Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Wednesday, August 10, 2011 7:29 PM
I am new to IIS security and deploying asp.net web apps. I updated code to an existing asp.net web application using Visual Studio 2008 and deployed updated files to remote server with IIS7 and Server 2008 installed. I deployed by copy/past from local machine to remote machines' inetpub\wwwroot\foldername...I did not change anything else since the folder it belonged in was named the same.
The site opens from client machine when I am logged in with my administrator account. But other users who are authorized to see the app, are met with 401 error message: 401 - Unauthorized: "Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
I am at a loss on why user cannot access the web site. What should I look at?
All replies (47)
Tuesday, August 23, 2011 5:18 PM âś…Answered
Martin,
Thank you for your undying help in sticking by me through this troubleshooting. For now, I have found a work-around. Here is what I did:
1. I created a new folder called "webApp2" on remote server, inheriting permission from wwwroot. I did not add or modify permissions to the new folder in any way. Physical path: c:\inetput\wwwroot\webApp2
2. I copied and pasted the files only from the old webApp (original, unmodified files) on local machine to new folder on remote machine.
3. In IIS 7 on remote server, I right-clicked on the new folder webApp2 and selected "Convert to Application". The Basic Settings chosen are: Alias: webApp2, Application pool: Classic .NET AppPool, Physical path: c:\inetpub\wwwroot\webApp2
4. That's it! Users who have been granted access by the custom code, now have access.
I do not consider this a solution to the problem because I did not deploy the modified code. I consider this a work-around -- users have their application back while I figure out how to get the modified application to deploy correctly.
I sincerely appreciate your help. I learned a great deal. I will report back when I have successfully deployed the modified files to let you know what the solution was.
Doreen
Wednesday, August 10, 2011 9:18 PM
Hello,
You might check this http://forums.iis.net/t/1180253.aspx thread post
for Unblocking files of use.
When copying you need to use XCOPY or Robocopy with proper command-line switches
so permissions are part of the files.
Since your learning about security and permissions
read http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis-7/ IIS Net guide
for Users and Account Permissions.
Your doing Developement and will have various errors and messages
read this Microsoft Support Article http://support.microsoft.com/kb/943891 and print a copy of the list
for Reference.
Martin
Thursday, August 11, 2011 1:01 PM
Thank you Martin. I read all the articles, not sure any one is helping me solve this.
I am pretty sure when I copied the files from my local machine to remote server, I copied the entire folder, not just the files within (wished I would have just moved the files now), so am thinking I messed up the folder permissions.....so I made sure the replaced folder inherited from the parent folder in this case wwwroot, but that did not make a difference.
I saved the former folder in a zipped file before I copied the modified project - if I put it back will the permissions return to pre-move permissions?
Thursday, August 11, 2011 2:17 PM
Hi,
If you saved the former folder in zip archive it is total guess work as to what permissions were stored with the files.
Did you read the information about User Group Account permissions ?
If the IIS Server is ( not set) to "Inherit Permissions" you will not get a change in permissions at a higher Folder or Level.
I suggest using the User and Account information go to each Directory / Folder and set the proper permissions.
The next time for Moving Projects the Microsoft Deployment tool for Visual Studio makes all of this easier.
If your going to manually move files and projects use XCOPY to move the files with permissions
or use Robocopy or Robocopy GUI tools to create the archive.
Martin
Thursday, August 11, 2011 3:15 PM
Where do I check to see if IIS 7 is set to inherit permissions? So my only option is to go clickity click on permissions on the folder I moved? A majority of the other apps in the same directory inherit from parent-wwwroot folder only and they work so my assumption is the same should work for this particular folder and it is not working.
I did read the information about User Group Account permissions and it only goes into detail about IIS_WPG, IUSR (not applicable), IIS_IUSRS. Only IIS_IUSRS is used in parent permissions (wwwroot).
wwwroot folder security settings are as follows -- note that Special is not inherited for NETWORK and INTERACTIVE:
SYSTEM (FC through Write permissions (are black check marked))
NETWORK (List folder contents(black), Special(gray))
Administrators(*(FC through Write(black))
Users((Read & exec, List folder.., Read(black))
IIS_IUSRS(Read & exec, List folder..., Read(black))
INTERACTIVE(List folder(black), Special(gray))
Trusted Installer(FC through Write (black))
In my server manager Local Usera nd Groups, Group there are no members of IIS_IUSRS.
IIS_WPG members are: IIS_IUSRS, LOCAL SERVICE, NETWORK SERVICE, SERVICE, SYSTEM
Are you suggesting that possibly the permission on the folder itself is not being recognized by IIS7? How do I make that happen?
Thursday, August 11, 2011 3:48 PM
Hello,
In IIS Manager using the edit Permissions open the Pane then Security Tab and look
at the Advanced Tab it shows what is the "Inherited" permissions setting currently being used..
The Advanced Tab for the "Default" Web Site is where you can change the "Inherit" permissions setting.
It is bad to assume that the other Web Sites and folders had "Inherited" permissions.
If the your list of Accounts and Groups have the correct permissions use
them to manually set permissions for the Folders and Files for where you put files.
