Change the Security Settings for Internet Information Services
Applies To: Windows Server 2008
Use this procedure to change the security settings for Internet Information Services (IIS). Changing these settings sets the user context under which ASP.NET or ASP web applications that need to access Message Queuing queues run.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
To change the security settings for IIS
Click Start, point to Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
Under Connections, click the MSMQ virtual directory.
Where?
Your Internet Information Services Computer/Web Sites/Default Web Site/MSMQ
Double-click the Authentication feature available in the IIS section of the workspace for the MSMQ virtual directory to display the authentication settings for the MSMQ virtual directory.
Note
IIS Authentication features are installed as role services when the Web Server Role (IIS) role is enabled on a Windows Server 2008 R2 family computer, or as separate features of World Wide Web Services when World Wide Web Services is enabled on Windows 7.

If a particular authentication feature (such as Basic Authentication or Windows Authentication) is not available on a Windows Server 2008 R2 family computer, it must be added with the Add Role Services wizard in Server Manager. Click Start, point to Programs, point to Administrative Tools, and then click Server Manager to display Server Manager. Click Manage Roles in the console tree of Server Manager and then click Add role services under the Web Server (IIS) role to add the appropriate Security role services.

If a particular authentication feature is not available on Windows 7, it must be added with Turn Windows features on or off. Click Start, point to Settings, point to Control Panel, and then click Programs and Features. Click Turn Windows features on or off to display the Windows Features dialog box. Click to expand Internet Information Services, click to expand World Wide Web Service, click to expand Security, click to enable the appropriate IIS authentication features, and then click OK.
Right-click Anonymous Authentication and click Edit to display the Edit Anonymous Authentication Credentials dialog box.
To use a domain user account instead of the IIS local user for Anonymous Access, do the following:
Click to select the Specific user option if it is not already selected.
Click the Set button next to the Specific user edit box.
In the Set Credentials dialog box, type the name of a domain user with the required permissions for the Message Queuing operation.
Type the user password into the Password and Confirm password edit boxes and then click OK.
To disable anonymous access and trust the Internet Information Services computer for delegation, do the following:
Complete steps 3 through 5 above to display the authentication settings for the MSMQ virtual directory.
Right-click Anonymous Authentication and click Disable.
Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
On the View menu, click Users, Groups, and Computers as containers, and then click Advanced Features.
In the console tree, right-click the name of your Internet Information Services computer.
Where?
Active Directory Users and Computers\YourDomain\Computers\Your Internet Information Services Computer
Click Properties.
On the Delegation tab of the Properties dialog box, select the Trust computer for delegation to any service (Kerberos only) check box, or select the Trust computer for delegation to specified services only check box and set the appropriate options, and then click OK.
In Internet Information Services (IIS) Manager, under Connections, right-click the Default Web Site (or the web site that contains the /MSMQ virtual directory, if it is not in the default web site).
Where?
Your Internet Information Services Computer/Web Sites/Default Web Site
Click Restart to restart Internet Information Services.
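The same two options (a specific domain account for anonymous access, or anonymous access disabled with the IIS computer trusted for delegation) can be scripted; the following is an added example and not part of the original procedure. It assumes the WebAdministration module (IIS 7.x) and, for the delegation step, the ActiveDirectory module; the site path, account and host names are placeholders.

```powershell
# Added example (not from the original page). Assumes the WebAdministration
# module and, for Set-IisDelegation, the ActiveDirectory module.
Import-Module WebAdministration

$location   = 'Default Web Site/MSMQ'   # site containing the /MSMQ virtual directory
$authPath   = 'system.webServer/security/authentication'
$anonFilter = "$authPath/anonymousAuthentication"
$winFilter  = "$authPath/windowsAuthentication"

function Set-IisAuthProperty([string]$Filter, [string]$Name, $Value) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter $Filter -Name $Name -Value $Value
}

# Option 1: keep anonymous access but impersonate a specific domain account
# instead of the IIS local user. The password is written to applicationHost.config
# (IIS encrypts it), so use a dedicated account holding only the Message Queuing
# permissions the web application needs.
function Set-MsmqAnonymousUser([string]$User, [string]$Password) {
    Set-IisAuthProperty $anonFilter 'enabled'  $true
    Set-IisAuthProperty $anonFilter 'userName' $User
    Set-IisAuthProperty $anonFilter 'password' $Password
}

# Option 2: disable anonymous access so callers use their own Windows identity.
# Refuse if Windows Authentication is not enabled, otherwise every request to
# /MSMQ would be rejected after the change.
function Disable-MsmqAnonymous {
    $win = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter $winFilter -Name enabled
    if (-not $win.Value) {
        throw "Windows Authentication is not enabled for $location; enable it first."
    }
    Set-IisAuthProperty $anonFilter 'enabled' $false
}

# Delegation for option 2 (needs rights to modify the computer object). The first
# call is the "any service (Kerberos only)" check box; the commented alternative
# limits delegation to the listed SPNs (placeholder value) and is the safer choice.
function Set-IisDelegation([string]$IisComputer) {
    Import-Module ActiveDirectory
    Set-ADComputer -Identity $IisComputer -TrustedForDelegation $true
    # Set-ADComputer -Identity $IisComputer -Add @{ 'msDS-AllowedToDelegateTo' = 'HOST/dc01.example.com' }
}

# Usage (pick one option), then restart the World Wide Web Publishing service:
#   Set-MsmqAnonymousUser 'EXAMPLE\svc-msmqweb' (Read-Host 'Password')
#   Disable-MsmqAnonymous; Set-IisDelegation 'IISHOST01'
#   Restart-Service W3SVC
```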
Additional considerations
By default, IIS impersonates a special Internet Information Services local user account. This account is local to the IIS computer (unless that computer is a domain controller); it cannot be authenticated by other computers on the network and is treated as an anonymous user. ASP.NET applications, ASP applications and scripts run under IIS and, by default, impersonate the IIS local user for any Message Queuing operations, including queries to Active Directory Domain Services. Because anonymous users do not belong to the Everyone group in Windows 7 or Windows Server 2008 R2 family operating systems, these queries fail. As a result, ASP.NET applications, ASP applications and scripts cannot locate, create, or delete queues by default. In addition, anonymous users cannot open a queue for remote read, so by default ASP.NET or ASP applications cannot read messages from queues that do not belong to the IIS computer.
For the changes to take effect, you must stop and start the World Wide Web Publishing service.
Trusting the computer for delegation allows the authenticated user's credentials to be passed across multiple hops (for example, on to a domain controller), provided that the user account itself is also trusted for delegation.