403 - Forbidden: Access is denied. ASP.Net MVC [duplicate] - asp.net-mvc

This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
ASP MVC in IIS 7 results in: HTTP Error 403.14 - Forbidden
I published my application on server. When I enter my domain i got this error:
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
What's happend?

Are you hosting the site on iis? if so make sure the account your website runs under has access to local file system?
Straight from msdn .....
The Network Service account has Read and Execute permissions on the IIS server root folder by default. The IIS server root folder is named Wwwroot. This means that an ASP.NET application deployed inside the root folder already has Read and Execute permissions to its application folders. However, if your ASP.NET application needs to use files or folders in other locations, you must specifically enable access.
To provide access to an ASP.NET application running as Network Service, you must grant access to the Network Service account.
To grant read, write, and modify permissions to a specific file
In Windows Explorer, locate and select the required file.
Right-click the file, and then click Properties.
In the Properties dialog box, click the Security tab.
On the Security tab, examine the list of users. If the Network Service
account is not listed, add it.
In the Properties dialog box, click the Network Service user name, and in
the Permissions for NETWORK SERVICE
section, select the Read, Write, and
Modify permissions.
Click Apply, and then click OK.
Click here for more

In addition to the answers above, you may also get that error when you have Windows Authenticaton set and :
IIS is pointing to an empty folder.
You do not have a default document set.

I just had this issue, it was because the IIS site was pointing at the wrong Application Pool.

I had the same issue (on windows server 2003), check in the IIS console if you have allowed ASP.NET v4 service extension (under IIS / ComputerName / Web Service extensions)

Related

Can't access a file

I've inherited a new project. The website (MVC.NET) is referencing a file location on the Windows 2012 server (it appears to be hard coded) but the file is not in the same directory as the website.
Part of the code copies a file from one location to another using File.Copy but this is causing an exception.
Apparently it was working yesterday and today it isn't. The website is down and as such I'm looking to resolve it.
The error message from the browser is
Access to the path 'C:\Websites\Website\Content\Images\Uploads\Certificate 1.jpg' is denied.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Access to the path 'C:\Websites\Website\Content\Images\Uploads\Certificate 1.jpg' is denied.
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via , the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in File Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
The easiest way to fix this (as a temporary fix just to get the website up and running) I thought was to give full permissions to that folder, meaning adding Everyone with full permission. It didn't work. I'm not curious as to why.
I'm aware of the risks this has but my question is why this doesn't work. Why do I still see the same error message?
I can RDP into the server and access the file without issue. As such, I don't believe this is a server issue (for ServerFault or SuperUser).
I suspect it's a protection thing in .NET. In the same way (if I remember right) we had to set special permissions in IIS to allow parent paths in ASP.
What do I need to do?
Edit
I've uploaded the website to another server and the same issue persists, suggesting the fault is not anything to do with the computer but more due to .NET or IIS
IIS is set to use Integrated Managed Pipe (not classic) and I've tried adding permission for NETWORK SERVICE and IUSR.
The solution was odd... I don't understand the why/how but I understand the what. I have no idea if this will help others, but I've posted the answer regardless
The application allows pictures to be uploaded, which are stored in
C:\someUploads
When the website is loaded, it copies the files from C:\someUploads to the website path as shown in the original post.
This is where the issue was occurring. I removed all the images in the website path (as shown in the original post) and restarted the website and it just worked, copying all the files in as expected. I closed the website, restarted IIS and the app pool (recycle) and it's still working.
Check the folder exists in Web.config and include
<add key="filePath" value="C:\Websites\Website\Content\Images\Uploads\" />
and check the folder path of IIS Server location.

