I have a legacy web app hosted using PHP by IIS. Access to some of the directories of that app is restricted using the following configuration in web.config of the root directory. That makes the Windows username available as REMOTE_USER, so that the app can map that username into an individual database to check authorization. This works and MUST NOT be changed.
<location path="lsgprog/bibliothek/adm">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
Access to some other directories is restricted as well and as well using credentials provided by Windows. So those other directories have anonymousAuthentication disabled and windowsAuthentication enabled as well. The difference is 1. that those settings are made in the GUI of IIS and 2. that authorization is actually checked against the file system. This means that the directories simply have read access only for some special groups of users, those groups and users are maintained by some Active Directory and because the app uses Windows auth, things simply work. Users authenticate at their Windows, open Internet Explorer, request the restricted parts of the site, IIS gets the username, group membership etc., checks access to the restricted directories in the file system and grants or denies it.
All of that is configured manually using the GUI of IIS and I want to migrate that to web.config. Enabling Windows auth for some directories is already documented above, what I'm missing is how to allow/deny access to users and groups, which is the file system part. I've already found the element authorization, which pretty much looks like what I want, but whatever I try doesn't work.
<location path="lsgprog/vfristen">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
<system.web>
<authorization>
<deny users="*"
roles="*"
verbs="GET,HEAD,POST" />
</authorization>
</system.web>
</location>
My expectation was that the above is enough to DENY access to all users, but that doesn't work and any approach based on ALLOW doesn't as well. I hoped that users and roles could simply be mapped against the username and group names of the currently requesting user. What I don't want is form based authorization or converting directories to "apps" or anything that needs to be done outside of web.config.
So, is what I'm trying to do possible at all and if so, how? Thanks!
In this scenario there are multiple options, first - try and add a web.config file to the folder that needs to have its' own permissions e.g. under lsgprog/vfristen, the minimum web.config example which will deny all users access:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
Why does it work - IIS looks at each folder structure for web.config files, in this case the child will overwrite the parent but only the nodes that are inside the child - meaning it will preserve all other settings from the parent (root) web.config:
Make application and directory-specific configuration settings in an ASP.NET application
Although the documentation above is for ASP.NET it applies at the IIS level as well.
Second option to try - since the question mentioned the root of the project is lsgprog then this setting in web.config:
<location path="lsgprog/vfristen">
Should be changed to (remove the root folder of the project from the path):
<location path="vfristen">
Finally third option which could also work is overwriting it at the Machine.config level as mentioned in the above document:
Use the location element in the Machine.config file
When the allowOverride attribute is false, the Web.config files in the web application directories can't override the settings that you specified in the element. This is a useful setting in environments where you must restrict application developers in how they configure a web application. The following example shows a part of a Machine.config file that requires authentication to access the MyApp application on the default Web site and that can't be overridden by settings in a Web.config file:
Machine.config
<configuration>
<location path="Default Web Site/MyApp" allowOverride="false">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
</configuration>
You could try to add the below code in your site web.config file:
<location path="foldername">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
<location path="foldername/page1.php">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="DOMAIN\ADGROUP" />
<add accessType="Deny" users="*" />
</authorization>
</security>
</system.webServer>
</location>
Edit: need to install the URL Authorization in iis to make this rule work.
https://learn.microsoft.com/en-us/iis/manage/configuring-security/understanding-iis-url-authorization
Well, I'm at a loss. I've looked everywhere and I'm still getting errors. I have a folder with a couple of pdf files stored in it. The folder is called "docs" and it's in the root directory of my project. I placed a web.config file in the folder with the following code...
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
I also tried placing the code in my root web.config file using the following code...
<location path="/docs">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Both of these code blocks produce a 500 server error. Unfortunately, I don't have access to the detailed server error since I'm on shared hosting. Any ideas?
Edit: Sorry... That's what I get for posting a question a 1am. I want to secure the folder so that only those users who are logged in and authorized can access it and download files.
