8fort8
asked on
403 errors on my IIS website
For some reason the default website is now refusing all connections with this error
403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.
This seems to be an obvious permissioning issue however I haven't set or changed any permissions directly myself.
How can I fix this?
403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.
This seems to be an obvious permissioning issue however I haven't set or changed any permissions directly myself.
How can I fix this?
yawkey13
Does the user specified in the app pool that the site is using have access to the root folder housing the site?
ASKER
I believe so.
ASKER
Check the identity running the app pool, not the site. then make sure that identity has access to the actual windows folder where the site resides. Outside of IIS, go to My Computer, navigate to the folder where the web files are located, right click, and go to properties.
ASKER
App Pool identity: ApplicationPoolIdentity
Can you post some http logs? Seeing what is causing the 403s might shed some more light on the issue.
Dan
Dan
ASKER
This is a typical log:
logs.txt
logs.txt
Something on your network is using the Web Proxy Autodiscovery Protocol. That's what the wpad.dat file is used for.
Can you ID the following IP Addresses?
- 192.168.1.100
- 192.168.1.102
- 192.168.1.104
- 192.168.1.120
- 192.168.1.126
- 192.168.1.131
Reference link: https://technet.microsoft.com/en-us/library/cc995261.aspx
This is more of a browser item.
Article: https://support.microsoft.com/en-us/kb/271361
Dan
Can you ID the following IP Addresses?
- 192.168.1.100
- 192.168.1.102
- 192.168.1.104
- 192.168.1.120
- 192.168.1.126
- 192.168.1.131
Reference link: https://technet.microsoft.com/en-us/library/cc995261.aspx
This is more of a browser item.
Article: https://support.microsoft.com/en-us/kb/271361
Dan
ASKER
Those are desktop pcs. I'm also getting this from the internet in. It doesn't seem to mater if I try locally or from the net. This server a DC it is used to deliver anywhere access and it forwards other requests to an exchange server. The forward works but no local services can be accessed properly.
I would check to see if wpad is in the DNS blocklist. Can you run the following commands from the article: https://technet.microsoft.com/en-us/library/cc995158.aspx
- is wpad dns blocking enabled?
- is anything in the block list?
Dan
- is wpad dns blocking enabled?
- is anything in the block list?
Dan
ASKER
Looks like it is:
Should it be removed?
How did it get there?
C:\Users\Administrator.MYN
Query result:
String: wpad
String: isatap
Command completed successfully.
Query result:
String: wpad
String: isatap
Command completed successfully.
Should it be removed?
How did it get there?
What was recently installed that wants to deploy a wpad.dat (auto proxy) script?
Dan
Dan
ASKER
This is where this gets tricky.
Nothing was recently installed however...
1 week ago when this started:
These may just be coincidental. I can think of a few ways these COULD/MAY? have corrupted some setting but I really don't know what setting nor where to look.
Nothing was recently installed however...
1 week ago when this started:
I was trying to implement a backup/fail over strategy for our network connectivity by placing a url rewrite on another server on this network. The router supports only 1 ip we have 3 domain names. When pointed to the first server (with exchange) the rewrite worked except anywhere access's remote desktop feature (located on the second server) would not connect. When the router was pointed to the second server (the DC) the rewrite would lose certain features on the exchange web app. This was resolved by adding a server farm to the dc to point to the exchange server. Adding the server farm to the second server having resolved connectivity issues to the exchange server it seemed a similar solution may work for the reverse configuration. So a server farm for the dc was added to the first server. This failed to produce any change so it was deleted. There seemed to be no ill effects at the time but these issues started 4-5 hours after the farm was deleted so that may be an issue.
About the time this started I was adding users and features to users profiles through the anywhere access dashboard. As I was using it it began to freeze when i added remote access and computers to user accounts. Eventually it stop working altogether and required a reboot. When it rebooted it also installed an update. the next time I tried to log in only 403 errors. Again 4-5 hrs later ** however mydomain.net/remote will serve a highly corrupt login page that will log into a corrupt second screen but nothing else
A Web platform installer icon has appeared in the IIS panel at the bottom
These may just be coincidental. I can think of a few ways these COULD/MAY? have corrupted some setting but I really don't know what setting nor where to look.
Sorry for the delay.
Well, I'd venture to say that something was changed.
Anyway, can you check the following:
1. your DHCP service for a WPAD entry. If one exists, delete it.
--- Link: https://technet.microsoft.com/en-us/library/cc995090.aspx
2. your DNS service for a WPAD CNAME (alias). If one exists, delete it.
--- Link: https://technet.microsoft.com/en-us/library/cc995062.aspx
I'm not sure if placing your servers in a web farm (or not) can have this effect, but you definitely installed/changed/reconfig
Dan
Well, I'd venture to say that something was changed.
Anyway, can you check the following:
1. your DHCP service for a WPAD entry. If one exists, delete it.
--- Link: https://technet.microsoft.com/en-us/library/cc995090.aspx
2. your DNS service for a WPAD CNAME (alias). If one exists, delete it.
--- Link: https://technet.microsoft.com/en-us/library/cc995062.aspx
I'm not sure if placing your servers in a web farm (or not) can have this effect, but you definitely installed/changed/reconfig
Dan
ASKER
No dns or dhcp entry's. No reconfiguration that I know of. I'm beginning to suspect a built in account may have been corrupted when the dashboard crashed. Or perhaps I had some "help" no ones telling me about.
I'd try disabling the wpad with the 3rd command from the TechNet article above.
Is:
Dan
Is:
dnscmd /config /enableglobalqueryblocklist 0Dan
ASKER
No change
OK... next to try to disable the query at the browser level. This is an IE thing. You can check to see if the "Automatic detect setting" option is enabled in Internet Options > Connections tab > LAN Settings.
If the "Automatic detect setting" is checked, uncheck it.
Then see if browsing is functioning.
The other thing to check to see is if your web site expecting authentication to view pages.
In IIS Manager > select your site > go into the Authentication feature. Enable Anonymous and disable any other protocol.
Dan
If the "Automatic detect setting" is checked, uncheck it.
Then see if browsing is functioning.
The other thing to check to see is if your web site expecting authentication to view pages.
In IIS Manager > select your site > go into the Authentication feature. Enable Anonymous and disable any other protocol.
Dan
ASKER
No change with the browser.
IIS already Anonymous enabled.
IIS already Anonymous enabled.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
That's the Exchange farm on the DC that points to the Exchange VM.
The router points 80, 443 and a few others to the DC.
The DC hosts the mail.xyz.org server farm that points to the exchange server .0.7.
The farm that was deleted was the xyz.net farm on .0.7 that pointed to the DC .0.8.
The router points 80, 443 and a few others to the DC.
The DC hosts the mail.xyz.org server farm that points to the exchange server .0.7.
The farm that was deleted was the xyz.net farm on .0.7 that pointed to the DC .0.8.
ASKER
When you sent me this line from the logs I was sure it was the farm forward for exchange. I pored over every setting in the entire site. Comparing it to the model VM I created that was working. NOTHING WAS DIFFERENT. Just by chance I started testing local access and found different error pages if I used localhost as apposed to the url or ip. This led me to try turning off different servers and the farm. When I was looking closer at the farm I noticed an extra rule in the rewrite. It is automatically entered when you select rewrite rules. Some one must have forgotten to remove it. I disabled it and TaDa EVERYTHING WORKS!
So as it turned out you were right on the money. It was an entry in the ARR farm.
Thanks for the help
So as it turned out you were right on the money. It was an entry in the ARR farm.
Thanks for the help
No problem. Glad its been solved.
Dan
Dan