Problem: a specific Global Security Group cannot load ASP pages (but can load HTML pages).
Goal: allow access to the secure website files and directories according to Global Group membership. This
is a medical industry customer, so HIPAA compliance is mandatory (i.e.
file access and restrictions must be thoroughly configured and maintained).
Environment:
Windows 2003 Server, Std. Ed., single server with Active
Directory. IIS is serving a secure website to employees and
customers (amongst other non-related functions). IIS has been
configured with a commercial Server Certificate to encrypt
communication between the server and clients on the internet. Anonymous access has been
disabled, so users are required to log in to the website with their
username/password. (This was a 2000 Server, upgraded to 2003). I created a disk partition just for website files.
Detail: The employees are members of the Global Group
'Domain Users'. No problems for the employees to access the
website. The customers are members of the Global Group 'Web Site
Users' (and removed from Domain Users group). There is a virtual
directory mapped at the root level of the website named 'CustomerStuff'
that maps to the 'CustomerFiles' directory (located at another
drive/directory location).
In the CustomerFiles directory, I
created a simple test.html page which the customer can browse to
successfully. I copied the test.html to test.asp (leaving the
HTML markup as-is, no ASP scripting added), and browsing for the
customer is denied: "HTTP Error 401.3 - Unauthorized: Access is
denied due to an ACL set on the requested resource."
By
adding the 'Web Site Users' group to 'Domain Users' group, then
browsing ASP pages succeeds. This solution is not acceptable, as
the customers would then have unauthorized access to sensitive patient
information.
Attempts to resolve:
- The permissions for test.html and test.asp are identical (being in
the same directory, access to the directory is not an issue). I am
fairly certain this is NOT a file permissions issue. I believe
this to be some type of process level or possibly registry access permissions issue.
- Using Sysinternals' "Process Monitor" app, I have repeatedly
monitored browsing of test.html and test.asp, both successful and
unsuccessful access. Absolutely nothing presents itself as access
denied in the Process Monitor log, and I cannot detect where the process
becomes different for the 401.3 error.
- I have turned on failure auditing for:
  - System drive (including entire WINNT structure)
  - entire partition for ClientFiles
  - entire partition for website files
  - HKLM in the registry
  - all Audit Policies available in GPO
No FAILURE entries are to be found in the Security log.
I have attempted every trick I know of (and could find on the internet)
to determine what is causing the 401.3 access denied error. I
have also tried numerous tweaks to file structure and User Rights
permissions in an effort to find what is needed to allow the ASP page
to load (but I am very hesitant to be too aggressive opening
permissions, as this site needs to stay secure).
Thanks in advance for any ideas, as I now have over 10 hours troubleshooting this issue.
--Jay Ohman