FIX: "Access Denied" Error When You Access ASP Files (172954)
The information in this article applies to:
- Microsoft Active Server Pages, when used with:
- Microsoft Internet Information Server 3.0
- Microsoft Internet Information Server 4.0
This article was previously published under Q172954
SYMPTOMS
When you try to load secure Active Server Pages (ASP) files on Microsoft
Internet Information Server (IIS) servers with more than sixty virtual
roots, you may get the following error even if the user account has been
granted explicit rights to the file:
HTTP Error 401 Access Denied
NOTE: This only occurs if the file permissions have been changed to grant the user account rights to the file after it has been accessed at least once.
CAUSE
This problem occurs because ASP caches template files after they have
been executed, so that they do not need to be continually recompiled.
The files are cached with a copy of the full Discretionary Access Control
List (DACL) as well as the file date attributes.
ASP uses the cached version of the DACL to determine if a user has
sufficient privilege to execute the ASP file.
On IIS servers with more than sixty virtual roots, cached template files are
reloaded when the file's last modified date changes. Because changes in
file permissions do not change a file's last modified attribute, cached
versions of files are not reloaded after permission changes. Therefore,
accounts recently given rights to a cached ASP file may get access
denied until the file is reloaded by a file size change, etc.
NOTE: ASP uses notification handles on IIS servers with fewer than sixty virtual roots. Because notification handles trigger on security changes, this is not a problem for IIS servers with fewer than sixty virtual roots.
RESOLUTION
The Asp.dll file was modified to check for cached file reload based on
the file's DACL as well as the last modified date.
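The caching behavior described under CAUSE and the corrected check described under RESOLUTION, modelled as an added example (this is not Microsoft's code or the Asp.dll implementation). The class names, the path, the accounts, and the reduction of a DACL to a set of allowed accounts are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class File:                       # stand-in for an .asp file on disk
    last_modified: int
    dacl: frozenset               # simplified DACL: accounts allowed to execute

@dataclass
class CacheEntry:                 # compiled template plus metadata copied at load time
    last_modified: int
    dacl: frozenset

class TemplateCache:
    def __init__(self, disk, compare_dacl):
        self.disk = disk
        self.compare_dacl = compare_dacl   # False = original check, True = fixed check
        self.entries = {}

    def _stale(self, entry, f):
        if entry.last_modified != f.last_modified:
            return True                    # content change: both versions reload
        # Fixed check only: also reload when the on-disk DACL differs from the copy.
        return self.compare_dacl and entry.dacl != f.dacl

    def request(self, path, user):
        f = self.disk[path]
        entry = self.entries.get(path)
        if entry is None or self._stale(entry, f):
            entry = CacheEntry(f.last_modified, f.dacl)
            self.entries[path] = entry
        # Authorization is decided against the cached DACL, not the one on disk.
        return 200 if user in entry.dacl else 401

def scenario(compare_dacl):
    path = "/secure/report.asp"            # constructed sample data
    disk = {path: File(1000, frozenset({"alice"}))}
    cache = TemplateCache(disk, compare_dacl)
    results = [cache.request(path, "alice")]          # first access populates the cache
    disk[path].dacl = frozenset({"alice", "bob"})     # grant bob; last_modified unchanged
    results.append(cache.request(path, "bob"))
    disk[path].last_modified = 1001                   # later edit to the file itself
    results.append(cache.request(path, "bob"))
    return results

if __name__ == "__main__":
    print("date-only check:", scenario(False))
    print("date + DACL check:", scenario(True))
```

With the date-only check, the newly granted account is refused until the file itself changes; with the DACL comparison, the grant takes effect on the next request.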
STATUS
Microsoft has confirmed this to be a problem in Microsoft Active Server
Pages version 1.0b. A supported fix is now available, but is not fully
regression-tested and should be applied only to systems experiencing this
specific problem. Unless you are severely impacted by this specific
problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Product Support Services for more information.
This bug was corrected in Windows 2000.
REFERENCES
For the latest Knowledge Base articles and other support information on
Visual InterDev and Active Server Pages, see the following page on the
Microsoft Technical Support site:
Modification Type: Major
Last Reviewed: 5/2/2006
Keywords: kbBug kberrmsg kbfix kbiis500fix kbOSWin2000fix kbSecurity kbWebServer KB172954