"Are you suggesting that possibly the permission on the folder itself is not being recognized by IIS7?"
Yes It is possible the permissions are not being reflected have you restarted the Web Site or Server
since making the Virtual Directory and the Alias in IIS Server ?
How do I make that happen?
Use IIS Manager or Windows Explorer to modify or change the permissions for the files and folders.
You will likely need to restart the Web Site or Server to see the changes.
You should also read the guide below for Access Control Lists and Permissions.
Reference IIS Net: Acls and permissions http://learn.iis.net/page.aspx/583/secure-content-in-iis-through-file-system-acls/ .
Martin
Thursday, August 11, 2011 5:54 PM
In IIS7 > Basic Settings, I clicked the Test Connection button and this is what I found under Test: Authorizaton: *Cannot verify access to path (C:\inetpubl\wwwroot\foldername. * Details: "The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\computer_name>$ has Read access to the physical path. Then test these settings again."
Thursday, August 11, 2011 6:36 PM
Hello,
Read this http://www.it-notebook.org/iis/article/test_connection_authorization_failed.htm for more information.
If you need to change permissions use Icacls for IIS AppPool\app pool name> which us the Application Pool User.
Martin
Thursday, August 11, 2011 6:43 PM
ok thank you Martin - I realized after I posted that error that it didn't mean anything as the other working apps...have the same error message.
Here is an excerpt from my log file:
2011-08-11 22:15:54 10.100.10.35 GET /lnc - 80 domain\username 10.100.10.78 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+InfoPath.2;+.NET4.0E;+MS-RTC+EA+2;+MS-RTC+LM+8) 301 0 0 203
2011-08-11 22:16:11 10.100.10.35 GET /lnc/ - 80 domain\username 10.100.10.78 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+InfoPath.2;+.NET4.0E;+MS-RTC+EA+2;+MS-RTC+LM+8) 401 3 5 0
2011-08-11 22:16:18 10.100.10.35 GET /lnc/ - 80 domain\username 10.100.10.78 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+InfoPath.2;+.NET4.0E;+MS-RTC+EA+2;+MS-RTC+LM+8) 401 3 5 0
2011-08-11 22:16:18 10.100.10.35 GET /lnc/ - 80 domain\username 10.100.10.78 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+InfoPath.2;+.NET4.0E;+MS-RTC+EA+2;+MS-RTC+LM+8) 401 3 5 0
HTTP status code
301.0 means "Moved Permanently" (not sure why because I copied over existing folder-I didn't move it)
401.3 means "Unauthorized due to ACL on resource"
Thursday, August 11, 2011 6:55 PM
Hi,
Check this http://support.microsoft.com/kb/942042 Microsoft Support for the 401.3 and suggestions.
Check that the IIS Server has the folder marked as "Application" is may be why your getting 301 errors.
Glad you posted the log it makes things easier.
Martin
Thursday, August 11, 2011 7:12 PM
In IIS > Connections my site has the globe (not a folder) icon -- which I assume is what you mean when you say "the folder marked as 'Application'"
I added Authenticated Users with Read permission per Microsoft 401.3 article but nothing happened. I will reset IIS after users go home and see if that produces a change.
Thursday, August 11, 2011 7:19 PM
Hi,
Yes, Not a "Folder Icon" marked as application is "Globe with Page Note in Left Corner"..
A reset of the IIS some times is like "Magic" for changes in permissions and configuration.
HTH
Martin
Thursday, August 11, 2011 8:18 PM
Unfortunately IISRESET did not have any effect. I may have to address the 301 error? Back to the drawing board.
Thursday, August 11, 2011 11:39 PM
Hi,
Maybe this http://forums.iis.net/t/1180261.aspx thread will help
with the 301 error.
Martin
Friday, August 12, 2011 11:30 AM
Thanks again Martin. I really appreciate your hel in stepping through the troubleshooting. This mornings log has these errors: 401.2, 301.0, 401.3
2011-08-12 15:03:34 10.100.10.35 GET /lnc - 80 - 10.100.10.78 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+InfoPath.2;+.NET4.0E;+MS-RTC+EA+2;+MS-RTC+LM+8) 401 2 5 0
2011-08-12 15:03:34 10.100.10.35 GET /lnc - 80 domain\username 10.100.10.78 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+InfoPath.2;+.NET4.0E;+MS-RTC+EA+2;+MS-RTC+LM+8) 301 0 0 0
2011-08-12 15:03:34 10.100.10.35 GET /lnc/ - 80 domain\username 10.100.10.78 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+InfoPath.2;+.NET4.0E;+MS-RTC+EA+2;+MS-RTC+LM+8) 401 3 5 15
Error 401.2 is Logon failed due to server configuration. All I changed over previous attempts was to add "Authenticated Users" with Read permissions on the web app. I verified that IIS is inheriting this info.
301.0 (Moved Permanently error) - The thread you pointed me to seems to suggest I need to set up a redirection (how?) and that IIS is not the problem.
401.3 Unathorized due to ACL on resource. So this suggests the change I made didn't effect anything.
If I were to redeploy the app to a new folder name on remote server from Visual Studio and create a new site in IIS - do you think that would behave differently?
