Configuring Subauthentication in a Windows 2000 Domain
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1
To use Digest authentication in IIS 6.0 when the domain controller is running Windows 2000 Server, you must enable subauthentication, which is not installed by default on IIS 6.0. There are three steps required to enable subauthentication:
Register the subauthentication component, Iissuba.dll.
Set the UseDigestSSP Metabase Property to false. See Advanced Digest Authentication in IIS 6.0 for more information.
Set the identity of the application pool to LocalSystem. See Configuring Application Pool Identity with IIS 6.0 for more information.
Important
You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /User:MyComputer\Administrator cmd to open a command window with administrator rights and then type cscript.exe ScriptName (include the script's full path and any parameters).
Procedures
To register the subauthentication component
From the Start menu, click Run.
In the Open box, type cmd, and then click OK.
At the command prompt, type the following and then press ENTER:
rundll32 %systemroot%\system32\iissuba.dll,RegisterIISSUBA.
For any application pools that use Digest authentication, set the identity as LocalSystem.
When you no longer want to use subauthentication, unregister the subauthentication component.
To unregister the subauthentication component
From the Start menu, click Run.
In the Open box, type cmd, and then click OK.
At the command prompt, type the following and then press ENTER:
rundll32 %systemroot%\system32\iissuba.dll,UnregisterIISSUBA.
Related Information
- For more information about configuring subauthentication in IIS 6.0, see Configuring Subauthentication.