ASP.NET website shows 503 Service Unavailable after successful publishing - asp.net

Every time I try to publish a website, it runs fine but when the website opens up it gives me a,
"HTTP Error 503. The service is unavailable."
Everywhere I look on the internet talks about it being my application pool but that seems to be running fine. I think it may be my web.config file but I'm not entirely sure.
PLEASE can someone help me.
"PICTURE OF ERROR BELOW"

Make absolute sure the App Pool is running
Goto WinKey+R (Start > Run) type in InetMgr, press enter.
Left side, Connections, expand your computer or the server in question.
Select Application pools.
Start all pools that have their "Status" as Stopped.
Make sure the site is set to the correct pool
Not all sites are assigned to the default application pool, in this case, in the left side expand sites, find your site, expand it. In the right column, click Basic configurations.
Edit the application pool there, go back to the first block and make sure your newly assigned Application Pool is running.
Test it
Select your site again, In the right side, there is a Browse site group, click on Browse *:80 (or something like that, this should do it).
Check permissions on site's folder.
Go to your site folder and give full permission to NETWORK SERVICE.
Make sure Application Pool service is not disabled in windows services.
If everything else fails, go to Services.msc and set the service related to your app pool to Automatic (maybe you or someone disabled it for some reason, who knows).
Reinstall IIS
Go to Control panel > Programs and resources > Install Windows Resources, find everything related to .NET, ASP.NET and install. Check all leftover boxes from IIS and subselects.
If this fails, uninstall it completely then install it again.
Let us know if any of these work.

This is most times caused by Application pool which has been disabled or because the application pool identity is invalid.
Go too IIS > hostname > Application Pools (Observe the Application is stopped)
Right click and go to Advance Settings
On Identity Select an Identity Pool from the drop-down list (possibly change the identity already selected by default)
Restart the Application pool
To set up an Identity Pool to select from follow this link

Related

Why is my file supposedly unable to be read due to insufficient permissions (HTTP Error 500.19), when it has no restrictions on it?

I'm getting this error when I try to run a ASP.NET site (my first time trying to get it to run):
Yet looking at the file implicated (\C:\EnhancedSalesReporting\customerreportingnet\customerreportingnet\web.config), it doesn't seem to have any restrictions / insufficient permissons:
What is really the problem here, or what must I do to get beyond this frustrating block?
asp.net web.config 500.19 internalservererror configfile insufficientpermissions permissions
UPDATE
When I approached it differently by creating a Virtual Directory in IIS, pointing it to the location of these files, and then in VS selecting File > Open Website..., I fared no better, really. The err pages are different, but I'm stuck either way. That roadblock is described here.
UPDATE 2
When I attempt to follow the steps in the accepted answer in the link provided in the comment by Ken White, by trying to add "IIS_IUSRS" to Web.Config's Group or user names in the Security tab, I get "Name Not Found - An object named "IIS_IUSRS" cannot be found..."
Am I going about this the wrong way? I get the same results whether I try to edit Web.Config via Windows Explorer or from the Content View pane in IIS7.5 - is something else meant?
UPDATE 3
Another hint from that post referenced above is, "You should also check for the read-only attribute in the applicationhost.config file"
That's worth a try, but which one? I have 9 applicationhost.config files on my hard drive, and four of them look like likely prospects, those in the following locations:
C:\Program Files (x86)\IIS Express
C:\Program Files\IIS Express
C:\Users\cshannon\MyDocuments\IIS Express
C:\Windows\System32\inetsrv
Which, if any, of these, would it be advantageous to set readonly to false?
UPDATE 4
This is in response to Michael Liu's answer:
Thanks, Michael;
I followed your steps, but still get the same err page. I had expected it to work, and so I was a little surprised (abashed, even) that I ended up with the same old err page.
BTW, I saw no "Details" tab in Task Manager, but there is a "Show processes from all users" in the "Processes" tab.
Maybe this is the problem - there are three w3wp.exe entries in Task Manager:
Image Name User Name
---------- ---------
w3wp.exe *32 DefaultAppPool
w3wp.exe classicEservice
w3wp.exe NETWORK SERVICE
Should there be only one?
UPDATE 5
After restarting IIS7.5, I've got "just" two w3wp.exe entries in Task Manager:
w3wp.exe *32 (DefaultAppPool)
w3wp.exe (NETWORK SERVICE)
So is 2 one too many?
UPATE 6
In answer to Michael's updated steps:
Application Pool == classicEservice
In "Application Pools" the vals for classicEservice are:
Status == Started
.NET Framework Version == v2.0
Managed Pipeline Mode == Classic
Identity == ApplicationPoolIdentity
Applications == 5
Following the steps again, but replacing "DefaultAppPool" with "classicEservice" definitely gets me on the righ track, for I no longer get the 500.19 err page. Now it is "hourglassing" on http://localhost/CustomerReportingNET/pages/custmaint_entry.aspx.
I think maybe the "/pages/custmaint_entry.aspx" should get stripped off of that; I'll see what I need to do to accomplish that...
UPDATE 7
The first time it "hourglassed" until the cows came home, the second (and third) times it showed me this:
UPDATE 8
I tried "Start without Debugging" and stripped off the back end of the URL so that it is just "http://localhost/CustomerReportingNET/" but it still hourglasses (or "blue spinning donuts" I guess) like a whirling dervish that has overdosed on energy drinks.
The error “Cannot read configuration file due to insufficient permissions” means that the IIS worker process w3wp.exe is running under an account that doesn’t have permission to access Web.config. Indeed, your screenshot of Web.config’s file permissions shows a very restrictive set of accounts.
First, determine which account w3wp.exe is running as:
In IIS Manager, find and select your virtual directory in the left tree.
In the Actions pane on the right, click Basic Settings.
Make a note of the configured Application pool, and then click Cancel.
Select Application Pools in the left tree (it should be near the top of the list).
In the list of application pools, find the one you noted in Step 3, and look at the value in the Identity column.
IIS 7.5 and up (Windows 7, Windows Server 2008 R2)
I’m going to assume that the configured application pool is DefaultAppPool and that its identity is ApplicationPoolIdentity, which means a virtual account is created by IIS for the application pool. (Let me know if they're something else.)
You need to allow this virtual account to access your application folder:
In Windows Explorer, open the Properties dialog box for the folder containing Web.config (C:\EnhancedSalesReporting\customerreportingnet\customerreportingnet).
On the Security tab, click the Edit button to open the Permissions dialog box, and then click Add.
In the Select Users dialog box, click the Locations button, select your computer (likely the first item in the list, and IBM-JBAKER from your screenshot), and then click OK.
In the Enter the object names to select text box,
type IIS APPPOOL\DefaultAppPool (without any trailing spaces), and then click OK.
Alternatively, you can grant access to all IIS virtual accounts by typing IIS_IUSRS instead.
Back in the Permissions dialog box, the Read & execute and Read checkboxes in the Allow column should already be checked, so just click OK.
IIS 6.0/7.0 (Windows Vista, Windows Server 2003/2008)
On these operating systems, w3wp.exe runs as a "real" account (such as NETWORK SERVICE) instead of a virtual account. Follow the steps in the previous section, but in step 4, substitute the actual account shown in Task Manager (or IIS_WPG) for IIS APPPOOL\DefaultAppPool (or IIS_IUSRS).

