anonymousAuthenticaion has a username, which defaults to local user IUSR, and a password.
If I understand the docs correctly, the password can by arbitrary. The user should authenticate using the password, and then the site runs with the permissions of the user specified in username.
This doesn’t make any sense, and I must be misunderstanding something.
If the username belong to a network user, the site couldn’t use it’s network credentials without a token, for which it would need a password.
If the user is local, and different than IUSR, then again the IIS user should be able to do privilege escalation and run with it’s credentials.
What am I missing ? And specifically, can anonymousAuth be used to authenticate with Windows accounts (I know it’s an odd usecase, because I can just use WindowsAuthentication)?
Source: Windows Questions