Friday, August 12, 2011 12:01 PM
Hi,
Yes, The redeploy of the Application is likey a better approach.
Check this http://forums.iis.net/t/1180325.aspx thread it has good desciption
and suggestion for "Inherited Pemissions" with copying / moving applications.
You have learn what to watch for while deploying the files and permissions.
Martin
Friday, August 12, 2011 2:59 PM
I am truely at a loss at this point. I redployed the site from VS2008 using Copy Web site into a new folder name and site in IIS. I was able to access it under two accounts, my admin acct and my regular user account-thought I made some headway but found that other users were still prompted for credentials when they should not have been. I deleted the IIS site then redeployed the original files that were on the server before starting all this and now I get 403 Forbidden: access denied for my admin account and everyone. Geesh.
The log throws these 3 errors in this order when I attempt to log in on the last deployment:
401.2
301.0
403.1
Friday, August 12, 2011 3:13 PM
Hi
Ok,
Then there is something going with the Remote Server and configuration.
How this server with IIS7 and Server 2008 installed.
Problems with Domain Policy Accounts Pemissions etc..
You need to check the IIS Net Install guides and see that the Roles and Features are installed correctly.
Look for Authorization Authentication rules and policies they prevent Your Account
or others from deploying Applications. You may need to check Your Acount Profile and Permissions.
You should not have this much problem deploying an application.
Martin
Friday, August 12, 2011 6:44 PM
I don't think it should be this hard either. When I figure it out, I bet it is going to be something really simple. Urgh!
Friday, August 12, 2011 9:18 PM
Hi
I have re-read the previous posts. Yes, It is always simple just hard to find.
In the first post was this http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis-7/ guide for
Account and User Permissions. And you created a table of current permissions.
I think the missing permissions are for IUSR and IIS_IUSRS for the web.config and maybe more files.
Martin
Monday, August 15, 2011 1:05 PM
My understanding is IUSR is a built-in user account needed for anonymous logon which isn't applicable to this app. I added it with read and execute permissions and it had no affect.
IIS_IUSRS is a built-in group account that replaces IIS_WPG. IIS_IUSRS is a member of IIS_WPG in my situation.
This app uses Application pool is set to Classic .NET AppPoll with LocalSystem identity.
In IIS Windows Authentication and ASP.NET Impersonization is Enabled.
In the web.cofig file for this app, the only override over machine.config is authorization - - there are 4 domain/users who are allowed.
<authorization>
<allow users="domain\jusername1,domain\username2,ldomain\username3, domain\username4"/>
<deny users="*"/>
</authorization>
The permissions on the folder inherited from wwwroot the following roles:
SYSTEM
NETWORK
NETWORK SERVICE
Adminstrators
Users
IIS_IUSRS
INTERACTIVE
Trusted Installer
In my troubleshooting I have added Authenticated Users with Full Control and LocalService with Read & Exec, List Contents and Read and IUSR with Read & Exec, List Contents and Read. Adding each had no affect on my ability to access the application. Still get 401 Unathorized: Access is denied due to invalid credientials.
Monday, August 15, 2011 1:31 PM
Hi,
Ok Then different approach and tool to find the problems.
First check "Default" permissions http://support.microsoft.com/kb/981949/en-us also note the "ASP.NET" settings.
information for System Internals Process monitor you can find the User or Account denied access.
Get the Process Monitor at the Technet Systems Internals web site and copy or install on the
system and read the guide.
Martin
Monday, August 15, 2011 1:53 PM
Thanks. Just finished kb 981949 and the only glaring difference I noted in permissions between inetpub and wwwroot was that wwwroot did not list CREATOR OWNER. I surmise that where I see "Special permissions" checked is actually inheriting from inetpub CREATOR OWNER (even though that is not obvious). On to next article...
I ran Process Monitor and here's and excerpt from the ACCESS DENIED entry when app attempts to open default.aspx page. I am not sure what it all means:
12:15:14.7357118 PM w3wp.exe 1696
CreateFile
C:\inetpub\wwwroot\LNC\Default.aspx
ACCESS DENIED
Desired Access: Generic Read,
Disposition: Open,
Options: Sequential Access,
Attributes: RE,
ShareMode: Read, Write, Delete,
AllocationSize: n/a,
Impersonating: domain\username1
12:15:14.7367475 PM w3wp.exe 1696 QuerySecurityFile C:\inetpub\custerr\en-US\401.htm SUCCESS Information: Owner, Group, DACL
I added IUSR to Users group since the article said it was supposed to be a member (even though we are not using anonymous access). NT AUTHORITY\Authenticated Users was also supposed to be a member of Users group and it was already there (unlike the authors problem).
I noted that in applicationHost.config file under authentication there is an attribute "anonymousAuthentication enbable="true" userName="IUSR" but there are other areas where authentication anonymous is set to false so I wonder if that's all kosher or what?
Tuesday, August 16, 2011 12:15 AM
Hi,
For the Web.config problem look at IIS Net Library Reference http://www.iis.net/ConfigReference/system.webServer/security/authentication/anonymousAuthentication
for Anonymous Authentication.
