Ошибка 403 iis

In a previous post, you learned how to troubleshoot 401 – Unauthorized: Access is denied due to invalid credentials. In this post, we will cover how to troubleshoot HTTP Error 403.14 – Forbidden in Internet Information Services (IIS).

Contents

  1. HTTP Error 403.14 – Forbidden
  2. Cause of error
  3. Resolving the error
    • Directory browsing is not enabled
    • Enable directory browsing using the IIS Manager
    • Default document is not configured
    • ASP.NET is not installed on the server
  4. Common 403 substatus codes
  5. Conclusion
  • Author
  • Recent Posts

Surender Kumar has more than twelve years of experience in server and network administration. His fields of interest are Windows servers, Active directory, PowerShell, web servers, networking, Linux, virtualization, and Kubernetes. He loves writing for his blog.

Latest posts by Surender Kumar (see all)

  • Kubernetes DaemonSets — Wed, Sep 6 2023
  • Static Pods in Kubernetes — Fri, Sep 1 2023
  • Encrypt Kubernetes Secrets at rest — Mon, Aug 28 2023

HTTP Error 403.14 – Forbidden

HTTP Error 403.14 Forbidden

HTTP Error 403.14 Forbidden

The HTTP Error 403.14 – Forbidden is displayed when you try to access a website hosted on IIS having detailed errors enabled. As you can see in the screenshot, the error page says The Web server is configured to not list the contents of this directory and also indicates the most likely causes of this error.

If the detailed errors are not enabled, you will see a custom error page with a generic message: 403 –Forbidden: Access is denied.

403 Forbidden Access is denied

403 Forbidden Access is denied

Cause of error

As indicated by the detailed error page, there are three likely causes of this error:

  1. Directory browsing is not enabled—Directory browsing is the ability of a web server to list the contents of the website’s root directory in a web browser. The following screenshot shows what a website looks like when directory browsing is enabled:

What a website looks like in a browser when directory browsing is enabled

What a website looks like in a browser when directory browsing is enabled

As you can see in the screenshot, directory browsing enables visitors to view files and browse through the directories. The chances are pretty slim that you want your website to look like this.

  1. Default document is not configured—The default document is a file that is served by the web server when the client does not specify a particular file in a uniform resource locator (URL). By default, web server software recognizes file names such as default.htm, default.html, default.aspx, index.html, index.htm, etc. The following screenshot shows a list of default documents supported by IIS:

Viewing the default document for a website in the IIS Manager

Viewing the default document for a website in the IIS Manager

To add a custom default document (e.g., awesomehome.html), click Add and then type the name of the default document. You could even change the order of documents by selecting one and then clicking the Move Up or Move Down options in the Actions pane on the right.

  1. The ASP.NET feature is not installed on the server—The default documents, such as aspx and index.html, only work with websites that use traditional frameworks. With modern frameworks and programming technologies such as MVC, the default pages are defined and handled right inside the application code by the developers. So, if your website is using MVC or a similar technology, you need to install the ASP.NET feature on the server. See how to install ASP.NET on the web server.

Resolving the error

We covered the possible causes of this error in the previous section. Now, depending on your scenario, you could try the following steps to fix this error:

Directory browsing is not enabled

If you know that your website should list the contents of the root directory so that visitors can browse the files and folders, you need to enable the Directory Browsing option, using either the IIS Manager or the web.config file.

Enable directory browsing using the IIS Manager

Open the IIS Manager, select your website, and then double-click the Directory Browsing option under IIS in Feature view.

Viewing the directory browsing feature in the IIS Manager

Viewing the directory browsing feature in the IIS Manager

Now click Enable in the Actions pane on the right.

Enabling directory browsing using IIS manager

Enabling directory browsing using IIS manager

Enable directory browsing using the web.config file

If you’re using a shared hosting server, you could enable directory browsing using the web.config file itself:

Open the web.config file and paste the following code between the <system.webServer> and </system.webServer> tags:

<directoryBrowse enabled="true" />

Enable directory browsing using the web.config file

Enable directory browsing using the web.config file

Default document is not configured

If your website uses a traditional framework and you see a file with a name such as default.aspx, index.html, or index.php in the website’s root directory, make sure the same filename is also available in the list of default documents. You could even ask the developer about the name of the default document for your website. For instance, I know that my website is supposed to use home.html as the default document. Therefore, I will add it either using the IIS Manager or the web.config file. See the following screenshots for reference:

Adding a default document for the website using the IIS Manager

Adding a default document for the website using the IIS Manager

Adding a default document to a website using the web.config file

Adding a default document to a website using the web.config file

ASP.NET is not installed on the server

If neither of the above solutions works, it is likely that your website is using MVC or a similar technology that requires the ASP.NET development feature on the server, and it is not currently installed. This error is common when you try to host an MVC website on a web server for the first time. To install ASP.NET, use the following PowerShell command:

Install-WindowsFeature Web-Asp-Net45 -IncludeAllSubFeature

This command installs ASP.NET 4.5 or higher on the web server, and your MVC website will start working.

