IIS custom site HTTP Error 401.3 - Unauthorized - iis

I've created a new site within IIS and pointed to my local Documents directory
C:\Users\name\Documents
via
http://localhost:8080/
The error I'm getting is
HTTP Error 401.3 - Unauthorized
I've checked the properties of the Documents folder under Security. for IIS_IUSRS, Read & Execute, List folder contents and Read are checked.
Others like SYSTEM, myUsername, Administrators have more rights to this folder.
Not sure what I'm missing here, please advise.

Download Procmon from here and start tracing. Reproduce the issue and stop procmon.
Filter procmon trace for "access denied". It'll tell you what permissions are needed and for which folder.
Share a screenshot of procmon trace if you find it difficult to analyze and I will try and guide you.

"C:\Users\name\Documents" would typically be a terrible place to put a web site. It is essentially the same as "My Documents" which is a special Windows folder. And it would have a number of non-web site folders. Try using C:\Web (or something like that) and add IIS_IUSRS to that folder.
BUT, if you really want to use your My Documents as the root of a web site, you can create a web.config file in C:\Users\name\Documents with the following:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authentication mode="None" />
</system.web>
</configuration>

Related

Export to excel in classic asp stopped working [duplicate]

IIS 7.5 , 2008rc2, classic asp, 500 error msg:
The page cannot be displayed because an internal server error has occurred.
I need to know how to configure IIS to get a more detailed error.
I've tried setting to true all of debugging options in the ASP configuration.
But that didn't work. Can anyone help me?
I have come to the same problem and fixed the same way as Alex K.
So if "Send Errors To Browser" is not working set also this:
Error Pages -> 500 -> Edit Feature Settings -> "Detailed Errors"
Also note that if the content of the error page sent back is quite short and you're using IE, IE will happily ignore the useful content sent back by the server and show you its own generic error page instead. You can turn this off in IE's options, or use a different browser.
If you're on a remote server you can configure your web.config file like so:
<configuration>
<system.webServer>
<httpErrors errorMode="Detailed" />
<asp scriptErrorSentToBrowser="true"/>
</system.webServer>
<system.web>
<customErrors mode="Off"/>
<compilation debug="true"/>
</system.web>
Double click "ASP" in the site's Home screen in IIS admin, expand "Debugging Properties", enable "Send errors to browser", and click "Apply".
Under "Error Pages" on the home screen select "500", then "Edit feature settings" and select "Detailed Errors".
Note that the same steps apply for IIS 8.0 (Windows Server 2012).
After trying Vaclav's and Alex's answer, I still had to disable "Show friendly HTTP error messages" in IE
TLDR:First determine where in the pipeline you're getting the error from (scroll looking for screenshots of something that resembles your error), make changes to get something new, repeat.
First determine what error message you are actually seeing.
If you are seeing the file located here...
%SystemDrive%\inetpub\custerr<LANGUAGE-TAG>\500.htm
...which generally looks like this:
**...then you know you are seeing the currently configured error page in IIS ** and you do NOT need to change the ASP.net customErrors setting, asp error detail setting, or "show friendly http errors" browser setting.
You may want to look at the above referenced path instead of trusting my screenshot just in case somebody changed it.
"Yes, I see the above described error..."
In this case, you are seeing the setting of <httpErrors> or in IIS Manager it's Error Pages --> Edit Feature Settings. The default for this is errorMode=DetailedLocalOnly at the server node level (as opposed to the site level) which means that while you will see this configured error page while remote, you should be able to log on locally to the server and see the full error which should look something like this:
You should have everything that you need at that point to fix the current error.
"But I don't see the detailed error even browsing on the server"
That leaves a couple of possibilities.
The browser you are using on the server is configured to use a proxy
in its connection settings so it is not being seen as "local".
You're not actually browsing to the site you think you are browsing to - this commonly happens when there's a load balancer involved. Do a ping check to see if dns gives you an IP on the server or somewhere else.
Your site's httpErrors settings is set for "Custom" only. Change it to "DetailedLocalOnly". However, if you have a configuration error, this may not work since the site level httpErrors is also a configuration item. In that case proceed to #4
