
We've created a Windows authenticated sub directory on our web server, however, intermittently when we go there (once logged in as an authenticated user - member of an authenticated group) we get the following error:

```
Module         IIS Web Core
Notification   BeginRequest
Handler        Not yet determined
Error Code     0x80070005
Config Error   Cannot read configuration file due to insufficient permissions
Config File    \\?\C:\Inetpub\wwwroot\admin\web.config
Requested URL  http://testsite.dev:80/admin
Physical Path  C:\Inetpub\wwwroot\testsite\admin
Logon Method   Not yet determined
Logon User     Not yet determined
```

The odd thing is once we see this error, hit F5 or refresh and the error goes away, only to reappear a short time later. Very frustrating!!

I have done extensive searches online, but can find nothing. We may also create other sub dirs allowing the same "group" to have access, so this needs to work across all these subs without having to relog in.

We are using IIS7. I've found guides that state for IIS7 ( http://kenno.wordpress.com/2008/10/23/iis7-cannot-read-configuration-file-due-to-insufficient-permissions/ ) but when I do this it seems to then make the directory accessible to all which is clearly not required.

Stuart Palmer
  • Try this: Using [Process Monitor](http://technet.microsoft.com/en-us/sysinternals/bb896645) see which user is trying to access that config file and grant required rights to that file ONLY. – LazyOne Sep 06 '11 at 09:26
  • Thx LazyOne, I tried this from something else I found, however I couldn't pinpoint when the error occurred and can't seem to find any useful resource on how to filter the processes, it just scrolls down the screen at a rate of knots! Any tips? – Stuart Palmer Sep 06 '11 at 10:50
  • Use filtering to only display activity related to that file/path. Exclude unneeded events (e.g. registry access). – LazyOne Sep 06 '11 at 10:54
  • Thanks, this has been quite helpful, however I'm not sure what I'm looking for. I can see to that path I'm getting an "Operation - CreateFile" with the result of "Access Denied" but can't seem to find out any information about the user who's attempting to access the directory. I'm also unsure why it's trying to create a file and how this relates to the config file in the error message that isn't even supposed to reside in that directory. In short, I'm not sure how I can use the information in Process Monitor to help resolve the issue. – Stuart Palmer Sep 06 '11 at 18:43
  • Just try granting IIS_IUSRS (or whatever ID your App Pool uses) access to the web.config file in case it has no access. That's all I can suggest right now. – LazyOne Sep 06 '11 at 19:03
  • Thanks again LazyOne for your suggestion, however a few points on this: 1) By setting IIS_IUSRS or the same ID the AppPool uses seems to open the directory to everyone without them needing to log in. 2) The reason I have granted the permission to the folder (not the web.config file) is because there is no web.config file in that sub directory. I have done the IIS_IUSRS suggestion as a short term fix, but the directory needs to be password protected. There must be a way of doing this. Thanks once more. – Stuart Palmer Sep 07 '11 at 05:56
  • The App Pool ID should have access to a folder **in any case**. Configure access in IIS Manager | Your Site | Authentication. Make sure you have disabled "Anonymous Auth" for that folder -- this should close it for everyone. If you now enable another Auth method for that folder (I've personally only used Basic Auth so far) then user should only access it if he provides proper login details. http://learn.iis.net/page.aspx/88/configuring-security/ – LazyOne Sep 07 '11 at 08:46
  • You have solved my problem! Thank you so much! 1) Set IIS_IUSRS to have read access on your Windows authenticated dir. 2) Disable Anonymous authentication. It certainly seems to work at the moment. Brilliant. – Stuart Palmer Sep 07 '11 at 16:37
  • I'm not sure how to set this as "answered" for other users. Many thx again. – Stuart Palmer Sep 07 '11 at 19:23
  • Post your solution as an answer and accept it (you may need to wait a day or so before you will be able to mark it as accepted though as you have low rep). – LazyOne Sep 07 '11 at 19:40

1 Answer


Following my own advice and knowing nothing about the problem, I give you an answer to be accepted or improved upon:

  1. Set IIS_IUSRS to have read access on your windows authenticated directory.—user901820

  2. Configure access in IIS Manager | Your Site | Authentication. Make sure you have disabled "Anonymous Auth" for that folder—this should close it for everyone. If you now enable another Auth method for that folder ... then user should only access it if he provides proper login details.—LazyOne

See Configuring Security at IIS.net.

Community
Jon 'links in bio' Ericson
  • Following your answer I am unable to access the website using *Specific User:* `IUSR` but it is accessible using *Application pool identity*. Why is that? And how should I be able to access the website using `IUSR`? – phougatv Jun 11 '16 at 11:25
  • I was able to do it by adding `IUSR` to the list. Thanks for the help. – phougatv Jun 11 '16 at 11:31
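
The two steps from the answer above written out as commands, as an added example that is not part of the original thread. The IIS site name `testsite` and the test URL are assumptions; the physical path is the one shown on the error page. Run it from an elevated PowerShell prompt on the web server.

```powershell
# Added example. Assumed values (not stated in the thread): IIS site name, test URL.
$site    = 'testsite'                            # assumed IIS site name
$subPath = 'admin'
$dir     = 'C:\Inetpub\wwwroot\testsite\admin'   # physical path from the error page
$url     = 'http://testsite.dev/admin/'          # assumed test URL
$appcmd  = "$env:windir\System32\inetsrv\appcmd.exe"
$auth    = 'system.webServer/security/authentication'

# Step 1: the worker process has to read the directory (and any web.config in it)
# before a request is authenticated, which is what error 0x80070005 is about.
# (OI)(CI) = inherit to files and subfolders, RX = read and execute, no write.
icacls $dir /grant 'IIS_IUSRS:(OI)(CI)RX'

# Step 2: disable Anonymous and enable Windows authentication for this path only.
# The authentication sections are locked at server level by default, so the change
# is committed to applicationHost.config rather than to a web.config in the folder.
& $appcmd set config "$site/$subPath" "-section:$auth/anonymousAuthentication" '/enabled:false' '/commit:apphost'
& $appcmd set config "$site/$subPath" "-section:$auth/windowsAuthentication"   '/enabled:true'  '/commit:apphost'

# Show the effective settings for the path so the change can be reviewed.
& $appcmd list config "$site/$subPath" "-section:$auth/anonymousAuthentication"
& $appcmd list config "$site/$subPath" "-section:$auth/windowsAuthentication"

# Check: a request that sends no credentials must now be answered with 401,
# not with the page content and not with the 500.19 configuration error.
function Test-RequiresLogin {
    param([string]$Uri)
    try {
        Invoke-WebRequest -Uri $Uri -UseBasicParsing | Out-Null
        return $false                      # content was served without a login
    } catch {
        # Response is empty when the server could not be reached at all
        return ([int]$_.Exception.Response.StatusCode -eq 401)
    }
}

if (Test-RequiresLogin -Uri $url) {
    'OK: unauthenticated requests are rejected with 401'
} else {
    'CHECK: path did not answer 401 to an unauthenticated request'
}
```

Which authenticated users may then read the content is still decided by the NTFS permissions granted to their Windows group on the directory.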