I had a similar problem (see here). The solution was to add the web.config to the directory but also to add a handler directive to it. This worked for me.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<system.webServer>
<handlers>
<add name="PDFHandler" verb="*"
path="*.pdf"
type="System.Web.StaticFileHandler"
resourceType="Unspecified" />
</handlers>
</system.webServer>
</configuration>
I want to secure the folder so that only those users who are logged
in and authorized can access it and download files.
If you just want to restrict downloads to logged-in and authenticated users, then GlenBee’s solution is by far the simplest and most effective one.
If you need to restrict access by role and/or claim, you have two choices:
If you are comfortable with security by obscurity, you can control access to the page that has the links to the files. The files are stored within the wwwroot, so that all you need to do is link to them on a page that does the role/claim filtering. The downside is that anyone can guess the file paths and names, and gain access to them without having the correct role/claim (although you should still secure the file directory for only authenticated users as per GlenBee’s solution).
If you need to ensure that, without exception, no-one can access the files except those people authorized to do so by virtue of their role/claim (or some other requirement, such as direct ownership), you will have to protect not just the page with the links (filtering for role/claim/ownership), but also create a file handler that passes the files off to the user to be downloaded (filestream, etc.), and to have the files themselves stored outside of wwwroot so they cannot be accessible via plain HTTP. This ‘file hand-off script’ ensures that the user being handed the file actually has the role/claim/ownership required, instead of just being able to blindly guess the path to the file; and storing the file outside of wwwroot ensures that only the script can grab the file in the first place.
I am doing the same thing, here is the contents of the web.config that I placed in the folder:
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
And with the errors:
A simple solution I do is turn on health monitoring and have it email me errors, this is in my root web.config:
<system.web>
<healthMonitoring enabled="true">
<eventMappings>
<clear/>
<!-- Log ALL error events -->
<add name="All Errors" type="System.Web.Management.WebBaseErrorEvent, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" startEventCode="0" endEventCode="2147483647"/>
<!-- Log application startup/shutdown events -->
<!--<add name="Application Events" type="System.Web.Management.WebApplicationLifetimeEvent" startEventCode="0" endEventCode="2147483647"/>-->
</eventMappings>
<providers>
<clear/>
<!-- Provide any customized SqlWebEventProvider information here (such as a different connection string name value -->
<add name="SqlWebEventProvider" connectionStringName="ConnectionString" maxEventDetailsLength="1073741823" buffer="false" type="System.Web.Management.SqlWebEventProvider"/>
<add name="EmailWebEventProvider" buffer="false" type="System.Web.Management.SimpleMailWebEventProvider" from="website#example.com" to="webmaster#example.com" subjectPrefix="Website Error: "/>
</providers>
<rules>
<clear/>
<add name="All Errors Default" eventName="All Errors" provider="SqlWebEventProvider" profile="Default" minInstances="1" maxLimit="Infinite" minInterval="00:00:00"/>
<!--<add name="Application Events Default" eventName="Application Events" provider="SqlWebEventProvider" profile="Default" minInstances="1" maxLimit="Infinite" minInterval="00:00:00"/>-->
<add name="All Errors To E-Mail" eventName="All Errors" provider="EmailWebEventProvider" profile="Default" minInstances="1" maxLimit="Infinite" minInterval="00:00:00"/>
</rules>
</healthMonitoring>
</system.web>
<system.net>
<mailSettings>
<smtp from="no_reply#example.com">
<network host="mail.example.com" userName="website#example.com" password="P#$$w0rd"/>
</smtp>
</mailSettings>
</system.net>
I have 2 login pages: Login.aspx-for customer login and xlogin.aspx for admin login
i just uploaded my project to the server and all application pages works great
but when i log in the admin xlogin.aspx i'm being forwarded to the admin.aspx page - but i get this error:
Server Error in '/' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
</system.web>
</configuration>
This is my web.config
<?xml version="1.0"?>
<configuration>
<connectionStrings>
<clear/>
<add name="PROJEntities" connectionString="metadata=res://*/PROJModel.csdl|res://*/PROJModel.ssdl|res://*/PROJModel.msl;provider=System.Data.SqlClient;provider connection string="Data Source=000.000.0.00;Initial Catalog=DBNAME;User ID=MYUSERNAME;Password=MYPASS;MultipleActiveResultSets=True"" providerName="System.Data.EntityClient"/>
</connectionStrings>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" timeout="720" slidingExpiration="true" defaultUrl="~/Gateway.ashx"/>
</authentication>
<customErrors mode="Off"/>
<pages enableEventValidation="false" viewStateEncryptionMode="Never"></pages>
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
<system.web.extensions>
<scripting>
<webServices>
<jsonSerialization>
<converters>
<add type="PROJ.Presentation.Common.DateTimeConverter" name="DateTimeJavaScriptConverter"/>
</converters>
</jsonSerialization>
</webServices>
</scripting>
</system.web.extensions>
</configuration>
Dear olga is clear what the message says. Turn off the custom errors to see the details about this error for fix it, and then you close them back. So add mode="off" as:
<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>
Relative answer:
Deploying website: 500 - Internal server error
By the way: The error message declare that the web.config is not the one you type it here. Maybe you have forget to upload your web.config ? And remember to close the debug flag on the web.config that you use for online pages.
