Error 403 while getting cfm page - iis-7

I have a very weird behavior from Coldfusion 8 and IIS 7.
On the IIS, a site is declared and one of the subsirectories is a virtual directory poiting to a local filesystem. Everything is working except for a subdirectory. All of the sudden, I get an error 403 Access Denied as soon as I try to access a subfolder.
I place a simple CFM page to make my tests:
<html>
<head>
</head>
<body>
<cfoutput>Test</cfoutput>
</body>
</html>
This request works: http://myserver/vDir/fckeditor/editor/test.cfm
While this one triggers a 403: http://myserver/vDir/fckeditor/editor/filemanager/test.cfm
I checked the following and could not find any difference:
NTFS rights -> same on both directories. The user running the
ColdFusion service has 'Full Control'
IIS Authentication -> same on both folders
Authorization Rules -> same on both folders
Handler Mappings -> same on both folders
I turned on the Failed Request Tracing and added a rule to capture the event. It appears that the wildcard Coldfusion ISAPI filter is actually throwing the exception:
CALL_ISAPI_EXTENSION:
DllName ColdfusionInstallationPath\runtime\lib\wsconfig\1\jrun_iis6_wildcard.dll
MODULE_SET_RESPONSE_ERROR_STATUS:
ModuleName IsapiModule
Notification 128
HttpStatus 403
HttpReason Access denied.
HttpSubStatus 0
ErrorCode 0
ConfigExceptionInfo Notification
EXECUTE_REQUEST_HANDLER ErrorCode The operation completed successfully. (0x0)
Do anyone have a clue on how to solve this?
P.S. this post is cross-posted on ServerFault at https://serverfault.com/questions/307204/error-403-while-getting-cfm-page

This is definitely an IIS 7/7.5 issue - try modifying permissions on the whole folder - you might need to restart IIS just in case the permissions need to be applied.

Related

Integration of Tomcat 7 with IIS 7

After following all the steps related to integration of tomcat7 and IIS7 i am getting below error.Any idea what might be the cause?First time when I did all the steps as mentioned in tutorial my site was coming up then suddenly it stop coming up.Again i removed my site from IIS and followed the steps but then every time below error is coming:-
HTTP Error 500.0 - Internal Server Error
The page cannot be displayed because an internal server error has occurred. Detailed Error Information
Module IsapiFilterModule
Notification AuthenticateRequest
Handler StaticFile
Error Code 0x80070001
Physical Path D:\New\IISROOT
Logon Method Anonymous
Logon User Anonymous
Failed Request Tracing Log Directory D:\New\Tomcat\logs
I have checked the logs but trace log is not created as well as isapi_redirect.logs
I have followed the below steps:
1.created the two files workers.properties and uriworkermap.properties in tomcat\conf
-In workers.properties i added the below information
worker.list=mysite worker.mysite.host=localhost worker.mysite.port=8009 worker.mysite.type=ajp13
-In uriworkermap.properties i added the below information
/mysite/*=mysiteworker
2.Created isapi-rediect.properties in Tomcat\bin
extension_uri=/jakarta/isapi_redirect.dll log_file=D:\DLNew\Tomcat\logs\isapi_redirect.log log_level=debug worker_file=C:\Tomcat\conf\workers.properties worker_mount_file=c:\Tomcat\conf\uriworkermap.properties
3.Add ISAPI Filter
In AddIsapi Filter dialog box i have given filtername as jakarta and Executable path as c:\Tomcat\bin\isapi\isapi-redirect.dll
2.Add Virtual Directory
In Add VirtualDirectory Dialog box i have given Alias as jakarta and PhysicalPath as c:\Tomcat\bin\isapi
3.selected jakarta virtual directory in connections panel -Double-click the 'Handler Mappings' icon in 'Features View'. -Click the 'Edit Feature Permissions' link in the 'Actions' panel. -Ensure that the 'Execute' option is selected.
4.Register the ISAPI Extension In ISAPI OR CGI restriction Dialog box i have given ISAPI or CGI path as c:\Tomcat\bin\isapi\isapi-redirect.dll and description as jakarta and i enabled the checkbox of allow extension path to execute
I am able to access the application through Tomcat by using the url as:http://localhost:80/mysite
But application is not comming up through IIS: i am getting below exception in browser
HTTP Error 500.0 - Internal Server Error The page cannot be displayed because an internal server error has occurred. Detailed Error Information Module IsapiFilterModule Notification AuthenticateRequest Handler StaticFile Error Code 0x80070001 Physical Path D:\New\IISROOT Logon Method Anonymous Logon User Anonymous Failed Request Tracing Log Directory c:Tomcat\logs