IIS application pool identity not allowing the server to start

This question:
IIS application pool access to remote directory on network ask how to allow iis to have the ability to access a file on a network drive. The answer is to set up a user with the appropriate rights and set the application pool identity to that user. We've done that and when we restart the app pool we get a 503 error on our web app.
It appears that the app isn't actually starting.
Here are more details which may help you analyze the problem:
This is Windows Server 2008 R2, iis 7
Our username is abc123\_svc_OSAT (Domain name isn't actually abd123 but I need to obscure it rather than risk publishing internal company information)
As abc123\_svc_OSAT I can map a drive to \\FPIAPPS01\Logs which is a directory on a network server so we know that this user has network access.
In iis we click on our app pool, select Advanced Settings, select Identity, Select the .. button, select "Custom Account" and set it to the user abc123\_svc_OSAT and use the proper password. We then stop and start that application pool.
When looking at the app in a browser we get a 503 error. Checking the logs at C:\inetpub\logs\LogFiles\W3SVC1 we don't see any error. However, the application appears not to have actually started.
Does abc123_svc_OSAT need a specific permission which we may be
missing?
Is there any other place with a log file which we should
look to get a better idea of what is causing the problem?
Thank you.
Does abc123_svc_OSAT have access to directory that hosts your ASPX files? The log files you are looking at are only for logging access to your website. You will want to check the event viewer to see the actual IIS error.
We ended up making the user an administrator and that worked. That's probably too broad for sufficient security rights. We'll keep looking. But it does show that the issue was somehow related to user roles rather than a password issue.

What are the IIS 8 required NTFS Permissions?

This questions has been asked, A LOT, but I've yet to figure out a proper solution. I've got a Windows Server 2012 server with of course IIS 8. I'm setting up a very, very, simple website on it with an HTML file that has Hello World in it. On the folder for the website I have the following permissions set up:
SYSTEM (local account, Full Access)
Administrators (local group, Full Access)
FTP (domain account, Full Access)
NAME_OF_APPPOOL (virtual account, Full Access)
So, with all of these permissions I still get a 401.3 - Unauthorized error from IIS. What am I missing in all of this?
The only thing that's made the website accessible so far was a desperate attempt by putting Everyone with read-only permissions. I think we can all agree that's just dumb as far as security goes...
Update
This is what the Application Pool Identity is set to at the moment.
Check #5 to make sure the AppPool the site is using is actually set to use the Identity you are adding NTFS permissions for.
Specify an Identity for an Application Pool (IIS 7)
Open IIS Manager.
In the Connections pane, expand the server node and click Application Pools.
On the Application Pools page, select the application pool for which you want to specify an identity, and then click Advanced Settings in the Actions pane.
For the Identity property, click the ... button to open the Application Pool Identity dialog box.
If you want to use a built-in account, select the Built-in account option and select an account from the list.
So, since I was trying to access an HTML page (static content) it appears that IIS doesn't use the AppPool identity for static content... (double-U, T, and F?) So, to make it work you have to add IUSR as referenced here: IIS 8 401.3 with ACL and static content. Anyway, it works now, I'm just sooooo looking forward to the day when I put MVC on that site and it starts failing, again...

