Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

403 - Forbidden: Access is denied. You do not have permission to view this directory or page error. How to fix?

Posted on 2012-09-06
11
Medium Priority
?
16,606 Views
Last Modified: 2013-02-12
Hi there;

I have a web application that utilizes IIS which I implemented in ASP.NET and the website is currently hosted in a hosting company.

In my implementation for authentication, i designed my implementation as just typing letters on the screen like ghost key thing. No text box for inputting the characters.

Now, in my local machine, there is no problem but when it comes to the hosting. It simply gives the error as follows:

403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.

I tried to give full rights to IIS_User and ASP.NET user full rights but it simply fails.

Where to set and how to set this? It's a single directory named as Admin.

Regards.

P.S. The site is working correctly except for that module in the hosting.
0
Comment
Question by:jazzIIIlove
  • 4
  • 2
  • 2
  • +2
10 Comments
 
LVL 8

Assisted Solution

by:databoks
databoks earned 500 total points
ID: 38374353
Try the following:

1. Can you access the page from the server itself(locally)?
2. Check the Permissions on the site in IIS.
0
 
LVL 10

Expert Comment

by:gaurav05
ID: 38375172
Hi,

check directory path and default document settings.
0
 
LVL 16

Assisted Solution

by:Easwaran Paramasivam
Easwaran Paramasivam earned 500 total points
ID: 38375697
You get this error because directory browsing is not enable. Either you enable it, or you specify a valid default page for this directory. Please do refer below links:

http://forums.iis.net/p/1188558/2018710.aspx#2018710

http://answers.microsoft.com/en-us/windows/forum/windows_xp-windows_update/403-forbidden-access-is-deniedyou-do-not-have/4732a91a-1594-4516-90c8-bff4051c2eb8
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 26

Expert Comment

by:Alan Warren
ID: 38375835
Hi jazzIIIlove,
Re:
In my implementation for authentication, i designed my implementation as just typing letters on the screen like ghost key thing. No text box for inputting the characters.
Can you elaborate on this a little bit please?

Alan
0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 38400149
Hi Alan;

Once you open my website and type the secret key word (not to into a field or so), the page redirects to admin panel which requires username and password. I used a javascript check for this.

->My problem is that redirection fails in remote server, successful in local.
->My concern is that when directory browsing is enabled what are the risks? Can anyone see my project content in remote?

Regards.
0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 38429749
Ah Alan, any updates?

Regards.
0
 
LVL 10

Assisted Solution

by:gaurav05
gaurav05 earned 500 total points
ID: 38431749
Hi,

If Default document is disabled and Directory browsing is enabled then
anonymous user who do not specify file name see a listing of content
of the home folder.
0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 38469069
Hi there;

Default document is home.aspx. So, any security risks?

Regards.
0
 
LVL 26

Accepted Solution

by:
Alan Warren earned 500 total points
ID: 38857938
Hi Jazz,
when you set up the site on your local iis, you would have had to add home.aspx to the default documents and possibly escalated it to the top of the heap.

Curious if you did this on the remote server too?
Some hosting sites have a control panel GUI that allows site admins/owners to modify the default documents settings.

The default documents list is usually something like:
default.htm
default.asp
index.htm
index.html
iisstart.htm
default.aspx

The default documents for your site (the one with home.aspx as the default doc) should look like this:
home.aspx
default.htm
default.asp
index.htm
index.html
iisstart.htm
default.aspx

And; at least one of those files must exist in each folder, if not, then iis will serve up a generic directory listing as a response ( a security risk ).

So my first question is, ( assuming you are navigating to ~/Admin/ ), do you have at least one of those files in the Admin folder?


Assuming you meant Admin Folder when you said "the page redirects to admin panel which requires username and password".

My second question is, do you have a web.config in the ~/Admin/ folder; and if so, is it configured to allow anonymous access?
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
     <allow users="*" />
    </authorization>
  </system.web>
</configuration>

Because your users need to be able to access the Admin folder in order to authorize themselves (login). The login functionality should always be accessible to users who are not authenticated, or they won't be able to login. I suspect this isn't the case though, or it would not work on your local machine.

On the issue of security risks, I expect you know that only iis documents are protected by .net authentication, so for example, if you had an access db or a pdf doc (non iis documents) in a secure folder, if the end user knows the name of the file, iis will serve it up, even though it may be in a restricted folder, protected by a web.config.

Alan
0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 38879603
>>So my first question is, ( assuming you are navigating to ~/Admin/ ), do you have at least one of those files in the Admin folder?
Yes.
>>My second question is, do you have a web.config in the ~/Admin/ folder; and if so, is it configured to allow anonymous access?
Yes.

Thanks.
0

Featured Post

Granular recovery for Microsoft Exchange

With Veeam Explorer for Microsoft Exchange you can choose the Exchange Servers and restore points you’re interested in, and Veeam Explorer will present the contents of those mailbox stores for browsing, searching and exporting.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
Preparing an email is something we should all take special care with – especially when the email is for somebody you may not know very well. The pressures of everyday working life stacked with a hectic office environment can make this a real challen…
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
With just a little bit of  SQL and VBA, many doors open to cool things like synchronize a list box to display data relevant to other information on a form.  If you have never written code or looked at an SQL statement before, no problem! ...  give i…
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question