Microsoft KB Archive/173742

= FIX: Global.asa is not executed if restricting Web access =

Article ID: 173742

Article Last Modified on 6/30/2006


APPLIES TO


 * Microsoft Active Server Pages 4.0
 * Microsoft Internet Information Server 4.0




This article was previously published under Q173742



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx





SYMPTOMS
Session variables initialized in Global.asa's Session_OnStart are empty when access to the Web requires authentication, even though the user has sufficient permissions to access the Web site. There are many possible error messages associated with this behavior; the most common is:

    Microsoft OLE DB Provider for ODBC Drivers error '80004005'
    [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified
    / / .asp, line xx

NOTE: This problem applies only to Microsoft Internet Information Server 4.0 on Windows NT with NTFS. It does not apply to virtual roots hosted on a FAT partition.



CAUSE
Active Server Pages (ASP) requires Anonymous access to Global.asa regardless of the authentication process.



RESOLUTION
To fix this behavior, change the NTFS permissions on the Global.asa file to give the Anonymous Logon account -- as defined in the "Internet Service Manager" -- Read (RX) permissions. For instructions on setting file permissions, see Windows NT Help.
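
One way to apply this fix from a command prompt, as an added example that is not part of the original article: it grants the anonymous account Read on Global.asa only and leaves the folder restrictions in place. The virtual root path is hypothetical, and the account name assumes the default IIS anonymous account IUSR_<computername>; use the account shown in Internet Service Manager.

```batch
@echo off
rem Added example, not from the original article.
rem VROOT is a hypothetical path; ANON assumes the default anonymous account name.
set VROOT=C:\InetPub\wwwroot\MyApp
set ANON=IUSR_%COMPUTERNAME%

if not exist "%VROOT%\Global.asa" goto missing

rem Skip the change if the account already appears in the file's ACL.
cacls "%VROOT%\Global.asa" | find /I "%ANON%" >nul
if not errorlevel 1 goto show

rem /E edits the existing ACL. Without /E, cacls replaces the whole ACL,
rem which would remove the entries for your authenticated users.
rem R grants Read only; the anonymous account gets no write access.
cacls "%VROOT%\Global.asa" /E /G %ANON%:R

:show
rem Print the resulting ACL so the change can be reviewed.
cacls "%VROOT%\Global.asa"
goto end

:missing
echo Global.asa not found under %VROOT%

:end
```

Only Global.asa is changed; the other files in the virtual root keep the restricted permissions, so pages still require authentication.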



STATUS
Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article.

This problem was corrected in Windows 2000.



Steps to reproduce the behavior
1. Create a new project in Visual InterDev. If you are not using Visual InterDev, create a new virtual root in the "Internet Service Manager."

2. Create a new .asp file and copy the following code into the file. Save the file. If you are not using Visual InterDev, copy the file to your virtual root folder.

    <%@ LANGUAGE="VBSCRIPT" %>
    <HTML>
    <HEAD>
    <TITLE>Document Title</TITLE>
    </HEAD>
    <BODY>
    <%
    ' Read the value that Session_OnStart in Global.asa should have set
    x = Session("session_var")
    If x <> "" Then
        Response.Write "Global.asa was executed. Session_var=" & x
    Else
        Response.Write "Global.asa was NOT executed. Session_var=" & x
    End If
    %>
    </BODY>
    </HTML>

3. Copy the following code into your "Global.asa" file and save the file. If you are not using Visual InterDev, create a new file named "Global.asa," copy and paste the following code into it, save the file, and copy it to the virtual root folder.

    <SCRIPT LANGUAGE="VBScript" RUNAT="Server">
    ' Runs once at the start of each new session
    Sub Session_OnStart
        Session("session_var") = "Hello"
    End Sub
    </SCRIPT>

4. Restrict permissions on the Web. To do this, first browse to your virtual root folder. Next, right-click the folder and click Properties from the Shortcut menu. Next, click the Security tab and click Permissions. From the Directory Permissions dialog box, remove Everyone (if present) and the Internet Guest Account from the Name list. Next, make sure the Replace Permissions on Existing Files check box is selected. Finally, click OK.

5. In a browser, preview the file created in step 2.

Result: The Web page does not display the value of the session variable initialized in Global.asa.

<div class="references_section">