If your website is supposed to use a legacy version of ASP.NET (e.g., 3.5 or below), use the following command instead:

Install-WindowsFeature Web-Asp-Net -IncludeAllSubFeature

Installing ASP.NET on a web server using PowerShell

Installing ASP.NET on a web server using PowerShell

Common 403 substatus codes

The following table covers some common HTTP 403 substatus codes, along with their possible causes and troubleshooting advice:

Subscribe to 4sysops newsletter!

Status Code Possible Cause Troubleshooting Advice
403.1 Execute access is forbidden This error indicates that the appropriate level of the execute permission is not granted. To resolve this error, make sure the application pool identity has the execute permission.
403.2 Read access is forbidden This error indicates that the appropriate level of the read permission is not granted. To resolve this error, make sure the application pool identity has the read permission.
403.3 Write access is forbidden This error indicates that the appropriate level of the write permission is not granted. To resolve this error, make sure the application pool identity has the write permission.
403.4 An SSL connection is required This error indicates that the request was made over a nonsecure HTTP channel but the web application is configured to require an SSL connection.
403.13 The client certificate has been revoked This error indicates that the client browser tried to use a certificate that was revoked by issuing certificate authority.
403.14 The directory listing is denied We covered how to fix this error above.

Conclusion

The key to troubleshooting any IIS-related error is to enable the detailed errors. When the detailed errors aren’t helpful in revealing the actual HTTP status and substatus codes, you could use Failed Request Tracing to understand what’s going on with the HTTP request. I hope you find this post helpful.

IIS Regedit addition

You do not have permission to view this directory or page using the credentials that you supplied.

Every time IIS (Internet Information Services) is given a folder to access with information on a website, the 403 error page will appear if the right permissions are not given to the folder. It is a simple fix, but I don’t know why Microsoft hasn’t posted a proper answer on their KB, MSDN or their other support forums on this issue.

If you have just created an HTTP/HTTPS site on IIS 7/8/9/10 (true for most other IIS installs as well), you need to assign IIS_IUSRS security permissions to your assigned web folder. The following steps 1 to 7 describes the procedure.

1. Right click on the folder (the folder you assigned for web access in IIS)

2. Choose “Properties” (or “Edit Permissions” if you right clicked while inside the IIS window)
IIS8_folder_right

3. Go to “Security” tab
IIS8_folder_security

4. In the top box, “Group or user names”, open “Edit…” (will take you to Permissions window)
IIS8_folder_add_per

5. You will most likely cannot fine IIS_IUSRS in the list; open, “Add..”

6. In the box at the very bottom, “Enter the object names to select (examples):” enter IIS_IUSRS

7. Click OK and make sure in the Permissions window, you have allowed, Read & execute, List folder contents and Read

In a nutshell; Right click -> Properties/Edit Permissions -> Security (TAB) -> Edit (under Group or user names) -> Add (IIS_IUSRS) -> OK (make sure the right permissions described in steps 7 are there)

Other Solution

Another solution is to edit the following registry keys from Registry Editor. You can access the Register Editor in multiple ways. Type regedit on Window Search or open run and type regedit and enter will open the editor. Make sure you access the Registry Editor with Administrator privileges.

1. Once you open the Registry Editor, navigate to the location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL

2. Create a new DWORD (32-bit Value) entry name “ClientAuthTrustMode

3. Enter “2” in the Value data field (no revocation check).

IIS Regedit addition

IIS Regedit addition

Standing on the shoulders of giants

I use cookies to optimize site functionality and improve your experience. By continuing to use this site, you accept the use of cookies stated under Privacy Policy and Terms of Use. Read More ACCEPT

Symptoms

You can load the page just fine, but after going through the pages quickly or by opening several tabs at once, you see a 403 error:

IIS 403 Error Forbidden Access is denied

403 - Forbidden: Access is denied.

You do not have permission to view this directory or page using the credentials that you supplied.

This is a bit misleading since you might right away think that the you do not have permission to access the web page or the folder. But you know you’re authenticated because you could see the page a few seconds ago and the problem is intermittent. So why do you get 403 Forbidden: Access is denied?

What to Check

The first thing you want to check is the IIS log and look for the specific error code (403) with the timestamp when you see the 403 error. You might see something similar to the following:

2022-02-02 22:33:58 10.20.128.70 POST /ResultPage.asp - 80 - 192.168.1.25 Mozilla/4.0... https://www.itnota.com/CheckPage.asp 403 501 0 0

Open up the IIS log in a text editor and search for ” 403″ (without quotes). A leading whitespace is added to narrow down the search. You can also use regular expression to be precise but for this exercise, I think it’s an overkill.