Excerpt from the Top paragraphs:
By default, IIS 7 uses Anonymous authentication.
You must disable Anonymous authentication
for any Web site
Web application
Web service
for which you want to enable other authentication methods such as Basic or Windows authentication.
You can use IIS Manager to use change the Authentican Methods required as shown in the images.
From the Process Monitor results
the domain name user listed "username1"
has the wrong permissions or credentials.
Check this http://forums.iis.net/t/1148826.aspx thread.
Martin
Tuesday, August 16, 2011 11:11 AM
Just thought I'd share these logs. They are corresponding entries from IIS log and Process Montior. What I noted that is different today is that the process monitor is not recording the 401 unauthorized page error ...although the error is happening in the browser. I will read your articles.
=============================================== IIS LOG:
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2011-08-16 15:01:37
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-08-16 15:01:37 10.100.10.35 GET /appName - 80 - 10.100.10.78 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+InfoPath.2;+.NET4.0E;+MS-RTC+EA+2;+MS-RTC+LM+8) 401 2 5 0
2011-08-16 15:01:37 10.100.10.35 GET /appName - 80 domain\username1 10.100.10.78 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+InfoPath.2;+.NET4.0E;+MS-RTC+EA+2;+MS-RTC+LM+8) 301 0 0 0
2011-08-16 15:01:37 10.100.10.35 GET /appName/ - 80 domain\username1 10.100.10.78 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+InfoPath.2;+.NET4.0E;+MS-RTC+EA+2;+MS-RTC+LM+8) 401 3 5 0
2011-08-16 15:01:39 10.100.10.35 GET /favicon.ico - 80 domain\username1 10.100.10.78 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+InfoPath.2;+.NET4.0E;+MS-RTC+EA+2;+MS-RTC+LM+8) 404 0 2 0
================================================= Process Monitor:
8:01:15.4928869 AM w3wp.exe 3952 Thread Create SUCCESS Thread ID: 2300
8:01:16.6354771 AM w3wp.exe 3900 Thread Exit SUCCESS Thread ID: 2220, User Time: 0.0000000, Kernel Time: 0.0000000
8:01:37.5264889 AM w3wp.exe 3952 CreateFile C:\inetpub\wwwroot\appName SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: RE, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: domain\username1, OpenResult: Opened
8:01:37.5266079 AM w3wp.exe 3952 QueryStandardInformationFile C:\inetpub\wwwroot\appName SUCCESS AllocationSize: 4,096, EndOfFile: 4,096, NumberOfLinks: 1, DeletePending: False, Directory: True
8:01:37.5266392 AM w3wp.exe 3952 QueryAllInformationFile C:\inetpub\wwwroot\appName BUFFER OVERFLOW CreationTime: 9/17/2009 8:46:08 AM, LastAccessTime: 8/11/2011 11:04:40 AM, LastWriteTime: 8/11/2011 11:04:40 AM, ChangeTime: 8/11/2011 11:04:40 AM, FileAttributes: D, AllocationSize: 4,096, EndOfFile: 4,096, NumberOfLinks: 1, DeletePending: False, Directory: True, IndexNumber: 0x100000001ae00, EaSize: 0, Access: Generic Read, Position: 0, Mode: Sequential Access, AlignmentRequirement: Byte
8:01:37.5267398 AM w3wp.exe 3952 CloseFile C:\inetpub\wwwroot\appName SUCCESS
8:01:37.5303880 AM w3wp.exe 3952 CreateFile C:\inetpub\wwwroot\appName SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, No Buffering, Attributes: RE, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: domain\username1, OpenResult: Opened
8:01:37.5304162 AM w3wp.exe 3952 QueryAllInformationFile C:\inetpub\wwwroot\appName BUFFER OVERFLOW CreationTime: 9/17/2009 8:46:08 AM, LastAccessTime: 8/11/2011 11:04:40 AM, LastWriteTime: 8/11/2011 11:04:40 AM, ChangeTime: 8/11/2011 11:04:40 AM, FileAttributes: D, AllocationSize: 4,096, EndOfFile: 4,096, NumberOfLinks: 1, DeletePending: False, Directory: True, IndexNumber: 0x100000001ae00, EaSize: 0, Access: Generic Read, Position: 0, Mode: Sequential Access, No Buffering, AlignmentRequirement: Byte
8:01:37.5305140 AM w3wp.exe 3952 CloseFile C:\inetpub\wwwroot\appName SUCCESS
Tuesday, August 16, 2011 11:34 AM
Hi,
Have you checked IE Security settings ?
Have you added the Web Site to the intranet zones ?
The logs from Process Monitor look better.
Was the "Magic" result of Server Restart or Web Site Restart ?
Martin
Tuesday, August 16, 2011 1:11 PM
Yes to your first two questions. I didn't solve this yet - the problem I noted previously (about the process monitor) is that it's not recording the 401 page error. The error still happens. So now I'm getting less information about the problem than before. Weird.
