The <anonymousAuthentication> element controls how Internet Information Services (IIS) 7.0 processes requests from anonymous users. You can modify the <anonymousAuthentication> element to disable Anonymous authentication, or you can configure Internet Information Services (IIS) to use a custom user account to process anonymous requests.
Anonymous authentication gives users access to the public areas of your Web or FTP site without prompting them for a user name or password. By default, the IUSR account, which is new in IIS 7.0 and replaces the IIS 6.0 IUSR_computername account, is used to allow anonymous access. An application is a grouping of files that delivers content or provides services over protocols, such as HTTP. When you create an application in IIS, the application's path becomes part of the site's URL.
By default, IIS 7.0 uses Anonymous authentication. You must disable Anonymous authentication for any Web site, Web application, or Web service for which you want to enable other authentication methods such as Basic or Windows authentication.
| | Notes |
| --- | --- |
| IIS 7.0 | The <anonymousAuthentication> element is new in IIS 7.0. |
| IIS 6.0 | The <anonymousAuthentication> element replaces the IIS 6.0 AuthFlags, AnonymousUserName, and AnonymousUserPassword metabase properties. |

The <anonymousAuthentication> element is included in the default installation of IIS 7.0.
How to disable anonymous authentication
- On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- In the Connections pane, expand the server name, expand Sites, and go to the level in the hierarchy pane that you want to configure, and then click the Web site or Web application.
- Scroll to the Security section in the Home pane, and then double-click Authentication.
- In the Authentication pane, select Anonymous Authentication, and then click Disable in the Actions pane.
How to change anonymous authentication credentials from the IUSR account
- On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- In the Connections pane, expand the server name, expand Sites, and navigate to the level in the hierarchy pane that you want to configure, and then click the Web site or Web application.
- Scroll to the Security section in the Home pane, and then double-click Authentication.
- In the Authentication pane, select Anonymous Authentication, and then click Edit... in the Actions pane.
- In the Edit Anonymous Authentication Credentials dialog box, do one of the following:
Note: If you use this procedure, only grant the new account minimal privileges on the IIS server computer.
The <anonymousAuthentication> element is configurable at the site and application level in the Web.config file.
Attributes
| Attribute | Description |
| --- | --- |
| enabled | Optional Boolean attribute. Specifies whether Anonymous authentication is enabled. The default value is true. |
| logonMethod | Optional enum attribute. The logonMethod attribute can be one of the possible values listed in the logonMethod table that follows. The default is ClearText. |
| password | Optional String attribute. Specifies the password for Anonymous authentication. Note: To avoid storing unencrypted password strings in configuration files, always use AppCmd.exe or IIS Manager to enter passwords. If you use these management tools, the password strings will be encrypted automatically before they are written to the XML configuration files. This provides better password security than storing unencrypted passwords. |
| username | Optional String attribute. Specifies the username for Anonymous authentication. If you leave this value blank (that is, username=""), Anonymous authentication uses the application pool identity to authenticate anonymous users. The default value is IUSR. |

Possible values for logonMethod:

| Value | Description |
| --- | --- |
| Batch | This logon type is intended for batch servers, where processes may be executing on behalf of a user without that user's direct intervention. The numeric value is 1. |
| ClearText | This logon type preserves the name and password in the authentication package, which allows the server to make connections to other network servers while impersonating the client. The numeric value is 3. |
| Interactive | This logon type is intended for users who will be using the computer interactively. The numeric value is 0. |
| Network | This logon type is intended for high performance servers to authenticate plaintext passwords. Credentials are not cached for this logon type. The numeric value is 2. |

Child Elements
None.
Configuration Sample
The following configuration example configures anonymous authentication for an IIS 7.0 Web site or Web application to use a local account on the Web server. (IIS 7.0 automatically uses AES encryption to encrypt the password.)
<security>
   <authentication>
      <anonymousAuthentication
         userName="User1"
         password="[enc:AesProvider:Encrypted-Password-Data:enc]" />
   </authentication>
</security>
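To review these settings across a server, the following added example (not part of the original documentation and not a Microsoft tool) reads a copy of ApplicationHost.config and reports, for each location section, the effective anonymous identity, whether the stored password is unencrypted, and whether a custom account is in use. The function name, the sample paths and accounts, and the test that an encrypted value has the `[enc:...:enc]` shape shown in the sample above are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like ApplicationHost.config <location> sections
# (not from a real server). Site paths and account names are placeholders.
SAMPLE = """<configuration>
  <location path="Contoso"><system.webServer><security><authentication>
    <anonymousAuthentication userName="User1"
        password="[enc:AesProvider:Encrypted-Password-Data:enc]" />
  </authentication></security></system.webServer></location>
  <location path="Contoso/legacy"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="User2" password="P@ssw0rd" />
  </authentication></security></system.webServer></location>
  <location path="Contoso/pool"><system.webServer><security><authentication>
    <anonymousAuthentication userName="" />
  </authentication></security></system.webServer></location>
  <location path="Contoso/admin"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="false" />
  </authentication></security></system.webServer></location>
</configuration>"""


def audit_anonymous_auth(xml_text):
    """Return one finding per <location> that sets <anonymousAuthentication>.

    Inheritance between locations is not resolved; each section is read alone.
    """
    findings = []
    for loc in ET.fromstring(xml_text).iter("location"):
        node = next(loc.iter("anonymousAuthentication"), None)
        if node is None:
            continue
        # Defaults from the attribute table: enabled=true, userName=IUSR,
        # logonMethod=ClearText.
        enabled = node.get("enabled", "true").lower() == "true"
        user = node.get("userName", "IUSR")
        pwd = node.get("password", "")
        issues = []
        # Assumption: encrypted values look like the page's sample "[enc:...:enc]".
        if pwd and not (pwd.startswith("[enc:") and pwd.endswith(":enc]")):
            issues.append("password stored unencrypted")
        if enabled and user not in ("", "IUSR"):
            issues.append("custom account: confirm minimal privileges")
        findings.append({"path": loc.get("path"), "enabled": enabled,
                         # A blank userName means the application pool identity.
                         "identity": user or "application pool identity",
                         "logonMethod": node.get("logonMethod", "ClearText"),
                         "issues": issues})
    return findings
```

Run it against an exported copy of the configuration file rather than the live file, and treat any "password stored unencrypted" finding as a credential to rotate after re-entering it through AppCmd.exe or IIS Manager.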
The following examples enable anonymous authentication and change the default username and password used for anonymous authentication to an account named IUSR and a password of P@ssw0rd.
AppCmd.exe
appcmd.exe set config "Contoso" -section:system.webServer/security/authentication/anonymousAuthentication /enabled:"True" /commit:apphost
appcmd.exe set config "Contoso" -section:system.webServer/security/authentication/anonymousAuthentication /userName:"IUSR" /commit:apphost
appcmd.exe set config "Contoso" -section:system.webServer/security/authentication/anonymousAuthentication /password:"P@ssw0rd" /commit:apphost
Note: You must be sure to set the commit parameter to APPHOST when using AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.
C#
using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample {

   private static void Main() {

      using (ServerManager serverManager = new ServerManager()) {
         Configuration config = serverManager.GetApplicationHostConfiguration();

         ConfigurationSection anonymousAuthenticationSection = config.GetSection("system.webServer/security/authentication/anonymousAuthentication", "Contoso");
         anonymousAuthenticationSection["enabled"] = true;
         anonymousAuthenticationSection["userName"] = @"IUSR";
         anonymousAuthenticationSection["password"] = @"P@ssw0rd";

         serverManager.CommitChanges();
      }
   }
}
VB.NET
Imports System
Imports System.Text
Imports Microsoft.Web.Administration

Module Sample

   Sub Main()
      Dim serverManager As ServerManager = New ServerManager
      Dim config As Configuration = serverManager.GetApplicationHostConfiguration

      Dim anonymousAuthenticationSection As ConfigurationSection = config.GetSection("system.webServer/security/authentication/anonymousAuthentication", "Contoso")
      anonymousAuthenticationSection("enabled") = True
      anonymousAuthenticationSection("userName") = "IUSR"
      anonymousAuthenticationSection("password") = "P@ssw0rd"

      serverManager.CommitChanges()
   End Sub

End Module
JavaScript
var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";
var anonymousAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/anonymousAuthentication", "MACHINE/WEBROOT/APPHOST/Contoso");
anonymousAuthenticationSection.Properties.Item("enabled").Value = true;
anonymousAuthenticationSection.Properties.Item("userName").Value = "IUSR";
anonymousAuthenticationSection.Properties.Item("password").Value = "P@ssw0rd";
adminManager.CommitChanges();
VBScript
Set adminManager = CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set anonymousAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/anonymousAuthentication", "MACHINE/WEBROOT/APPHOST/Contoso")
anonymousAuthenticationSection.Properties.Item("enabled").Value = True
anonymousAuthenticationSection.Properties.Item("userName").Value = "IUSR"
anonymousAuthenticationSection.Properties.Item("password").Value = "P@ssw0rd"
adminManager.CommitChanges()