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a "web.config" configuration file located in the root directory of the current web application. This tag should then have its "mode" attribute set to "Off".
This can be the message you receive even when custom errors is turned off in web.config file. It can mean you have run out of free space on the drive that hosts the application. Clean your log files if you have no other space to gain on the drive.
In my case I got this message because there's a special char (&) in my connectionstring, remove it then everything's good.
Cheers
I am trying to deploy an ASP.NET application. I have deployed the site to IIS, but when visiting it with the browser, it shows me this:
Server Error
500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.
After fiddling around with the web.config, I got:
The page cannot be displayed because an internal server error has occurred.
How can I see the actual issue behind this server error?
First, you need to enable and see detailed errors of your web messages, because this is a general message without giving information on what's really happening for security reasons.
With the detailed error, you can locate the real issue here.
Also, if you can run the browser on the server, you get details on the error, because the server recognizes that you are local and shows it to you. Or if you can read the log of the server using the Event Viewer, you also see the details of your error.
###On IIS 6
<configuration>
<system.web>
<customErrors mode="Off"/>
<compilation debug="true"/>
</system.web>
</configuration>
###On IIS 7
<configuration>
<system.webServer>
<httpErrors errorMode="Detailed" />
<asp scriptErrorSentToBrowser="true"/>
</system.webServer>
<system.web>
<customErrors mode="Off"/>
<compilation debug="true"/>
</system.web>
</configuration>
Note: You can avoid the Debug=true. You only need to close the custom errors for a while and get the detailed error page.
This can help: How to enable the detailed error messages (from IIS).
I was pulling my hair out over this issue. Making sure the following entry was in the root web.config file fixed it for me:
<configuration>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
</configuration>
Remember that you have to add this to the existing XML elements, if they're already there. You can't just add at the end of the file, because you can't have multiple copies of any element.
For me, the following code in the web.config was the culprit. When I removed it, the web site worked fine.
<staticContent>
<mimeMap fileExtension=".mp4" mimeType="video/mp4" />
</staticContent>
I finally solved this "500 Internal server" error when deploying the ASP.NET MVC 3.0 application on godaddy.ocm shared hosting.
somehow there were discrepancies on the version of DLL files referenced and version mentioned in file web.config.
I tried all the options mentioned in various forum. Nothing helped, although everyone suggested the same kind of fix, but somehow it didn't work in my scenario. Finally after banging my head for two days.
I decided to delete all DLL file reference and delete web.cofig (make a local copy) from the project and let the application throw the error and then add the DLL files one by one making copy to local=true.
After all the DLL files were added, I created a new ASP.NET MVC application and copied the web.config of new application to my actual application.
So my actual application now has a new web.config, and then I copied the connectionstring and other references from the local copy of web.config that I saved.
I just compiled the application and published to a local folder
and FTP the published folder to goDaddy.
It worked and finally my problem was solved.
In my case, I put a mistake in my web.config file. The application key somehow was put under the <appSettings> tag. But I wonder why it doesn't display a configuration error. The error 500 is too generic for investigating the problem.
My first attempt to publish and then run a very simple site serving only HTML produced "The page cannot be displayed because an internal server error has occurred."