Here's the Audit failure event for username1 from Event viewer, Security:
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] { xyz}
EventID 4656
Version 0
Level 0
Task 12800
Opcode 0
Keywords 0x8010000000000000
- TimeCreated
[ SystemTime] 2011-08-16T17:00:22.929Z
EventRecordID 11696572
Correlation
- Execution
[ ProcessID] 4
[ ThreadID] 68
Channel Security
Computer serverName.name.domain
Security
- EventData
SubjectUserSid S-1-5-21-xyz-xyz-xyz-xyz
SubjectUserName username1
SubjectDomainName domain
SubjectLogonId 0x319c63c
ObjectServer Security
ObjectType File
ObjectName C:\inetpub\wwwroot\appName\Default.aspx
HandleId 0x0
TransactionId {00000000-0000-0000-0000-000000000000}
AccessList %%1538 %%1541 %%4416 %%4419 %%4423
AccessMask 0x120089
PrivilegeList -
RestrictedSidCount 0
ProcessId 0xf70
ProcessName C:\Windows\SysWOW64\inetsrv\w3wp.exe
==========
btw if anyone is following this post here's a more detailed article about how to set up auditing for Windows server 2008:
http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access
Tuesday, August 16, 2011 1:32 PM
Hi,
Question who set-up the Server and accounts ?
Maybe Steve Schofield's guide
http://www.iislogs.com/steveschofield/detecting-permission-issues-using-auditing-and-process-monitor would help ?
The problems are stiil with the same user " SubjectUserName username1 ".
The account "username1" is this a "Real User" and has Logon rights etc and is part of "Local Groups and Users" ?
What happens if you remove just the "username1" ? And test with the others ?
I looks like you have it narrowed down to the "username 1" Account.
Martin
Tuesday, August 16, 2011 1:59 PM
A former employee set up the server and accounts and wrote the app I am having difficulty deploying. I wrote mods to app and simply want to redeploy them in the same folder. The app works fine and it does include a permission aspect but right now the issue is no one can access the app so the app doesn't yet control who has access. All users do not have access to the app, not just username1. Also keep in mind there are several other web apps deployed on this server that are working fine. Nothing has changed on the server except I tryed to copy new files to this one particular app.
I believe the problem began when I copied the entire folder from dev machine to remote server obliterating whatever permissions were there.....
username1 is me, my regular logon account that I use to log on comparable to all other employees. I also have an administrative account which I use to logon to remote server. I am able to access the app from client when logged on with my admin account and not able to access app with my regular user account. I also have a test regular user account that behaves same as my regular logon account. I have 3 other regular users test this for me and same behavior for all regular users - no access to app.
In Local Users and Groups there are 3 users: Administrator, ASPNET, Guest
There are several groups notably "Users" of which "Authenticated Users" is a member of. I believe Authenticated Users should cover all domain users (if it does not, that may be my problem) ....the other members of **Users **group are ASPNET, domain\Domain Users, INTERACTIVE, IUSR.
Currently I have Users set with Modify, Read & Execute, List folder contents, Read, Write permission on this apps folder. It inherits RE, List... Read (I added Modify and Write after-the-fact in attempt to get some access--no luck).
At any rate Steve's guide left me wondering where to find the audit tools he referred to and how to set it up. The guide I posted had more detail (for a newbie like me).
Tuesday, August 16, 2011 2:17 PM
Hi,
So the Server has settings and configuration problems and was customed for the other apps.
You find out if there is more information about the Users and Accounts for the working applications.
You can add the ASP.NET account with rad,execute,list,modify that is normal for ASP.NET based applications.
Your correct your problems are with "I believe Authenticated Users should cover all domain users " you should
check for the settings in the Web.config both in main Application folder or sub folders.
Steves Guide is using stiil using
Process Monitor along with Audit using Local Security Policy on the Server.
Martin
Tuesday, August 16, 2011 2:30 PM
Currently my status codes from logs are coming in sets of 4:
401 2 5 0
301 0 0 0
401 2 5 0
401 3 5 0
So it appears to me from what I've learned/gleaned: IIS and browser are confused about what type of athentication to use. In IIS under Authentication I have Windows Authentication and ASP.NET Impersonation enabled (Anonymous, basic, forms are disabled).
One forum I read mentioned that changing the order of providers to check that NLTM is before Negotiate but I haven't for the life of me found out where I can change this in IIS even though the forum was descriptive. i am hesitant to make any changes to the applicationhost.config file directly as I don't want to effect behavior of any other apps on server (there are many).
http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/c9239a89-fbee-4adc-b72f-7a6a9648331f/?prof=required (look at Jay-Dubb's answer)
Tuesday, August 16, 2011 2:42 PM
Ok,
For how IIS & IE Browser check this http://support.microsoft.com/kb/264921 .
Check this http://forums.iis.net/t/1152426.aspx post for the 401 error.
The Windows Server Security article is correct for NTLM you may not need to change the settings.
I suggest use appcmd.exe to backup configuration settings.
I also suggest you test on the Dev box first.
Wow harry migration ;).
Martin
I suggest before making changes backup settings.