The default for httpErrors for all sites is set for "Custom". In this case you need to click on the top level server node in IIS Manager (and not a particular site) and change the httpErrors settings there to DetailedLocalOnly. If this is an internal server and you're not worried about divulging sensitive information, you could also set it to "Detailed" which will allow you to see the error from clients other than the server.
You're missing a module on the server like UrlRewrite (this one bites me a lot, and it often gives the generic message regardless of the httpErrors settings).
"Logging on to the server is not an option for me"
Change your site's httpErrors to "Detailed" so you can see it remotely. But if it doesn't work your error might already be a config error, see #3 immediately above. So you might be stuck with #4 or #5 and you're going to need somebody from your server team.
"I'm not seeing the error page described above. I'm seeing something different"
If you see this...
...and you expect to see something like this...
...then you need to change "Send errors to browser" to true in IIS Manager, under Site --> IIS --> ASP --> Debugging Properties
If you see this...
or this...
...you need to disable friendly errors in your browser or use fiddler's webview to look at the actual response vs what your browser chooses to show you.
If you see this...
...then custom errors is working but you don't have a custom error page (of course at this point were talking about .net and not classic asp). You need to change your customErrors tag in your web.config to RemoteOnly to view on the server, or Off to view remotely.
If you see something that is styled like your site, then custom errors is likely On or RemoteOnly and it's displaying the custom page (Views->Shared->Error.cshtml in MVC for example). That said, it is unlikely but possible that somebody changed the pages in IIS for httpErrors so see the first section on that.
In web.config under
<system.webServer>
replace (or add) the line
<httpErrors errorMode="Detailed"></httpErrors>
with
<httpErrors existingResponse="PassThrough" errorMode="Detailed"></httpErrors>
This is because by default IIS7 intercepts HTTP status codes such as 4xx and 5xx generated by applications further up the pipeline.
Next, enable "Send Errors to Browser" under the "ASP" section, and under "Error Pages / Edit Feature Settings", select "Detailed errors".
Also, give Write permissions on the website folder to the IIS_IUSRS builtin group.
try setting the value of the "existingResponse" httpErrors attribute to "PassThrough". Mine was set at "Replace" which was causing the YSOD not to display.
<httpErrors errorMode="Detailed" existingResponse="PassThrough">
One thing nobody's mentioned is as a very quick and temporary fix, you can view the error on the localhost of that web server.
You may also verify that if you changed your main website folder (c:\inetpub\wwwroot) to another folder you must give read permission to the IIS_IUSRS group in the new folder.
Fot people who have tried EVERYTHING and just CANNOT get the error details to show, like me, it's a good idea to check the different levels of configuration. I have a config file on Website level and on Application level (inside the website) check both. Also, as it turned out, I had Detailed Errors disabled on the highest node in IIS (just underneath Start Page, it has the name that is the same as the webservers computername). Check the Error Pages there.
Found it.
http://blogs.iis.net/ksingla/archive/2009/02/16/iis-7-5-updates-to-custom-errors-and-compression.aspx
run cmd as administrator, go to your system32\inetsrv folder and execute:
appcmd.exe set config -section:system.webServer/httpErrors -allowAbsolutePathsWhenDelegated:true
Now I can see detailed asp errors .
If you run the browser in the server and test your url of the project with the local ip you have received all errors of that project without a generally error page(for example 500 error page).
In my case it was permission issue.
Open application folder properties -> Security tab -> Edit -> Add
IIS AppPool\[DefaultAppPool or any other apppool] (if use ApplicationPoolIdentity option)
IUSRS
IIS_IUSRS
Double check the encoding of the asp file you are testing.
For instance if you created a file like below on a Windows Server Core 2019 :
echo "<%# LANGUAGE=Javascript %>" > test.asp
echo "<%Response.Write("test");%>" >> test.asp
Then test.asp will be encoded in Unicode, and requesting it will produce a 500 without any details.
Do a notepad test.asp, then click on "Save As..." and choose "ANSI" encoding to fix it.

IIS - http Runtime Error

I had already published my site using the IIS Manager.
I successfully can access it with my PC but when my colleagues tried to access it, it says,
HTTP Runtime Error.
Is there something wrong in the config file? How come I can access it with no error? Can anyone help us with this?
http runtime error
Is not a lot to go by.
What do the windows event logs say?
What is the website, Asp.net or something else?
If it is asp.net, update this setting and post what error they see:
<?xml version="1.0"?>
<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>

Sharepoint error details(call stack information) is not displayed in the sharepoint site

