I was changing OAuth/Owin settings and Azure publish settings in a Web Application project this morning, but soon after we decided deployment will be to a specific IIS Azure VM (now visible across our local domain). All code/setting changes have been reverted.
At one point I also changed the drivers\etc\hosts file to allow a dummy name for Microsoft OAuth, but that has been reverted.
Notes:
My startup URL is http://localhost:22222/
I am running under IIS Express (as my local Dev VM will not allow me to install full IIS)
When I start the Web Application with IE I simply get "This page can't be displayed"
If I start it with Chrome I get "This webpage is not available", but it also changes the browser URL to https://localhost (note the s, i.e. using SSL).
I have pulled the project down fresh from source control. No change.
The project is under TFS source control.
Another developer on the same project has the latest files and it works fine.
If I run any other Web Application project, they work just fine.
All OWIN registration of providers has been commented out. No change.
Deleted the entire project folder and pulled fresh from TFS. No change. This probably means a local machine setting somewhere is the cause?
What could I have damaged in my Web Application to cause this problem? I have been scratching my head for hours now and nothing we try is working. The application simply will not start in any browser.
Project Web Settings tab:
Answer at bottom, given to this chromium issue [issue 444479] helped me:
Same here - I also believe caused by HSTS - see
http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
If you have (developed) any other localhost sites which send a HSTS
header...
eg. Strict-Transport-Security: max-age=31536000; includeSubDomains;
preload
...then depending on the value of max-age, future requests to
localhost will be required to be served over HTTPS.
To get around this, I did the following.
In the Chrome address bar type "chrome://net-internals/#hsts"
At the very bottom of a page is QUERY domain textbox - verify that localhost is known to the browser
If it is, DELETE the localhost domain using the textbox above
Your site should now work using plain old HTTP
HTH,
Jay
ps. This is not a permanent solution, but will at least get it working
between projects. If anyone knows how to permanently exclude localhost
from the HSTS list please let me know :)
Give it a try.
Related
All,
I am migrating a working .Net Framework Website from IIS 8.5 on a Microsoft Windows Server 2012 to IIS 10 on a Microsoft Windows Server 2019.
The new web site is showing the error
HTTP Error 403.14 - Forbidden
The Web server is configured to not list the contents of this directory.
As far as I can see the website on the new server is configured the same as on the existing.
Neither have directory Browsing enabled nor a default file set as is recommended by most of the posts which exist discussing this error.
I have run the following which is also recommended.
%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -ir
The problem still exists.
I came across a post saying there might be an issue if paths referenced in the web.config are not correct but they look fine.
Has anyone got any insight into what else might cause this issue?
Are there any differences between IIS 8.5 and IIS 10 or between windows servers 2012 and 2019 which might cause this issue?
Thanks
This problem occurs because the website doesn't have the Directory Browsing feature enabled. Also, the default document isn't configured. To resolve this problem, use one of the following methods:
Method 1: Enable the Directory Browsing feature in IIS
To resolve this problem, follow these steps:
Start IIS Manager. To do it, select Start, select Run, type inetmgr.exe, and then select OK.
In IIS Manager, expand server name, expand Web sites, and then select the website that you want to change.
In the Features view, double-click Directory Browsing.
In the Actions pane, select Enable.
Method 2: Add a default document
To resolve this problem, follow these steps:
Start IIS Manager. To do it, select Start, select Run, type inetmgr.exe, and then select OK.
In IIS Manager, expand server name, expand Web sites, and then select the website that you want to change.
In the Features view, double-click Default Document.
In the Actions pane, select Enable.
In the File Name box, type the name of the default document, and then select OK.
More information you can refer to this link: HTTP Error 403.14 - Forbidden when you open an IIS webpage.
All those clowns glibly posting that "HTTP Error 403.14 - Forbidden: The Web server is configured to not list the contents of this directory" can be fixed by configuring the web site by either enabling the Directory Browsing feature or adding a default document are really not understanding what they are talking about. Anyone can copy a solution from one post and paste to another.