Intermittent 401 and 302 Errors on Static Files

I'm developing a website for a client of ours and have been having a nagging issue for weeks. The problem is intermittent and might happen twice in a day or once in 2 weeks.
When it happens, the client will start getting 401.3 "Unauthorized" errors when trying to load static script or style tags on the page. It's always a .css or .js file that gets denied and setting <modules runAllManagedModulesForAllRequests="false" /> hasn't fixed the problem. When the problem happens it effectively blocks the file until the application pool is restarted.
The site is using Forms Authentication with the stock "AspNetSqlMembershipProvider". The site has protected files in an /Accounts folder, styles in /Styles, and scripts in /Scripts. The site has anonymous access enabled and has a separate web.config in the /Accounts folder which deny's access to anonymous users (though that shouldn't even matter with runAllManagedModulesForAllRequests=false).
I've looked through the event logs and I see this:
2012-06-06 14:23:32 [ipaddress] GET /subfolder/Styles/Site.css ver=11 443 - [ipaddress] Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:12.0)+Gecko/20100101+Firefox/12.0 https://thesitename.net/subfolder/Account/Login.aspx 401 3 5 1493 429 62
Sometimes after a short period of time it fixes itself or if I restart the application pool I get this:
2012-06-06 14:30:30 [ipaddress] GET /subfolder/Styles/Site.css ver=11 443 - [ipaddress] Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:12.0)+Gecko/20100101+Firefox/12.0 https://thesitename.net/subfolder/Account/Login.aspx 200 0 0 2533 455 78
I finally got the hosting provider to enable failed request tracing and finally got a trace of the error:
Every failed request tracing file I got this time said the failure happens right after the "FILE_CACHE_ACCESS_END" event. What is this event doing and why would access be denied?
EDIT:
You should probably try following the "failed request tracing" instructions here. The error is almost certainly NTFS permissions related.
Looks like you are getting a Win32 "path not found" error in the problem line (the 3 right after the HTTP status code, field sc-win32-status).
Are these files on a network share? It looks like there might be some connectivity issues between the web server and the drive hosting these files. This might be in the form of an authorization error for the IIS user when attempting to read those files, which would explain the 401 error.
W3C Extended Log File Format (IIS 6.0) here: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/676400bc-8969-4aa7-851a-9319490a9bbb.mspx?mfr=true
Win32 status codes here: http://msdn.microsoft.com/en-us/library/ms681382.aspx
I would look into the reason for that error in the health monitoring logs (event code 3005: System.Data.Linq.ChangeConflictException) before anything else. If your problems start to occur after this error, then there is a good chance that eliminating this error will resolve your problems.
Here are some pages that discuss this error and might be of help to understand the error and how to fix it:
http://blogs.microsoft.co.il/blogs/bursteg/archive/2007/11/25/linq-to-sql-concurrency-changeconflictexception-row-not-found-or-changed.aspx
http://sebastienlachance.com/post/SystemDataLinqChangeConflictException-Row-not-found-or-changed.aspx
http://weblogs.asp.net/okloeten/archive/2008/04/28/6139181.aspx
I've been struggling with this error for longtime.
One of the strange causes of this error is when the resources (files or folders) are in a share (SMB share) with limited or no access rights to "everyone". This overrides the rights you may specifically add to the folder or files and causes a 401.3 error for anonymous access.

