Access is denied due to invalid credentials - see also permissions in inetpub directory you may need to grant
Go to the ApplicationPool associated with the site you're having problems with and check basic settings to find out which directory you're trying to get to
Look at advanced settings, look for the Identity. Chances are it's: ApplicationPoolIdentity
Go to the web site you're having problems with and check basic settings to find out which directory you're trying to get to
Go to that directory and look to see who has permissions.
Can you find the ID you found for the ApplicationPool among the users who have permissions on this directory? If not, try to add it. Make sure you choose the server you're looking for from the locations. I've never got this to work. It simply doesn't recognize that user and can't find it. That is, it doesn't recognize DefaultAppPool. Or IIS APPPOOL\DefaultAppPool (which some sites said to try).
I was able to add the IIS_IUSRS ID for the domain - which some sites thought might get things working in IIS 7.5. But that didn't work either. Well, it recognized the user. But adding that user didn't make the error go away when I tried going to a page in the browser.
None of the above worked. Or maybe it helped. But what finally actually got it to work was by double-clicking on the Authentication icon in the site I was trying to get to work. There was only one choice in the window that came up: Anonymous Authentication. Edit that. It came up with a specific user. Changed to Application Pool Identity and that seemed to fix.
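The checks walked through above (pool identity, site directory, directory permissions, Anonymous Authentication user), gathered into one PowerShell report. This is an added example, not part of the original notes. It assumes an elevated session on the IIS server with the WebAdministration module; the function name Get-SiteAccessReport is made up here, and it looks only at each site's root directory and at ACEs that name the account directly.

```powershell
# Added example, not from the original notes. Run elevated on the IIS server.
Import-Module WebAdministration

function Get-SiteAccessReport {   # hypothetical helper name
    $filter = '/system.webServer/security/authentication/anonymousAuthentication'
    foreach ($site in Get-Website) {
        $poolName = $site.applicationPool
        $pool     = Get-Item "IIS:\AppPools\$poolName"
        # physicalPath can contain variables such as %SystemDrive%
        $path     = [Environment]::ExpandEnvironmentVariables($site.physicalPath)

        # Account the worker process runs as (the pool's Identity setting)
        $poolAccount = switch ($pool.processModel.identityType) {
            'ApplicationPoolIdentity' { "IIS APPPOOL\$poolName" }
            'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
            'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
            'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
            default                   { $pool.processModel.userName }
        }

        # Anonymous Authentication user; an empty value means "Application pool identity"
        $anon = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" `
                    -Filter $filter -Name userName
        if ($anon -isnot [string]) { $anon = $anon.Value }

        # ACEs on the site directory that name one of the accounts of interest
        $names = @($poolAccount, 'BUILTIN\IIS_IUSRS')
        if ($anon) { $names += $anon }
        $hits = foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            $id = $ace.IdentityReference.Value
            if ($names | Where-Object { $id -eq $_ -or $id -like "*\$_" }) {
                '{0} = {1}' -f $id, $ace.FileSystemRights
            }
        }

        [pscustomobject]@{
            Site          = $site.Name
            Pool          = $poolName
            PoolAccount   = $poolAccount
            AnonymousUser = if ($anon) { $anon } else { '(application pool identity)' }
            Path          = $path
            MatchingACEs  = $hits -join '; '
        }
    }
}

Get-SiteAccessReport | Format-List
```

An empty MatchingACEs value does not by itself mean access is denied, because rights can also come through a group such as BUILTIN\Users.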
binding, remove for a site
Get-WebBinding -Port 443 -Name SiteName | Remove-WebBinding
cache
Sometimes you make changes to the web site but they don’t show up right away. Log into WEB0, go to IIS, find the app pool associated with the web site and “recycle” it.
certificates, add self-signed
In the GUI, click to highlight the server all the way at the top. Then double-click on “Server Certificates”. Then in the right “Actions” pane click “Create Self-signed Certificates”. In the window that pops up, put in a friendly name and select “Personal” for the certificate store
Once you create the self-signed certificates, you need to assign them. Go to the site and click on “Bindings”. And select your “https” and click “Edit”. On the pop up that comes up, select the certificate you stored earlier
configuration file location - C:\Windows\System32\inetsrv\config\applicationHost.config
Note: when you edit this file and then try to save it, you might get the message "Please check if this file is opened in another program." You might think you have to shut down IIS or something. But it might also be because you're editing in Notepad++. Try Notepad instead.
Database, publishing
GenericDB, GenericDB.Net User Control
Dynamic web pages
GenericDB, GenericDB.Net User Control
normally in: C:\inetpub\logs\LogFiles\W3SVC2
export all web sites - see also list web sites
%windir%\system32\inetsrv\appcmd list site /config /xml > %USERPROFILE%\Documents\sites.xml
Or, in PowerShell:
Import-Module WebAdministration
Get-ChildItem -Path IIS:\Sites
Or, to get the list sorted by IP:
Import-Module WebAdministration
$sites = Get-ChildItem IIS:\sites
$bindings = $sites |
    ForEach-Object { $_.Bindings } |
    ForEach-Object { $_.Collection } |
    ForEach-Object { $_.BindingInformation }
$bindings | Sort-Object
The appcmd command above exports all the websites on your webserver, so you need to edit sites.xml and remove the websites that you do not need to import, for example: Default Website. To import:
%windir%\system32\inetsrv\appcmd add site /in < %USERPROFILE%\Documents\sites.xml
export all Application Pools
%windir%\system32\inetsrv\appcmd list apppool /config /xml > %USERPROFILE%\Documents\apppools.xml
This will export all the application pools on your webserver, so you need to edit apppools.xml and remove the application pools that you do not need to import, for example:
- DefaultAppPool
- Classic .NET AppPool
- SecurityTokenServiceApplicationPool
Also remove any other apppools that already exist on the second webserver: appcmd doesn’t skip already existing apppools, it just quits and doesn’t import any.
To import:
%windir%\system32\inetsrv\appcmd add apppool /in < %USERPROFILE%\Documents\apppools.xml
Global.asa file – short explanation and sample 1, sessions
IIS Manager, open – see open IIS Manager
IIS, restart – see restart IIS
IP addresses, list all associated with IIS. From a command line:
C:\Windows\System32\inetsrv>appcmd list site > C:\Users\user\Documents\IP.txt
Note: you might have to go to C:\Windows\System32\inetsrv directory for this command to be recognized
On other occasions, you might be confronted with "Cannot read configuration file due to insufficient permissions" with regard to the redirection.config file. This file is located in: C:\Windows\System32\inetsrv\config
Or, in PowerShell:
Import-Module WebAdministration
Get-ChildItem -Path IIS:\Sites
Or, to get the list sorted by IP:
Import-Module WebAdministration
$sites = Get-ChildItem IIS:\sites
$bindings = $sites |
    ForEach-Object { $_.Bindings } |
    ForEach-Object { $_.Collection } |
    ForEach-Object { $_.BindingInformation }
$bindings | Sort-Object
list web sites - see also export web sites
# One CSV row per site: name, id, state, path, bindings, log directory, attributes
Get-Website |
    select name,id,state,physicalpath,
        @{n="Bindings"; e={ ($_.bindings | select -expa collection) -join ';' }},
        @{n="LogFile"; e={ $_.logfile | select -expa directory }},
        @{n="attributes"; e={ ($_.attributes | % { $_.name + "=" + $_.value }) -join ';' }} |
    Export-Csv -NoTypeInformation -Path C:\my_list.csv
or a script to list sites with associated app pools:
[Void][Reflection.Assembly]::LoadWithPartialName("Microsoft.Web.Administration")
$sm = New-Object Microsoft.Web.Administration.ServerManager
foreach ($site in $sm.Sites)
{
    $root = $site.Applications | where { $_.Path -eq "/" }
    Write-Output ("Site: " + $site.Name + " | Pool: " + $root.ApplicationPoolName)
}
Log files – log files reside in 4 places (from here)
- c:\inetpub\logs\LogFiles\W3SVC. Usually pretty worthless. These files have the naming convention ex*.log
- c:\windows\system32\LogFiles\HTTPERR - still pretty worthless
- ASP.NET exceptions: the Application EventLog. If the request is to an ASP.NET application, and the error was a 500.0, it's most likely an unhandled ASP.NET exception. To find it, go to the Application EventLog and look for Warning events from ASP.NET.
- Hard-to-catch errors: the Failed Request Trace (FRT) log. Can't seem to catch the error? Is it gone from the log before you can get to it? Then you need the IIS Failed Request Trace feature. This will let you configure a rule to capture a detailed request trace for a specific URL, status code, or time elapsed.
Error logs, on the other hand, who knows where the actual file is? But the errors are lumped in with the normal Windows event viewer (“eventvwr” from the command line) in the “Applications” tab along with all the other applications.
There also seems to be a Custom Views → Server Roles → Web Server (IIS) log as well
machine.config location - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config - where the Framework number might be different
Mapped drives – drives – better to use UNC
open IIS Manager
Using the UI
- Click Start, and then click All Programs.
- Click Administrative Tools, and then click Internet Information Services (IIS) Manager.
Using a command
- Click Start, and then click Run.
- On the Run dialog, in the Open box, type %windir%\system32\inetsrv\inetmgr.exe.
- Click OK or press Enter.
Parent directory, “the Include file '../<filename.ext>' cannot contain '..' to indicate the parent directory.”
An alternative to using absolute virtual paths is to enable parent paths; however, this is not the preferred method. This is accomplished for your default Web site by using the following steps:
- Open the Internet Services Manager in the Microsoft Management Console (MMC).
- Right-click on your Default Web Site and select Properties.
- Click the Home Directory tab.
- Click the Configuration button.
- Click the App Options tab.
- Click to select the Enable Parent Paths checkbox.
- Click the OK button until you return to the MMC.
permissions in inetpub directory you may need to grant:
ICACLS D:\Inetpub /grant:r "IIS AppPool\DefaultAppPool:(OI)(CI)RX" /T
ICACLS D:\Inetpub /grant:r "NT AUTHORITY\NETWORKSERVICE:(OI)(CI)RXMW" /T
ICACLS D:\Inetpub /grant:r "NT AUTHORITY\IUSR:(OI)(CI)RXMW" /T
(The quotes are needed because the account names contain a space.) You can usually also do this through the UI.
process cannot access the file because it is being used by another process. ( Exception from HRESULT: 0x80070020) - see 0x80070020
redirection.config - located in C:\Windows\System32\inetsrv\config
To restart IIS using IIS Manager (see open IIS Manager)
- In IIS Manager, right click the local computer, point to All Tasks, then click Restart IIS.
- In the What do you want IIS to do list, click Restart Internet Services on computername.
- IIS attempts to stop all services before restarting. IIS waits up to five minutes for all services to stop. If the services cannot be stopped within five minutes, all IIS services are terminated, and IIS restarts. In addition, clicking End now forces all IIS services to stop immediately, and IIS is restarted.
If IIS is terminated before its services have stopped normally, data loss can result. If possible, back up your IIS configuration before restarting IIS. See Backing Up and Restoring the Metabase for information on backing up your IIS configuration.
To restart IIS using the IISReset command-line utility
- From the Start menu, click Run.
- In the Open box, type cmd, and click OK.
- At the command prompt, type iisreset /noforce computername, and press ENTER.
- IIS attempts to stop all services before restarting. The IISReset command-line utility waits up to one minute for all services to stop. If the services cannot be stopped within one minute, all IIS services are terminated, and IIS restarts.
Session Timeout – change default of 20 minutes - more
If one doesn’t exist, create a “global.asa” file in your root directory that looks like this:
<SCRIPT LANGUAGE=VBScript RUNAT=Server>
Sub Application_OnStart
'Session will timeout in 60 minutes
Session.Timeout = 60
End Sub
</SCRIPT>
<SCRIPT LANGUAGE=VBScript RUNAT=Server>
Sub Application_OnEnd
'Add your Application_OnEnd code here
End Sub
</SCRIPT>
<SCRIPT LANGUAGE=VBScript RUNAT=Server>
Sub Session_OnStart
'Add your Session_OnStart code here
End Sub
</SCRIPT>
<SCRIPT LANGUAGE=VBScript RUNAT=Server>
Sub Session_OnEnd
'Add your Session_OnEnd code here
End Sub
</SCRIPT>
stop IIS
- Open an elevated command-line window.
- At the command prompt, type net stop WAS and press ENTER; type Y and then press ENTER to also stop W3SVC.
- To restart the Web server, type net start W3SVC and press ENTER to start both WAS and W3SVC.
troubleshoot
For the site you would like to troubleshoot, open web.config and make sure custom errors are off:
<customErrors mode="Off" />
Go to the site in the IIS Manager and double click the “Error Pages” icon. Then click “Edit Feature Settings” in the actions sidebar. Click “Detailed Errors” and press “Ok”. Detailed errors should be displayed for that site including a message and stack trace.
Unauthorized: Access is denied due to invalid credentials. - see Access is denied due to invalid credentials
web.config
turn debug on or off
in the line <customErrors defaultRedirect="~/CMSMessages/error.aspx" mode="On">, turn mode to "On" (which means you won’t get debug messages and instead will be directed to the page specified) or "Off" (which means you will get debug messages).
0x8007000d - If you look this up, you’ll find that it’s complaining about “malformed” code in your web.config file. But, of course, it won’t give you a clue as to why! You might want to check to see whether you have any <rewrites>. If you only installed the plain vanilla IIS, then you'll probably have to download and install URL Rewrite.
0x80070020 - The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
netstat -aon | find ":80"
You will see an output similar to the following. Remember the actual PID will vary from case to case.
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 2880
Now, using Task Manager, you can easily find out to which process the above PID (2880) belongs and take appropriate action. Skype is a likely culprit.