SSL and Anonymous Authentication
on 14.03.2007 23:22:56 by WhoKnows
I want to use Anonymous authentication to a website served by IIS 6.0 and
Windows 2003 that is the front end for a database on a separate computer
that requires user logon to access the data. I also want to use SSL to
encrypt the return of the data from the browser to the anonymous user. It
seems that I must turn on sub-authentication to authenticate the anonymous
user on the website in order to continue beyond logging into the database.
Is this true? The problem with sub-authentication seems to be that the
anonymous user has to run under the local system account which could be a
security hole. Is there a way around this?
Re: SSL and Anonymous Authentication
on 15.03.2007 08:14:38 by David Wang
Anonymous authentication works without sub-authentication.
http://blogs.msdn.com/david.wang/archive/2006/07/01/IIS-Security-Templates-and-Anonymous-Authentication.aspx
You just need to make sure that you set the correct password for the
configured anonymous user account so that IIS can login with it using
a normal, unprivileged account. If you do not set the correct password
in IIS configuration, then you will need to run IIS as LocalSystem to
use sub-authentication so that IIS can login the anonymous user
account without knowing the password.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Mar 14, 3:22 pm, "WhoKnows" wrote:
> I want to use Anonymous authentication to a website served by IIS 6.0 and
> Windows 2003 that is the front end for a database on a separate computer
> that requires user logon to access the data. I also want to use SSL to
> encrypt the return of the data from the browser to the anonymous user. It
> seems that I must turn on sub-authentication to authenticate the anonymous
> user on the website in order to continue beyond logging into the database.
> Is this true? The problem with sub-authentication seems to be that the
> anonymous user has to run under the local system account which could be a
> security hole. Is there a way around this?
Re: SSL and Anonymous Authentication
on 15.03.2007 16:11:38 by WhoKnows
Thanks,
That's good because I did not want to have my users running under local
system. But I do not see how to make sure that the correct password is used
in both Windows 2003 and IIS. In Local Users and Groups, I just see the
Internet Guest Account and no password box to change it and don't know what
it is so that I can then enter that into IIS. I guess the question really is
what is the Internet Guest Account password and can I change it and how?
Thanks
"David Wang" wrote in message
news:1173942878.906225.315480@y80g2000hsf.googlegroups.com...
> Anonymous authentication works without sub-authentication.
>
> http://blogs.msdn.com/david.wang/archive/2006/07/01/IIS-Security-Templates-and-Anonymous-Authentication.aspx
>
> You just need to make sure that you set the correct password for the
> configured anonymous user account so that IIS can login with it using
> a normal, unprivileged account. If you do not set the correct password
> in IIS configuration, then you will need to run IIS as LocalSystem to
> use sub-authentication so that IIS can login the anonymous user
> account without knowing the password.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
>
>
> On Mar 14, 3:22 pm, "WhoKnows" wrote:
>> I want to use Anonymous authentication to a website served by IIS 6.0 and
>> Windows 2003 that is the front end for a database on a separate computer
>> that requires user logon to access the data. I also want to use SSL to
>> encrypt the return of the data from the browser to the anonymous user. It
>> seems that I must turn on sub-authentication to authenticate the
>> anonymous
>> user on the website in order to continue beyond logging into the
>> database.
>> Is this true? The problem with sub-authentication seems to be that the
>> anonymous user has to run under the local system account which could be a
>> security hole. Is there a way around this?
>
Re: SSL and Anonymous Authentication
on 15.03.2007 17:29:55 by David Wang
The anonymous user's password is randomly generated on every machine.
You will need to manually first set it to a known value within Local
Users and Groups (Right click on user name and select "Set
Password..."), then use a script like the following to synchronize the
value in IIS to match this known value.
http://blogs.msdn.com/david.wang/archive/2005/12/07/HOWTO-Synchronize-User-Credentials-in-IIS.aspx
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Mar 15, 8:11 am, "WhoKnows" wrote:
> Thanks,
>
> That's good because I did not want to have my users running under local
> system. But I do not see how to make sure that the correct password is used
> in both Windows 2003 and IIS. In Local Users and Groups, I just see the
> Internet Guest Account and no password box to change it and don't know what
> it is so that I can then enter that into IIS. I guess the question really is
> what is the Internet Guest Account password and can I change it and how?
>
> Thanks
>
> "David Wang" wrote in message
>
> news:1173942878.906225.315480@y80g2000hsf.googlegroups.com...
>
>
>
> > Anonymous authentication works without sub-authentication.
>
> >http://blogs.msdn.com/david.wang/archive/2006/07/01/IIS-Security-Temp...
>
> > You just need to make sure that you set the correct password for the
> > configured anonymous user account so that IIS can login with it using
> > a normal, unprivileged account. If you do not set the correct password
> > in IIS configuration, then you will need to run IIS as LocalSystem to
> > use sub-authentication so that IIS can login the anonymous user
> > account without knowing the password.
>
> > //David
> >http://w3-4u.blogspot.com
> >http://blogs.msdn.com/David.Wang
> > //
>
> > On Mar 14, 3:22 pm, "WhoKnows" wrote:
> >> I want to use Anonymous authentication to a website served by IIS 6.0 and
> >> Windows 2003 that is the front end for a database on a separate computer
> >> that requires user logon to access the data. I also want to use SSL to
> >> encrypt the return of the data from the browser to the anonymous user. It
> >> seems that I must turn on sub-authentication to authenticate the
> >> anonymous
> >> user on the website in order to continue beyond logging into the
> >> database.
> >> Is this true? The problem with sub-authentication seems to be that the
> >> anonymous user has to run under the local system account which could be a
> >> security hole. Is there a way around this?
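The two steps described in the reply above (set a known password on the local account, then make the value stored in IIS match it) can be sketched in PowerShell as follows. This is an added example, not the script from the linked blog post and not code from anyone in the thread; it assumes PowerShell is installed on the IIS 6.0 server, an elevated prompt, and that the anonymous account is a local account configured at the W3SVC level and not overridden on individual sites.

```powershell
# Added example: align the local anonymous account's password with the value
# stored in the IIS 6.0 metabase, so IIS can log the account on normally
# instead of relying on sub-authentication (which needs LocalSystem).

# Read the account name IIS is configured to use for anonymous requests.
$w3svc    = [ADSI]"IIS://localhost/W3SVC"
$anonUser = [string]$w3svc.AnonymousUserName
if (-not $anonUser) { throw "No AnonymousUserName is set at the W3SVC level." }

# Assumption: the account is local; drop a leading "MACHINE\" if present.
$localName = $anonUser.Split('\')[-1]

# Prompt for the new password so it is not stored in the script itself.
$secure = Read-Host "New password for $localName" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Step 1: set the known password on the Windows account (the same effect as
# "Set Password..." in Local Users and Groups).
$account = [ADSI]"WinNT://$env:COMPUTERNAME/$localName,user"
$account.psbase.Invoke("SetPassword", $plain)

# Step 2: store the same password in the metabase and turn off password
# synchronisation, the setting that makes IIS use sub-authentication.
$w3svc.psbase.Invoke("Put", "AnonymousUserPass", $plain)
$w3svc.psbase.Invoke("Put", "AnonymousPasswordSync", $false)
$w3svc.psbase.Invoke("SetInfo")
$plain = $null

# Re-read the node and report the result; the password is never printed.
$check = [ADSI]"IIS://localhost/W3SVC"
"Anonymous user       : $($check.AnonymousUserName)"
"AnonymousPasswordSync: $($check.AnonymousPasswordSync)"
```

A value of `False` for `AnonymousPasswordSync` in the final output means IIS logs the anonymous account on with the stored password.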
Re: SSL and Anonymous Authentication
on 15.03.2007 19:52:24 by WhoKnows
Thanks very much. Great solution.
"David Wang" wrote in message
news:1173976195.300917.15840@n59g2000hsh.googlegroups.com...
> The anonymous user's password is randomly generated on every machine.
> You will need to manually first set it to a known value within Local
> Users and Groups (Right click on user name and select "Set
> Password..."), then use a script like the following to synchronize the
> value in IIS to match this known value.
>
> http://blogs.msdn.com/david.wang/archive/2005/12/07/HOWTO-Synchronize-User-Credentials-in-IIS.aspx
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
>
> On Mar 15, 8:11 am, "WhoKnows" wrote:
>> Thanks,
>>
>> That's good because I did not want to have my users running under local
>> system. But I do not see how to make sure that the correct password is
>> used
>> in both Windows 2003 and IIS. In Local Users and Groups, I just see the
>> Internet Guest Account and no password box to change it and don't know
>> what
>> it is so that I can then enter that into IIS. I guess the question really
>> is
>> what is the Internet Guest Account password and can I change it and how?
>>
>> Thanks
>>
>> "David Wang" wrote in message
>>
>> news:1173942878.906225.315480@y80g2000hsf.googlegroups.com...
>>
>>
>>
>> > Anonymous authentication works without sub-authentication.
>>
>> >http://blogs.msdn.com/david.wang/archive/2006/07/01/IIS-Security-Temp...
>>
>> > You just need to make sure that you set the correct password for the
>> > configured anonymous user account so that IIS can login with it using
>> > a normal, unprivileged account. If you do not set the correct password
>> > in IIS configuration, then you will need to run IIS as LocalSystem to
>> > use sub-authentication so that IIS can login the anonymous user
>> > account without knowing the password.
>>
>> > //David
>> >http://w3-4u.blogspot.com
>> >http://blogs.msdn.com/David.Wang
>> > //
>>
>> > On Mar 14, 3:22 pm, "WhoKnows" wrote:
>> >> I want to use Anonymous authentication to a website served by IIS 6.0
>> >> and
>> >> Windows 2003 that is the front end for a database on a separate
>> >> computer
>> >> that requires user logon to access the data. I also want to use SSL to
>> >> encrypt the return of the data from the browser to the anonymous user.
>> >> It
>> >> seems that I must turn on sub-authentication to authenticate the
>> >> anonymous
>> >> user on the website in order to continue beyond logging into the
>> >> database.
>> >> Is this true? The problem with sub-authentication seems to be that the
>> >> anonymous user has to run under the local system account which could
>> >> be a
>> >> security hole. Is there a way around this?