Wednesday, August 17, 2011 3:12 PM
I must admit I am very reluctant to make an applicationhost.config change on the server when it worked before and continues to work for all other applications.
If this is an authentication confusion issue - why would that be the case for this app and not others if it was server wide?
I finally got a fresh log of Process Monitor, iis logs and now event viewer windows security logs (thanks to enabling audit failures) - can you help me decipher? (Keep in mind "username1" represents any domain user. Only my admin user account currently can access the app.)
========================================================== process monitor:
11:53:18.8172685 AM w3wp.exe 3876 Thread Create SUCCESS Thread ID: 4732
11:53:26.3931741 AM w3wp.exe 1860 CreateFile C:\inetpub\wwwroot\appName SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, No Buffering, Attributes: RE,
ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: domain\username1, OpenResult: Opened
11:53:26.3932281 AM w3wp.exe 1860 QueryAllInformationFile C:\inetpub\wwwroot\appName BUFFER OVERFLOW CreationTime: 9/17/2009 8:46:08 AM, LastAccessTime: 8/11/2011 11:04:40 AM, LastWriteTime:
8/11/2011 11:04:40 AM, ChangeTime: 8/11/2011 11:04:40 AM, FileAttributes: D, AllocationSize: 4,096, EndOfFile: 4,096, NumberOfLinks: 1, DeletePending: False, Directory: True, IndexNumber: 0x100000001ae00,
EaSize: 0, Access: Generic Read, Position: 0, Mode: Sequential Access, No Buffering, AlignmentRequirement: Byte
11:53:26.3934163 AM w3wp.exe 1860 CloseFile C:\inetpub\wwwroot\appName SUCCESS
11:53:26.4457520 AM w3wp.exe 1860 CreateFile C:\inetpub\wwwroot\appName SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, No Buffering, Attributes: RE,
ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: domain\username1, OpenResult: Opened
11:53:26.4457814 AM w3wp.exe 1860 QueryAllInformationFile C:\inetpub\wwwroot\appName BUFFER OVERFLOW CreationTime: 9/17/2009 8:46:08 AM, LastAccessTime: 8/11/2011 11:04:40 AM, LastWriteTime:
8/11/2011 11:04:40 AM, ChangeTime: 8/11/2011 11:04:40 AM, FileAttributes: D, AllocationSize: 4,096, EndOfFile: 4,096, NumberOfLinks: 1, DeletePending: False, Directory: True, IndexNumber: 0x100000001ae00,
EaSize: 0, Access: Generic Read, Position: 0, Mode: Sequential Access, No Buffering, AlignmentRequirement: Byte
11:53:26.4458867 AM w3wp.exe 1860 CreateFile C:\inetpub\wwwroot\appName\Default.aspx ACCESS DENIED Desired Access: Generic Read, Disposition: Open, Options: Sequential Access,
Attributes: RE, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: domain\username1
11:53:26.4461278 AM w3wp.exe 1860 CloseFile C:\inetpub\wwwroot\appName SUCCESS
11:53:28.2977251 AM w3wp.exe 1860 CreateFile C:\inetpub\wwwroot\favicon.ico\web.config PATH NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-
Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a
11:53:28.2980182 AM w3wp.exe 1860 CreateFile C:\inetpub\wwwroot\FAVICON.ICO NAME NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, No Buffering,
Attributes: RE, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: domain\username1
11:53:28.2982115 AM w3wp.exe 1860 CreateFile C:\inetpub\custerr\en-US\404.htm SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: RE,
ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: domain\username1, OpenResult: Opened
11:53:28.2982526 AM w3wp.exe 1860 QueryAllInformationFile C:\inetpub\custerr\en-US\404.htm BUFFER OVERFLOW CreationTime: 9/1/2009 1:20:59 PM, LastAccessTime: 9/1/2009 1:20:54 PM,
LastWriteTime: 9/1/2009 1:20:54 PM, ChangeTime: 9/23/2009 3:12:11 AM, FileAttributes: N, AllocationSize: 4,096, EndOfFile: 1,245, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber:
0x90000000085d1, EaSize: 0, Access: Generic Read, Position: 0, Mode: Sequential Access, AlignmentRequirement: Byte 11:53:28.2982936 AM w3wp.exe 1860 ReadFile C:\inetpub\custerr\en-US\404.htm SUCCESS Offset: 0, Length: 1,245, Priority: Normal 11:53:28.2984347 AM w3wp.exe 1860 QuerySecurityFile C:\inetpub\custerr\en-US\404.htm SUCCESS Information: Owner, Group, DACL 11:53:28.2984677 AM w3wp.exe 1860 CloseFile C:\inetpub\custerr\en-US\404.htm SUCCESS
event viewer, window security log:
A handle to an object was requested.
