The default document is displayed in the Web browser of a user who is denied access to the default document file after you configure client certificate mappings on a computer that is running Internet Information Services 6.0 (311699)



The information in this article applies to:

  • Microsoft Internet Information Services version 6.0

This article was previously published under Q311699

SYMPTOMS

Consider the following scenario:
  • On a computer that is running Microsoft Internet Information Services (IIS) 6.0, you add a default document to a virtual directory.
  • You do not enable client certificate mapping for this virtual directory.
  • You enable client certificate mapping on this default document.
  • You configure permissions on the default document file to deny access to one or more user accounts.
In this scenario, when a user who is denied access to the default document file visits the virtual directory, the default document is displayed in that user's Web browser. You do not expect the default document to be displayed in the user's Web browser. Instead, you expect the user to receive the following error message:
You are not authorized to view this page

HTTP Error 401.5 - Unauthorized: Authorization failed by an ISAPI/CGI application.
Internet Information Services.

CAUSE

This problem occurs if the following conditions are true:
  • The default document has authentication settings that are different from the authentication settings of the parent node.

    Note This includes client certificate mapping settings.
  • The user who visits the virtual directory does not specify the full URL of the default document file in the Address bar of the Web browser.
For example, you have the following URL of your default document:

https://myserver.contoso.com/virtualdirectory1/default.asp

If a user who is denied access to the Default.asp file specifies the following URL, the Default.asp document is displayed:

https://myserver.contoso.com/virtualdirectory1

If the same user specifies the following URL, the user receives the error message that is mentioned in the "Symptoms" section:

https://myserver.contoso.com/virtualdirectory1/default.asp

This problem occurs because the certificate mappings in IIS 6.0 do not correctly apply the metabase settings to the default document when the user does not specify the default document in the URL. If the user obtains the default document without explicitly specifying it in the URL, the server receives the client certificate. However, the client certificate mapping does not occur. In this scenario, the user is served the default document file when the user visits the Web site. However, the AUTH_USER server variable is not set.
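To find configurations that meet the first condition above, the following added example (not Microsoft's code) audits a metabase export for default documents whose AuthFlags or AccessSSLFlags are set differently from the value inherited from the parent node. The sample XML is constructed, and the assumed MetaBase.xml layout and the helper names (flags, inherited, find_mismatched_default_docs) are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of an IIS 6.0 MetaBase.xml export. Assumed layout:
# each key is an element with a Location attribute; flag values are "A | B" strings.
SAMPLE = """<MBProperty>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AuthFlags="AuthAnonymous"
      DefaultDoc="Default.htm,Default.asp"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/virtualdirectory1"
      AccessSSLFlags="AccessSSL"/>
  <IIsWebFile Location="/LM/W3SVC/1/ROOT/virtualdirectory1/default.asp"
      AccessSSLFlags="AccessSSL | AccessSSLNegotiateCert | AccessSSLMapCert"/>
  <IIsWebFile Location="/LM/W3SVC/1/ROOT/virtualdirectory1/report.asp"
      AuthFlags="AuthNTLM"/>
  <IIsWebFile Location="/LM/W3SVC/1/ROOT/Default.htm" AuthFlags="AuthAnonymous"/>
</MBProperty>"""

AUTH_PROPS = ("AuthFlags", "AccessSSLFlags")  # includes certificate mapping flags

def flags(value):
    """Normalise 'A | B' into a set so order and spacing do not matter."""
    return {f.strip() for f in (value or "").split("|") if f.strip()}

def inherited(keys, location, prop):
    """Walk up the metabase path until some key sets prop explicitly."""
    while location:
        if prop in keys.get(location, {}):
            return keys[location][prop]
        location = location.rpartition("/")[0]
    return None

def find_mismatched_default_docs(xml_text):
    """Return (location, property) for default documents overriding the parent."""
    keys = {}
    for el in ET.fromstring(xml_text).iter():
        if el.get("Location"):  # metabase paths are case-insensitive
            keys[el.get("Location").lower()] = dict(el.attrib, _tag=el.tag.rpartition("}")[2])
    findings = []
    for loc, attrs in sorted(keys.items()):
        parent, _, name = loc.rpartition("/")
        default_docs = (inherited(keys, parent, "DefaultDoc") or "").lower().split(",")
        if attrs["_tag"] != "IIsWebFile" or name not in [d.strip() for d in default_docs]:
            continue
        for prop in AUTH_PROPS:
            if prop in attrs and flags(attrs[prop]) != flags(inherited(keys, parent, prop)):
                findings.append((loc, prop))
    return findings

if __name__ == "__main__":
    print(find_mismatched_default_docs(SAMPLE))
```

Each finding is a default document that a directory-only URL can serve without the file-level authentication settings being applied, so it is a candidate for the redirect described under "Workaround".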

WORKAROUND

To work around this problem, configure your Web site to redirect users to the default document file.

Note This workaround decreases the performance of your Web server.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Modification Type: Major
Last Reviewed: 6/19/2006
Keywords: kbnofix kbBug kbtshoot kbWebFolder kbenable kbConfig kbAuthentication kbSecurityServices kbClient kbCertServices kbBrowse kbprb KB311699 kbAudDeveloper