I have configured a website on IIS 6. When I access the website from inside the company network it works fine.
When I try to access the website from outside the network, the browser asks for Windows credentials.
The application pool is configured to run as Network Service.
The website is configured with: "Enable anonymous access".
I have specified a user account with a password.
When I run the Microsoft Authentication and Access controls diagnostic I get the following messages:
"The current configuration requires IIS subauthentication. However, the IIS subauthentication component, iissuba.dll, is not currently configured."
"The current configuration uses IIS subauthentication for anonymous authentication. This requires that the worker process be configured to run as the Local System identity, which is not recommended for security reasons."
The thing is I do not want to use subauthentication as I know the password of the user account I am using.
The user account is MACHINENAME\IUSR_MACHINENAME.
What must I do to allow people from outside the network from accessing the website without getting asked for credentials?
Best Answer
You can see which account is making the IIS calls in the Event Viewer Security logs on the web server. If it's using Integrated Authentication you should see a unique user account in the security logs. If it's using the Anonymous user to access the site, you'll the the IUSR account in the logs.
I would recommend visiting the site internally (where it's working) and check out the Security logs. If you see your domain/user account making the request then you know there is an issue with the Anonymous user account. If Anonymous access is enabled with other methods of authentication (Integrated for example), Anonymous access is always tried first.
A few other things I would consider.
-Do you have multiple authentication modes defined on the site or virtual directory? This is under the Directory Security tab on the IIS site/virtual directory.
-Is integrated authentication enabled in the web.config? ()
-Is the IUSR account a member of the IIS_WPG local computer group?
-What groups is the IUSR account a member of? As mentioned, the IUSR account will need access to your file system.
-Double check that your website is indeed running under the application pool you think it is.
-Double check that your application pool is indeed running under the Network Service account.
-Retype your IUSR account details.
Hope this helps, Dave