Category: WINDOWS

2006-03-17 08:42:04

Written by hplj, 2006.3.16. Please credit the source and author when reposting.
 
Over the last couple of days I installed IIS 5 on the company's Windows 2000 domain controller. Clients could not reach the site anonymously and had to enter a user name and password, even though anonymous access was enabled for the site. The same site placed on a separate server could be accessed anonymously, so the problem had to be that Windows 2000 was acting as a domain controller, which may have changed the policy that applies to IIS.
 
I found the following on Microsoft's website:

IIS Authentication
An important part of many distributed applications is identifying a person (called a principal or client) and controlling that client's ability to access resources. Authentication is the act of verifying the client's identity. Generally, the client must present some evidence, commonly called credentials, to prove its identity. Typically, credentials consist of a user name and password pair. Internet Information Services (IIS) and ASP.NET both provide several authentication schemes.
IIS provides several authentication schemes:
1. Anonymous (enabled by default)
2. Basic
3. Digest
4. Integrated Windows authentication (enabled by default)
5. Client certificate mapping
Whichever method is chosen, once the client's identity has been verified IIS passes a security token to ASP.NET. If ASP.NET is configured to use Windows authentication with impersonation enabled, ASP.NET impersonates the user that the security token represents.
Anonymous
Anonymous authentication gives users access to the public areas of a Web site without prompting them for a user name and password. Although it is listed as an authentication scheme, it does not technically authenticate the client at all, because the client is not required to present any credentials. Instead, IIS supplies stored credentials to Windows using a specific user account (IUSR_machinename). By default, IIS controls this account's password. Whether IIS controls the password affects the permissions of the anonymous user. When IIS controls the password, a sub-authentication DLL (iissuba.dll) validates the user with a network logon. This DLL verifies the password supplied by IIS and tells Windows that the password is valid, thereby authenticating the client; however, it never actually hands the password to Windows. When IIS does not control the password, IIS calls the Windows LogonUser() API with the account name, password and domain name to perform a local logon. After logon, IIS caches the security token and impersonates the account. A local logon lets the anonymous user access network resources; a network logon does not.
When anonymous authentication is enabled, IIS uses no other authentication scheme unless NTFS permissions deny access to the resource.
Advantages
Best performance, because anonymous authentication incurs no system overhead.
No individual user accounts to manage.
If IIS does not control the password, network resources can be accessed.
Disadvantages
Clients cannot be authenticated individually.
If IIS does not control the password, the account must be able to log on locally.

The passage above explains IIS anonymous access, but it does not help much with the problem at hand. On the English site I found this passage:
 
Anonymous Authentication
Anonymous authentication gives users access to the public areas of your Web or FTP site without prompting them for a user
name or password. When a user attempts to connect to your public Web or FTP site, your Web server assigns the user to the
Windows user account called IUSR_computername, where computername is the name of the server on which IIS is running.
By default, the IUSR_computername account is included in the Windows user group Guests. This group has security restrictions,
imposed by NTFS permissions, that designate the level of access and the type of content available to public users.
If you have multiple sites on your server, or if you have areas of your site that require different access privileges, you
can create multiple anonymous accounts, one for each Web or FTP site, directory, or file. By giving these accounts differing
access permissions, or by assigning these accounts to different Windows user groups, you can grant users anonymous access to
different areas of your public Web and FTP content.
IIS uses the IUSR_computername account in the following way:
The IUSR_computername account is added to the Guests group on the computer.
When a request is received, IIS will impersonate the IUSR_computername account before executing any code or accessing any
files. IIS is able to impersonate the IUSR_computername account because the user name and password for this account are known
by IIS.
Before returning a page to the client, IIS checks NTFS file and directory permissions to see if the IUSR_computername account
is allowed access to the file.
If access is allowed, authentication completes and the resources are available to the user.
If access is not allowed, IIS will attempt to use another authentication method. If none is selected, IIS returns an "HTTP
403 Access Denied" error message to the browser.
Note
If Anonymous authentication is enabled, IIS will always try to authenticate using it first, even if other methods are
enabled.
In some cases the browser will prompt the user for a user name and password.
You can change the account that is used for Anonymous authentication in the Internet Information Services snap-in, either at
the Web server service level, or for individual virtual directories and files. The anonymous account must have the user right
to log on locally. If the account does not have the Log On Locally permission, IIS will not be able to service any anonymous
requests. The IIS installation specifically grants the Log On Locally permission to the IUSR_computername account. The
IUSR_computername accounts on domain controllers are not given to guest accounts by default and must be changed to Log On
Locally to allow anonymous logons.
Note: You can change the requirement for Log On Locally rights by using the Active Directory Service Interfaces (ADSI). For
information, see the LogonMethod reference in the Active Server Pages Guide.
You can also change the security privileges for the IUSR_computername account in Windows by using the Group Policy Manager
snap-in of the MMC. However, if the anonymous user account does not have permission to access a specific file or resource,
your Web server will refuse to establish an anonymous connection for that resource. For more information, see Setting Web
Server Permissions.
Important: If you change the IUSR_computername account, the changes will affect every anonymous HTTP request that is
serviced by a Web server. Use caution if you modify this account.
 
The key sentence is this one: "The IUSR_computername accounts on domain controllers are not given to guest accounts by default and must be changed to Log On Locally to allow anonymous logons."
 
Summary of the problem: the anonymous account used by IIS must have the right to log on locally on the server itself. On a stand-alone server the IIS anonymous account has the Log on locally right because it belongs to the Guests group, and that group holds the right. On a domain controller the IIS anonymous account also belongs to the Guests group, but there the Guests group does not have the Log on locally right. The fix is either to grant the Guests group the Log on locally right on the domain controller, or to create a new account and grant it the Log on locally right (Control Panel - Administrative Tools - Local Security Settings - Local Security Policy - User Rights Assignment - Log on locally), then specify that new account, with its password, as the anonymous access account under the directory security properties of the IIS site.
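The condition in the summary above (the anonymous account, directly or through the Guests group, must hold Log on locally and must not be denied it) can be checked from the user-rights export that `secedit /export /cfg <file> /areas USER_RIGHTS` produces. The script below is an added example, not code from the original post; the two exports and the IUSR SID are constructed samples, and the well-known group SIDs are the standard built-in ones.

```python
"""Check whether an IIS anonymous account holds 'Log on locally' (SeInteractiveLogonRight),
reading the [Privilege Rights] section of a 'secedit /export /cfg <file> /areas USER_RIGHTS' dump."""

GUESTS_SID = "S-1-5-32-546"  # well-known SID of the built-in Guests group


def parse_privilege_rights(inf_text):
    """Return {privilege_name: set_of_SIDs} from the [Privilege Rights] section of a secedit export."""
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Values look like "*S-1-5-32-546,*S-1-5-32-544"; the leading '*' marks a SID.
        rights[name.strip()] = {s.strip().lstrip("*") for s in value.split(",") if s.strip()}
    return rights


def can_log_on_locally(inf_text, principal_sids):
    """True if the account or any group it belongs to is granted SeInteractiveLogonRight
    and none of those SIDs appears under SeDenyInteractiveLogonRight (a deny always wins)."""
    rights = parse_privilege_rights(inf_text)
    sids = set(principal_sids)
    if sids & rights.get("SeDenyInteractiveLogonRight", set()):
        return False
    return bool(sids & rights.get("SeInteractiveLogonRight", set()))


# Constructed sample exports, not real captures. On a domain controller the default policy grants
# the right to Administrators and the operator groups only; a stand-alone server also grants Guests.
DC_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
SeNetworkLogonRight = *S-1-1-0
"""
STANDALONE_EXPORT = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-546,*S-1-5-32-551
"""

# IUSR_computername's own SID is machine-specific (placeholder RID); it is a member of Guests.
IUSR_SIDS = ["S-1-5-21-0-0-0-1001", GUESTS_SID]

if __name__ == "__main__":
    print("domain controller:", can_log_on_locally(DC_EXPORT, IUSR_SIDS))         # False
    print("stand-alone server:", can_log_on_locally(STANDALONE_EXPORT, IUSR_SIDS))  # True
```

Granting Log on locally to the whole Guests group widens the grant to every guest account on the domain controller; the dedicated anonymous account from the summary keeps the grant to a single principal, and the deny check matters because an explicit SeDenyInteractiveLogonRight entry overrides the allow.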