The default document is displayed in the Web browser of a user who is denied access to the default document file after you configure client certificate mappings on a computer that is running Internet Information Services 6.0

Consider the following scenario:

• On a computer that is running Microsoft Internet Information Services (IIS) 6.0, you add a default document to a virtual directory.
• You do not enable client certificate mapping for this virtual directory.
• You enable client certificate mapping on this default document.
• You configure permissions on the default document file to deny access to one or more user accounts.

In this scenario, when a user who is denied access to the default document file visits the virtual directory, the default document is displayed in that user's Web browser. You do not expect the default document to be displayed in the user's Web browser. Instead, you expect the user to receive the following error message:

This problem occurs if the following conditions are true:

• The default document has authentication settings that are different from the authentication settings of the parent node.
  
  Note This includes client certificate mapping settings.
• The user who visits the virtual directory does not specify the full URL of the default document file in the Address bar of the Web browser.

For example, you have the following URL of your default document: If a user who is denied access to the Default.asp file specifies the following URL, the Default.asp document is displayed:If the same user specifies the following URL, the user receives the error message that is mentioned in the "Symptoms" section:This problem occurs because the certificate mappings in IIS 6.0 do not correctly apply the metabase settings to the default document when the user does not specify the default document in the URL. If the user obtains the default document without explicitly specifying it in the URL, the server receives the client certificate. However, the client certificate mapping does not occur. In this scenario, the user is served the default document file when the user visits the Web site. However, the AUTH_USER server variable is not set.

To work around this problem, configure your Web site to redirect users to the default document file.

Note This workaround decreases the performance of your Web server.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

For additional information, visit the following Microsoft Web sites: