IIS HTTP Error 403.1 - Forbidden: Execute access is denied - asp.net

I have a ASP.NET 1.1 application running on IIS 6 / Windows Server 2003.
It's our application, but we're trying to specifically replicate a customer's installation so the app folder has been copied entirely from their production server onto our test machine, and then we've created the Virtual Directory and Web Application for IIS manually.
Internet Information Services (IIS) Manager:
Application Pools
Web Sites
Default Web Site
xxxxx (Virtual Directory)
yyyyy (Web Application)
Web Service Extensions
The problem I have is that when we access the app, we get the standard IIS security error message:
The page cannot be displayed
You have attempted to execute a CGI, ISAPI, or other executable program from a directory that does not allow programs to be executed.
--------------------------------------------------------------------------------
Please try the following:
•Contact the Web site administrator if you believe this directory should allow execute access.
HTTP Error 403.1 - Forbidden: Execute access is denied.
Internet Information Services (IIS)
Now this is pretty standard, except as far as I can see it's not anything so simple.
I have checked:
IIS user has read access to the directory
IIS user and Network Service users have read/write access to the Temporary ASP.NET Files folder
Virtual directory is set to the correct version of ASP.NET
ASP.NET 1.1 Web Service Extension is allowed
Virtual directory has the correct mappings of file extensions and all verbs to the aspnet 1.1 DLL
Virtual directory properties allow Scripts and Executables to be run
Anonymous access is turned on and the username and password is correct
What am I missing?

When you did create an application on IIS did you check allow script execution ? You need to turn two first choices on in order to execute anything from this application including virtual directory you have made.
Right click on parent application > Home Directory tab > Executive Permissions set to Scripts only...

You might also need to check the "Edit Feature Permissions..." button on the right pane of the Handler Mappings settings for the specific application and enable "Execute". This is what held my co-workers and I for 3 hours with otherwise pretty identical symptoms.

Related

IIS Express Folder rights

I have created a Web application. i need to add 2 virtual directories. i have gone to the properties of the application and in the web tab i have created the 2 directories. i have the run the site and gone into the IIS express config and changed the physical path of the 2 directories. the directories are mapped from a server.
when i run the site i get "Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server."
how do i know which user is IIS express is using to know how to give access to the directories?
Thanks
Gareth

HTTP Error 500.19 - Internal Server Error 0x80070003 Cannot read configuration file

I'm getting the above error when I publish my application and move it from development to production server. Below are the error details.
Detailed Error Information
Module IIS Web Core
Notification BeginRequest
Handler Not yet determined
Error Code 0x80070003
Config Error Cannot read configuration file
Config File \?\C:\inetpub\wwwroot\WorkmenCompTest\web.config
Requested URL http://localhost:80/wictest
Physical Path C:\inetpub\wwwroot\WorkmenCompTest
Logon Method Not yet determined
Logon User Not yet determined
This website used to work previously but recently the published version stopped working due to this error. As far as I can tell, the only change was installing iTextSharp and iTextSharp xmlworker through nuget.
I have tried, without success:
giving modify permission on the site folder to Everyone
checking the web.config file, and using an older version of the web.config file (from when the site worked).
uninstalling iTextSharp and iTextSharp XMLWorker
The project still runs without issue from Visual Studio.
This is solved. The error was caused by the folder name not matching the path for the virtual directory. Oh wow I feel dumb.
Check the applicationhost.config file under - .vs\lpsWeb-UI\config folder of your application root.
Under sites section of the config file check what the physical path points to.
If you modify those you should be able to fix the issue.
This is because of different physical path in the IIS.To change the physical path of application content
You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.
User Interface
To use the UI
Open IIS Manager. For information about opening IIS Manager, see Open IIS Manager (IIS 7).
In the Connections pane, expand the Sites node and click to select the site in which your application runs.
In the Actions pane, click View Applications.
On the Applications feature page, select an application from the list and then click Basic Settings in the Actions pane.
In the Physical path box, change the path of the application content.
Click OK.
DefaultAppPool application pool runs under the Network Service account. This account is local to the computer and this account does not exist on another computer. Make sure that you configure the DefaultAppPool application pool to use an account that is a domain user. Then, you can use the same account on the WorkmenComp file server. Alternatively, you can create a workgroup account on the WorkmenComp file server.
I am getting this HTTP Error 500.19 error when I am giving physical path as Z:\App_Live in IIS
Instead of using z:\ ,
I used network path \\server\share\live_folder in the IIS physical path – something like this \\server\share\wwwroot\inetpub\wwwroot
Also you may need to specify username/password in "connect as".

IIS forgets virtual directory permissions - An error occurred loading a configuration file: Failed to start monitoring changes

I have a website with a virtual directory that contains PDFs.
Users access the PDFs by using a URL such as http://myApp.com/PDFs/12345678.pdf, where PDFs is a virtual directory mapped to \\\actualPhysicalServerName\PDFsDirectory\.
This works.
I routinely re-deploy the application. Once the application is redeployed and the website restarted, users can no longer access the virtual directory until IIS is restarted.
Accessing the above URL gives the following error:
An error occurred loading a configuration file: Failed to start monitoring changes to \\\actualPhysicalServerName\PDFsDirectory\web.config because access is denied.
at System.Web.FileChangesMonitor.FindDirectoryMonitor(String dir, Boolean addIfNotFound, Boolean throwOnError)
at System.Web.FileChangesMonitor.StartMonitoringFile(String alias, FileChangeEventHandler callback)
at System.Web.Configuration.WebConfigurationHost.StartMonitoringStreamForChanges(String streamName, StreamChangeCallback callback)
at System.Configuration.BaseConfigurationRecord.MonitorStream(String configKey, String configSource, String streamname)
at System.Configuration.BaseConfigurationRecord.InitConfigFromFile()
Restarting the application pool does not help.
I have to restart IIS.
Once IIS is restarted, the virtual directory can be accessed as expected.
Is this expected behavior? Have I set up my virtual directories incorrectly?
I am using IIS 7.5, Windows 7 server, and .NET 4.5.
I solved this problem this way:
Created new pool with "No managed code" and "Classic" settings.
Converted virtual directory to application, connecting with a user account with permissions on the share
Have application use the new pool
For anyone else frustrated with the same issue - while I did not find the crux of the problem, I did figure out that this problem was related to the Identity of the Application Pool that the website was running under.
In my case, the solution was to change the App Pool identity from the ApplicationPoolIdentity Built-in account to a custom account that is an administrator on all of the machines involved.
To do this
Right click on the application pool in IIS, Choose Advanced Properties.
Under ProcessModel->Identity , choose Identity. Choose Custom Account (Built-in account, Application Pool Identity is the default in IIS 7.5)
Switch to using a Custom Domain account, that is an administrator on this machine, as well as the machine where the virtual directory is hosted.
Restart the Application Pool.
I had a Virtual directory pointing to images on UNC share. All was working fine until we updated parent app to .NET 4.5.
We had to convert the VirDir to Virtual Application with 4.0 Integrated Application Pool.
Old topic but I was able to solve it by following these instructions (basically add ASPNET and IUSR to permissions:
In Windows Explorer, browse to the application folder or to the virtual directory that contains the content (for example, c:\inetpub\wwwroot\xx).
Right-click the folder, and then click Properties.
On the Security tab, click Add.
On the "Select Users or Groups" window, click on Advance
Click on Find Now button, you will see List of users
Select ASPNET and IUSR_(machinename) then click OK to close the"Select Users or Groups" window
Allow the following permissions for the ASPNET and IUSR_(machinename) account:
-Read & Execute
-List Folder Content
-Read

Trying to set up an application in IIS gives me error: Error message 401.2.: Unauthorized: Logon failed due to server configuration

I created a web application by going to IIS right-clicking on Default Web Site and selecting Add Application. Then I give the Alias name, select DefaultAppPool and point it to Physical path.
When I try to browse to http://localhost/mywebapp I get 'Access is denied' with following details:
Error message 401.2.: Unauthorized: Logon failed due to server
configuration. Verify that you have permission to view this directory
or page based on the credentials you supplied and the authentication
methods enabled on the Web server. Contact the Web server's
administrator for additional assistance.
Anonymous Authentication is enabled on the IIS Website.
The web application is ASP.NET MVC5 application.
The web application is running under its default identity: ApplicationPoolIdentity
Here are the settings for DefaultAppPool
Make sure your application is not on a network share or in the windows user (magic) directory. (It can be in the Visual Studio default magic user directory if you follow my instructions below)
If you're on Win7, create a new MVC 3 application, ^F5 to run. Then in solution explorer, right click the project and select properties. In the left pane, select the Web tab. The default is Cassini ( Use Visual Studio Development Server). Select the next radio, Use Local IIS Web server. Now ^F5 and it will launch your app from IIS. You can also find your application in IIS manager and in the right pane, select browse 80. Now that it's working, compare the differences in your two application.
Your approach should also work. You might try creating a new MVC application and use your approach to test on IIS. The most common mistake is creating a vDir, not an application
The error message is pretty good. To set ACLS on the application pool identity, follow the instructions under Securing Resources at http://learn.iis.net/page.aspx/624/application-pool-identities/
Also see Understanding Built-In User and Group Accounts in IIS 7
IF the new MVC app should fail, repeat, but create a Web Forms app.
Make sure IUSR has permission to the directory that webapp is sitting in.
Also, if your application is accessing permissioned resources(File IO, MSMQ...etc), you will have to change the Identity of the app pool or make sure ISUR has permission.
Make sure that the NETWORK SERVICE account (or whatever system account IIS is using) has permissions to the application folder.
To check the system account that's being used, go to the application pool settings, and the system account will be listed under the Identity tab:
EDIT
Make sure that the application is using the correct application pool. Also, if you haven't already specified a default document, that could be your problem. You can test this by including a page name in the URL, e.g. http://localhost/mywebapp/default.aspx

Error 500.19 - IIS 7.5 Site based on UNC - File Permissions Problem

I'm trying to get a website in my IIS 7.5 (Win 7 Pro machine) to run via a UNC path to the code for one of the default website and an underlying App. This is the first time I've ever tried to set up a site/app in IIS 7.5 based off a UNC path: a folder on another server in the same domain.
I've tried various things to try to get this resolved. The app pool is running under ApplicationPoolIdentity on my Win 7 Pro PC where I have this site set up.
The runtime error I get when trying to run the app in the browser via http://localhost/TheAppName is:
Module: IIS Web Core
Notification: Unknown
Handler: Not Yet Determined
Error Code: 0x800700005
Config Error: Cannot read configuration file due to insufficient permissions
Config File: \\?\UNC\theServerName\www\TheAppName
Requested URL: http://localhost:80/TheAppName
Physical Path: (nothing showing up here)
Logon Method: Not yet determined
Logon User: Not yet determined
I put in fake names for the server and app name above for privacy for this post.
So it's having trouble reading the web.config found in that UNC path for this site.
I tried to add a local user on the target server and then then gave that user permissions to the web.config and then used that user RemoteServerName\LocalUserICreated as the app pool's Identity on my machine but it had no effect.
No clue what to do here and how to go about it.
I assume the UNC path is to a different server?
If so are both servers in the same domain? If so then IIS needs to run the website under a user account that has permissions to read the files.
If not you need to create identical user accounts (same username, same password) on the web server and the file storage server and then change IIS to run the website under this user account.
Hope this helps/works.
When you create a web application or virtual directory from a UNC path, you need to provide the credentials to IIS for the connection.
In the Add Application dialog, below the Physical path section is the "Connect as..." button - you can then choose either "Application user (pass-through authentication)" or "Specific user".
Which ever you choose, they have to be credentials that will be recognised by the remote server - "Pass-through" will try and use the current desktop (or browser) credentials to authenticate the user which (if you're connecting via a VPN as per your comments) almost certainly won't be valid. In this case you should use "Specific user" and provide (ideally) a domain user with suitable permissions to run the site.
When we've needed to do this in the past, we'd create an account on the domain that the local AppPools would run under, and then this could be used in these situations as well.
If you've already created the application, the dialog can be reached using the "Basic Settings..." action link.
I took me a few hours to finally solve the same issue for myself. Turned out I used the wrong slashes in my physical path. It should be \ these, not // these.
Zhaph and Alan both identify the work-around suggested by Microsoft. Here's the rest of the information from Microsoft's page on your problem:
Cause
IIS 6.0 uses the hosting worker-process identity to connect to a remote directory. Then, IIS 6.0 authenticates the user against the remote directory. However, IIS 7.0 introduces delegation scenarios. In IIS 7.0, you can delegate Web-site settings and application-level settings to a Web.config file.
For pass-through authentication, the Web.config file is stored in a UNC directory. Therefore, the default-process identity in IIS 7.0 must examine the Web.config file first to determine whether any security-related settings must be applied before the authentication process starts. The default-process identity in IIS 7.0 does not have sufficient permissions to open the Web.config file. Therefore, the Web request is rejected.
If there is no Web.config file in the UNC directory, IIS 7.0 uses the rules that are defined for the parent directory. For the Web content to be served in this scenario, the worker-process identity must have access to the whole content directory. Otherwise, the Web request is rejected.
Resolution
To resolve this behavior and to make sure that pass-through authentication works correctly, follow these steps:
Make sure that all the user accounts that access the UNC directory have at least the Read permission for the UNC directory.
Note This behavior is the same as the behavior in IIS 6.0.
Make sure that the IIS worker-process identity is running under a domain account or under a workgroup account that also exists on the UNC file server. If it is necessary, create an account on the UNC file server that has the same user name and the same password as the IIS worker-process identity.
Notes
This behavior differs from the behavior in IIS 6.0.
By default, the DefaultAppPool application pool runs under the Network Service account. This account is local to the computer, and this account does not exist on another computer. Therefore, make sure that you configure the DefaultAppPool application pool to use an account that is a domain user. Then, you can use the same account on the UNC file server. Alternatively, you can create a workgroup account on the UNC file server and on the computer that is running IIS 7.0.
If there is a Web.config file in the UNC directory, edit the discretionary access control list (DACL) for the Web.config file so that the DACL contains the account that you verified in step 2. Alternatively, edit the DACL for the Web.config file so that the DACL contains the account that you created in step 2.
If there is no Web.config file in the UNC directory, edit the DACL for the UNC directory so that the DACL contains the account that you verified in step 2. Alternatively, edit the DACL for the UNC directory so that the DACL contains the account that you created in step 2.
Note This behavior differs from the behavior in IIS 6.0.

Resources