IIS7 won't display ASP.Net error message or stack trace

I'm trying to debug an error in an ASP.Net 3.5 application. We recently moved the application from IIS6 to 7. In IIS6, code like this:
Throw new Exception("My message")
Would display a page giving the error message, nearby lines of code, and a stack trace (using "debug" compilation mode and no custom errors).
In IIS7, the "detailed" error message gives only the module and error code:
HTTP Error 500.0 - Internal Server Error
The page cannot be displayed because an internal server error has occurred.
Detailed Error Information
Module global.asax
Notification BeginRequest
Handler StaticFile
Error Code 0x00000000
Requested URL [My URL]
Physical Path [My Path]
Logon Method Not yet determined
Logon User Not yet determined
Failed Request Tracing Log Directory [My Directory]
I even set up Failed Request Tracing, which purports to give a stack trace but which still doesn't give me any line numbers or error messages, only the module name and HTTP status.
No. 111.
Severity Warning
Event -MODULE_SET_RESPONSE_ERROR_STATUS
ModuleName global.asax
Notification 1
HttpStatus 500
HttpReason Internal Server Error
HttpSubStatus 0
ErrorCode 0
ConfigExceptionInfo
Notification BEGIN_REQUEST
ErrorCode The operation completed successfully. (0x0)
How can I get the information I was getting in IIS6? I already know the error is in global.asax, I need a line number and a specific error message.
Also, I'm not sure if this is related but the site is precompiled and aspnet_compiler.exe apparently sets the web.config "debug" switch to false when it compiles (even with the "-d" option). My machine.config has no "deployment" tag. I just set "debug" back to true and recycle after compiling, which I assume would put the site back in debug mode, right?
There is a setting in the error page config that tells IIS the level of detail information to show for local and remote requests. You might want to verify this is configured correctly. To access this setting launch the Internet Information Services Manager and go to
Site Home\Error Pages\Edit Feature Settings
Make sure you disable this setting in production

Classic asp "An error occurred when verifying security for the message." iis7 transport level security