The problem: I had the site set to .NET 3.5 in Visual Studio (right click web site project -> Property Pages -> Build), but had the Web Site in Azure configured as .NET 4.0. Oops! I changed it to 3.5 in Azure, and it worked.
In addition to the other suggestions, make sure to change the existingResponse attribute of the httpErrors node to Auto from Replace, or to remove that property entirely.
<httpErrors existingResponse="Replace" />
^^^^^^^ not going to work with this here
Server Error 500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed. Goddady. Hosting - Web - Economy - Windows Plesk
In my case, I replace this code:
<configuration>
<system.webServer>
<httpErrors errorMode="Detailed" />
<asp scriptErrorSentToBrowser="true"/>
</system.webServer>
<system.web>
<customErrors mode="Off"/>
<compilation debug="true" targetFramework="4.0"/>
</system.web>
</configuration>
Then change framework 3.5 to framework 4. It shows my detailed error. I delete code in:
<httpModules></httpModules>
It solved my problem.
IIS also reports status code 500 without any event log hints if there are insufficient permissions on the physical home directory (i.e. IIS_IUSRS has no access).
For IIS 10 There is a extra step to do other than changing the customErrors=Off to show the error content.
<system.web>
<customErrors mode="Off" />
</system.web>
<system.webServer>
<httpErrors existingResponse="PassThrough" errorMode="Detailed"/>
</system.webServer>
Raul answered the question in this link Turn off IIS8 custom errors by Raul
Probably your web.config file is wrong or is missing some tag. I solved my problem using the correct config tags for .NET 4.
<system.web>
<compilation debug="true" strict="false" explicit="true" targetFramework="4.0">
<assemblies>
<add assembly="System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Web.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
</assemblies>
</compilation>
<pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
<namespaces>
<clear/>
<add namespace="System"/>
<add namespace="System.Collections"/>
<add namespace="System.Collections.Specialized"/>
<add namespace="System.Configuration"/>
<add namespace="System.Text"/>
<add namespace="System.Text.RegularExpressions"/>
<add namespace="System.Web"/>
<add namespace="System.Web.Caching"/>
<add namespace="System.Web.SessionState"/>
<add namespace="System.Web.Security"/>
<add namespace="System.Web.Profile"/>
<add namespace="System.Web.UI"/>
<add namespace="System.Web.UI.WebControls"/>
<add namespace="System.Web.UI.WebControls.WebParts"/>
<add namespace="System.Web.UI.HtmlControls"/>
</namespaces>
</pages>
<authentication mode="None"/>
</system.web>
I realized the permissions for the files and folders in your server also matter. I uploaded my files from a linux operating system and usually the permissions are limited for read and write. So when uploaded, the permission are still same as in the local machine.
I had the same error and i just changed the permissions for the folder i had uploaded and the error was gone.
Hope it helps someone.
500 Internal Error
Windows Hosting Error
Godaddy Hosting issue
I have been facing the same issue, but now my issue has been resolved. Always use in this hosting this it works.
I will also recommend you all to do whatever changes you are looking to make in your web.config file. Please do it one by one and test the same on the live domain so that you can find the exact problem or the features that your hosting provider does not allow you to use.