IIS Log Search for 403 501 error in a text editor

One key thing we need to pay attention to is to check the whole error code by looking the one next to the 403 → 501. So to be exact, the error code is actually 403.501.

If you check the definition of this error here, you’ll soon find out this error has nothing to do with permission in the traditional sense of how we understand it:

403.501 - Forbidden: Too many requests from the same client IP; Dynamic IP Restriction Concurrent request rate limit reached.

This is the real issue and it’s easier to fix once we’ve figured out that we need to look at the Dynamic IP Restriction.

So now we have three options:

  1. Disable Dynamic IP Restriction.
  2. Increase the Maximum number of concurrent requests.
  3. If your connection comes from the same IP address (i.e. F5), then you can create a whitelist based on its IP address.
  4. Maybe four, as you can combine option 2 and 3 if needed.

Whether you choose option 1, 2, or 3, all the settings are in the same location in IIS.

Steps

  1. Launch IIS Manager and on the left pane window, select the site that you want to modify.

  2. In the middle window, double-click on the IP Address and Domain Restrictions.

    IIS Settings IP Address and Domain Restrictions

  3. If you want to do either option 1 or 2, click on Edit Dynamic Restriction Settings… on the right window pane.

    IIS Edit Dynamic Restriction Settings Maximum Concurrent Requests

  4. Option 1: To disable the Dynamic IP Restrction, uncheck all the checkboxes and click OK.

  5. Option 2: Modify the number in the Maximum number of concurrent requests: and still leave the Deny IP Address based on the number of concurrent requests checked. Then click OK.

  6. Option 3: You can either leave the Dynamic Restriction Settings alone, or you may combine that setting with the whitelist as well.

  7. In IP Address and Domain Restrictions window, click on Add Allow Entry… on the right window pane.

    IIS Add Allow Entry window on IP Address and Domain Restrictions settings

    Note: All your modification is saved in applicationHost.config file in the server as indicated on the bottom of the IP Address and Domain Restrictions window.

  8. Add the IP Address you want to allow entry that’s not limited by the Dynamic Restriction Settings in the Specific IP address: textbox. Or you can enter a range of IP addresses under the IP address range: textbox. Then click OK.

    IIS IP Address and Domain Restrictions - Add Allow Entry

Additional Note

As mentioned earlier, all the settings we did above is saved applicationHost.config file. The file can be found in the following directory:

%windir%\system32\inetsrv\config

And all the steps above can be skipped if you edit the file using a text editor. I personally like to use GUI to prevent typos so just be aware of the risk of editing this file by hand.

  <location path="##Your-website-name-in-IIS##">
    <system.webServer>
      <asp appAllowClientDebug="true" appAllowDebugging="true" />
      <security>
        <ipSecurity>
          <add ipAddress="192.168.1.25" allowed="true" />
        </ipSecurity>
        <dynamicIpSecurity>
          <denyByConcurrentRequests maxConcurrentRequests="1" />
          <denyByRequestRate maxRequests="20" />
        </dynamicIpSecurity>
      </security>
    </system.webServer>
  </location>

That’s it.

Once you saved all the settings, the new change should take effect immediately.

Further Reading

The HTTP status code in IIS 7.0 and later versions
IIS 8.0 Dynamic IP Address Restrictions
Using Dynamic IP Restrictions
IIS Dynamic IP Restrictions whitelist

Ok, I have scoured online resources and applied all the suggested solutions.

I am setting up a simple website on Windows Server 2008 R2 under IIS 7.5 using the «ASP.NET v4.0» pool. I am setting this up as an application under Default Web Site with a different root. I keep getting the 403 Forbidden error.

I have:

  1. Installed asp.net using aspnet_regiis.exe -i (many times)
  2. Made sure my root directory (physical path) has permissions for
    «IIS_IUSR» and «IUSR» users.
  3. Made sure «Anonymous Authentication» is enabled and set to «Application Pool Identity»
  4. I have restarted IIS numerous times
  5. I have checked and double-checked every other configuration.

What’s strange is that I have another application under Default Web Site and it works just fine.

Any suggestions will help. This shouldn’t be so hard unless I am missing something obvious.

asked Jun 20, 2012 at 2:05

dotnetster's user avatar

dotnetsterdotnetster

1,6011 gold badge16 silver badges19 bronze badges

2

Ok, I am quite embarrassed but the over sight was that «Require SSL» was checked by default and that is the place I did not check. I guess it is because an SSL is bound to the Default Web Site. Removing that check made it work.