How to publish ASP.NET MVC on IIS server

I am struggling with trying to publish a site.
I have made a basic web site with ASP.NET MVC and I now want to host it on a pc.
I have opened ISI manager and added a new site. I set the default directly to the directly where the files for the site are stored but when i navigate to the pc I don't get my site. I get an IIS server error in application error.
What steps do i need to do to get the a basic site to run on the server.
First, you need to have installed iis, this is done you have to register the asp.net framework, for this you need to run a command line.
Go to cmd and type:
aspnet_regiis -i
Done so please enter
http:// localhost/AplicationName
If you get an error, then you should really post that error with your question. However, since the most common problem in the scenario you describe is permissions, I'm going to assume that that is your problem.
Unless you're going to put your code in a directory owned by IIS (such as "inetpub"), then you need to give the IIS user or group rights to the directory your code is in. You can do this by right-clicking the directory in Windows Explorer, and choosing "Properties". Then click the "Security" tab. Use the "Edit..." button to add the IIS user or group. It should be named something along the lines of "IIS_*". You'll need to grant full control, so just like any other publicly available directory (including "inetpub"), you should ensure that there's nothing secure or compromising in that directory.

Issue hosting ASP.NET MVC 4 application using IIS 7.5 after creating virtual directory - Script files are not working

I have an ASP.NET MVC 4 application that I am trying to host in IIS 7.5. I tried creating a virtual directory using "Use Local IIS Web server" option in Project properties and have set the Anonymous Authentication and Windows Authentication set in IIS.
When I run the application, it opens in the browser with the url, "http://localhost\ApplicationName" and I am able to view only the tab names I have created. When I right click and view the page source, I have my scripts listed and the body defined with divs and tables. When I click the tab names, nothing happens.
In the view page source, when I click any script, it throws an error,
HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
Detailed Error Information
Module IIS Web Core
Notification MapRequestHandler
Handler StaticFile
Error Code 0x80070002
Requested URL http://localhost:80/Scripts/Script.js
Physical Path C:\inetpub\wwwroot\Scripts\Script.js
Logon Method Anonymous
Logon User Anonymous
In IIS, I have enabled Anonymous, ASP.NET Impersonation and Windows Authentication.
Also, When I look at the Advanced settings for the directory, it shows the physical path in C\Users........ but in the Detailed Description, it shows the Physical Path as "C:\inetpub\wwwroot\Scripts\Script.js".
Am I giving the path wrong? or should I place the project files in "C:\inetpub\wwwroot\Scripts\Script.js"?
Please help. I have been struggling with this for a while now and it's driving me crazy.
Are you using URL Bundles or are you manually hard coding .JS paths in your front-end code? Are you seeing good/expected behavior when you run the site in debug mode within Visual Studio? I would try and gather some hints with those considerations and perhaps furnish some more information...