<?xml version="1.0"?>
<configuration>
<system.web>
<trust level="Medium"/>
<compilation debug="true" targetFramework="4.5">
<assemblies>
<add assembly="System.Data.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
</assemblies>
</compilation>
<httpRuntime targetFramework="4.5" />
<sessionState mode="InProc" cookieless="false" timeout="90" />
<authentication mode="Forms">
<forms loginUrl="default.aspx"
defaultUrl="default.aspx"
protection="All"
cookieless="UseCookies"
slidingExpiration="false"
timeout="30"
name="aeon.corpusjuris.in" />
</authentication>
<customErrors
mode="Off"
defaultRedirect="errorpage.aspx">
<error statusCode="403" redirect="errorpage.aspx"/>
<error statusCode="404" redirect="errorpage.aspx"/>
</customErrors>
<!-- <httpModules>
<add name="HTTPCaching" type="HTTPCaching"/>
</httpModules>
-->
</system.web>
<runtime>
<performanceScenario value="HighDensityWebHosting" />
</runtime>
<system.webServer>
<!-- <modules runAllManagedModulesForAllRequests="true">
<add name="HTTPCaching" type="HTTPCaching"/>
</modules>
-->
<defaultDocument>
<files>
<clear />
<add value="default.aspx" />
</files>
</defaultDocument>
<httpErrors errorMode="Detailed" />
<asp scriptErrorSentToBrowser="true"/>
<staticContent>
<clientCache cacheControlCustom="public"
cacheControlMaxAge="60:00:00"
cacheControlMode="UseMaxAge" />
</staticContent>
</system.webServer>
<system.web.extensions>
<scripting>
<webServices>
<jsonSerialization maxJsonLength="90000000">
</jsonSerialization>
</webServices>
</scripting>
</system.web.extensions>
</configuration>
If you're using a custom HttpHandler (i.e., implementing IHttpModule), make sure you're inspecting calls to its Error method.
You could have your handler throw the actual HttpExceptions (which have a useful Message property) during local debugging like this:
public void Error(object sender, EventArgs e)
{
if (!HttpContext.Current.Request.IsLocal)
return;
var ex = ((HttpApplication)sender).Server.GetLastError();
if (ex.GetType() == typeof(HttpException))
throw ex;
}
Also make sure to inspect the Exception's InnerException.
500 internal server error can arise due to several reasons. First reason might be that web.config file is not properly created, means you have missed some tag in the web.config file. Secondly this error can be due to some code problem. To check which component of the web application is causing this error you can check Application setting in web.config file. The detail of solving and tracing 500 internal server error with diagram is given here:
Make sure your account uses IIS 7. For more information, see Customizing IIS Settings on Your Windows Hosting Account.
Follow the instructions in Changing Pipeline Mode on Your Windows IIS 7 Hosting Account. Select Integrated Pipeline Mode.
In your Project References section, set Copy Local to True for the following assemblies:
System.Web.Abstractions
System.Web.Helpers
System.Web.Routing
System.Web.Mvc
System.Web.WebPages
Add the following assemblies to your project, and then set Copy Local to True:
Microsoft.Web.Infrastructure
System.Web.Razor
System.Web.WebPages.Deployment
System.Web.WebPages.Razor
Publish your application.
Sometimes, the reason might be one of your .dll assemblies is not registered correctly on the server.
For example, you can successfully run a C# Excel web application on your local machine with Office installed, while getting the 500 error on server deployment, because there is no Office suite installed on the server, and thus you get the server error.
For those who have this possibility (VPS hosting not web hosting):
Connect to your hosting server via Remote Desktop. Open Web Browser from your remote desktop and you will see the detail description of the error.
You don't need to modify web.config or expose any details to anybody else.
If you are using IIS 8.5 it may be that you need to change the ApplicationPool ID setting from ApplicationPoolId to NetworkService
Right click the Application Pool in question, click on "Advanced Settings" and then scroll down to ID - it will probably be set to ApplicationPoolIdentity. Click the button (..) and select NetworkService from the dropdown list instead.
Also make sure that if it is a .NET 2.0 application that you are not referencing the 4.0 framework in your App Pool.
Before changing the web.config file, I would check that the .NET Framework version that you are using is exactly (I mean it, 4.5 != 4.5.2) the same compared to your GoDaddy settings (ASP.Net settings in your Plesk panel). That should automatically change your web.config file to the correct framework.
Also notice that for now (January '16), GoDaddy works with ASP.Net 3.5 and 4.5.2. To use 4.5.2 with Visual Studio it has to be 2012 or newer, and if not 2015, you must download and install the .NET Framework 4.5.2 Developer Package.
If still not working, then yes, your next step should be enabling detailed error reporting so you can debug it.
I recently got into same problem, the disk space was full on the server. Clearing some space has resolved the issue.
Try compiling in Debug mode (in Visual Studio). If you are in Release mode, a lot of URL Rewrite errors will not be available.
Image shows the Debug selection combobox in Visual Studio