Internet Information Server (IIS) – Error – HTTP Error 500.19 – The requested page cannot be accessed because the related configuration data for the page is invalid – Error Code 0x80070005 – Config Error – Cannot read configuration file due to insufficient permissions

Background

We had an IIS outage a couple of weeks ago and tried quite a few things.  Part of what we tried was to tighten the NTFS permissions on our folders.

I am not sure why we started getting errors again recently.  The web site stopped working again, and the error we are now getting is pasted below.

 

Environment

Our OS is MS Windows 2012 and IIS version 8.  Earlier OS versions will be a bit different, as the IIS accounts and groups follow a slightly different naming convention.

 

Error – HTTP 500.19 – Cannot read configuration file due to insufficient permissions

The error message is “Error – HTTP 500.19 – Cannot read configuration file due to insufficient permissions”.

 

Error tabulated data:

Item           Value
Error Code     0x80070005
Config Error   Cannot read configuration file due to insufficient permissions
Config File    \\?\E:\DanielAdeniji\Website\hrdb\web.config

 

Error Image:

HTTP Error 500

Diagnosis – IIS Configuration

Here are the steps we took to list the web sites and get their Application Pool identity account.

List websites

Syntax:

%systemroot%\system32\inetsrv\APPCMD list apps

 

Sample:

%systemroot%\system32\inetsrv\APPCMD list apps

 

List SharePoint web sites

i.e. if we want to list only the SharePoint web sites:

Sample:

%systemroot%\system32\inetsrv\APPCMD list apps | find /I "sharepoint"

Output:

Listvdirs

 

Find Web Sites – Physical Folder

As we will be reviewing the NTFS permissions on the web site folder, let us first get that folder’s path.

Syntax:

c:\windows\system32\inetsrv\appcmd list apps "website/virtualdir" /text:* 

Sample:

c:\windows\system32\inetsrv\appcmd list apps "Default Web Site/mylovelyapp" /text:* 

Output:

listapps--virtualdir-text

The entry that we are concerned with is the PhysicalPath.

 

Find AppPool – User Name

We need to determine the Application Pool’s identity account.  To get there, we can first list all application pools by issuing “appcmd list apppool“.

Once we have the list of Application Pools, we can dig deeper into a specific Application Pool by issuing a command syntax like the one below.

Syntax:

c:\windows\system32\inetsrv\appcmd list apppool "<application-pool-name>" /text:* 

Sample:

c:\windows\system32\inetsrv\appcmd list apppool "App Pool - Daniel" /text:* 

Output:

AppPool - ProcessModel

Explanation:

In our case, we have defined a specific account to be used by our Application Pool.  That account is listed in the “userName” entry under processModel in the output above.

 

Diagnosis – IIS_IUSRS Group Membership

List accounts that are currently included in IIS_IUSRS

Syntax:


net localgroup <group-name>

Sample:


net localgroup IIS_IUSRS

 

Output:

LocalGroupPermissions

 

Explanation:

Our Application Pool account is not a member of IIS_IUSRS.

 

Add Application Pool Account to Local IIS_IUSRS group

Let us add our IIS Application Pool account to the machine’s IIS_IUSRS group (on IIS 6 the equivalent group was named IIS_WPG).

Syntax:

net localgroup <group-name> /add <Account>

Command:


net localgroup IIS_IUSRS /add "labdomain\appiisacct"

 

Output:

LocalGroupPermissions-AddIISGroup

 

Diagnosis – Web Site Folder – NTFS Permissions

Review NTFS Permissions on web site

Let us go review NTFS permissions on our web site folder.

Syntax:

icacls <web-site-folder> 

Sample:

icacls e:\DanielAdeniji\website\

 

Output:

icacls-ntfs permissions

Explanation:

From the screenshot above, IIS_IUSRS clearly has no entry granting it access to our web site folder.
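The diagnosis steps above (physical path, Application Pool identity, IIS_IUSRS membership, NTFS ACL on the folder) can be collected in one pass. This is an added PowerShell example, not part of the original post; it assumes the WebAdministration module that ships with IIS 8, and the site and application names are assumed values. It also checks NT AUTHORITY\IUSR, the anonymous account that the 401.3 section further down shows serving static files.

```powershell
# Added example (not from the original post). Assumes the WebAdministration
# module; the site/app names below are assumed values.
Import-Module WebAdministration

function Get-IisAppAccessReport {
    param(
        [string]$SiteName = 'Default Web Site',   # assumed
        [string]$AppName  = 'mylovelyapp'         # assumed
    )
    $app = Get-WebApplication -Site $SiteName -Name $AppName
    if (-not $app) { throw "Application '$SiteName/$AppName' not found" }
    $folder = [Environment]::ExpandEnvironmentVariables($app.PhysicalPath)
    $pool   = Get-Item "IIS:\AppPools\$($app.applicationPool)"

    # Resolve the account the worker process actually runs as
    $identity = switch ("$($pool.processModel.identityType)") {
        'SpecificUser'            { $pool.processModel.userName }
        'ApplicationPoolIdentity' { "IIS AppPool\$($pool.Name)" }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    }

    # IIS adds the IIS_IUSRS SID to the worker process token at runtime,
    # so an empty 'net localgroup' listing is normal; it is reported anyway.
    $inGroup = @(net localgroup IIS_IUSRS) -contains $identity

    # Each of these must be able to read web.config and the static files.
    # Only ACEs for the exact principal are examined; rights obtained
    # through other group memberships are not resolved here.
    $acl = Get-Acl -LiteralPath $folder
    $rx  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    foreach ($p in @($identity, 'BUILTIN\IIS_IUSRS', 'NT AUTHORITY\IUSR')) {
        $aces  = $acl.Access | Where-Object { $_.IdentityReference.Value -ieq $p }
        $deny  = $aces | Where-Object { $_.AccessControlType -eq 'Deny' }
        $allow = $aces | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $rx) -eq $rx)
        }
        [pscustomobject]@{
            Folder      = $folder
            AppPool     = $pool.Name
            Principal   = $p
            InIIS_IUSRS = ($p -eq $identity) -and $inGroup
            ReadExecute = [bool]$allow -and -not [bool]$deny
        }
    }
}

Get-IisAppAccessReport | Format-Table -AutoSize
```

A row with ReadExecute = False for the Application Pool account or IIS_IUSRS is the condition that produces the 500.19 above; a False row for NT AUTHORITY\IUSR corresponds to the 401.3 on static files described later.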

Grant NTFS Permissions on web site folder

Syntax:


icacls <web-site-folder> /grant:r <userOrGroup>:(OI)(CI)M

Sample:


rem E:\DanielAdeniji\WebSite -- the web site folder
rem /grant:r -- grant, replacing any existing explicit ACE for this user/group (":r" means replace, not read)
rem IIS_IUSRS -- user/group we are targeting
rem (OI) -- object inherit: files under the folder inherit the ACE
rem (CI) -- container inherit: sub-folders inherit the ACE
rem M -- Modify rights (read, execute, write, delete); RX (read and execute) is enough if the site only reads its files
rem no spaces are allowed anywhere in the "user:(OI)(CI)M" argument

rem grant permission to group IIS_IUSRS
icacls E:\DanielAdeniji\WebSite /grant:r "IIS_IUSRS":(OI)(CI)M

Output:

icacls-ntfs permissions--IIS_IUSRS

 

Please keep in mind that there must be no spaces: the permission argument must be entered as one token ending with “:(OI)(CI)M“.

If spaces are entered, icacls treats each piece as a separate argument and you get “Invalid parameter” errors:

  • Invalid parameter “(CI)”
  • Invalid parameter “M”

 

Error – HTTP Error 401.3 – Unauthorized

Once the earlier error was fixed, things started working.

But then we noticed that when we stopped targeting “http://localhost/mylovelyapp” and started targeting “http://<webserver>/mylovelyapp”, we got a new error.

This new error appeared in Google Chrome, but not in Microsoft Internet Explorer.

Error Image:

errorMessage

 

Error Table:

 

Item           Value
Error Code     0x80070005
Login Method   Anonymous
Login User     Anonymous
Handler        Static File

 

SysInternals – Process Monitor:

We launched SysInternals Process Monitor, filtered on our web site folder, and captured an interesting error message.

Image:

processmonitor-accessdenied-genericread

 

Table:

Item             Value
Class            File System
Operation        CreateFile
Result           Access Denied
Desired Access   Generic Read
Disposition      Open
Options          Sequential Access, No Buffering
Attributes       R
ShareMode        Read, Write, Delete
Impersonating    NT AUTHORITY\IUSR

 

In the screenshot above, we see two accounts: our IIS Application Pool account and the “Impersonating” account, NT AUTHORITY\IUSR.

The short of it is that we have impersonation configured in our web.config, as described in the Microsoft KB article below:

How to implement impersonation in an ASP.NET application
http://support.microsoft.com/kb/306158

To impersonate the Microsoft Internet Information Services (IIS) authenticating user on every request for every page in an ASP.NET application, you must include an identity tag in the Web.config file of this application and set the impersonate attribute to true.

For example:

<identity impersonate="true" />

 

Web Site Folder – NTFS Permissions – Handler – Static File

 

Grant NTFS Permissions on web site folder

Static files are served by the Static File handler under the anonymous account, “NT AUTHORITY\IUSR”, which is the account Process Monitor showed being impersonated, so that account needs read access to the folder as well.

Syntax:

icacls <web-site-folder> /grant:r "NT AUTHORITY\IUSR":(OI)(CI)M

Sample:


rem E:\DanielAdeniji\WebSite -- the web site folder
rem /grant:r -- grant, replacing any existing explicit ACE for this user/group (":r" means replace, not read)
rem (OI) -- object inherit: files under the folder inherit the ACE
rem (CI) -- container inherit: sub-folders inherit the ACE
rem M -- Modify rights (read, execute, write, delete); RX (read and execute) is enough for serving static files

rem grant permission to user NT AUTHORITY\IUSR
icacls E:\DanielAdeniji\WebSite /grant:r "NT AUTHORITY\IUSR":(OI)(CI)M
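The two icacls grants on this page (IIS_IUSRS in the 500.19 section and NT AUTHORITY\IUSR here) are the same operation for different principals. This added PowerShell example, not part of the original post, wraps that in one function, grants ReadAndExecute instead of Modify (enough for reading web.config and serving static files; widen to M only on folders the application must write to), and then verifies the result. The folder path is the one from the post; the function names are my own.

```powershell
# Added example (not from the original post): least-privilege version of the
# icacls grants on this page, plus a verification step. Folder path assumed.
function Grant-WebFolderRead {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string[]]$Principals = @('IIS_IUSRS', 'NT AUTHORITY\IUSR')
    )
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        throw "Folder not found: $Folder"
    }
    foreach ($p in $Principals) {
        # The permission spec must be a single token with no spaces. The ${p}
        # braces matter: "$p:(OI)..." would be parsed as a scoped variable.
        $spec = "${p}:(OI)(CI)RX"
        & icacls.exe $Folder /grant:r $spec | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed for $p (exit $LASTEXITCODE)" }
    }
}

function Test-WebFolderRead {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string[]]$Principals = @('IIS_IUSRS', 'NT AUTHORITY\IUSR')
    )
    $acl = Get-Acl -LiteralPath $Folder
    $rx  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    foreach ($p in $Principals) {
        # Match on the account name only, so 'IIS_IUSRS' finds 'BUILTIN\IIS_IUSRS'
        $name = $p.Split('\')[-1]
        $ok = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -like "*\$name" -and
            (($_.FileSystemRights -band $rx) -eq $rx)
        }
        [pscustomobject]@{ Principal = $p; ReadExecute = [bool]$ok }
    }
}

Grant-WebFolderRead -Folder 'E:\DanielAdeniji\WebSite'
Test-WebFolderRead  -Folder 'E:\DanielAdeniji\WebSite' | Format-Table -AutoSize
```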

 

 

Review NTFS Permissions on web site folder (Post Changes)

Syntax:

icacls <web-site-folder> 

Sample:


Icacls E:\DanielAdeniji\WebSite

 

Output:

icalcs_group_user

AccessEnum:

AccessEnum, also from SysInternals, lets us quickly detect permission differences between a base folder and its sub-folders.

AccessEnum_Group_User

 

Explanation:

In the screenshot above, we see that both IIS_IUSRS and NT AUTHORITY\IUSR now have access (Modify, as granted by the icacls commands above) to the web site folder.

 

Summary

Thank goodness for SysInternals Process Monitor.  It was a life saver.  Although we tried using the OS Local Policy, enabling Object Access auditing, and enabling auditing on our web site folder via Windows Explorer, nothing made it as far as the Event Viewer.

Also, I actually got to like icacls, though it initially appeared difficult.  But, via good write-ups available on the Net, I was able to pick it up and understand it a bit better.

Those using earlier OSes will have to use cacls and xcacls.  But, as icacls is built into MS Windows 2012, I wanted to try it out.

SysInternal’s AccessEnum is also a nice, well thought out and valuable tool.

 