I'm not going to pretend I know what I am talking about but I have fixed my issue and will share what I did here to see in the hope it helps others.
I created a project (of the same type as the application I was trying to deploy) using my IDE (MSVS) in the same .Net version of the application I was trying to deploy. In this case it was creation of an MVC project in .Net Framework 4.5.
I did nothing to it. All I wanted was a skeleton.
I replaced all the files in the home directory of the web site I had an issue with, with the files of this skeleton project.
I attempted to browse to the web site and it worked successfully. Note the directory browsing was not enabled nor was a default directory set.
This proved to me that those settings were irrelevant.
Having googled around, some sites point to paths in config files causing an issue if they do not exist, eg a logging path to d:\logs where that directory was missing. It didn't fix my issue but there's no harm checking.
I stumbled across a post which talked about the roles and features enabled on the server. In Web Server (IIS)/Web Server/Application Development they had selected "Application Initialisation" and "ASP".
The Windows Sever 2012 server I was moving the application from, where it work without a hitch, did not have those selected so had not selected them on the Windows Server 2019 I was moving them to when I set that server up.
It made no sense that this would be the solution but having tried everything else I activated those two options.
Stone me if the issue was resolved.
As a check I removed those two options and the problem came back and when I reselected them it went away again.
This struck me as pretty conclusive only having thought I'd found the cause of the problem I built the website from scratch and the problem came back again.
It took a number of iterations but eventually I got there, more by luck than judgement and whatever the cause was it was due to an issue in the application which wasn't being logged in event viewer so focus on permissions to files being written to: not only that the app pool account is set up on the directories it needs access to but also that it has modify or even full control.
All those muppets robotically posting advice on configuring the web site by either enabling the Directory Browsing feature or adding a default document will no doubt copy this and paste it into their posts to claim the credit but c'est la vie.
I hope this post is of use to someone, apart from those muppets.
(EDIT) - I decided to make this page more like instructions since i have figured this out.
Deploy my VS Express 2013 Web Application to an MS Server on my LAN running:
Windows Server 2008 Standard
IIS 7.0
MS SQL Express
This is some information to help anyone with a similar situation.
I can access the Web Application locally (from VS Express) when I click Debug - Start Debugging. ALSO - At this point it is connected to the MS SQL Express Server on my LAN and not a local database.
Time to publish the Web Application to my IIS 7 Server!!!
NOTE - The method below WORKS FOR ME. There might be better ways to do it but I found any info on this exact setup very limited.
VS Express 2013 Web Deploy pre-reqs:
(on IIS 7 Server)
-Web Deploy is installed, http://www.iis.net/downloads/microsoft/web-deploy
-Set Up Security on Web Deploy, this site helps:
http://www.iis.net/learn/install/installing-publishing-technologies/installing-and-configuring-web-deploy
In Project:
Right Click your project name, choose PUBLISH...
PROFILE - Name or import your profile
CONNECTION
-Server: LAN address of your IIS server
-Site Name: Name of Site on IIS
-User/Pass: (Credentials you set up earlier in Prerequisites)
-Destination URL: (I leave blank for now)
SETTINGS - Click the arrow below FILE PUBLISH OPTIONS and check the 'Exclude App Data' setting (this is assuming you are running MS SQL on the IIS Server).
Select your Database string, it should be in the drop down list)
PREVIEW - Web Deploy will give you errors when you try to PREVIEW, resolve these errors using MS Websties, Stack Overflow, etc. **WHEN YOU GET THIS ERROR: "#ERROR_FRAMEWORK_VERSIONS_DO_NOT_MATCH" (full Error message below), your Web Deployment is ready
PUBLISH the web deployment, it wont work, thats okay. It creates a publish profile
Right-click the project and choose PUBLISH again, this time use under the CONNECTION tab choose WEB DEPLOYMENT PACKAGE, take note of your folder location (Step 8). All the database/file settings should be the same (doublecheck if you like), PUBLISH the Web Deployment package
Log onto your IIS Administration (on the Server), right click the NAME of the Server (top level) and choose DEPLOY - IMPORT SITE. Navigate to the folder where you saved the package in step 7. (or transfer it with a USB Stick, etc)
IMPORTANT - When importing the profile, at the second screen, UNCHECK the boxes related to .NET 32-Bit etc. (there are two of them)
Leave everything else on defaults and import the site (successfully?).
