIS anonymously, you'll need to give that account at least read permissions on that specific folder.

    From Massimo
  • You must make sure that the IUSR account has permissions to view that folder:

    • Either place the file in a folder where the user has permissions (e.g. C:\ instead of My Documents)
    • Or, give reading privileges to that account via the Security tab in Windows. (Windows XP users not on a domain will need to enable this tab).
    From Senseful

0 comments:

Post a Comment