On II7 we host a WCF/asp.net based API. In order to allow users of a classic asp application to connect to the API we had to publish a version we refer to as "transport". This Transport version is written in asp.net too, it points to the same assembly , its just the security layer is different to allow classic asp to authenticate. Transport level security is used as opposed to message based security.
When using a browser to load the service reference i can loading the svcutil.exe ... WDSL page.
When using my test asp page to call a web method from this reference i get the following returned:
Finished calling Web Service.
Status = Internal Server Error
ResponseText = a:InvalidSecurityAn error occurred when verifying security for the message.
This suggests that the authentication is failing. When testing using asp.net or the application WCF storm to contact the normal API everything works well.
The API was recently migrated , it would appear something has not been setup correctly but i am at a loss to explain what.
I can browse to the svcutil.exe ... WDSL service reference, when selecting it via the browser i get the expect XML response.
The USER NAME and password utilised work when using the non-classic asp publicaiton of the API using the message based secuirty.
Would it be possible to post some troubleshooting tip that may help diagnoise the issue please specifically regarding transport level security fault finding and setup ?
Thank you
Scott
EDITED TO ADD THE FOLLOWING UPDATE:
Attempted to use the Default App Pool and a new App Pool but same problem persists.
My test page error: ResponseText = a:InvalidSecurityAn error occurred when verifying security for the message.
IIS LOG shows:
v3/transport/testclassicasptransportwcfservice.asp ( 200 0 0 ) (i.e iis 200)
/V3/Transport/DeviceService.svc/DeviceService (500 0 0) (i.e iis error 500)
note: virtual dir defined on TRANSPORT and V3. V3 works ok using .net as opposed to classic asp to authenticate.
EVENT LOG:
The Template Persistent Cache initialization failed for Application Pool 'transport' because of the following error: Could not create a Disk Cache Sub-directory for the Application Pool. The data may have additional error codes.
This reference appears to suggest a fix but many of the DIR paths and references in "appcmd" dont exist.
_http://theether.net/kb/100127
REF http://theether.net/kb/100127
load cmd prompt
CD to C:\Windows\System32\inetsrv
enter: appcmd list config -section:system.webServer/asp
the following path is displayed: c:\inetpub\conf\temp\ASP compiled templates
check path exists (it does)
Check if the NETWORK SERVICE has permissions to access "ASP compiled templates" If not from appcmd execute;
icacls "c:\inetpub\conf\temp\ASP Compiled Templates" /grant "NETWORK SERVICE:(OI)(CI)(M)"
should read "sucessfully processed 1 files"
restarted app pool.
THE "InvalidSecurityAn error occurred when verifying security for the message" problem still persists but the "COULD NOT CREATE A DISK CACHE SUB-DIRECORY .... " error from the eventlog is no longer occurring.
Sorry another update. The network service permission change DID NOT resolve the issue , changeing to the DEFAULT APP POOL solved the problem.
Got a lead at last. Examined:
ServiceSecurityAudit set in service behaviour. Ref http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/#
IIS logs (simply shows the non-specific error 500.)
Fault tracing enabled( also shows error 500).
Custom errors were off
Friendly IE messages were off
Asp client side and server side debugging on
ProcessMon running , no errors.
Web.config httpErrors errorMode="Detailed" /> +
ServiceSecurityAudit found me an "Object reference not set to an instance of an object" so sounds like our app has a bug.
Follow up (17/08/11):
Service Security Audit documented here:
http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/
Was the key for us to resolve this issue. Uncovered the Object Reference Error which indicated out Business Objects and Data Access dlls were out of alignment. Using CLASSIC ASP to contact the WCF.NET API using TRANSPORT AUTHENTICATION there was abolutely no indication of this error until Service Security Audit was enavled on the behaviour.config file in the WCF deployment.

changing aspnet user to the domain user to access iis

I'm running IIS5.0 and I am trying to change the ASP.NET process account to my domain user account.
I have followed everything possible here.
When I browse the .svc file (this is a wcf service) I am getting this error:
Server Application Unavailable The
web application you are attempting to
access on this web server is currently
unavailable. Please hit the "Refresh"
button in your web browser to retry
your request.
Administrator Note: An error message
detailing the cause of this specific
request failure can be found in the
application event log of the web
server. Please review this log entry
to discover what caused this error to
occur.
Eventlog says:
aspnet_wp.exe could not be started.
The error code for the failure is
80070522. This error can be caused when the worker process account has
insufficient rights to read the .NET
Framework files. Please ensure that
the .NET Framework is correctly
installed and that the ACLs on the
installation directory allow access to
the configured account.
When I run the client, I get the following error:
The content type text/html;
charset=utf-8 of the response message
does not match the content type of the
binding (application/soap+xml;
charset=utf-8). If using a custom
encoder, be sure that the
IsContentTypeSupported method is
implemented properly. The first 872
bytes of the response were: '
From ASP.NET 2.0 onwards, the correct method to ensure that a user account has the correct rights to run as the worker process identity is to run this command:
aspnet_regiis -ga [account]
You need to run the aspnet_regiis command that matches the ASP.NET version you plan on running:
ASP.NET 2.0 -
%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -ga [account]
ASP.NET 4.0 -
%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -ga [account]
If you put your Domain Account under IIS_WPG group, it should ideally work. If it doesn't work, there is a sure shot way of fixing it.
In IIS 6... step 1 is applicable... since you are on IIS 5, ignore step 1
Run it with Local System to begin with. If the applications runs, it means your IIS is configured well and you can proceed with the step 2.
Change the account to your domain account, and ensure that you have put the account in IIS_WPG as well. After that, run the tool called Process Monitor http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Browse the application now. If you still get the error, switch to the Process Monitor and stop capture [menu option].
Search for Access denied and fix it. Link

Resources