At this point when I browse the site from IIS I get a 403 Forbidden Error.
I fixed this using code from comment below:
After that my Web App was from the IIS Server. I'm continuing with MVC tutorials found here:
http://www.asp.net/mvc/tutorials/mvc-5
I'm hoping once I understand enough about MVC and EF6 I can connect the Web App to MySQL rather than MS SQL and still build Code First Applications. If anyone has info on that please post it in the comments.
If this post helped you please Vote up top, I'm new to the STACK.
**Full Error Message from post above:
Web deployment task failed. (The versions of the .NET Framework Configuration Provider (rootWebConfig32) are different on the source (4.0) and destination (2.0). Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_FRAMEWORK_VERSIONS_DO_NOT_MATCH.)
I think your issue might be permissions. What is your authentication set to? In debug mode, you're typically working as yourself, whereas if you deploy, you are setup as a different user, most likely anonymous. With that in mind, you should be able to correct your problem.
Good luck!
It was a combination of things. I finally got it working.
I created a Deployment package following instructions found on MS site and others.
Before Publishing my deployment package, I ran a "Preview" (PREVIEW section of the wizard). This was bringing up various errors related to Security and other issues I fixed using MS support sites.
WHAT I FOUND ON MY OWN - (Its fairly simple), after you create the Deployment package without issue, go to IIS on the Server side, click the Server Name in IIS (top level) and choose Deploy - Import Package. In the second or thu=ird step there is a screen where you select items to be imoported (mine had everything checked). I UNCHECKED the two related to .NET Config files and imported it. Voila, it worked.
It still wasn't letting me view the site. I had to add this line to the web.config file and it fixed everything.
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
If anyone wants a mored etailed description of what I did let me know and I will try and redo my process/tutorial with more exact instructions.
to get the same publish behaviors with direct publish from VS, you can uncheck following box : properties\Package/PublishWeb\include IIS express settings as configured in ISS express
I develop ASP.NET MVC 3 application. I've downloaded UrlRewriting module and created some rules for my website locally.
Next i published this website on the Internet to check performance. Thats ok.
Then i continued my work locally again. I commented code block in the web.config file regarding these rules.
So there are no rules in IIS Manager too.
The problem is that rules still affect! For example, i defined "Canonical hostname rule" to redirect browser to "www.*" site name. So this rule still affect, i.e. local IIS server redirect my locally running website to the real one on the Internet.
Also i installed IIS Express to try it out too. Result is the same.
I cant figure it out where the problem is.
So, there are no rewrite rules on IIS server and IIS Express, but they still affect.
Late answer is late. Most likely the redirect was "permanent" so a 301, then it will be cached in the browsers. If you want it to be temporary redirect with code 307.
The URL Rewrite module seams to my a little buggy when the configuration changes becouse the loaded configuration doesn't refreshed until the IIS isn't restarted.
So I've created a new ASP.NET MVC project using the intranet template. web.config contains the appropriate values (e.g. <authentication mode="windows"/>).
If I fire up the web app using the VS webserver, it all looks fine - the page shows my Windows domain and username and all. However, this works in Opera and Safari as well as IE and FF, which says to me it's not using Windows auth at all (since to the best of my knowledge this doesn't work in any browser except IE/FF).
Next step is to get it working through local IIS. I create a hosts file entry pointing www.mysite.mydomain to 127.0.0.1. So in IIS I create website with a binding to www.mysite.mydomain and enable Windows authentication and disable anonymous authentication.
I have set up IE and FF to enable Windows auth as follows:
IE
Add URL to intranet group
Ensure Windows auth is enabled in the advanced settings
FF
Put 'www.mysite.mydomain' into network.automatic-ntlm-auth.trusted-uris config setting.
