PRB: Cannot Access Network Resource If Client Certificate Mapped

ID: Q191566

The information in this article applies to:

Microsoft Internet Information Server version 4.0

SYMPTOMS

Active Server Pages (ASP) Access to network resources fails if the application is running an SSL session utilizing a client certificate that is mapped to an NT account.

Examples of errors include the following:

Using the Scripting.FileSystemObject to access a file stored on a network share. The resulting error message would be as follows:

Server object error 'ASP 0177:800a0046'
Server.CreateObject Failed

Accessing an Access database on a network server. The resulting error message would be as follows:

Microsoft OLE DB Provider for ODBC Drivers error '80004005'

[Microsoft][ODBC Microsoft Access 97 Driver] The Microsoft Jet
Database engine cannot open the file '******'. It is already opened
exclusively by another user, or you need permission to view its data.

For more information on accessing network resources from IIS, please see the following article in the Microsoft Knowledge Base:

Q158229 : INFO: Security Ramifications for IIS Applications

CAUSE

The error is a result of the Client Certificate Mapping process performing a NETWORK logon when impersonating the mapped userid. A NETWORK logon disallows access to resources outside of those that exist on the local machine.

RESOLUTION

To work around this issue, move data locally, or do not map your client certificate to a Windows NT account. Other options would be Anonymous, or Basic authentication.

STATUS

Microsoft is researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.

Keywords : kbGrpASP
Version : WINNT:4.0
Platform : winnt
Issue type : kbprb