Access denied by ACL on resource
- A request that uses NTLM authentication is made to the server. IIS tries to call the LoadLibraryW function. This call is unsuccessful because the NTLM credentials cannot be delegated.
Note: LoadLibraryW is the Unicode version of LoadLibrary. LoadLibrary maps the specified executable module into the address space of the calling process.
- The server receives another request that uses Basic authentication (for example, the request is received from a client that is using Microsoft Windows 98 or Netscape). In this case, because the token can be delegated, the LoadLibraryW call succeeds and returns a handle that is valid on the IIS server.
- The AccessCheck function is called on the handle to verify that the user has sufficient credentials to make the request. If the user has access, the request will succeed.
Note: AccessCheck determines whether a security descriptor grants a specified set of access rights to the client identified by an access token.
- A new request that uses NTLM authentication is received. A LoadLibraryW call is not required because a handle to the extension was loaded on the IIS server when the prior Basic authentication request succeeded. (In the case of content on a UNC share, the content may be cached on the server from the successful Basic request.) AccessCheck is called on the handle. This can be done without delegation because all of the objects and tokens are now local. If AccessCheck succeeds, IIS allows the request.
Important: AccessCheck is called on each request. If AccessCheck fails, IIS returns an HTTP 401 (unauthorized) error message. Because of this, no user is granted access without sufficient credentials. All three requests can be made by the same user, by different users, or any combination of the two. The important factor is whether IIS already has a handle or cached content for the request.
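The request sequence above can be replayed as a small state model. This is an added example, not Microsoft code, and it calls no Windows API: the `Server` class, the user names, the resource name `ext.dll` and the outcome strings are hypothetical, and the sample requests are constructed.

```python
from dataclasses import dataclass, field

# Per the steps above: a Basic token can be delegated, an NTLM token cannot.
DELEGABLE = {"Basic": True, "NTLM": False}


@dataclass
class Server:
    acl: dict                                   # resource -> users the ACL grants access
    handles: set = field(default_factory=set)   # resources already loaded or cached locally

    def handle_request(self, user, auth, resource):
        if resource not in self.handles:
            # Stands in for LoadLibraryW on content that is not yet local:
            # it only succeeds when the caller's token can be delegated.
            # Simplification (assumption): the load itself is not ACL-gated here.
            if not DELEGABLE[auth]:
                return "load-failed"
            self.handles.add(resource)
        # Stands in for AccessCheck: evaluated on every request, against the
        # local handle, so it needs no delegation.
        if user in self.acl.get(resource, set()):
            return "allowed"
        return "401"


def replay(server, requests):
    """Feed requests to the server in order and collect each outcome."""
    return [server.handle_request(*r) for r in requests]


# Constructed sample data.
SAMPLE_ACL = {"ext.dll": {"alice", "bob"}}
SAMPLE_REQUESTS = [
    ("alice", "NTLM", "ext.dll"),   # no handle yet, NTLM cannot delegate
    ("bob", "Basic", "ext.dll"),    # load succeeds, AccessCheck passes
    ("alice", "NTLM", "ext.dll"),   # handle is local now, AccessCheck passes
    ("carol", "NTLM", "ext.dll"),   # handle is local, but carol is not in the ACL
]

if __name__ == "__main__":
    outcomes = replay(Server(SAMPLE_ACL), SAMPLE_REQUESTS)
    for req, out in zip(SAMPLE_REQUESTS, outcomes):
        print(req, "->", out)
```

The identical NTLM request from `alice` fails first and succeeds later, which is the intermittent behavior the steps describe, while `carol` is still refused once the handle is cached.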
For more information about how to install SSL under IIS 5.0, click the following article number to view the article in the Microsoft Knowledge Base:
AccessCheck, visit the following MSDN Web site:
For more information about IIS authentication and why NTLM delegation fails, click the following article number to view the article in the Microsoft Knowledge Base:
Article ID: 332142 - Last Review: Feb 15, 2017 - Revision: 2