Author: Halfvares Mats, Teknikhuset AB.

Published: 2012-04-10

Applies to:
  • Content Studio ver. 5

Type: Information

More information

When Content Studio writes files to disk or sets security on a document system object, it replaces all entries containing the BROWSE permission for the alias ANONYMOUS LOGON with the trustee account used to impersonate anonymous users. In Windows 2003 and earlier this account is by default a local account named according to the IUSR_MACHINENAME pattern, where MACHINENAME is the NetBIOS name of the local server. In Windows Vista and Server 2008 the default account is a well-known principal, IUSR, and starting with Windows 7 / Server 2008 R2 the default account is a dynamic account, IIS APPPOOL\<ApppoolName>, which represents the application pool runtime account. During the file writing process Content Studio discovers the anonymous account dynamically. One obvious method would be to ask the IIS metabase for this information, but normally the Content Studio runtime account does not have administrative privileges and cannot access the metabase. For this reason Content Studio must have another method to obtain this information and uses the following methods:
  1. First, Content Studio looks in the site setting system.Anonymous_Account for a valid account name; if one is found, that account is used. A site that runs on Server 2008 R2 / Windows 7 and uses the AppPool identity should have the name of this account written into this setting.
  2. If this fails, Content Studio tries to obtain a valid account name from the IIS_AnonymousAccountName string value in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\teknikhuset\Content Studio\5.0.
  3. If this value is invalid or empty, Content Studio cannot continue with the operation and returns an error message. However, on IIS 7 or higher (Vista / Server 2008) Content Studio will use the default anonymous user account (IUSR) but cannot verify that this account really is the account used on the specific site. For this reason it is highly recommended to use the built-in IUSR account on these operating systems. For Windows 7 / Server 2008 R2 the IIS APPPOOL\<ApppoolName> account might be in use and, when it is, should be written into the site setting.

If Content Studio finds a valid account in step 1 or 2, it will not verify that this account really is the account used by IIS; Content Studio simply trusts the information supplied by the system administrator.
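Because the account name is trusted as supplied, an administrator can check it against what IIS actually uses for the site. The following PowerShell script is an added example, not Content Studio code: it assumes IIS 7 or higher with the WebAdministration module and an elevated prompt, takes the system.Anonymous_Account value as a parameter copied by hand, and treats "valid" as "resolves to a SID".

```powershell
# Added example (administrator-side check), not part of Content Studio.
# Assumptions: IIS 7+ with the WebAdministration module, run elevated.
param(
    [Parameter(Mandatory=$true)] [string] $SiteName,  # name of the IIS site to check
    [string] $SiteSetting = ''   # system.Anonymous_Account value, copied by hand
)
Import-Module WebAdministration

function Resolve-Sid([string] $Account) {
    # Returns the SID string, or $null when the name does not resolve.
    try {
        ([System.Security.Principal.NTAccount] $Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

# Step 2 source: the registry value named in this article.
$regKey   = 'HKLM:\SOFTWARE\teknikhuset\Content Studio\5.0'
$regValue = (Get-ItemProperty -Path $regKey -Name IIS_AnonymousAccountName `
                -ErrorAction SilentlyContinue).IIS_AnonymousAccountName

# Same order as the article: site setting, registry, then the IUSR default.
# "Valid" is taken here to mean "resolves to a SID" (assumption).
$configured = @($SiteSetting, $regValue, 'IUSR') |
    Where-Object { $_ -and (Resolve-Sid $_) } | Select-Object -First 1

# What IIS really uses for anonymous requests on this site.
$p = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name userName
$anonUser = if ($p -is [string]) { $p } else { $p.Value }
if (-not $anonUser) {
    # Empty userName: IIS runs anonymous requests as the application pool identity.
    # Assumes the pool uses ApplicationPoolIdentity rather than a custom account.
    $anonUser = 'IIS APPPOOL\' + (Get-Item "IIS:\Sites\$SiteName").applicationPool
}

$configuredSid = if ($configured) { Resolve-Sid $configured } else { $null }
$actualSid     = Resolve-Sid $anonUser

New-Object PSObject -Property @{
    Site              = $SiteName
    ContentStudioUses = $configured   # empty means no source gave a usable name
    IisUses           = $anonUser
    Match             = ($configuredSid -and ($configuredSid -eq $actualSid))
}
```

A result with Match = False means the BROWSE entries are written for an account other than the one IIS uses for anonymous requests on that site.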

In versions before 5.4, Content Studio first looked at the registry setting and then at the site setting. This had the disadvantage that if the registry setting was given, every site inherited it whether or not it was valid. The introduction of the IIS APPPOOL\<ApppoolName> account made this change necessary.