8fort8


403 errors on my IIS website

For some reason the default website is now refusing all connections with this error:
403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.

This seems to be an obvious permissioning issue however I haven't set or changed any permissions directly myself.
How can I fix this?
yawkey13

Does the user specified in the app pool that the site is using have access to the root folder housing the site?
8fort8

ASKER

I believe so.

Check the identity running the app pool, not the site. Then make sure that identity has access to the actual Windows folder where the site resides. Outside of IIS, go to My Computer, navigate to the folder where the web files are located, right click, and go to properties.

8fort8

ASKER

App Pool identity:    ApplicationPoolIdentity

Dan McFadden
Can you post some http logs?  Seeing what is causing the 403s might shed some more light on the issue.

Dan
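An added example, not part of the thread: one way to answer the request above is to group the 403 responses in an IIS W3C log by sub-status, URL and client, since the sub-status identifies which IIS feature refused the request. The log lines are constructed for illustration and are not the asker's logs.txt.

```python
import collections

# Constructed sample in IIS W3C extended format with a reduced field set.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status sc-substatus
2016-03-01 10:00:01 GET /wpad.dat 192.168.1.100 WinHttp-Autoproxy-Service/5.1 403 0
2016-03-01 10:00:03 GET /wpad.dat 192.168.1.100 WinHttp-Autoproxy-Service/5.1 403 0
2016-03-01 10:00:05 GET /wpad.dat 192.168.1.102 WinHttp-Autoproxy-Service/5.1 403 0
2016-03-01 10:00:07 GET / 203.0.113.7 Mozilla/5.0 403 14
2016-03-01 10:00:08 GET /remote 203.0.113.7 Mozilla/5.0 200 0
2016-03-01 10:00:09 GET /wpad.dat
"""


def summarize_403(log_text):
    """Return [((code, uri, client_ip), count), ...] for 403 responses, busiest first."""
    fields = []
    counts = collections.Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The field list can differ per server and can change mid-file.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry, skip it
        row = dict(zip(fields, values))
        if row.get("sc-status") != "403":
            continue
        code = "403.{}".format(row.get("sc-substatus", "?"))
        counts[(code, row.get("cs-uri-stem", "?").lower(), row.get("c-ip", "?"))] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (code, uri, ip), n in summarize_403(SAMPLE_LOG):
        print(n, code, uri, ip)
```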
8fort8

ASKER

This is a typical log:
logs.txt

Something on your network is using the Web Proxy Autodiscovery Protocol.  That's what the wpad.dat file is used for.

Can you ID the following IP Addresses?

- 192.168.1.100
- 192.168.1.102
- 192.168.1.104
- 192.168.1.120
- 192.168.1.126
- 192.168.1.131

Reference link:  https://technet.microsoft.com/en-us/library/cc995261.aspx

This is more of a browser item.

Article:  https://support.microsoft.com/en-us/kb/271361

Dan
8fort8

ASKER

Those are desktop PCs. I'm also getting this from the internet in. It doesn't seem to matter if I try locally or from the net. This server is a DC. It is used to deliver Anywhere Access and it forwards other requests to an Exchange server. The forward works but no local services can be accessed properly.

I would check to see if wpad is in the DNS blocklist.  Can you run the following commands from the article:  https://technet.microsoft.com/en-us/library/cc995158.aspx

- is wpad dns blocking enabled?
- is anything in the block list?

Dan
8fort8

ASKER

Looks like it is:
C:\Users\Administrator.MYNET>dnscmd /info /globalqueryblocklist

Query result:
String:  wpad
String:  isatap

Command completed successfully.

Should it be removed?
How did it get there?
What was recently installed that wants to deploy a wpad.dat (auto proxy) script?

Dan
8fort8

ASKER

This is where this gets tricky.
Nothing was recently installed, however...
1 week ago, when this started:
I was trying to implement a backup/failover strategy for our network connectivity by placing a URL rewrite on another server on this network. The router supports only 1 IP; we have 3 domain names. When pointed to the first server (with Exchange), the rewrite worked, except Anywhere Access's remote desktop feature (located on the second server) would not connect. When the router was pointed to the second server (the DC), the rewrite would lose certain features on the Exchange web app. This was resolved by adding a server farm to the DC to point to the Exchange server. Adding the server farm to the second server having resolved connectivity issues to the Exchange server, it seemed a similar solution may work for the reverse configuration. So a server farm for the DC was added to the first server. This failed to produce any change, so it was deleted. There seemed to be no ill effects at the time, but these issues started 4-5 hours after the farm was deleted, so that may be an issue.

About the time this started, I was adding users and features to users' profiles through the Anywhere Access dashboard. As I was using it, it began to freeze when I added remote access and computers to user accounts. Eventually it stopped working altogether and required a reboot. When it rebooted, it also installed an update. The next time I tried to log in: only 403 errors. Again 4-5 hrs later ** however mydomain.net/remote will serve a highly corrupt login page that will log into a corrupt second screen but nothing else
A Web Platform Installer icon has appeared in the IIS panel at the bottom

These may just be coincidental. I can think of a few ways these COULD/MAY? have corrupted some setting but I really don't know what setting nor where to look.

Sorry for the delay.

Well, I'd venture to say that something was changed.

Anyway, can you check the following:

1. your DHCP service for a WPAD entry.  If one exists, delete it.
--- Link:  https://technet.microsoft.com/en-us/library/cc995090.aspx
2. your DNS service for a WPAD CNAME (alias).  If one exists, delete it.
--- Link:  https://technet.microsoft.com/en-us/library/cc995062.aspx

I'm not sure if placing your servers in a web farm (or not) can have this effect, but you definitely installed/changed/reconfigured your server setups.  You haven't mentioned how you did this, so I cannot specifically say yes or no.

Dan
8fort8

ASKER

No DNS or DHCP entries.  No reconfiguration that I know of. I'm beginning to suspect a built-in account may have been corrupted when the dashboard crashed. Or perhaps I had some "help" no one's telling me about.

I'd try disabling the wpad with the 3rd command from the TechNet article above.

Is:

dnscmd /config /enableglobalqueryblocklist 0


Dan
8fort8

ASKER

No change

OK... next to try to disable the query at the browser level.  This is an IE thing.  You can check to see if the "Automatic detect setting" option is enabled in Internet Options > Connections tab > LAN Settings.

If the "Automatic detect setting" is checked, uncheck it.

Then see if browsing is functioning.

The other thing to check is whether your web site is expecting authentication to view pages.

In IIS Manager > select your site > go into the Authentication feature.  Enable Anonymous and disable any other protocol.

Dan
8fort8

ASKER

No change with the browser.
IIS already Anonymous enabled.
ASKER CERTIFIED SOLUTION
Dan McFadden
8fort8

ASKER

That's the Exchange farm on the DC that points to the Exchange VM.
The router points 80, 443 and a few others to the DC.
The DC hosts the mail.xyz.org server farm that points to the exchange server .0.7.
The farm that was deleted was the xyz.net farm on .0.7 that pointed to the DC .0.8.
8fort8

ASKER

When you sent me this line from the logs I was sure it was the farm forward for Exchange. I pored over every setting in the entire site, comparing it to the model VM I created that was working. NOTHING WAS DIFFERENT. Just by chance I started testing local access and found different error pages if I used localhost as opposed to the URL or IP. This led me to try turning off different servers and the farm. When I was looking closer at the farm I noticed an extra rule in the rewrite. It is automatically entered when you select rewrite rules. Someone must have forgotten to remove it. I disabled it and TaDa EVERYTHING WORKS!
So as it turned out you were right on the money. It was an entry in the ARR farm.
Thanks for the help

No problem.  Glad it's been solved.

Dan
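An added example, not part of the thread: the fix above was disabling a leftover rule among the ARR farm's rewrite rules, and a check like this one flags enabled global rewrite rules that either target a host no web farm defines or match every request with no condition. It assumes the rules sit under system.webServer/rewrite/globalRules in applicationHost.config; the fragment and rule names are constructed, reusing the farm names mentioned in the thread.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed applicationHost.config fragment (not the asker's configuration).
SAMPLE_CONFIG = """\
<configuration>
  <webFarms>
    <webFarm name="mail.xyz.org" enabled="true">
      <server address="exchange.internal" enabled="true" />
    </webFarm>
  </webFarms>
  <system.webServer><rewrite><globalRules>
    <rule name="ARR_mail.xyz.org_loadbalance" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <conditions><add input="{HTTP_HOST}" pattern="mail.xyz.org" /></conditions>
      <action type="Rewrite" url="http://mail.xyz.org/{R:0}" />
    </rule>
    <rule name="ARR_xyz.net_loadbalance" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <action type="Rewrite" url="http://xyz.net/{R:0}" />
    </rule>
  </globalRules></rewrite></system.webServer>
</configuration>
"""


def audit_global_rules(config_xml):
    """Return (rule name, finding) pairs for enabled global Rewrite rules."""
    root = ET.fromstring(config_xml)
    farms = {farm.get("name", "").lower() for farm in root.iter("webFarm")}
    findings = []
    for rule in root.iterfind(".//globalRules/rule"):
        if rule.get("enabled", "true").lower() != "true":
            continue  # a disabled rule no longer affects requests
        action = rule.find("action")
        if action is None or action.get("type", "").lower() != "rewrite":
            continue
        target = (urlsplit(action.get("url", "")).hostname or "").lower()
        match = rule.find("match")
        pattern = match.get("url", "") if match is not None else ""
        if target and target not in farms:
            findings.append((rule.get("name"), "target is not a defined farm"))
        if pattern in ("*", ".*", "(.*)") and rule.find("conditions/add") is None:
            findings.append((rule.get("name"), "unconditional catch-all"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_global_rules(SAMPLE_CONFIG):
        print(name, "->", finding)
```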