Solved

IIS7.5 - You do not have permission to view this directory or page using the credentials that you supplied.

Posted on 2010-09-10
7
11,237 Views
Last Modified: 2012-05-10
I am getting the following error on IIS7.5 (Windows 2008 R2 Server) on any DotNet site running (copied over from an IIS6 W2K3 Server) on IIS.
"403 - Forbidden: Access is denied."
"You do not have permission to view this directory or page using the credentials that you supplied."
I have forms authentication on all the web.config files.
The IUSR account had read/execute privileges in all the affected DotNet sites, and files.
URL authorization role is installed.
Basic authentication is installed.
default pages are set - "default.aspx"

still no luck - what other settings are required on a new IIS7.5 setup?  What other security settings are needed?
0
Comment
Question by:bd9000
7 Comments
 
LVL 1

Accepted Solution

by:
Arthalius earned 500 total points
Comment Utility
Is your web application located outside of the default InetPub folders? Starting in IIS 7.5, the default application pool identity is no longer NetworkService, but is now ApplicationPoolIdentity. If you have configured a custom application pool identity, you'll need to verify that your custom pool identity has access to the folder. If you are using the stock pool identity, just make sure the "DefaultAppPool" identity can access the folder.

The IIS worker process runs under the configured app pool identity, your content won't display if the identity (and worker process) can't read the files on the filesystem.

Here's some documentation on the change: http://blogs.iis.net/webdevelopertips/archive/2009/10/02/tip-98-did-you-know-the-default-application-pool-identity-in-iis-7-5-windows-7-changed-from-networkservice-to-apppoolidentity.aspx
0
 
LVL 9

Expert Comment

by:shalabhsharma
Comment Utility
Use process Monitor to trouble shoot permission problem

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
0
 

Author Comment

by:bd9000
Comment Utility
Do I need to create an account called "DefaultAppPool" or "IIS AppPool" ?
I can find neither account on the system.

The sites are in a folder called "sites" (so it's not the default)
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 

Author Comment

by:bd9000
Comment Utility
okay, it's hidden (why would they hide this account from the GUI is beyond me) - i typed it in directly
IIS APPPOOL\DefaultAppPool
I granted that account full access to the sites folder, still no luck. :(


0
 

Author Comment

by:bd9000
Comment Utility
I tried also using the command line tool:

icacls e:\sites /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)(RX)

no luck, there. (the command works fine, but these permissions are not helping, either)

gave full control to IIS_IUSRS and IUSR

still no luck.

0
 

Author Comment

by:bd9000
Comment Utility
I just tried "Everyone" with full control.  Still no dice.

I'll try NetworkService tomorrow.  must.. get... sleep...
0
 
LVL 9

Expert Comment

by:Valliappan AN
Comment Utility
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

It was really hard time for me to get the understanding of Delegates in C#. I went through many websites and articles but I found them very clumsy. After going through those sites, I noted down the points in a easy way so here I am sharing that unde…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now