The default document is displayed in the Web browser of a user who is denied access to the default document file after you configure client certificate mappings on a computer that is running Internet Information Services 6.0

Article ID: 311699
Last Review: December 3, 2007
Revision: 2.2
This article was previously published under Q311699

SYMPTOMS

Consider the following scenario:
  • On a computer that is running Microsoft Internet Information Services (IIS) 6.0, you add a default document to a virtual directory.
  • You do not enable client certificate mapping for this virtual directory.
  • You enable client certificate mapping on this default document.
  • You configure permissions on the default document file to deny access to one or more user accounts.
In this scenario, when a user who is denied access to the default document file visits the virtual directory, the default document is displayed in that user's Web browser. You do not expect the default document to be displayed in the user's Web browser. Instead, you expect the user to receive the following error message:
You are not authorized to view this page

HTTP Error 401.5 - Unauthorized: Authorization failed by an ISAPI/CGI application.
Internet Information Services.


CAUSE

This problem occurs if the following conditions are true:
  • The default document has authentication settings that are different from the authentication settings of the parent node.
    Note: This includes client certificate mapping settings.
  • The user who visits the virtual directory does not specify the full URL of the default document file in the Address bar of the Web browser.
For example, you have the following URL of your default document:
https://myserver.contoso.com/virtualdirectory1/default.asp
If a user who is denied access to the Default.asp file specifies the following URL, the Default.asp document is displayed:
https://myserver.contoso.com/virtualdirectory1
If the same user specifies the following URL, the user receives the error message that is mentioned in the "Symptoms" section:
https://myserver.contoso.com/virtualdirectory1/default.asp
This problem occurs because the certificate mappings in IIS 6.0 do not correctly apply the metabase settings to the default document when the user does not specify the default document in the URL. If the user obtains the default document without explicitly specifying it in the URL, the server receives the client certificate. However, the client certificate mapping does not occur. In this scenario, the user is served the default document file when the user visits the Web site. However, the AUTH_USER server variable is not set.
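
One way to look for this behavior in server logs, as an added example that is not part of the original article: the Python code below scans IIS W3C extended log entries for requests to a protected directory URL that returned 200 with no user name recorded. It assumes that an unset AUTH_USER is logged as "-" in the cs-username field; the PROTECTED_DIRS set and the sample log lines are constructed for illustration.

```python
# Added example: flag IIS W3C log entries where a protected directory URL was
# served (status 200) with no mapped user, matching the cause described above.
# Assumption: an unset AUTH_USER appears as "-" in the cs-username field.

# Hypothetical list of directories whose default document uses certificate mapping.
PROTECTED_DIRS = {"/virtualdirectory1"}

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem s-port cs-username c-ip sc-status sc-substatus
2007-12-03 10:00:01 GET /virtualdirectory1/default.asp 443 CONTOSO\\alice 192.0.2.10 200 0
2007-12-03 10:00:05 GET /virtualdirectory1/default.asp 443 - 192.0.2.11 401 5
2007-12-03 10:00:09 GET /virtualdirectory1/ 443 - 192.0.2.11 200 0
2007-12-03 10:00:12 GET /public/ 443 - 192.0.2.12 200 0
"""

def parse_w3c(text):
    """Yield one dict per log entry, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def unmapped_default_document_hits(text, protected_dirs=PROTECTED_DIRS):
    """Return entries where a protected directory URL returned 200 with no user."""
    hits = []
    for entry in parse_w3c(text):
        # Normalize the directory request: drop the trailing slash, ignore case.
        stem = entry.get("cs-uri-stem", "").rstrip("/").lower()
        if (stem in protected_dirs
                and entry.get("sc-status") == "200"
                and entry.get("cs-username", "-") == "-"):
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for hit in unmapped_default_document_hits(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"])
```

An explicit request for default.asp by the same client shows up as 401 with substatus 5 in the sample, so only the directory request is reported.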


WORKAROUND

To work around this problem, configure your Web site to redirect users to the default document file.

Note: This workaround decreases the performance of your Web server.


STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


REFERENCES

For additional information, visit the following Microsoft Web sites:
  • Client certificate mapping
    http://www.microsoft.com/resources/documentation/IIS/6/all/techref/en-us/iisRG_SEC_45.mspx
  • Configuring server certificates for SSL
    http://technet2.microsoft.com/WindowsServer/f/?en/Library/25d55423-291d-4451-8341-e59ebb5d515f1033.mspx
  • How to: Set up client certificates
    http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT17.asp
  • How to: Set up SSL on a Web server
    http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT16.asp



APPLIES TO
Microsoft Internet Information Services 6.0


Keywords: 
kbtshoot kbbug kbnofix kbwebfolder kbenable kbprb kbconfig kbauthentication kbclient kbbrowse kbcertservices kbsecurityservices KB311699