Subject:
Security ID: domain\username1
Account Name: username1
Account Domain: domain
Logon ID: 0x3b70764
Object:
Object Server: Security
Object Type: File
Object Name: C:\inetpub\wwwroot\appName\Default.aspx
Handle ID: 0x0
Process Information:
Process ID: 0x744
Process Name: C:\Windows\SysWOW64\inetsrv\w3wp.exe
Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Mask: 0x120089 Privileges Used for Access Check: - Restricted SID Count: 0
iis logs:
2011-08-17 19:04:16 10.100.10.35 GET /appName - 80 - 10.100.10.78 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+InfoPath.2;+.NET4.0E;+MS-RTC+EA+2;+MS-RTC+LM+8) 401 2 5 0
2011-08-17 19:04:16 10.100.10.35 GET /appName - 80 domain\username1 10.100.10.78 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+InfoPath.2;+.NET4.0E;+MS-RTC+EA+2;+MS-RTC+LM+8) 301 0 0 62
2011-08-17 19:04:16 10.100.10.35 GET /appName/ - 80 domain\username1 10.100.10.78 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+InfoPath.2;+.NET4.0E;+MS-RTC+EA+2;+MS-RTC+LM+8) 401 3 5 0
Wednesday, August 17, 2011 3:44 PM
Hi,
You should review IIS Net reference http://www.iis.net/ConfigReference/system.webServer/security/authentication again and look
at the Expanded Images for Modes and Types with Settings.
The current error indicated the current User does not have correct** "Credentials to logon to the Application".**
You can set the rules for "Authentication" on per Web Site per Application basis.
Yes, This is correct "If this is an authentication confusion issue" your errors indicate wrong types and selections.
Yes, You can have different settings for "Authentications" current problem is case for this app.
Yes, The settings can be different and not just server wide.
Martin
Wednesday, August 17, 2011 6:20 PM
ok. If I change web.config must I reset the server for the changes to take place? One of the biggest problems I have is that this is production server with so many apps that it is only possible to do this after hours.
I answered my own question. I do not have to reset server to effect web.config file changes.
Wednesday, August 17, 2011 7:25 PM
Can you explain to me what you mean by "look at the Expanded Images for Modes and Types with Settings"?
Wednesday, August 17, 2011 10:24 PM
Hi.
The IIS Net library References and Guides include images that can be "Expanded" "Magnified" to show more information.
If you look at an image in the lower corner is a Magnifier click it to "Expand" the view.
Martin
Thursday, August 18, 2011 2:52 PM
Hi,
A review of problems and suggestions:
First part or start of this thread was moving the files and permissions.
Second was looking at problems with Process Monitor.
Third was looking history of the Server and Applications.
Fourth was updating permissions for folders and users.
Fifth looking at why some users and accounts can not access the application or web site.
There was AFAIK see a discussion of "How the application Functions with Forms or not".
Sixth the remaing problem appears to be the following:
Quotes from Lloyd Zhang - MSFT Orginal Thread http://forums.iis.net/t/1180718.aspx
Anonymous Authentication:
At least one authentication method is needed
but no authentication is needed for all situation.
You can check the following KB to better understand IIS authencitation:
How IIS authenticates browser clients
http://support.microsoft.com/kb/264921
Since forms authentication does not rely on IIS authentication,
you should configure anonymous access for your application in IIS
if you intend to use forms authentication in your ASP.NET application.
An Overview of Forms Authentication
http://www.asp.net/security/tutorials/an-overview-of-forms-authentication-cs
I suggest you use the ASP.NET sample with the guide on your dev box.
The Sample and Guide should help in fixing the current problems.
HTH
Martin
Friday, August 19, 2011 11:01 AM
There is nothing like a crash course in IIS, Windows security, and deploying asp.net applications - all new to me! Thanks for your persistence in helping me. I will return to this problem next Tuesday and we'll see where it goes.
Friday, August 19, 2011 11:34 AM
Hi,
No there is not crash course per say. The IIS Net Forum is here to help.
You can go to Technet http://technet.microsoft.com/en-us/bb291022 they have a Learning Center with videos and guides.
I suggest you have the phone number of your favorite Food Delivery Service and a Case of Soda with Limited Sleep learn the basics free.
General Disclaimer: I am not suggesting you not buy Microsoft Press Books or pay for a Technet Subcription.
If your running a Production Server a Technet Subscription can save time & money in the long run. Yes this kind of an Advertisment.
Martin
Saturday, August 20, 2011 10:18 PM
Hi,
I suggest for Tuesday check this "PRB: Forms Authentication Requests Are Not Directed to loginUrl Page"
and look at the http://support.microsoft.com/kb/313116/EN-US Microsoft Support Topic
and you can test using the suggestions.
The boxes showing Web Application 1 and Web Application 2 look like the current problems.
Martin
Tuesday, August 23, 2011 1:12 PM
Thank you - I read through the information. We do not have forms authentication enabled for this app (Or any app for that matter) on the server. I noted today that in process monitor, when I right-click the detail (after recreating the 401 access denied page error) and select properties, the Process tab shows the IIS Worker Process is using NT AUTHORITY\SYSTEM to access the app.
In the folder for this app, SYSTEM has full control which is inherited from wwwroot--so I don't understand why 401 page error is happening.
I added SYSTEM into Users group (read & exec, List folder..., Read) and it still failed to open the application. The owner of the folder is server Administrators (as it is for all web apps on this server).
Tuesday, August 23, 2011 1:46 PM
Hi,
You should read the full article and the sections for the web.config and discussion.