Unable to get windows authentication to work through local IIS

So I've created a new ASP.NET MVC project using the intranet template. web.config contains the appropriate values (e.g. <authentication mode="windows"/>).
If I fire up the web app using the VS webserver, it all looks fine - the page shows my Windows domain and username and all. However, this works in Opera and Safari as well as IE and FF, which says to me it's not using Windows auth at all (since to the best of my knowledge this doesn't work in any browser except IE/FF).
Next step is to get it working through local IIS. I create a hosts file entry pointing www.mysite.mydomain to 127.0.0.1. So in IIS I create website with a binding to www.mysite.mydomain and enable Windows authentication and disable anonymous authentication.
I have set up IE and FF to enable Windows auth as follows:
IE
Add URL to intranet group
Ensure Windows auth is enabled in the advanced settings
FF
Put 'www.mysite.mydomain' into network.automatic-ntlm-auth.trusted-uris config setting.
But when I dial up www.mysite.mydomain in IE / FF I get a login prompt. Interestingly, even when I type in my Windows login here, it still fails and shows me the login prompt again.
We don't have active directory here but my understanding is that it should work fine with a local account.
I can't think of anything else I need to do. Any suggestions?
Edit: we've recently switched to using Active Directory and the problem remains.
Edit: when I cancel the login prompt, I get taken to an 'IIS 7.5 Detailed Error' page with the following information:
HTTP Error 401.2 - Unauthorized
You are not authorized to view this page due to invalid authentication headers.**
You have to whitelist a domain specified in the hosts file in order for windows authentication to work:
Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Right-click Parameters, click New, and then click DWORD (32-bit) Value.
Type DisableStrictNameChecking and press ENTER.
Double-click the DisableStrictNameChecking registry value and type 1 in the Value data box, click OK
In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Right-click MSV1_0, point to New, and then click Multi-String Value.
Type BackConnectionHostNames, and then press ENTER.
Right-click BackConnectionHostNames, and then click Modify.
In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
Quit Registry Editor, and then restart the IISAdmin service.
NOTE:
The original Microsoft KB links on this answer were broken and have been removed.
This article provided the instructions for setting DisableStrictNameChecking.
I recently spent three days trying to solve the same problem and it drove me crazy. It was happening on a load-balanced setup where one of the servers was authenticating correctly while the other failed. Investigating the problem - and eventually solving it - it turned out to be unrelated to the load-balanced environment, it could happen with any server when authenticating using Windows Authentication and the server is called with a name other than the one recognized by Active Directory
1. Enable Kerberos logging
To correctly diagnose your issue, you will need to enable Kerberos logging on the machine hosting your IIS site. To do so, add the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Add Registry Value LogLevel with ValueType REG_DWORD and value
0x1.
Once you turn on logging, then you try to authenticate, you will get errors logged in your Windows Application Log. You can ignore the error KDC_ERR_PREAUTH_REQUIRED (this is just part of the handshake) but if you get the error KDC_ERR_C_PRINCIPAL_UNKNOWN that means your AD controller doesn't recognize your server therefore you need to follow the steps below.
2. KDC_ERR_C_PRINCIPAL_UNKNOWN
if you're getting KDC_ERR_C_PRINCIPAL_UNKNOWN, that means the name "mysite.mydomain.com" is different from how the AD recognizes your machine so it's unable to provide a valid kerberos ticket. In that case, you need to register a Service Principal Name (SPN) for " 'www.mysite.mydomain" on the AD.
On your AD controller, run this command - you will need Domain Admin privilege:
Setspn -A HTTP/mysite.mydomain YOUR_MACHINE_HOSTNAME
3. Use a custom identity for your Application pool
Finally, make you Application pool use a custom account that belongs to the Active Directory instead of using NetworkService. This can be done in advanced settings of your application pool.
and .. voila.
Notes: The problem could (unlikely) be related to having multiple SPNs registered to the same machine, in that case you will need to run a command to remove duplicate SPNs, but I doubt this is the case. Also try adding a different binding to your site (that doesn't use a custom name) something like htttp://localhost:custom_port_number and see if authentication works. If it works, this is an extra indication that you're suffering from the same problem I had.
Did you try putting the domain in front of the user name?
DOMAIN\username
If you don't have a domain account, try prefixing your username with the machine name:
MYCOMPUTER\myusername
You should check to see if you have Windows Authentication installed/enabled. That may sound weird but in IIS 7 you have to install and enable the various authentication methods. Check out http://support.microsoft.com/kb/942043/ for more info, see quoted section below.
Cause 1
The Web application is configured to use Integrated Windows
authentication. However, the Windows Authentication feature is not
turned on. Or, the Integrated Windows authentication native module
section of the ApplicationHost.config file or of the Web.config file
is not valid. To resolve this problem, see Resolution 1.
Original
Usually when you try to view an asp.net web page hosted on IIS and receive a login prompt it doesn't mean your credentials weren't received or that you aren't authenticated. What it means is that the account that your website is running under doesn't have the right permissions to work with the files.
In IIS 6 and 7 you can easily change the user account that your app pool runs under. Try changing the app pool identity to an account with more access specifically designed for this. Or if you want to stick with the existing account (IUSR_? Network Service?) you can grant that account more permissions on the directory where your website is stored.
This article is specifically targeted at BizTalk but has almost no references to it and focuses on troubleshooting permissions issues with IIS and app pools: http://msdn.microsoft.com/en-us/library/aa954062.aspx
Why local IIS? Can you use local IIS Express?
If so, try this. It seems that IIS Express by default has Windows Authentication set to false.
Change
<windowsAuthentication enabled="false">
to "true" in applicationhost.config file (under 'C:\Users[Profile]\Documents\IISExpress\config' folder). This works for me.
To ensure that IIS uses Windows Authentication, I think you should try to turn of other authtentication methods. If Anonymous Authentication is enabled, Windows authentication will not work. You can also read this Microsoft Support Article which describes IE and IIS requirements in details.
I got this error when I enabled Windows authentication. I wanted to authorize the user based on Windows login and there is no login page in my application.
I got the error fixed by adding the below in my Web config file.
Under the tag system.web, I changed authentication mode="None" to
authentication mode="Forms".
Under the tag appSettings, I added add key="owin:AutomaticAppStartup" value="false"
After reading the answer of Espen Burud, I solved my problem by changing in the root's web.config:
<allow users="*" />
to
<deny users="?" />
The page that needs Windows Authentication is not in the root, but in a sub directory with its own web.config with deny users ? but that did not make Windows Authentication working. Apparently, you need to deny users in the root for that to work.
The IIS config has Anonymous Authentication enabled; that did not matter. After the above change of web.config, Windows Authentication worked.
For Dot Net Core 2.2 and running on IIS, I was having issues with 401.2 Unauthorized when I would check the Enable Windows Authentication within my application. It was a exceedingly simple test website that did basically nothing, just to try and get windows authentication to work. I finally got the auth to work, and here's what you'll need:
Within Startup ConfigureServices:
services.AddAuthentication(IISDefaults.AuthenticationScheme);
Open the application's Properties, click Debug option on the left and make sure you check Enable Windows Authentication.
But here's the kicker that I had forgotten... Configure your system to have Windows Authentication installed on IIS. This was never setup on my machine, and regardless what I did, I would always get a 401 unauthorized error. After installing this (Win 10, IIS v10.0.18362.1) I now get a login prompt. This isn't exactly what I need at this point, but at least it's not the unauthorized error. Good luck and hopefully this helps.