Hopefully this will help someone else.

answered Jun 20, 2012 at 13:18

dotnetster's user avatar

dotnetsterdotnetster

1,6011 gold badge16 silver badges19 bronze badges

3

Haha you think that is embarrasing! This is probably the 1000th webserver I’ve installed… 30mins of 403s!! I can’t figure it out. There is a stub default.asp in there.. permissions all correct… everything!

I turned on «directory» browsing in desparation of flicking around.

default.asp.txt is sitting there….. DOH.

Need to turn OFF «known file types»… why is that setting like that anyway?

answered Jun 4, 2015 at 8:57

bendecko's user avatar

bendeckobendecko

2,6431 gold badge23 silver badges33 bronze badges

8

Another possible issue which leads to a 403 error:

The Global.asax file is missing.

answered Nov 16, 2016 at 11:52

Raidri's user avatar

RaidriRaidri

17.3k9 gold badges62 silver badges65 bronze badges

For me the answer was in handler mappings section of IIS 7.5

Adding the following to web.config enabled all the aspx pages to work correctly

<configuration>
...
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <handlers accessPolicy="Read, Script" />
    ... 
  </system.webServer>
</configuration>

answered Nov 10, 2015 at 20:17

Michael Smale's user avatar

Grant permission to the Network Service user in the NTFS folder

Also check the .Net authorization rules:

enter image description here

enter image description here

answered Jun 20, 2012 at 2:09

Jupaol's user avatar

JupaolJupaol

21.1k8 gold badges68 silver badges100 bronze badges

2

Check that IP address restrictions are not blocking the request. Can check this in the logs.

(This was my embarrassing reason!)

answered Sep 21, 2016 at 11:06

GlennG's user avatar

GlennGGlennG

2,9822 gold badges20 silver badges25 bronze badges

Mine was even more embarrassing.

Right Click on folder,Remove READ only attribute.

answered Aug 31, 2018 at 5:06

KumarHarsh's user avatar

KumarHarshKumarHarsh

5,0461 gold badge18 silver badges22 bronze badges

For me, there was a vestigial Web.config in C:\inetpub\wwwroot with rewrite rules. Deleting it solved the problem.

answered Feb 26, 2019 at 18:29

Eric Eskildsen's user avatar

Eric EskildsenEric Eskildsen

4,2792 gold badges38 silver badges55 bronze badges

I was facing issue on windows 7 and surprisingly it was fixed after installing service pack 1

answered Mar 27, 2019 at 15:43

Naveed Yousaf's user avatar

You might also get this if setting up FTP for a website and you try and change the default directory for FTP on the website.

From what I can tell:

Manage FTP Site -> Advanced Settings -> Physical Path

is the same

Manage Website -> Advanced Settings -> Physical Path

Changing one will change the other and possibly cause a 403 on a working site.

answered May 13, 2019 at 4:32

Ryan Buddicom's user avatar

I have installed a renewed SSL certificate on my web server running IIS7.

After installation, I applied website binding to port 443.

My application uses client certificates too, so I have changed the SSL setting to Require ‘client certificate’.

Both client and SSL server certificates are valid but still I am not able to access my application. The error I get is:

403 — Forbidden: Access is denied.

I have enabled client certificate mapping in IIS role settings also but still not getting rid of this 403 error.

I guess client certificate is not able to handshake with server certificate. Please help!

asked Jan 31, 2014 at 6:16

user3254237's user avatar

0

In certificate Store verified all server certificate and client cert with its authority hierarchy are available.

also cross check below settings

Application Authentication: Anonymous
Application SSL Setting: Require SSL/ Accept
ApplicationHost.config: enabled OnetoOneMapping under iisClientCertificateMappingAuthentication also added base64 certificate mapped with service accounts

Also based on my past experience we need to ensure we have SChannel registry setting as mentioned in below post.
https://support.microsoft.com/en-us/kb/2464556

answered Sep 8, 2016 at 18:41

bijayk's user avatar

bijaykbijayk

5563 silver badges18 bronze badges

Simplest workaround just discovered this today. In IIS for your application, Go to Edit Bindings and change your port number. 443 to 4431 or 44301. Any variation you want. In your client computer, type in the new URL using new port number and you will establish a fresh connection to application. Make sure you SSL Settings for IIS Application is set to «Accept» instead of «Require». This means you can click «Cancel» when the pop up asks you to select a certificate you can simply hit «Cancel» and still hit the site. No 403 Error.

Do not spend hours trying to mess with your certificate store, just simply change the port on IIS Server and you’ll be fine.

answered Mar 18, 2019 at 15:28

EnterTheBlackDragon's user avatar

1

Понравилась статья? Поделить с друзьями:
  • Ошибка 403 html шаблон
  • Ошибка 403 google аккаунт
  • Ошибка 4020 куосера
  • Ошибка 4020 киосера
  • Ошибка 402 что это значит