This is very simple to reproduce:
Create a new VM (xtra small in my case, tried both Windows 2012
and 2008R2)
Install IIS using default config.
Create a Web Site using IIS Manager specifying a folder such as
C:\inetpub\simple.
Using Windows Explorer, create a new file called index.txt
Rename the file to index.htm
Edit the file with Notepad to make it a basic but valid html5
document and Save.
From IIS Manager, select the new website and click the Browse
Website link on the right side of the screen.
I get:
HTTP Error 403.14 - Forbidden
The Web server is configured to not list the contents of this directory.
Now look at the Contents of the web site in IIS Manager and you will see that the file has a .txt extension pasted onto the end : index.htm.txt
This does not happen on my local server.
I am new to Azure and probably missing something very basic but right now I feel like I am going insane. Can anyone put me out of my misery?
This is an IIS configuration issue, not Azure specific. And I would not even say it is an issue at all.
index.html is not in the list of default documents for IIS. And has never been. index.htm however is. You get 403.14 forbidden, because Directory Browsing is by default forbidden in IIS. Again, absolutely typical IIS configuration which hasn't changed for ages!
Your solutions:
Configure index.html to be in default documents (read how to do this here)
enable directory browsing (read how to do it here)
For the sake of others as stupid as me, this is all down to Windows Explorer configuration. Normally, the first thing that I do with a new Windows install is to turn off 'Hide known filename extensions'. This time I forgot.
I've encountered an error deploying a site to a server. When trying to load the home page, or access authentication on the new site in IIS, I get the error:
Config Error: This configuration section cannot be used at this path.
This happens when the section is locked at a parent level. Locking is
either by default (overrideModeDefault="Deny"), or set explicitly by a
location tag with overrideMode="Deny" or the legacy
allowOverride="false".
More detail can be found here, in Scenario 7, which matches my hex error code.
The solution given on the linked site above is to set Allow for overrideModeDefault in the section mentioned in my error, in the applicationHost.config file. In my case, under Security in system.webServer. But if I look at the applicationHost.config on my local computer, where the site is properly deployed already, that section is set to Deny.
If this solution is correct, how is my local instance running just fine with the same web.config? According to my applicationHost.config, that section should be locked, but it's not. I'd prefer to not change the applicationHost.config file, because there are many other sites running on that server. Is there another solution?
I had the same problem. Don't remember where I found it on the web, but here is what I did:
Click "Start button"
in the search box, enter "Turn windows features on or off"
in the features window, Click: "Internet Information Services"
Click: "World Wide Web Services"
Click: "Application Development Features"
Check (enable) the features. I checked all but CGI.
btw, I'm using Windows 7. Many comments over the years have certified this works all the way up to Windows 10 and Server 2019, as well.
You could also use the IIS Manager to edit those settings.
Care of this Learn IIS article:
Using the Feature Delegation from the root of IIS:
You can then control each of machine-level read/write permissions, which will otherwise give you the overrideMode="Deny" errors.
For Windows Server 2012 and IIS 8, the procedure is similar.
The Web Server (IIS) and Application Server should be installed, and you should also have the optional Web Server (IIS) Support under Application Server.
Browse to “C:\Windows\System32\inetsrv\config” (you will need administrator rights here)
Open applicationHost.config
Note: In IISExpress and Visual Studio 2015 the applicationHost.config is stored in $(solutionDir).vs\config\applicationhost.config
Find the section that showed up in the “config source” part of the error message page. For me this has typically been “modules” or “handlers”
Change the overrideModeDefault attribute to be Allow
So the whole line now looks like:
<section name="modules" allowDefinition="MachineToApplication" overrideModeDefault="Allow" />
After saving the file, the page loaded up fine in my browser.
Warning:
Editing applicationHost.config on 64-bit Windows
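An added example, not part of the original answers: after any of the unlock edits discussed here, this PowerShell function lists which sections are delegated and at what scope, so an authentication section left at a server-wide Allow stands out from one unlocked for a single site. The sample XML, the function name Get-DelegationReport and the site name Intranet are constructed for illustration; PowerShell 3.0 or later is assumed.

```powershell
# Constructed sample standing in for applicationHost.config; not taken from a real server.
$sampleConfig = @'
<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="handlers" overrideModeDefault="Allow" />
      <section name="modules" allowDefinition="MachineToApplication" overrideModeDefault="Deny" />
      <sectionGroup name="security">
        <section name="access" overrideModeDefault="Deny" />
        <sectionGroup name="authentication">
          <section name="anonymousAuthentication" overrideModeDefault="Allow" />
          <section name="windowsAuthentication" overrideModeDefault="Deny" />
        </sectionGroup>
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <location path="Intranet" overrideMode="Allow">
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
'@

function Get-DelegationReport {
    param([Parameter(Mandatory = $true)][xml]$Config)

    function New-Row([string]$Section, [string]$Scope, [string]$Mode, [bool]$ServerWide) {
        [pscustomobject]@{
            Section = $Section
            Scope   = $Scope
            Mode    = $Mode
            # Review: a security section that every site's web.config may override.
            Review  = ($Mode -eq 'Allow') -and $ServerWide -and ($Section -like 'system.webServer/security/*')
        }
    }

    # Map each declared section path to its overrideModeDefault.
    $declared = @{}
    foreach ($s in $Config.SelectNodes('/configuration/configSections//section')) {
        $names = @($s.GetAttribute('name'))
        $p = $s.ParentNode
        while ($null -ne $p -and $p.LocalName -eq 'sectionGroup') {
            $names = @($p.GetAttribute('name')) + $names
            $p = $p.ParentNode
        }
        $mode = $s.GetAttribute('overrideModeDefault')
        if ([string]::IsNullOrEmpty($mode)) { $mode = 'Allow' }  # default when the attribute is absent
        $declared[($names -join '/')] = $mode
    }
    foreach ($path in $declared.Keys) {
        New-Row $path '(server default)' ($declared[$path]) $true
    }

    # <location overrideMode="..."> blocks change the lock for one path, or for all sites when path is empty.
    foreach ($loc in $Config.SelectNodes('/configuration/location[@overrideMode]')) {
        $sitePath = $loc.GetAttribute('path')
        $allSites = [string]::IsNullOrEmpty($sitePath)
        $label = if ($allSites) { '(all sites)' } else { $sitePath }
        foreach ($path in $declared.Keys) {
            # A section path such as system.webServer/security/access is also a valid relative XPath.
            if ($null -ne $loc.SelectSingleNode($path)) {
                New-Row $path $label ($loc.GetAttribute('overrideMode')) $allSites
            }
        }
    }
}

Get-DelegationReport -Config $sampleConfig | Sort-Object Section, Scope | Format-Table -AutoSize
# Against a live server, from an elevated 64-bit PowerShell:
# Get-DelegationReport -Config (Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config" -Raw)
```

In the sample, anonymousAuthentication is marked for review because it is delegated to every site, while windowsAuthentication is unlocked only under the Intranet path and stays locked everywhere else.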
You need to unlock handlers. This can be done using following cmd command:
%windir%\system32\inetsrv\appcmd.exe unlock config -section:system.webServer/handlers
Maybe some more info for people who are getting this error on IIS 8; in my case it was on the Microsoft Server 2012 platform. I had spent a couple of hours battling with other errors that bubbled up after executing appcmd. In the end I was able to fix it by removing the Web Server Role and installing it again.
1. Open "Turn windows features on or off" by: WinKey+ R => "optionalfeatures" => OK
Enable those features under "Application Development Features"
Tested on Win 10 - But probably will work on other windows versions as well.
I ran these two commands from an elevated command prompt:
%windir%/system32/inetsrv/appcmd unlock config /section:anonymousAuthentication
%windir%/system32/inetsrv/appcmd unlock config /section:windowsAuthentication
As per my answer to this similar issue;
Try unlocking the relevant IIS configuration settings at server level, as follows:
Open IIS Manager
Select the server in the Connections pane
Open Configuration Editor in the main pane
In the Sections drop down, select the section to unlock, e.g. system.webServer > defaultPath
Click Unlock Attribute in the right pane
Repeat for any other settings which you need to unlock
Restart IIS (optional) - Select the server in the Connections pane, click Restart in the Actions pane
This Did the trick for me, for IIS 8 Windows server 2012 R2
Go to "Turn on Features"
Then go to all default setting , Next, Next, Next etc..
Then, select as shown below,
Then reset IIS (optional) but do it safer side.
This is an additional solution, as it's a generic problem: everyone has a different problem and thus a different solution. Cheers!
The best option is to Change Application Settings from the Custom Site Delegation
Open IIS and from the root select Feature Delegation and then select Application Settings and from the right sidebar select Read/Write
On Windows Server 2012 with IIS 8 I have solved this by enabling ASP.NET 4.5 feature:
and then following ken's answer.
To fix this open up the IIS Express applicationhost.config. This file is stored at C:\Users\[your user name]\Documents\IISExpress\config\applicationhost.config
Update for VS2015+: config file location is $(solutionDir).vs\config\applicationhost.config
Look for the following lines
<section name="windowsAuthentication" overrideModeDefault="Deny" />
<section name="anonymousAuthentication" overrideModeDefault="Deny" />
<add name="WindowsAuthenticationModule" lockItem="true" />
<add name="AnonymousAuthenticationModule" lockItem="true" />
Change those lines to
<section name="windowsAuthentication" overrideModeDefault="Allow" />
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<add name="WindowsAuthenticationModule" lockItem="false" />
<add name="AnonymousAuthenticationModule" lockItem="false" />
Save it and refresh Asp.net Page.
In our case on IIS 8 we found the error was produced when attempting to view "Authentication" for a site, when:
The server Feature Delegation marked as "Authentication - Windows" = "Read Only"
The site had a web.config that explicitly referenced windows authentication; e.g.,
Marking the site Feature Delegation "Authentication - Windows" = "Read/Write", the error went away. It appears that, with the feature marked "Read Only", the web.config is not allowed to reference it at all even to disable it, as this apparently constitutes a write.
Seems that with IIS Express and VS 2015, there's a copy of the applicationHost.config file at $(solutionDir).vs\config\applicationhost.config so you'll need to make changes there. See this link: http://digitaldrummerj.me/iis-express-windows-authentication/
Make sure these lines are changed per below:
<section name="windowsAuthentication" overrideModeDefault="Allow" />
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<add name="WindowsAuthenticationModule" lockItem="false" />
<add name="AnonymousAuthenticationModule" lockItem="false" />
In my case, "HTTP Activation" under .NET Framework Features was not enabled on the server. So for Windows Server 2012 the solution which worked for me was:
Server Manager -> Add roles and features -> Features -> make sure that under .NET Framework of version you want to use is checked "HTTP Activation"
The Powershell way of enabling the features (Windows Server 2012 +) - trim as needed:
Install-WindowsFeature NET-Framework-Core
Install-WindowsFeature Web-Server -IncludeAllSubFeature
Install-WindowsFeature NET-Framework-Features -IncludeAllSubFeature
Install-WindowsFeature NET-Framework-45-ASPNET -IncludeAllSubFeature
Install-WindowsFeature Application-Server -IncludeAllSubFeature
Install-WindowsFeature MSMQ -IncludeAllSubFeature
Install-WindowsFeature WAS -IncludeAllSubFeature
The error says that the configuration section is locked at the parent level.
So it will not be directly 1 config file which will resolve the issue,
we need to go through the hierarchy of the config files to see the inheritance
Check the below link to go through the File hierarchy and inheritance in IIS
https://msdn.microsoft.com/en-us/library/ms178685.aspx
So you need to check for the app config settings in the below order
1. ApplicationHost.config in C:\windows\system32\inetsrv\config. Change the overrideModeDefault attribute to be Allow.
2. ApplicationName.config or web.config in the applications directory
3. Web.config in the root directory.
4. Web.config in the specific website (My issue was found at this place).
5. Web.config of the root web (server's configuration)
6. machine.config of the machine (Root's web.config and machine.config can be found at - systemroot\Microsoft.NET\Framework\versionNumber\CONFIG\Machine.config)
Go carefully through all these configs in the order of 1 to 6 and you should find it.
I noticed one answer that was similar, but in my case I used the IIS Configuration Editor to find the section I wanted to "unlock".
Then I copied the path and used it in my automation to unlock it prior to changing the sections I wanted to edit.
. "$($env:windir)\system32\inetsrv\appcmd" unlock config -section:system.webServer/security/authentication/windowsAuthentication
. "$($env:windir)\system32\inetsrv\appcmd" unlock config -section:system.webServer/security/authentication/anonymousAuthentication
I needed to change the SSL settings on a subfolder when i got this nice message. In my case following action helped me out.
Opened C:\Windows\System32\inetsrv\config\applicationHost.config
And changed the value from overrideModeDefault="Deny" to "Allow"
<sectionGroup name="system.webServer">
    ...
    <sectionGroup name="security">
        <section name="access" overrideModeDefault="Allow" />
    </sectionGroup>
</sectionGroup>
In my case, I got this error because I was operating on the wrong configuration file.
I was doing this:
Configuration config = serverManager.GetWebConfiguration(websiteName);
ConfigurationSection serverRuntimeSection = config.GetSection("system.webServer/serverRuntime");
serverRuntimeSection["alternateHostName"] = hostname;
instead of the correct code:
Configuration config = serverManager.GetApplicationHostConfiguration();
ConfigurationSection serverRuntimeSection = config.GetSection("system.webServer/serverRuntime", websiteName);
serverRuntimeSection["alternateHostName"] = hostname;
in other words, I was trying to operate on the website's web.config instead of the global file C:\Windows\System32\inetsrv\config\applicationHost.config, which has a section (or can have a section) for the website. The setting I was trying to change exists only in the applicationHost.config file.
In my case, it was something else.
When I loaded the solution in a new version of Visual Studio, VS apparently created a new project-specific applicationhost.config file:
MySolutionDir\.vs\config\applicationhost.config
It started using the settings from the new config, instead of my already customized global IIS Express settings.
(\Users\%USER%\Documents\IISExpress\config\applicationhost.config)
In my case this was the setting that needed to be set. Of course it could be something else for you:
<section name="ipSecurity" overrideModeDefault="Allow" />
Received this same issue after installing IIS 7 on Vista Home Premium. To correct error I changed the following values located in the applicationHost.config file located in Windows\system32\inetsrv.
Change all of the following values located in section -->
<section name="handlers" overrideModeDefault="Deny" /> change this value from "Deny" to "Allow"
<section name="modules" allowDefinition="MachineToApplication" overrideModeDefault="Deny" /> change this value from "Deny" to "Allow"
Can You try this:
Go to application path where you're getting deny error, right click
Properties->Security tab
In that, change the permissions and check the checkbox read and write. Then it will work without any error hopefully.
For Windows Server 2008 and IIS 7, the procedure is similar.
please refer to this:
http://msdn.microsoft.com/en-us/library/vstudio/bb763178(v=vs.100).aspx
in add role service, u will see "Application Development Features"
Check (enable) the features. I checked all.
In my case I was getting this error when attempting to update the authentication settings in IIS also in addition to browsing. I was able to remove this error by removing the authentication setting from the web.config itself. Removing a problematic configuration section may be less invasive and preferable in some cases than changing the server roles and features too much:
Section Removed:
<security>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
</security>
I had a similar issue, but I used the following powershell script which helped me to achieve the above steps in one button click.
#Install IIS
Import-Module ServerManager
Add-WindowsFeature Web-Server, Web-Asp-Net45, Web-Mgmt-Console, Web-Scripting-Tools, NET-WCF-HTTP-Activation45, Web-Windows-Auth
the list of features can be added or removed based on the requirement.
I had an issue where I was putting in the override = "Allow" values (mentioned here already)......but on a x64 bit system.......my 32 notepad++ was phantom saving them. Switching to Notepad (which is a 64bit application on a x64 bit O/S) allowed me to save the settings.
See :
http://dpotter.net/technical/2009/11/editing-applicationhostconfig-on-64-bit-windows/
The relevant text:
One of the problems I’m running down required that I view and possibly edit applicationHost.config. This file is located at %SystemRoot%\System32\inetsrv\config. Seems simple enough. I was able to find it from the command line easily, but when I went to load it in my favorite editor (Notepad++) I got a file not found error. Turns out that the System32 folder is redirected for 32-bit applications to SysWOW64. There appears to be no way to view the System32 folder using a 32-bit app. Go figure.
Fortunately, 64-bit versions of Windows ship with a 64-bit version of Notepad. As much as I dislike it, at least it works.
I had the same issue.
Resolved it by enabling Application Server feature. Restarted iis
after that.
This worked for me
Also in IIS 8 you can solve this problem by changing the server to IIS Express. Goto debug->Properties
In the Web select the server as IIS Express from the dropdown and then rebuild the solution
To make a change at Application Level (Web.Config):
Please remove the Trust Level from the web.config:
Actually I was getting this error when I was trying to host my Website on the Hosting Server where I don't have control on their Server. Removing the above line from my Application web.config solved my issue.
I have classic ASP running on IIS 7.
Even though I configured the ASP "Debugging Properties" to "Send Errors to Browser = True", the web app REFUSES to send errors to the browser and continues to send a 500 internal server error.
My browser has "Show Friendly HTTP Error Messages" unchecked.
Failed Request Tracing is installed (not sure if that's related)
Happens both on web pages loaded locally on the server and remotely
The App Pool is integrated (not sure if that matters)
Any ideas?
Try :
Internet Information Services (IIS) Manager —> Default Web Site —> Click Error Pages properties and select Detail errors
I was having the same issue with a Classic ASP app running in a subfolder of a site. I had enabled detailed errors and the 500 was still showing. My resolution was to enable parent paths in the ASP section in IIS for the site as the application was referencing the parent folder using "../":
I had this occurring on a Classic ASP application running in a subfolder of a site. The solution was:
IIS > Click into your Site > Click into your Application folder > Error Pages > Edit Feature Settings > set to: Detailed Errors
IIS Manager >> double click the ASP icon to open the ASP page. Expand the Debugging Properties node and set Send Errors To Browser to True.
Refer : http://www.chestysoft.com/asp-error-messages.asp
If your website is configured to connect to the physical path of the website as a specific user, instead of using pass-through authentication, you may get this error if there is a permissions error with this user. It may also be necessary to restart the Windows Process Activation Service and then restart IIS.
If you are hosting the project in a shared environment then you can use the following snippet to view the errors.
<configuration>
    <system.webServer>
        <httpErrors errorMode="Detailed" />
    </system.webServer>
    <system.web>
        <customErrors mode="Off" />
        <compilation debug="true" />
    </system.web>
</configuration>
Refer this URL for complete information http://blogs.iis.net/rickbarber/working-past-500-internal-server-error
Hope it helps someone
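An added example, not part of the original answer: the three settings in the snippet above send full error detail to every client, so this PowerShell check finds any that are still in place once troubleshooting is over and names the framework default each one replaces. The function name Find-VerboseErrorSetting, the sample file and the D:\sites path in the closing comment are constructed for illustration.

```powershell
# Constructed web.config mirroring the troubleshooting snippet (sample input, not a real site's file).
$sampleWebConfig = @'
<configuration>
  <system.webServer>
    <httpErrors errorMode="Detailed" />
  </system.webServer>
  <system.web>
    <customErrors mode="Off" />
    <compilation debug="true" />
  </system.web>
</configuration>
'@

function Find-VerboseErrorSetting {
    param(
        [Parameter(Mandatory = $true)][xml]$WebConfig,
        [string]$Source = '(inline sample)'
    )

    # Each check: where the element lives, the attribute, the value that exposes
    # detail to remote clients, and the default value it overrides.
    $checks = @(
        @{ XPath = '//system.webServer/httpErrors'; Attr = 'errorMode'; Risky = 'Detailed'; Default = 'DetailedLocalOnly' },
        @{ XPath = '//system.web/customErrors';     Attr = 'mode';      Risky = 'Off';      Default = 'RemoteOnly' },
        @{ XPath = '//system.web/compilation';      Attr = 'debug';     Risky = 'true';     Default = 'false' }
    )

    foreach ($c in $checks) {
        # The leading // also matches elements wrapped in a <location> block.
        foreach ($node in $WebConfig.SelectNodes($c.XPath)) {
            $value = $node.GetAttribute($c.Attr)
            if ($value -eq $c.Risky) {   # -eq compares strings case-insensitively
                [pscustomobject]@{
                    Source    = $Source
                    Element   = $node.LocalName
                    Attribute = $c.Attr
                    Found     = $value
                    Default   = $c.Default
                }
            }
        }
    }
}

Find-VerboseErrorSetting -WebConfig $sampleWebConfig | Format-Table -AutoSize

# Sweeping a content root (D:\sites is a placeholder path):
# Get-ChildItem D:\sites -Recurse -Filter web.config | ForEach-Object {
#     Find-VerboseErrorSetting -WebConfig (Get-Content $_.FullName -Raw) -Source $_.FullName
# }
```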
I had a 500 error with an ASP Classic application I had just installed on a new server (Windows 2019). Every URL on the application returned 500, no matter what. But no errors were being shown in the Windows event log, and despite configuring detailed errors, as mentioned in several of the other answers here, no specific error was being displayed in the browser.
The only clue was in the IIS logs, which showed the HTTP status code as 500, and the IIS substatus code as 19. So a 500.19 error.
That led me to
and the specific issue I was having was answered by the second part of this section:
https://learn.microsoft.com/en-us/troubleshoot/iis/http-error-500-19-webpage#hresult-code-0x80070005
which says:
Don't configure the website to use UNC pass-through authentication to
access the remote UNC share. Instead, specify a user account that has
the appropriate permissions to access the remote UNC share.
and (this is the part I needed to do):
Grant the Read permission to the IIS_IUSRS group for the
ApplicationHost.config or Web.config file. To do it, follow these
steps:
In Windows Explorer, locate the folder that contains the
ApplicationHost.config file that is associated with the website, or
locate the virtual directories or the application directories that
contain the Web.config file that is associated with the website.
Note
The Web.config file may not be in the virtual directories or the
application directories in IIS. Even in this situation, you have to
follow these steps.
Right-click the folder that contains the ApplicationHost.config file,
or right-click the virtual or application directories that may contain
the Web.config file.
Select Properties.
Select the Security tab, and then Select Edit.
Select Add.
In the Enter the object names to select box, type
\IIS_IUSRS, select Check Names, and then select OK.
Note
is a placeholder for the computer name.
Select the Read check box, and then select OK.
In the Properties dialog box for the folder, select OK.
Note
Make sure that the folder properties are inherited by the
ApplicationHost.config and Web.config files so that IIS_IUSRS has the
Read permission for those files.
I have deployed a web site to a Win 2008 Web server with IIS7. The site works fine on a Win 2003 Standard server with IIS6. On the 2008 box, whenever I request a page (htm or aspx) from a folder named Reports, I get challenged with the Windows Authentication dialog box.
I have Anonymous Authentication and Forms Authentication enabled on the site. I applied Full Control permissions to the root of the site for both NETWORK SERVICE and IIS_IUSRS, but that hasn't made a difference.
Like a previous post already mentioned, here are the detailed steps to fix this:)
If there is a folder in the application named "Reports" and SQL Server Reporting Services are installed on the server, then the Reporting Services Virtual Directory folder that is also named "Reports" will be in conflict with the application "Reports" folder.
To fix this open Reporting Services Configuration Manager (Start->All Programs->MS SQL Server->Configuration Tools) and change the Virtual Directory under the "Report Manager URL" in the menu on the left.
Did you install MSSQL Reporting Services on your new machine? It'll use the Reports folder for the reporting toolkit (default setting) and under MSSQL 2008 you can't enable anonymous Access out of the box.
What is the authentication mode in your web.config? Verify that it is not Windows:
<authentication mode="Windows" />
also be sure to disable integrated windows authentication in iis
You could try running FileMon from SysInternals to see if it is the file system that is sending back the "access denied".
Quote from another forum that solved this issue for me:
"SQL Server Reporting Services creates a folder called Reports by default if you install it on IIS. If you install SQL 2008 then Reporting Services doesn't need to use IIS and instead will try to reserve the URL with the HTTP.Sys service.
I believe this is the cause of the conflict you are seeing. What you could try is changing the URL that Reporting Services uses via the SQL Server Reporting Services Configuration Manager."
Well speaking on the same subject here, yesterday I was deploying my application on Windows Server 2008 running IIS7 w/MSSQL 2008 on there too. In my website's tree structure I had a folder named Reports that had a subfolder in it, and then the actual pages. It looked like this "Reports/SalaryReports/SalaryReport.aspx" The interesting thing was that when I clicked on a hyperlink to go to "Reports/SalaryReports/SalaryReport.aspx" I got a username/password prompt from my server. This did not happen on the VS development server when I ran the application on the development machine. So I was like hmm? I looked at the code-behind in SalaryReport.aspx and did not find anything unusual. So then I put a Default.aspx directly in the Reports folder (thinking maybe it was something wrong with the authentication going two nodes down from the root to get to SalaryReport.aspx) but the server still requested username/password even though there were no security settings applied to this new Default.aspx. So I figured it must be that the folder is named "Reports", so I renamed it to "Reports1" and bingo! Everything worked!....I will still look further in this issue today, but it seems that either an IIS 7 HttpModule (not one of mine) is trying to "reserve" the folder that is named "Reports" for itself or something else...I'll look into the SQL Server Reporting services as the above post mentioned...
Anyways, just wanted to share:)
I'm supposing you don't have a SQL Reporting Services running on the same server:
1 - Give rights to user "IUSR" and the user that's running your application pool.
2 - Overwrite child folder permissions and ownership.
3 - Check if there's a web.config file on that folder setting different access rules.