Can you run an ASP.NET MVC application from its project folder?

In IIS 5.1, I have setup a website to point to my ASP.NET MVC project directory, and I get a "Service Unavailable" error when I try to access it after building the project. It seems I have to publish the site to a separate directory and point IIS to the published version to get it to work.
I have already tried "aspnet_regiis" but that did not fix the issue. I have also setup wildcard mapping so all requests are sent through the ASP.NET pipeline.
I'm not sure why I would have to publish the files in order to view them. The published version appears to only remove unnecessary files, but the published files seem to be identical to the ones in the actual project directory.
Do you have to publish an ASP.NET MVC website to a different directory in order for IIS to serve it?
Ideally, I would want to set it up such that all I have to do is build the project, and I can immediately view the updated website by visiting localhost.
Update:
The version is set to 2.0, and when I get home I will check if the IUSR account has sufficient privileges. I can't imagine why it wouldn't because the published folder apparently had them by default.
Update #2:
The errors in the event log are:
Failed to initialize the AppDomain:/LM/W3SVC/1/Root
Exception: System.IO.FileLoadException
Message: Could not load file or assembly 'System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. Access is denied.
and
Failed to execute the request because the ASP.NET process identity does not have read permissions to the global assembly cache. Error: 0x80070005 Access is denied.
I have given the MY_MACHINE\ASPNET account "Act as operating system" privileges and I still get this error.
Update #3:
So this is interesting... I have XP Media Center Edition, so I forgot I don't have a security tab to verify permissions.
I decided to copy and paste the entire solution into a newly created folder and it works perfectly. This indicates that it's a permission issue but not with the ASPNET user. I will try to activate the Security tab and make a 4th (and hopefully final) update.
Update #4:
It turns out that when I copied the directory, the permissions changed to allow Everyone access to it. When I checked the original project directory, the ASPNET user was not granted any permissions in the directory.
The simple solution was to grant the ASPNET user read privileges on the project directory.
No problems at all. I've been running an MVC app on IIS5.1 for 6 moths while developing it.
First off check the version of ASP.Net used for your site.
If that isn't the problem check that the user account used to run your website has permissions to the directory and all the files and folders contained within it and make sure that the network service has permissions.
take a look at this link - which might help:
http://weblogs.asp.net/bdesmond/archive/2003/09/20/28441.aspx

Resources