
Why is my file supposedly unable to be read due to insufficient permissions (HTTP Error 500.19), when it has no restrictions on it?


I'm getting this error when I try to run an ASP.NET site (my first time trying to get it to run):

[screenshot]

Yet looking at the file implicated (\C:\EnhancedSalesReporting\customerreportingnet\customerreportingnet\web.config), it doesn't seem to have any restrictions / insufficient permissions:

[screenshot]

[screenshot]

What is really the problem here, or what must I do to get beyond this frustrating block?

asp.net web.config 500.19 internalservererror configfile insufficientpermissions permissions

UPDATE

When I approached it differently by creating a Virtual Directory in IIS, pointing it to the location of these files, and then in VS selecting File > Open Website..., I fared no better, really. The err pages are different, but I'm stuck either way. That roadblock is described here.

UPDATE 2

When I attempt to follow the steps in the accepted answer in the link provided in the comment by Ken White, by trying to add "IIS_IUSRS" to Web.Config's Group or user names in the Security tab, I get "Name Not Found - An object named "IIS_IUSRS" cannot be found..."

[screenshot]

Am I going about this the wrong way? I get the same results whether I try to edit Web.Config via Windows Explorer or from the Content View pane in IIS7.5 - is something else meant?

UPDATE 3

Another hint from that post referenced above is, "You should also check for the read-only attribute in the applicationhost.config file"

That's worth a try, but which one? I have 9 applicationhost.config files on my hard drive, and four of them look like likely prospects, those in the following locations:

C:\Program Files (x86)\IIS Express
C:\Program Files\IIS Express
C:\Users\cshannon\MyDocuments\IIS Express
C:\Windows\System32\inetsrv

Which, if any, of these, would it be advantageous to set readonly to false?

UPDATE 4

This is in response to Michael Liu's answer:

Thanks, Michael;

I followed your steps, but still get the same err page. I had expected it to work, and so I was a little surprised (abashed, even) that I ended up with the same old err page.

BTW, I saw no "Details" tab in Task Manager, but there is a "Show processes from all users" in the "Processes" tab.

Maybe this is the problem - there are three w3wp.exe entries in Task Manager:

Image Name      User Name
----------      ---------
w3wp.exe *32    DefaultAppPool
w3wp.exe        classicEservice 
w3wp.exe        NETWORK SERVICE

Should there be only one?

UPDATE 5

After restarting IIS7.5, I've got "just" two w3wp.exe entries in Task Manager:

w3wp.exe *32 (DefaultAppPool)
w3wp.exe (NETWORK SERVICE)

So is 2 one too many?

UPDATE 6

In answer to Michael's updated steps:

Application Pool == classicEservice

In "Application Pools" the vals for classicEservice are:

Status == Started
.NET Framework Version == v2.0
Managed Pipeline Mode == Classic
Identity == ApplicationPoolIdentity
Applications == 5

Following the steps again, but replacing "DefaultAppPool" with "classicEservice" definitely gets me on the right track, for I no longer get the 500.19 err page. Now it is "hourglassing" on http://localhost/CustomerReportingNET/pages/custmaint_entry.aspx.

I think maybe the "/pages/custmaint_entry.aspx" should get stripped off of that; I'll see what I need to do to accomplish that...

UPDATE 7

The first time it "hourglassed" until the cows came home, the second (and third) times it showed me this:

[screenshot]

UPDATE 8

I tried "Start without Debugging" and stripped off the back end of the URL so that it is just "http://localhost/CustomerReportingNET/" but it still hourglasses (or "blue spinning donuts" I guess) like a whirling dervish that has overdosed on energy drinks.


Solution

  • The error “Cannot read configuration file due to insufficient permissions” means that the IIS worker process w3wp.exe is running under an account that doesn’t have permission to access Web.config. Indeed, your screenshot of Web.config’s file permissions shows a very restrictive set of accounts.

    First, determine which account w3wp.exe is running as:

    1. In IIS Manager, find and select your virtual directory in the left tree.
    2. In the Actions pane on the right, click Basic Settings.
    3. Make a note of the configured Application pool, and then click Cancel.
    4. Select Application Pools in the left tree (it should be near the top of the list).
    5. In the list of application pools, find the one you noted in Step 3, and look at the value in the Identity column.

    IIS 7.5 and up (Windows 7, Windows Server 2008 R2)

    I’m going to assume that the configured application pool is DefaultAppPool and that its identity is ApplicationPoolIdentity, which means a virtual account is created by IIS for the application pool. (Let me know if they're something else.)

    You need to allow this virtual account to access your application folder:

    1. In Windows Explorer, open the Properties dialog box for the folder containing Web.config (C:\EnhancedSalesReporting\customerreportingnet\customerreportingnet).
    2. On the Security tab, click the Edit button to open the Permissions dialog box, and then click Add.
    3. In the Select Users dialog box, click the Locations button, select your computer (likely the first item in the list, and IBM-JBAKER from your screenshot), and then click OK.
    4. In the Enter the object names to select text box, type IIS APPPOOL\DefaultAppPool (without any trailing spaces), and then click OK.
      • Alternatively, you can grant access to all IIS virtual accounts by typing IIS_IUSRS instead.
    5. Back in the Permissions dialog box, the Read & execute and Read checkboxes in the Allow column should already be checked, so just click OK.

    IIS 6.0/7.0 (Windows Vista, Windows Server 2003/2008)

    On these operating systems, w3wp.exe runs as a "real" account (such as NETWORK SERVICE) instead of a virtual account. Follow the steps in the previous section, but in step 4, substitute the actual account shown in Task Manager (or IIS_WPG) for IIS APPPOOL\DefaultAppPool (or IIS_IUSRS).
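
The same procedure as a script, as an added example that is not part of the original answer: it looks up which application pool serves the application, resolves the account that pool runs as, and grants only that account Read & execute on the content folder rather than the broader IIS_IUSRS group. It assumes the WebAdministration module is available and an elevated prompt; the site name `Default Web Site` is an assumption, while the application name and folder are taken from the question.

```powershell
# Added example: resolve the app pool identity for one IIS application and
# grant it read-only access to the content folder. Run from an elevated prompt.
Import-Module WebAdministration

# Assumption: the site name is a guess. The application name and folder
# come from the URL and path shown in the question.
$siteName = 'Default Web Site'
$appName  = 'CustomerReportingNET'
$folder   = 'C:\EnhancedSalesReporting\customerreportingnet\customerreportingnet'

# Which application pool serves this application?
$app = Get-WebApplication -Site $siteName -Name $appName
if (-not $app) { throw "Application '$appName' not found under '$siteName'." }
$pool = $app.applicationPool

# Which account does that pool's w3wp.exe run as?
$model = (Get-Item "IIS:\AppPools\$pool").processModel
$account = switch ($model.identityType) {
    'ApplicationPoolIdentity' { "IIS APPPOOL\$pool" }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'SpecificUser'            { $model.userName }
    default { throw "Unhandled identity type: $($model.identityType)" }
}
Write-Host "Pool '$pool' runs as '$account'."

# Show what the folder ACL already grants that account, if anything.
$existing = (Get-Acl $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $account }
if ($existing) {
    $existing | Format-Table IdentityReference, FileSystemRights, AccessControlType
} else {
    Write-Host "No explicit or inherited entry for '$account' on $folder."
}

# Grant Read & execute only, inherited by subfolders (CI) and files (OI).
# ${account} is braced so PowerShell does not parse "$account:" as a scoped name.
icacls $folder /grant "${account}:(OI)(CI)RX"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE." }

# Print the resulting ACL so the new entry can be checked.
icacls $folder
```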