But when I dial up www.mysite.mydomain in IE / FF I get a login prompt. Interestingly, even when I type in my Windows login here, it still fails and shows me the login prompt again.
We don't have active directory here but my understanding is that it should work fine with a local account.
I can't think of anything else I need to do. Any suggestions?
Edit: we've recently switched to using Active Directory and the problem remains.
Edit: when I cancel the login prompt, I get taken to an 'IIS 7.5 Detailed Error' page with the following information:
HTTP Error 401.2 - Unauthorized
You are not authorized to view this page due to invalid authentication headers.**
You have to whitelist a domain specified in the hosts file in order for windows authentication to work:
Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Right-click Parameters, click New, and then click DWORD (32-bit) Value.
Type DisableStrictNameChecking and press ENTER.
Double-click the DisableStrictNameChecking registry value and type 1 in the Value data box, click OK
In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Right-click MSV1_0, point to New, and then click Multi-String Value.
Type BackConnectionHostNames, and then press ENTER.
Right-click BackConnectionHostNames, and then click Modify.
In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
Quit Registry Editor, and then restart the IISAdmin service.
NOTE:
The original Microsoft KB links on this answer were broken and have been removed.
This article provided the instructions for setting DisableStrictNameChecking.
I recently spent three days trying to solve the same problem and it drove me crazy. It was happening on a load-balanced setup where one of the servers was authenticating correctly while the other failed. Investigating the problem - and eventually solving it - it turned out to be unrelated to the load-balanced environment, it could happen with any server when authenticating using Windows Authentication and the server is called with a name other than the one recognized by Active Directory
1. Enable Kerberos logging
To correctly diagnose your issue, you will need to enable Kerberos logging on the machine hosting your IIS site. To do so, add the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Add Registry Value LogLevel with ValueType REG_DWORD and value
0x1.
Once you turn on logging, then you try to authenticate, you will get errors logged in your Windows Application Log. You can ignore the error KDC_ERR_PREAUTH_REQUIRED (this is just part of the handshake) but if you get the error KDC_ERR_C_PRINCIPAL_UNKNOWN that means your AD controller doesn't recognize your server therefore you need to follow the steps below.
2. KDC_ERR_C_PRINCIPAL_UNKNOWN
if you're getting KDC_ERR_C_PRINCIPAL_UNKNOWN, that means the name "mysite.mydomain.com" is different from how the AD recognizes your machine so it's unable to provide a valid kerberos ticket. In that case, you need to register a Service Principal Name (SPN) for " 'www.mysite.mydomain" on the AD.
On your AD controller, run this command - you will need Domain Admin privilege:
Setspn -A HTTP/mysite.mydomain YOUR_MACHINE_HOSTNAME
3. Use a custom identity for your Application pool
Finally, make you Application pool use a custom account that belongs to the Active Directory instead of using NetworkService. This can be done in advanced settings of your application pool.
and .. voila.
Notes: The problem could (unlikely) be related to having multiple SPNs registered to the same machine, in that case you will need to run a command to remove duplicate SPNs, but I doubt this is the case. Also try adding a different binding to your site (that doesn't use a custom name) something like htttp://localhost:custom_port_number and see if authentication works. If it works, this is an extra indication that you're suffering from the same problem I had.
Did you try putting the domain in front of the user name?
DOMAIN\username
If you don't have a domain account, try prefixing your username with the machine name:
MYCOMPUTER\myusername
You should check to see if you have Windows Authentication installed/enabled. That may sound weird but in IIS 7 you have to install and enable the various authentication methods. Check out http://support.microsoft.com/kb/942043/ for more info, see quoted section below.
Cause 1
The Web application is configured to use Integrated Windows
authentication. However, the Windows Authentication feature is not
turned on. Or, the Integrated Windows authentication native module
section of the ApplicationHost.config file or of the Web.config file
is not valid. To resolve this problem, see Resolution 1.
