How to fix "Failed to Impersonate the anonymous user for ASP application" on IIS 6.0

I have a web server (IIS) that hosts a number of different web applications (mainly ASP code) that are accessed by users on my intranet.

In IIS, the "Directory Security" properties for the virtual directories have "Allow anonymous ..." and "Integrated Windows authentication ..." ticked. If I untick "Integrated Windows auth .." no one can access the apps.

Users in my domain are able to access these web applications without a problem, but users on other domains (they have access to our intranet environment) are requested to authenticate themselves when trying to access these apps (they get a pop up box requesting them to enter in their Windows credentials).

I've checked the IIS settings and rights on the folder where the code is located and it all seems fine (app pool is running under NETWORK SERVICE and the IUSR_servername & EVERYONE & NETWORK SERVICE are added to the folder).

I've checked the default permissions configured for IIS according to the Microsoft site and these seems to be correct.

I ran IIS Authentication & Access Diagnostics tools and found errors related to AnonymousPasswordSync as well as there being errors in the event log for "Failed to Impersonate the anonymous user for ASP application".

From what I've read on the internet about this symptom is that it seems to be a problem with the password for the IUSR_servername (used for anonymous authentication) as it could be out of sync with Metabase or IIS or something.

I'm not too keen on playing around with the Metabase.xml file or resetting the password for IUSR_servername.

I'm really stumped on how to proceed to get this resolved.

Please can someone help me out as I'm so frustrated with this - been trying to get it working since Jan 2009 & still no where!!
experts555555Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

windowsboyCommented:
I would suggest ensuring that you ensure that the 'connect as' user for anonymous authentication has permissions to access the path of your website. If one has not already been set up, it is usually better to set one up rather than rely on the permissions for the IUSR account.
0
experts555555Author Commented:
Thanks - where can I check whether this has been done or not? In IIS my Directory Security settings & folder permissions look like this (see attached file)
untitled.JPG
0
windowsboyCommented:
From the look of your configuration, it looks as if you are still relying on the IUSR account for anonymous access. This account seems to have read privileges to the directory, but I would set up a user with full control as the user account for anonymous access to ensure no permission problems.
0
experts555555Author Commented:
I managed to get this working eventually.

The entries in the event log said "Failed to impersonate the anonymous user for asp application". I found confirmation of the problem here, that the password for IUSR account in IIS Metabase and the one in the account in "Local users and groups" was out of sync:

http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx

The IUSR_servername account was locked out & kept being locked out as the password in IIS Metabase and the one for the IUSR account in "Local users and groups" was not in sync. The external users had issues connecting & authenticating because they were not from a trusted Windows domain whilst the internal users (who were on the same Windows domain as the web server) were authenticated already (Integrated Windows authentication kicked in after the Anonymous Access failed)

I installed IIS Resource Kit Tools from Microsoft & then used IIS Metabase Explorer to see what the password for IUSR_servername in IIS Metabase is (http://blog.rafelo.com/2009/01/retrieve-iusr-anonymous-password-using.html?widgetType=BlogArchive&widgetId=BlogArchive1&action=toggle&dir=close&toggle=YEARLY-1230789600000&toggleopen=MONTHLY-1230789600000)

I then reset the password for IUSR_servername in "Local users and groups" to be the same as the one that is displayed in the IIS Metabase Explorer.

I restarted IIS, gave it a bit of time to replicate & refresh (15 minutes), tried again and the internal & external users were able to access the sites on the web server.

Other resources include

http://www.derkeiler.com/Newsgroups/microsoft.public.win2000.security/2006-04/msg00028.html

http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_22535500.html
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Internet Protocols

From novice to tech pro — start learning today.