Example for Web Application 1
configuration>
<system.web>
<authorization>
<allow users="User1,User2,User3" />
<deny users="?" />
</authorization>
</system.web>
</configuration>
Example for Web Application 2:
<configuration>
<system.web>
<authorization>
<allow users="User4,User5,User6" />
<deny users="?" />
</authorization>
</system.web>
</configuration>
What you may have as a problem us the Allow Users ?
Martin
Tuesday, August 23, 2011 2:26 PM
This particular application has never recognized the allow users values in the web.config file. Custom code controls security to the app - it reads from a view in the database and if the user is an "active" employee and they were "granted" access then the default.aspx page appears. If they aren't granted access, they should receive a custom accessdenied.aspx. I haven't emphasized this facet of the app because the problem isn't with this functionality. The server isn't allowing anyone, except the owner of the app to access the app. It isn't getting far enough to allow the custom code to generate.
I have given myself as a regular user full (domain\username1) access to this app through this custom functionality and I receive 401 error. Others with full access receive same error. Others who should not have access receive the same error. The one and only account that can open the app is my adminstrator account (domain\admin_username1) which is a member of the administrators group on server and is owner of the app.
I am highly frustrated by this not working - it simply doesn't make sense since many of the other apps deployed on this server are having no problems whatsoever and the only thing I did was add the same app to the same folder that existed before. I did add a new app to IIS when it didn't work initially by browsing to the app path - just to make sure it was associated correctly.
Incidentally I also redployed the original files and they don't open either. There is something with permissions or authentication with eitehr NT AUTHORITY\SYSTEM or all Authenticated Users.....I have literally given them full permissions and nothing has changed.
Here is a copy of the web.config for the record:
*<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<configSections>
<sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<sectionGroup name="scripting" type="System.Web.Configuration.ScriptingSectionGroup, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication" />
<sectionGroup name="webServices" type="System.Web.Configuration.ScriptingWebServicesSectionGroup, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<section name="jsonSerialization" type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="Everywhere" />
<section name="profileService" type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication" />
<section name="authenticationService" type="System.Web.Configuration.ScriptingAuthenticationServiceSection, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication" />
</sectionGroup>
</sectionGroup>
</sectionGroup>
</configSections>
<connectionStrings>
<add name="webAppConnectionString" connectionString="Data Source=server1;Initial Catalog=webApp;Integrated Security=True" providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<authentication mode="Windows" />
<authorization>
**<allow users="domain\username1,domain\username2,domain\username3,domain\admin_username1" />
** <deny users="*" />
</authorization>
<customErrors mode="Off" />
<pages>
<controls>
<add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</controls>
</pages>
<!--
Set compilation debug="true" to insert debugging
symbols into the compiled page. Because this
affects performance, set this value to true only
during development.
-->
<compilation debug="true">
<assemblies>
<add assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<add assembly="System.Web.Extensions.Design, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Design, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
<add assembly="System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</assemblies>
</compilation>
<httpHandlers>
<remove verb="*" path="*.asmx" />
<add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<add verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" validate="false" />
</httpHandlers>
<httpModules>
<add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</httpModules>
<identity impersonate="true" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules>
<add name="ScriptModule" preCondition="integratedMode" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</modules>
<handlers>
<remove name="WebServiceHandlerFactory-Integrated" />
<add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</handlers>
<defaultDocument>
<files>
<clear />
<add value="default.aspx" />
<add value="Default.htm" />
<add value="Default.asp" />
<add value="index.htm" />
<add value="index.html" />
<add value="iisstart.htm" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
*
Tuesday, August 23, 2011 3:00 PM
Hi,
Ok, You re-deployed the files which reverted the permissions so you need to check file permissions.
FYI: For Users Accounts it best not to give full premissions just read,execute,list are standard.
You have a web.config with:
<system.web>
<authentication mode="Windows" />
<authorization>
**<allow users="domain\username1,domain\username2,domain\username3,domain\admin_username1" />
** <deny users="*" />
</authorization>
You may have web.confg that over-rides or is locked at the Server Level.
Preventing your application web.config to operate as expected.
If the Server Level configuration works for the other apps
remove the over-ride section in your web.config and see if that works.
Martin
Wednesday, February 13, 2013 1:08 AM
Hello
I was also facing the same problem and i have tried all above options but it didnt work. so i have modified the properties in web.config file,properties are -
<authorization>
<deny users="*"/>
</authorization>
Please change this property to
<authorization>
<allow users="*"/>
</authorization>
I have changed that and now its working perfectly for me.
Monday, September 23, 2013 6:22 PM
We were also getting the error for files .html, .css and image files .jpg .png
These files were created on a MAC, zipped and opened on ther server. All of the security settings for an image file that was uploaded to test and the ones that would not work were the same.
The FIX was to uncheck "Encrypt contents to secure data" this can be found by right clicking the files/folder select "properties" on the "General" tab click the "Advanced.." button on bottom right and make sure the "Encrypt contents to secure data" check box is unchecked.
Hope this helps,
RiptideHosting.com