How to enable the error information in the Sharepoint site by modifying the web.config file.?. I have done the following changes in web.config file
Callstack = true
CustomErrors mode = Off
Compilation debug = true
But still i am not able to get the call stack details(error details) in the sharepoint site for a error, instead of that i am getting this following error
"To enable the details of this specific error message to be viewable on the local server machine, please create a tag within a "web.config" file located in the root directory of the current web application". Please correct me on this?.
custom errors mode off, (or on, I can never remember). Then set debug=true. The catch is that there are many different web.configs used by sharepoint. There's one on the web application level (in inetpub, virtual directories), then there's one for layouts pages, control templates, etc in /web server extensions/14/. You have to make these changes in all of the relevant web configs associated with your code.
And obviously, make sure this is always turned off in production for security reasons.
You do not need to do an iisreset, changing a web.config file will cause one automatically.
Did you run iisreset?
Make sure you're changes in the web.config look like these:
<customErrors mode=”Off” />
<SafeMode … CallStack=”true” … >
<trace enabled=”true” pageOutput=”true”/>
PS: Showing stack traces in a production environment is not recomenned, instead use a tool like ULSViewer for diving through the log files.

ASP pages in IIS using Localhost 401.3 Error do not have permission

I have just installed the IIS so I can view asp files in a browser but when I put the address in a browser as : http://localhost/index.asp I get an error.
The error shows this:
HTTP Error 401.3 - Unauthorized
You do not have permission to view this directory or page because of the access control list (ACL) configuration or encryption settings for this resource on the Web server.
I really need to get this sorted out, I would highly appreciate any advice on this.
My issue was around the identity used in the app pool. I changed the site's Authentication to "Application pool identity" as well as giving the directory the appropriate permissions.
OK, working from memory here as I am not in front of a Windows machine.
If you right click on your webroot folder /inetpub/wwwroot/ or the website directory you are working on open properties and select security, I think it is, you will see the list of users with their permissions for that folder. There is a section to add new users where you can add the IIS_IUSRS account (search from the list of users if you need to) which will be the default user used when anonymous authentication is enabled. Give this account the relevant permissions (read, write, execute) ensuring you apply to file and subfolders. Refresh the website in IIS and you should hopefully be good to go.
I had one folder not working (extracted from a zip file which came from an email from some kind of MS Sharepointy thing. Or something). The files were all marked with Windows Explorer -> Right Click -> Properties -> Advanced -> Encrypt contents to secure data. Unticking cured it.
In my case I had created an application in IIS 7 on Windows 7 using "Add Application" on the Default Web Site. I had to add the "users" account from the local machine and that got rid of the permissions error.
I had this happen to me and what I needed to do was apparently add a web.config file. Doesn't matter that it was just a PHP site, and that "Everyone" had full control. Until there was a basic Web.config - NO DICE!
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Execute, Script" />
<defaultDocument>
<files>
<clear />
<add value="index.php" />
<add value="Default.htm" />
<add value="Default.asp" />
<add value="index.htm" />
<add value="default.aspx" />
</files>
</defaultDocument>
<directoryBrowse enabled="false" />
</system.webServer>
</configuration>
Here, the set up process is explained in detail. You can follow the steps.
http://coldfusion-tip.blogspot.com/2013/10/you-do-not-have-permission-to-view-this.html

File Security (IP address access restrictions) in IIS7

I have a web service that contains 2 asmx files (public.asmx and private.asmx). On IIS6 I could go to the properties of private.asmx then, from the 'File Security' tab, deny all computers access except the IP address for localhost.
In IIS7 I only seem to be able to do this for an entire folder. What am I missing?
Funny - I found this question because I have the same problem, but I think the solution is as follows:
In IIS7, browse to the directory containing your public.asmx and private.asmx files.
The title at the top will reflect the current directory, like "WebService Home". Click the "Content View" button at the bottom.
Right-click on your public.asmx file and choose "Switch to Features View".
The title should be "public.asmx Home" to confirm that you're managing the one file.
Add your IP restrictions. In this case, I think you want an Allow entry for 127.0.0.1 and choose "Edit Feature Settings" from the Action menu to Deny access to unspecified clients.
Click your containing folder again (e.g. WebService) and switch to Content View again to repeat these steps on private.asmx.
I am learning the ropes of IIS7 myself, but I hope this answers your question.
Found this question via Google and was looking for how to do it via the .config file but could not find that answer here. I've since tracked down the info:
The ipSecurity element is used by the web.config in IIS7 to restrict access by IP Address. You can use it like this:
<configuration>
<location path="private.asmx">
<system.webServer>
<security>
<ipSecurity>
<add ipAddress="192.168.100.1" />
<add ipAddress="169.254.0.0" subnetMask="255.255.0.0" />
</ipSecurity>
</security>
</system.webServer>
</location>
</configuration>
Update: Note that the role has to be added for this security to be enabled. See the ipSecurity article linked above.

Resources