Original
Usually when you try to view an asp.net web page hosted on IIS and receive a login prompt it doesn't mean your credentials weren't received or that you aren't authenticated. What it means is that the account that your website is running under doesn't have the right permissions to work with the files.
In IIS 6 and 7 you can easily change the user account that your app pool runs under. Try changing the app pool identity to an account with more access specifically designed for this. Or if you want to stick with the existing account (IUSR_? Network Service?) you can grant that account more permissions on the directory where your website is stored.
This article is specifically targeted at BizTalk but has almost no references to it and focuses on troubleshooting permissions issues with IIS and app pools: http://msdn.microsoft.com/en-us/library/aa954062.aspx
Why local IIS? Can you use local IIS Express?
If so, try this. It seems that IIS Express by default has Windows Authentication set to false.
Change
<windowsAuthentication enabled="false">
to "true" in applicationhost.config file (under 'C:\Users[Profile]\Documents\IISExpress\config' folder). This works for me.
To ensure that IIS uses Windows Authentication, I think you should try to turn of other authtentication methods. If Anonymous Authentication is enabled, Windows authentication will not work. You can also read this Microsoft Support Article which describes IE and IIS requirements in details.
I got this error when I enabled Windows authentication. I wanted to authorize the user based on Windows login and there is no login page in my application.
I got the error fixed by adding the below in my Web config file.
Under the tag system.web, I changed authentication mode="None" to
authentication mode="Forms".
Under the tag appSettings, I added add key="owin:AutomaticAppStartup" value="false"
After reading the answer of Espen Burud, I solved my problem by changing in the root's web.config:
<allow users="*" />
to
<deny users="?" />
The page that needs Windows Authentication is not in the root, but in a sub directory with its own web.config with deny users ? but that did not make Windows Authentication working. Apparently, you need to deny users in the root for that to work.
The IIS config has Anonymous Authentication enabled; that did not matter. After the above change of web.config, Windows Authentication worked.
For Dot Net Core 2.2 and running on IIS, I was having issues with 401.2 Unauthorized when I would check the Enable Windows Authentication within my application. It was a exceedingly simple test website that did basically nothing, just to try and get windows authentication to work. I finally got the auth to work, and here's what you'll need:
Within Startup ConfigureServices:
services.AddAuthentication(IISDefaults.AuthenticationScheme);
Open the application's Properties, click Debug option on the left and make sure you check Enable Windows Authentication.
But here's the kicker that I had forgotten... Configure your system to have Windows Authentication installed on IIS. This was never setup on my machine, and regardless what I did, I would always get a 401 unauthorized error. After installing this (Win 10, IIS v10.0.18362.1) I now get a login prompt. This isn't exactly what I need at this point, but at least it's not the unauthorized error. Good luck and hopefully this helps.
i have an asp.net mvc website. http:/mywebsite.com (just for this example)
I have been testing this asp.net mvc website locally on my machine and everything works fine on my local machine during testing. When i deploy to my web server
when i bring up http://mywebsite.com it goes to HomeController and load the view Views/Home/Index.aspx (which is perfect). So the main default page is fine.
The issue is, if i click any other other links (again that all seem to work fine locally) i get the following error:
The page cannot be found
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
Please try the following:
* Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.
* If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted.
* Click the Back button to try another link.
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)
some examples would be:
http:/mywebsite.com\Photos
http:/mywebsite.com\Links
there definitely are controllers and views setup for this (or it wouldn't work locally).
does anyone have any idea how this might work fine locally but somehow on the webserver it doesn't
Are you running the site on II7 in integrated mode? If not, you need to add a wildcard handler so that all URLs get mapped to your application. See Phil Haack's blog post on running ASP.NET MVC ON IIS 6.
Something else to watch out for. I had a static website - deployed on IIS 7.5. Added some MVC Controllers to handle some simple server side apps and then re-deployed it. I didn't copy the web.config file, because I wrongly assumed that everything that was needed was in the one that was automatically created by the server.
You must copy the web.config up as well.