IIS sub authenticator errors appear in the Windows Event Log when accessing web mail or web administration


If using Windows 2003 server, IIS sub authenticator errors may appear in the event log.

An example of the error follows:

The registry key for IIS subauthenticator is not configured correctly on local machine, the anonymous password sync feature is disabled.


This issue may occur with IIS 6 or later if IIS has been configured with virtual directories with the setting to force password synchronization. For more information on the legacy IIS sub authentication feature of IIS, review Microsoft's Knowledge Base.


There are two known reasons why sub authentication errors could occur in conjunction with MailEnable.

These are outlined below:

1. Using IIS 6 or later and the subauthenitcation has been programatically enabled

MailEnable has configured the sub authenticator feature of IIS 6 because it could not correctly determine the version of IIS installed on the server.

It is possible that the MailEnable installation wizard did not detect IIS6 and has configured the sub authenticator module for the IIS virtual directories it creates. The solution to this is to download and install the current release of MailEnable as it disables the sub authenticator feature of IIS for the virtual directories created by MailEnable.


  1. From the MailEnable BIN directory, run the MEInstaller and select the second option from the list titled "WebMail Installation".
  2. Select the execute button.
  3. MEInstaller will prompt for a password and either slightly modify the default password it provides or make up one.
  4. Close the MEInstaller application.

2. The server error could occur if the server was upgraded from Windows 2000 or a former version of IIS was upgraded to IIS6 or later.

If the server was upgraded from W2K/IIS 5 to IIS 6, there may be errors reported in relation to legacy IIS components that were transitioned in the upgrade.

The solution provided under point 1 will also address this issue, however a generic means of disabling the sub authention module for IIS6 follows:

If the server was upgraded from Windows 2000 or an earlier version of IIS, then disable the IIS sub authentication password sync feature of IIS (as the setting is not needed on IIS 6). 

This can be done from the command line as outlined here:

c:\inetpub\adminscripts>adsutil.vbs set w3svc/AnonymousPasswordSync 0

The adsutil script mentioned above ensures that the sub authentication module is disabled for IIS6.
The script disables the legacy IIS sub authenticator module of IIS (which is no longer enabled by default under IIS 6 or presumably later versions of IIS).


More information on the IIS sub authentication feature can be found in the Microsoft Knowledge Base by searching for "subauthentication". See http://support.microsoft.com

Product:MailEnable (Custom: Custom: Custom: Custom: Custom: Custom: Custom: Custom: Custom:)
Class:PRB: Product Problem or Issue
Revised:Wednesday, May 4, 2016