Microsoft KB Archive/173742
Article ID: 173742
Article Last Modified on 6/30/2006
- Microsoft Active Server Pages 4.0
- Microsoft Internet Information Server 4.0
This article was previously published under Q173742
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
Session variables initialized in Global.asa's Session_onStart are empty when access to the Web requires authentication, even though the user has sufficient permissions to access the Web site. There are many possible error messages associated with this behavior; however, here's the most common:
NOTE: This problem applies only to Microsoft Internet Information Server 4.0 on Windows NT with NTFS. This does not apply to virtual roots hosted on an FAT partition
Active Server Pages (ASP) requires Anonymous access to Global.asa regardless of the authentication process.
To fix this behavior, change the NTFS permissions on the Global.asa file to give the Anonymous Logon account -- as defined in the "Internet Service Manager" -- Read (RX) permissions. For instructions on setting file permissions, see Windows NT Help.
Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article.
This problem was corrected in Windows 2000.
Steps to reproduce the behavior
- Create a new project in Visual InterDev. If you are not using Visual InterDev, create a new virtual root in the "Internet Service Manager."
Create a new .asp file and copy the following code into the file. Save the file. If you are not using Visual InterDev, copy the file to your virtual root folder.
<%@ LANGUAGE="VBSCRIPT" %> <HTML> <HEAD> <META NAME="GENERATOR" Content="Microsoft Visual InterDev 1.0"> <META HTTP-EQUIV="Content-Type" content="text/html; charset=iso-8859-1"> <TITLE>Document Title</TITLE> </HEAD> <BODY> <%x=Session("session_var") if x <>"" then response.write "Global.asa was executed.<br> Session_var="&x else response.write "Global.asa was NOT executed.<br> Session_var="&x end if%> </BODY> </HTML>
Copy the following code into your "Global.asa" file. Save the file. If you are not using Visual InterDev, create a new file named "Global.asa." Copy and paste the following code into the file, and copy the file to the virtual root folder. Save the file.
<SCRIPT LANGUAGE="VBScript" RUNAT="Server"> Sub Session_OnStart Session("session_var")="Hello" End Sub </SCRIPT>
- Restrict permissions on the Web. To do this, first explore out to your virtual root folder. Next, right-click the folder and click Properties from the Shortcut menu. Next, click the Security tab and click Permissions. From the Directory Permissions dialog box, remove Everyone (if present) and the Internet Guest Account from the Name list. Next, make sure the Replace Permissions on Existing Files check box is selected. Finally, click OK.
- Preview the file -- in a browser -- created in step 2. Result: The Web page does not display the value of the session variable initialized in Global.asa.
For the latest Knowledge Base articles and other support information on Visual InterDev and Active Server Pages, see the following page on the Microsoft Technical Support site:
Keywords: kbbug kbfix kbaspobj kboswin2000fix kbiis500fix KB173742