IIS7 Accessing Network Share

I am running IIS 7 on Windows Server 2008 R2 with PHP 5.4. One of my PHP scripts is trying to access a file on a protected network share using a UNC path. How can I change the IIS service account to an account that has permission to access the share? This is really easy to do on Apache HTTP server (you just change it), but it's not clear how to do with IIS. What can I do?
Update:
I was able to get things working using the "Connect As" option in the "Basic Settings" of my website and then specifying an account that has access to the network share. It appears that my problem is related to this question:
https://serverfault.com/questions/366234/iis-identities-application-pool-vs-connect-as-in-basic-settings
For IIS 7 running on Windows Server 2008 R2 ... In the IIS Manager, select the Application Pool under which your Web Site is running.
Click "Advanced Settings". There will be an entry for Identity (it is under the Process Model section). Click it, provide credentials for your account that has permission to access the share.
UPDATE
You should make sure that if you are using an Active Directory Domain Account, you provided that correctly under Identity for the running App Pool. For example, MYDOMAIN\myAccount.
After making this change, you will need to do the following:
Stop the Web Site.
Recycle your Application Pool.
Start the Web Site.
UPDATE II
From the comment discussion on this answer, #HydroPowerDeveloper was able to get the PHP script to be able to access the network share via UNC path using WebSite -> Basic Settings -> "Connect As" and setting the credentials there.
In the past, I have always used the approach of setting Identity via Application Pool and that has allowed my code to access Network shares via UNC path.
However, all of the sites/applications I have deployed on IIS are .NET based WCF or ASPX sites.
I would speculate (but am not 100% certain on this, would need research/testing to confirm) that the Identity specified in the Application Pool is used by executing .NET code, whereas the "Connect As" is used by the PHP script.
Generally the Application Pool is set using the least amount of privileges as possible.
http://msdn.microsoft.com/en-us/library/ff647402.aspx
The easiest route is to allow access to the current IIS account.
In Explorer, navigate to the shared directory.
Right Click -> Properties -> Security
If you don't see the expected IIS user in the list (Group or user names), edit and add the user as required.
I used "NETWORK SERVICE" -> Check names.
The detailed instructions are on that site.
In this way, the system is still restricted, we're ONLY allowing access to specific directories, we don't need to create any new users, we don't need to recycle the application pool and we don't need to perform any nifty impersonation code.
To resurrect an old question...
I've just been setting up a Win 2016 server that uses some Perl to access a UNC share. I set the Application Pool to an account that I verified had the correct permissions on that share. I then set up my site to 'Connect as...' (under 'Basic Settings') the same user. I still couldn't get access working.
Much head scratching later, I realised that my 'Virtual Directory', cgi-bin, was running under the original 'pass through' account. I then set up the virtual directory to 'Connect as...' the same account as the site and the application pool and, bingo, it all works fine.
So, remember to update any Virtual Directories as well as the site and App Pool...

Setting up a virtual directory on IIS7

I'm setting up our server so we can install an ASP.Net web application on it.
I right clicked Sites in the IIS7 Manager and selected Add Virtual Directory and I clicked the Test Settings button, this messages is displayed:
The server is configured to use pass-through authentication with a built-in
account to access the specified physical path. However, IIS Manager cannot
verify whether the built-in account has access. Make sure that the application
pool identity has Read access to the physical path. If this server is joined to
a domain, and the application pool identity is NetworkService or LocalSystem,
verify that <domain>\<computer_name>$ has Read access to the physical path.
Then test these settings again.
The message does not tell us how to do any of these things.
The server I'm setting up has Windows7 Home Premium installed on it. The computer is set up with all defaults set and has a computer name such as MyComputer-PC (not the real name). There is no domain set up.
Can you tell us how to do what is described in the message?
1) Go to IIS, click on the IIS entry that holds your virtual directory. On the right click on Basic Setting to see which appliatino pool it's using.
2) Go to IIS, go to application Pools. Right click on your application pool and check the advance setting -> Identity property to find out which user it's using.
3) Go to the folder that your IIS Entry maps to, make sure that user is added to this directory. If you want to give it write permission, give it write. Otherwise, make give it read & execute is fine.
The message is pretty clear in what needs to be done. Go to the Application Pool section of IIS and open the advanced settings of the default Application pool. Check what username is specified in the Identity property.
Go to the location where you are physically storing your virtual directory and go to the folder properties -> Security. Ensure that the user has the appropriate access.
Basically, you can ignore this message if you don't plan to write files to your site directory.
This message means that IIS can't check if it's system windows account has enough permissions on your site folder.

Resources