
HTTP Error 403.2 - Forbidden: Read access is denied.


Bob

Jul 23, 2007, 8:45:01 AM
Hi,

I notice when I attempt to access the default page from a machine other than
where IIS is installed, IE will display "HTTP Error 403.2 - Forbidden: Read
access is denied". But when I attempt to access the default page from the
same machine where IIS is installed, I get an expected "Under Construction"
page.

In both cases, I am logged onto the same domain using the same UserID. I
have no firewalls installed and everyone is on the same LAN.

Any idea on where to look for a resolution to this?

Thanks!

---
Bob


David Wang

Jul 23, 2007, 10:50:17 PM


Did you set up IP Restriction within IIS to only display content to
certain IP addresses (such as local-only)?


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

WenJun Zhang[msft]

Jul 23, 2007, 11:34:30 PM
Hi Bob,

Please also check if Read permission isn't enabled in the site's
property->Home Directory tab. This is the general cause of a '403.2 -
Forbidden: Read access is denied.' error.

Please update here if the problem still persists.

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Bob

Jul 24, 2007, 7:52:02 AM
Hi David,

I have no restrictions based upon IP address. However, when I do, the error
changes to:
HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.

Bob.


Bob

Jul 24, 2007, 8:22:37 AM
Hi WenJun

The read permission is enabled on the Home Directory tab. However,
disabling it results in error
HTTP Error 403.2 - Forbidden: Read access is denied.
on both the http://localhost/ and all remote machines as well.

Re-enabling the read permission results in the 403.2 error only on the
remote machines attempting access; not the localhost.

Thanks,

Bob.


David Wang

Jul 25, 2007, 12:13:37 AM

Can you clarify which IIS version you are running (or Windows OS is
sufficient)?

Can you also report the actual IIS log entry lines corresponding to
your 403.2 response?

Please also verify that you mean what I think you mean by the
following:


> But when I attempt to access the default page from the
> same machine where IIS is installed, it get an expected
> "Under Construction" page.

When you say "access the default page from the same machine", I assume
you are using a web browser, which is using the http:// protocol, and
the URL used in the browser is either http://localhost/page.ext or
http://servername/page.ext. And that those requests actually come to
this web server -- validate by checking the IIS server's website log
files for the specific request log entries corresponding to your
successful requests. You should also validate that the 403.2 are in
this log file.

If those assumptions are all true, or if all requests are not showing
up in the log file, then I am inclined to think that your issue is
outside of IIS because I cannot think of any other built-in IIS
feature which distinguishes access based on local/remote.

If you are running ASP.Net page, perhaps there is configuration in
ASP.Net to deny access from remote machines.

If you have custom ISAPI Filter/Extension installed, perhaps they are
denying access from remote machines.

Perhaps you have some other networking device configured for the IIS
server that is rejecting external access.

Perhaps you have a DNS misconfiguration where the external name/IP
does not actually route to this specific IIS webserver.

WenJun Zhang[msft]

Jul 25, 2007, 5:39:55 AM
Bob,

The new 403.6 error should be caused by IP and domain restriction setting
in IIS. Please follow the steps below to check it.

1. Open Internet Information Services (IIS) Manager.
2. Expand the Web server, and then expand Web sites.
3. Right-click Default Web Site, and then click Properties.
4. Click the Directory Security tab, and then click Edit in the IP address
and domain name restrictions area.
5. Select Granted access and make sure the client machine's IP isn't in
denied list.

WenJun Zhang[msft]

Jul 27, 2007, 7:03:22 AM
Hi Bob,

Any update of this issue?

Have a good weekend.

Bob

Jul 28, 2007, 11:27:59 AM
Hi David,

I've a half dozen servers. All of them are at the same level (Windows
Server 2003 R2 SP2 and all of them have IIS v6.0).

I have two servers that are having the problem - the others are fine. What
is unique about these two machines is:
1. They are both virtual guests
2. Neither is a DC
3. MS Data Protection Manager 2007 Beta2 installed (DPM uses IIS)

ERROR INFORMATION:
--------------------------------------------------------------
OH-SERVER-4 has an IP address of 192.168.12.114 and is one of the two failing IIS
servers under Windows 2003.

Entering http://oh-server-4 in IE7 on this oh-server-4 results in an
expected "Under Construction" page which I imagine comes from
"c:\inetpub\wwwroot\iisstart.htm"

The corresponding log entry found at
C:\WINDOWS\system32\LogFiles\W3SVC1\ex070728.log is as follows:

2007-07-28 14:58:23 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.12.114 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 200 0 0

2007-07-28 14:58:23 W3SVC1 192.168.12.114 GET /pagerror.gif - 80 - 192.168.12.114 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 200 0 0
--------------------------------------------------------------

HOWEVER, when RC-CLIENT-2 which has an IP address of 192.168.21.12 and is Win XP
SP2 attempts to go to http://oh-server-4, the resulting entry in IIS (found
on oh-server-4) is as follows:

2007-07-28 15:04:30 W3SVC1 192.168.12.114 GET / - 80 - 192.168.21.12 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+1.1.4322) 403 2 5

The above log also corresponds to the web page displayed "HTTP Error 403.2 -
Forbidden: Read access is denied".

--------------------------------------------------------------

The log also posts the following every 20 seconds:

2007-07-28 15:19:15 W3SVC1 192.168.12.114 POST /Reporting/admin/upload.php - 80 - 192.168.12.114 libwww-perl/5.803 200 0 0

Thanks for your efforts!

Bob.


WenJun Zhang[msft]

Jul 30, 2007, 2:34:37 AM
Hi Bob,

Some clues I found according to your description:

Directly accessing http://oh-server-4/ shouldn't result in a log entry
like the following:

2007-07-28 14:58:23 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.12.114 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 200 0 0

When we access a web site/vdir's default page without the file name in url,
IIS will not log the default page in its log file as well. So an expected
log entry of http://oh-server-4/ should be: ... GET / - 80 - ...

The log you got looks like something explicitly redirected the request to
iisstart.htm page (just guess).

So what I'd suggest to test further: try browsing to the full URL
http://oh-server-4/iisstart.htm from the XP machine. See if it also returns
the Under Construction page as expected. If it does, it means both local and
remote access to the iisstart.htm page is fine. You'd check the default
page setting of the site. Also please note the Read permission can be set
at the single-file level.

Look forward to your test result.

Thanks.

Bob

Jul 30, 2007, 2:23:23 PM
Hi WenJun,

I checked the ACL's of C:\Inetpub\wwwroot\iisstart.htm and they look fine.
They are:
---------------------------------------------------------
Administrators & SYSTEM = Full
IIS_WPG & Users = Read & Execute + Read
Internet Guest Account = Deny Write, Deny Special
---------------------------------------------------------
Also, I find I can open: \\oh-server-4\C$\Inetpub\wwwroot\iisstart.htm
from any machine.


I ran the url http://oh-server-4/iisstart.htm on the following three
machines:

OH-SERVER-4 (where IIS is).
---------------------------------------------------------
2007-07-30 17:30:04 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.12.114 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 200 0 0

2007-07-30 17:30:04 W3SVC1 192.168.12.114 GET /pagerror.gif - 80 - 192.168.12.114 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 200 0 0

2007-07-30 17:30:05 W3SVC1 192.168.12.114 GET /favicon.ico - 80 - 192.168.12.114 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 404 0 2
---------------------------------------------------------

RC-CLIENT-2 (different forest)
---------------------------------------------------------
2007-07-30 17:27:06 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.21.12 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+1.1.4322) 403 2 5

---------------------------------------------------------

OH-SERVER-3 (the DC to oh-server-4)
---------------------------------------------------------
2007-07-30 17:31:22 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.12.113 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+Win64;+x64;+.NET+CLR+2.0.50727) 403 2 5
---------------------------------------------------------


And as before, I get the same error on all machines except OH-SERVER-4
(where IIS is):


HTTP Error 403.2 - Forbidden: Read access is denied.


One thing that is interesting is I swapped
\\oh-server-4\C$\Inetpub\wwwroot\iisstart.htm with a different html document
and I find that the failing machines are still bringing up the original html.
So I guess the html document that describes the 404.2 error is not coming
from the C:\Inetpub\wwwroot\iisstart.htm found on oh-server-4 ??

Also, I don't know the first thing about IIS and I'm just assuming all these
HTML displays in the various IE instances are coming from the OH-SERVER-4's
IIS server. For all I know, IIS could simply be sending back an error to
IE - and IE in turn displays HTML sourced from the local machine that did
the url request. If this is how it works, I guess that would explain the
swapping of the iisstart.htm file with a different one not changing the
display.

p.s. As I wrote before, just to test the IP deny thing, I explicitly denied
all three machines and they now get an expected:


HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.

(as one would expect - as I'm now denying it for a test).

Thanks!

Bob.


David Wang

Jul 30, 2007, 9:41:26 PM
On Jul 30, 11:23 am, "Bob" <86c6c2e6-2146512...@news.postalias> wrote:
> Hi WenJun,
>
> I checked the ACL's of C:\Inetpub\wwwroot\iisstart.htm and they look fine.
> They are:
> ---------------------------------------------------------
> Administrators & SYSTEM = Full
> IIS_WPG & Users = Read & Execute + Read
> Internet Guest Account = Deny Write, Deny Special
> ---------------------------------------------------------
> Also, I find I can open: \\oh-server-4\C$\Inetpub\wwwroot\iisstart.htm
> from any machine.
>
> I ran the url http://oh-server-4/iisstart.htm on the following three
> machines:
>
> OH-SERVER-4 (where IIS is).
> ---------------------------------------------------------
> 2007-07-30 17:30:04 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.12.114 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 200 0 0
>
> 2007-07-30 17:30:04 W3SVC1 192.168.12.114 GET /pagerror.gif - 80 - 192.168.12.114 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 200 0 0
>
> 2007-07-30 17:30:05 W3SVC1 192.168.12.114 GET /favicon.ico - 80 - 192.168.12.114 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 404 0 2
> ---------------------------------------------------------
>
> RC-CLIENT-2 (different forest)
> ---------------------------------------------------------
> 2007-07-30 17:27:06 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.21.12 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+1.1.4322) 403 2 5
> ---------------------------------------------------------
>
> OH-SERVER-3 (the DC to oh-server-4)
> ---------------------------------------------------------
> 2007-07-30 17:31:22 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.12.113 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+Win64;+x64;+.NET+CLR+2.0.50727) 403 2 5
> ---------------------------------------------------------
>
> And as before, I get the same error on all machines except OH-SERVER-4
> (where IIS is):
> HTTP Error 403.2 - Forbidden: Read access is denied.
>
> One thing that is interesting is I swapped
> \\oh-server-4\C$\Inetpub\wwwroot\iisstart.htm with a different html document
> and I find that the failing machines are still bring up the original html.
> So I guess the html document that discribers the 404.2 error is not coming
> from the C:\Inetpub\wwwroot\iisstart.htm found on oh-server-4 ??
>
> Also, I don't know the first thing about IIS and I'm just assuming all these
> HTML displays in the various IE instances are coming from the OH-SERVER-4's
> IIS server. For all I know, IIS could simply be sending back an error to
> IE - and IE in turn displays HTML sourced from the local machine that did
> the url request. If this is how it works, I guess that would explain the
> swapping of the iistart.htm file with a different one not changing the
> display.
>
> p.s. As I wrote before, just to test the IP deny thing, I explicitly denied
> all three machines and they now get an expected:
> HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.
> (as one would expect - as I'm now denying it for a test).
>
> Thanks!
>
> Bob.


Your new observation when changing iisstart.htm is about caching,
which is completely separate from your original question about
authorization to read a resource. Let's look at things one at a time.

Also, there is no 404.2 error -- it is a 404.0.2, which is a 404.0
"file not found" with Win32 error code of 2 "File not found" -- people
frequently overlook the log file fields.

Your log file entries indicate a 403.2 (Read access is denied) on
accessing /iisstart.htm by a non-local client-ip address. There are no
built-in IIS features to return 403.2 for remote yet allow local
access, and there is no way for software/hardware outside of IIS to
log a 403.2 in the IIS log, so I am inclined to believe that the
behavior comes from an ISAPI Filter or ISAPI Extension installed on
your webserver.

Can you enumerate:
1. all ISAPI Filters installed at Global level
2. all ISAPI Filters installed at Website level
3. Application Mapping of .htm resource at /
4. Wildcard application mappings at /


I am suspecting non-default setting for #4 because ISAPI Filter cannot
change the substatus field of the log entry (unlikely, but maybe it
was some *other* error with substatus 2 that the ISAPI Filter rewrote
-- I'm keeping the option open), but Wildcard application mapping can
both log a 403.2 as well as perform the read-forbidden access.

If so, your question is really about the behavior of the non-default
Wildcard application mapping since that is no longer IIS software

WenJun Zhang[msft]

Jul 31, 2007, 7:12:00 AM
Hi Bob,

I have the same thought as David. Let's check if there is any specific
ISAPI installed which may cause the unexpected behavior.

You can export your metabase config and send it to me via email for a
thorough review. To export your metabase configuration, please install the
IIS6 resource kit tools and use the Metabase Explorer utility. Export the
data under the LM root node into an mbk file.

Internet Information Services (IIS) 6.0 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=56fc92ee-a71a-4c73-b628-ade629c89499

My email address: wjz...@online.microsoft.com (please remove online.)

Look forward to your message.

Have a great day.

WenJun Zhang[msft]

Aug 2, 2007, 10:31:22 AM
Hi Bob,

I'm still waiting for your update on this issue.

Thanks.

Bob

Aug 2, 2007, 11:40:18 AM
Hi WenJun,

Sorry for the delay, that was rude of me. Just a bit too much on my plate I
guess.

I have just sent you the file you have so graciously accepted to examine.
Thanks!

Bob.


WenJun Zhang[msft]

Aug 3, 2007, 3:39:37 AM
Hi Robert,

I think the root cause has been found. Please open the metabase with
MBExplorer again. Expand to /LM/W3SVC/1/ROOT/. You will see the AccessFlags
property value is 30209. This means both the AccessNoRemoteRead and
AccessNoRemoteScript bit flags are set to true (please refer to the link
below).

AccessFlags Metabase Property (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/e9b6d626-9583-4d59-b7f7-a079ec47461c.mspx?mfr=true

I'm very curious about who set these 2 flags since the settings are not
available in the IIS UI (site Properties->Home Directory tab). Please reset the
property to a normal value of 513 (with only AccessScript and AccessRead on) in
MBExplorer. Then please test accessing the site from a remote computer again.

Please let me know if any problem still persists. Thanks and have a nice
weekend.

Bob

Aug 3, 2007, 10:47:26 AM
Hi WenJun,

I guess that is it. I changed it to 513 (which I found on a working IIS
server). I don't know if that was the right thing to do or not, but it now
works!

As to who changed this, my guess is "System Center Data Protection Manager
2007 Beta 2" as this was installed on two of my servers and they both have
the same problem.

Should I pursue this with that forum, or would you like to ask those folks,
or what?

Thanks!

Bob.


Bob

Aug 3, 2007, 11:59:19 AM
Hi WenJun,

I placed an inquiry on the DPM forum asking if anyone else has the same
symptom we ran in to. I'll let you know what comes back.

Forum: microsoft.public.dataprotectionmanager
Subject: HTTP Error 403.2 - Forbidden: Read access is denied.

Bob.


Bob

Aug 3, 2007, 12:36:44 PM
I took a look at my other failing (DPM) server and found the AccessFlags set
to 30215 (not 30209 as you found in the other). I changed this to 513 and
now this server is fine also.

Note, this whole thing started when I was trying to access the Reporting
folder (found in the file I sent you). I can see that is set for 30213 and
on a working machine it is set for 5. I changed it to 5 and now that is
fixed too.

btw: The 30213 on Reporting resulted in >> HTTP Error 403.1 - Forbidden:
Execute access is denied.

Bob.
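
The AccessFlags values quoted in the posts above (30209, 30215, 30213, 513, 5) are bitmasks, and the log lines show the matching "200 locally, 403.x remotely" pattern. The following is an added example, not code from any poster or from Microsoft: it decodes a value, works out what local and remote clients are each granted, and checks log lines for that pattern. The bit values are the IIS 6.0 AccessFlags bits; the Reporting path, the "after-fix" node name and the shortened log lines are constructed for illustration.

```python
# Added example (not from the thread): decode IIS 6.0 AccessFlags values and
# spot the "works locally, 403.x remotely" pattern in W3C extended log lines.

# Bit values of the IIS 6.0 AccessFlags metabase property.
FLAGS = {
    "AccessRead": 0x0001,
    "AccessWrite": 0x0002,
    "AccessExecute": 0x0004,
    "AccessSource": 0x0010,
    "AccessScript": 0x0200,
    "AccessNoRemoteWrite": 0x0400,
    "AccessNoRemoteRead": 0x1000,
    "AccessNoRemoteExecute": 0x2000,
    "AccessNoRemoteScript": 0x4000,
    "AccessNoPhysicalDir": 0x8000,
}

# Each grant bit and the NoRemote* bit that cancels it for non-local clients.
REMOTE_OVERRIDES = {
    "AccessRead": "AccessNoRemoteRead",
    "AccessWrite": "AccessNoRemoteWrite",
    "AccessExecute": "AccessNoRemoteExecute",
    "AccessScript": "AccessNoRemoteScript",
}

# Values quoted in the thread. Only the ROOT path appears on the page; the
# other two keys are hypothetical.
SAMPLE_NODES = {
    "/LM/W3SVC/1/ROOT": 30209,
    "/LM/W3SVC/1/ROOT/Reporting": 30213,  # path assumed
    "/LM/W3SVC/1/ROOT/after-fix": 513,    # constructed node name
}

# Constructed log lines modelled on those in the thread (user agent shortened).
# Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port
#         cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
UA = "Mozilla/4.0+(compatible;+MSIE+7.0)"
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 6.0",
    f"2007-07-30 17:30:04 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.12.114 {UA} 200 0 0",
    f"2007-07-30 17:30:05 W3SVC1 192.168.12.114 GET /favicon.ico - 80 - 192.168.12.114 {UA} 404 0 2",
    f"2007-07-30 17:27:06 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.21.12 {UA} 403 2 5",
    f"2007-07-30 17:31:22 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.12.113 {UA} 403 2 5",
]


def decode(value):
    """Return the names of all flag bits set in an AccessFlags value."""
    return [name for name, bit in FLAGS.items() if value & bit]


def effective(value, remote):
    """Return the grants that apply to a local or a remote client."""
    grants = set()
    for grant, override in REMOTE_OVERRIDES.items():
        if not value & FLAGS[grant]:
            continue  # never granted, locally or remotely
        if remote and value & FLAGS[override]:
            continue  # granted, but cancelled for remote clients
        grants.add(grant)
    return grants


def audit(nodes):
    """List metabase nodes where a grant works locally but is denied remotely."""
    findings = []
    for path, value in sorted(nodes.items()):
        lost = effective(value, remote=False) - effective(value, remote=True)
        if lost:
            findings.append((path, value, sorted(lost)))
    return findings


def local_only_uris(log_lines):
    """Find URIs served with 200 to the server's own IP but 403.x to other IPs."""
    ok_local, denied_remote = set(), {}
    for line in log_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) != 14:
            continue  # skip directives and lines in another field layout
        s_ip, uri, c_ip = fields[3], fields[5], fields[9]
        status, substatus = fields[11], fields[12]
        if status == "200" and c_ip == s_ip:
            ok_local.add(uri)
        elif status == "403" and c_ip != s_ip:
            denied_remote.setdefault(uri, set()).add(f"403.{substatus}")
    return {u: sorted(c) for u, c in denied_remote.items() if u in ok_local}


if __name__ == "__main__":
    for path, value, lost in audit(SAMPLE_NODES):
        print(f"{path}: AccessFlags={value} ({hex(value)}) {decode(value)}")
        print(f"  granted locally but denied to remote clients: {lost}")
    print("local-only URIs in log:", local_only_uris(SAMPLE_LOG))
```

Because the Home Directory tab does not show the NoRemote* bits, a check like this has to read the raw AccessFlags value from the metabase rather than rely on what the UI displays.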


WenJun Zhang[msft]

Aug 6, 2007, 9:54:19 AM
Bob,

Don't worry, manually setting AccessFlags is the same as modifying
configurations in a site's Home Directory tab. The only difference
here is we removed the invisible flags like AccessNoRemoteScript in the
metabase. Definitely there will not be any harmful effect and no doubt this
is necessary if your server needs to allow remote access.

DPM isn't the specialty of mine. However if you need any further assistance
on it, just let me know. I may help forward your request to our internal
DPM group for consultation.

Have a great week.

Bob

Aug 7, 2007, 1:59:55 PM
Okay, Thanks.

I never did get a reply back on the DPM forum, so maybe this was just unique
to my installation.

Thanks!

Bob.


WenJun Zhang[msft]

Aug 8, 2007, 9:48:11 AM
Hi Bob,

Glad to see the problem has been resolved and the post is ready to be
closed.

Please don't hesitate to post in the group again whenever you meet any
problem with IIS.

Have a great day.

Bob

Aug 10, 2007, 6:50:20 AM
Yes, please close. Thanks!


jochenpuls

Jul 9, 2008, 11:48:28 AM
Hello,

With the posted method I resolved the described problem and an additional 401.2 error on a Windows 2003 Enterprise Server. I installed DPM 2007 on the machine and could not enter sites installed on this server from outside the server. Affected were html, asp (ISAPI) and Outlook Web Access, because there is an Exchange Server 2003 running on the machine. After editing the metabase in the described way it looks fine. Now I still have a problem with the running ActiveSync. Is there another flag in the metabase that I can change?

Greetings

Jochen Puls

darylsirota

Nov 15, 2009, 9:36:01 AM
When you install DPM on IIS, it apparently shoves metabase AccessFlags=30215 into every IIS site and Virtual Directory. What this effectively does is prevent remote users from reading those directories.

To fix Sharepoint, I manually overrode that AccessFlag=513 at the SharePoint IIS root, _layouts and _layouts/images.

Whew! Lesson of the day, don't install DPM on top of SharePoint!

Jochen Puls wrote:

Error 4032 and additional 4012, Active Sync
09-Jul-08

Hello,

Greetings

Jochen Puls

Previous Posts In This Thread:

On Monday, July 23, 2007 8:45 AM
Bob wrote:

HTTP Error 403.2 - Forbidden: Read access is denied.

Hi,

I notice when I attempt to access the default page from a machine other than

were IIS is installed, IE will display "HTTP Error 403.2 - Forbidden: Read
access is denied". But when I attempt to access the default page from the

same machine where IIS is installed, it get an expected "Under Construction"
page.

In both cases, I am logged onto the same domain using the same UserID. I

have no firewalls installed and everyone is on the same LAN.

Any idea on where to look for a resolution to this?

Thanks!

---
Bob

On Monday, July 23, 2007 10:50 PM
David Wang wrote:

Re: HTTP Error 403.2 - Forbidden: Read access is denied.


Did you set up IP Restriction within IIS to only display content to
certain IP addresses (such as local-only).

On Monday, July 23, 2007 11:34 PM
wjzhan wrote:

Hi Bob,Please also check if Read permission isn't enabled in the site's
Hi Bob,

Please also check if Read permission isn't enabled in the site's
property->Home Directory tab. This is the general cause of a '403.2 -
Forbidden: Read access is denied.' error.

Please update here if problem still persists.

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

On Tuesday, July 24, 2007 7:52 AM
Bob wrote:

Hi David,I have no restrictions based upon IP address.
Hi David,

I have no restrictions based upon IP address. However, when I do, the error
changes to:

HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.

Bob.

On Tuesday, July 24, 2007 8:22 AM
Bob wrote:

Hi WenJunThe read permission is enabled on the Home Directory tab.
Hi WenJun

The read permission is enabled on the Home Directory tab. However,
disabling it results in error

HTTP Error 403.2 - Forbidden: Read access is denied.

on both the http://localhost/ and all remote machines as well.

Re-enabling the read permission results in the 403.2 error only on the
remote machines attempting access; not the localhost.

Thanks,

Bob.

On Wednesday, July 25, 2007 12:13 AM
David Wang wrote:

Re: HTTP Error 403.2 - Forbidden: Read access is denied.


On Jul 24, 4:52 am, "Bob" <86c6c2e6-2146512...@news.postalias> wrote:

Can you clarify which IIS version you are running (or Windows OS is
sufficient).

Can you also report the actual IIS log entry lines corresponding to
your 403.2 response.

Please also verify that you mean what I think you mean by the
following:

When you say "access the default page from the same machine", I assume


you are using a web browser, which is using the http:// protocol, and
the URL used in the wbrowser is either http://localhost/page.ext or
http://servername/page.ext. And that those requests actually come to
this web server -- validate by checking the IIS server's website log
files for the specific request log entries corresponding to your
successful requests. You should also validate that the 403.2 are in
this log file.

If those assumptions are all true, or if all requests are not showing
up in the log file, then I am inclined to think that your issue is
outside of IIS because I cannot think of any other built-in IIS
feature which distinguishes access based on local/remote.

If you are running ASP.Net page, perhaps there is configuration in
ASP.Net to deny access from remote machines.

If you have custom ISAPI Filter/Extension installed, perhaps they are
denying access from remote machines.

Perhaps you have some other networking device configured for the IIS
server that is rejecting external access.

Perhaps you have a DNS misconfiguration where the external name/IP
does not actually route to this specific IIS webserver.

On Wednesday, July 25, 2007 5:39 AM
wjzhan wrote:

Bob,The new 403.
Bob,

The new 403.6 error should be caused by IP and domain restriction setting
in IIS. Please follow the steps below to check it.

1. Open Internet Information Services (IIS) Manager.
2. Expand the Web server, and then expand Web sites.
3. Right-click Default Web Site, and then click Properties.
4. Click the Directory Security tab, and then click Edit in the IP address
and domain name restrictions area.
5. Select Granted access and make sure the client machine's IP isn't in
denied list.

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

On Friday, July 27, 2007 7:03 AM
wjzhan wrote:

Hi Bob,Any update of this issue?
Hi Bob,

Any update of this issue?

Have a good weekend.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

On Saturday, July 28, 2007 11:27 AM
Bob wrote:

Hi David,I've a half dozen servers.
Hi David,

I've a half dozen servers. All of them are at the same level (Windows
Server 2003 R2 SP2 and all of them have IIS v6.0).

I have two servers that are having the problem - the others are fine. What
is unique about these two machines is:
1. They are both virtual guests
2. Neither is a DC
3. MS Data Protection Manager 2007 Beta2 installed (DPM uses IIS)

ERROR INFORMATION:
--------------------------------------------------------------
OH-SERVER-4 has ipadder of 192.168.12.114 and is one of the two failing IIS
servers under Windows 2003.

Entering http://oh-server-4 in IE7 on this oh-server-4 results in an
expected "Under Construction" page which I imagine comes from
"c:\inetpub\wwwroot\iisstart.htm"

The corresponding log entry found at
C:\WINDOWS\system32\LogFiles\W3SVC1\ex070728.log is as follows:

2007-07-28 14:58:23 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 -
192.168.12.114

Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30)
200 0 0

2007-07-28 14:58:23 W3SVC1 192.168.12.114 GET /pagerror.gif - 80 -
192.168.12.114

Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30)
200 0 0

--------------------------------------------------------------

HOWEVER, when RC-CLIENT-2, which has an IP address of 192.168.21.12 and is Win XP
SP2, attempts to go to http://oh-server-4, the resulting entry in IIS (found
on oh-server-4) is as follows:

2007-07-28 15:04:30 W3SVC1 192.168.12.114 GET / - 80 - 192.168.21.12 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+1.1.4322) 403 2 5

The above log also corresponds to the web page displayed "HTTP Error 403.2 -
Forbidden: Read access is denied".
--------------------------------------------------------------

The log also posts the following every 20 seconds:

2007-07-28 15:19:15 W3SVC1 192.168.12.114 POST /Reporting/admin/upload.php - 80 - 192.168.12.114 libwww-perl/5.803 200 0 0

Thanks for your efforts!

Bob.

On Monday, July 30, 2007 2:34 AM
wjzhan wrote:

Re: HTTP Error 403.2 - Forbidden: Read access is denied.
Hi Bob,

Some clues I found according to your description:

Directly accessing http://oh-server-4/ shouldn't result in a log entry
like the following:

2007-07-28 14:58:23 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.12.114 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 200 0 0

When we access a web site/vdir's default page without the file name in the URL,
IIS will not log the default page in its log file either. So an expected
log entry for http://oh-server-4/ should be: ... GET / - 80 - ...

The log you got looks like something explicitly redirected the request to
the iisstart.htm page (just a guess).

So what I'd suggest testing further: try browsing to the full URL:
http://oh-server-4/iisstart.htm from the XP machine. See if it also returns
the under construction page as expected. If it does, it means both local and
remote access to the iisstart.htm page is fine. You'd check the default
page setting of the site. Also please note the Read permission can be set
at the single-file level.

Look forward to your test result.

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support


On Monday, July 30, 2007 2:23 PM
Bob wrote:

Re: HTTP Error 403.2 - Forbidden: Read access is denied.
Hi WenJun,

I checked the ACL's of C:\Inetpub\wwwroot\iisstart.htm and they look fine.
They are:
---------------------------------------------------------
Administrators & SYSTEM = Full
IIS_WPG & Users = Read & Execute + Read
Internet Guest Account = Deny Write, Deny Special
---------------------------------------------------------
Also, I find I can open: \\oh-server-4\C$\Inetpub\wwwroot\iisstart.htm
from any machine.


I ran the url http://oh-server-4/iisstart.htm on the following three
machines:

OH-SERVER-4 (where IIS is).
---------------------------------------------------------
2007-07-30 17:30:04 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.12.114 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 200 0 0

2007-07-30 17:30:04 W3SVC1 192.168.12.114 GET /pagerror.gif - 80 - 192.168.12.114 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 200 0 0

2007-07-30 17:30:05 W3SVC1 192.168.12.114 GET /favicon.ico - 80 - 192.168.12.114 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 404 0 2
---------------------------------------------------------

RC-CLIENT-2 (different forest)
---------------------------------------------------------
2007-07-30 17:27:06 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.21.12 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+1.1.4322) 403 2 5
---------------------------------------------------------

OH-SERVER-3 (the DC to oh-server-4)
---------------------------------------------------------
2007-07-30 17:31:22 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.12.113 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+Win64;+x64;+.NET+CLR+2.0.50727) 403 2 5
---------------------------------------------------------


And as before, I get the same error on all machines except OH-SERVER-4
(where IIS is):

HTTP Error 403.2 - Forbidden: Read access is denied.

One thing that is interesting is I swapped
\\oh-server-4\C$\Inetpub\wwwroot\iisstart.htm with a different html document
and I find that the failing machines are still bringing up the original html.
So I guess the html document that describes the 404.2 error is not coming
from the C:\Inetpub\wwwroot\iisstart.htm found on oh-server-4 ??

Also, I don't know the first thing about IIS and I'm just assuming all these
HTML displays in the various IE instances are coming from the OH-SERVER-4's
IIS server. For all I know, IIS could simply be sending back an error to
IE - and IE in turn displays HTML sourced from the local machine that did
the url request. If this is how it works, I guess that would explain the
swapping of the iisstart.htm file with a different one not changing the
display.

p.s. As I wrote before, just to test the IP deny thing, I explicitly denied
all three machines and they now get an expected:
HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.
(as one would expect - as I'm now denying it for a test).

Thanks!

Bob.

On Monday, July 30, 2007 9:41 PM
David Wang wrote:

Re: HTTP Error 403.2 - Forbidden: Read access is denied.




Your new observation when changing iisstart.htm is about caching,
which is completely separate from your original question about
authorization to read a resource. Let's look at things one at a time.

Also, there is no 404.2 error -- it is a 404.0.2, which is a 404.0
"file not found" with Win32 error code of 2 "File not found" -- people
frequently overlook the log file fields.

Your log file entries indicate a 403.2 (Read access is denied) on
accessing /iisstart.htm by a non-local client-ip address. There are no
built-in IIS features to return 403.2 for remote yet allow local
access, and there is no way for software/hardware outside of IIS to
log an 403.2 in the IIS log, so I am inclined to believe that the
behavior comes from an ISAPI Filter or ISAPI Extension installed on
your webserver.

Can you enumerate:
1. all ISAPI Filters installed at Global level
2. all ISAPI Filters installed at Website level
3. Application Mapping of .htm resource at /
4. Wildcard application mappings at /


I am suspecting non-default setting for #4 because ISAPI Filter cannot
change the substatus field of the log entry (unlikely, but maybe it
was some *other* error with substatus 2 that the ISAPI Filter rewrote
-- I'm keeping the option open), but Wildcard application mapping can
both log a 403.2 as well as perform the read-forbidden access.

If so, your question is really about the behavior of the non-default
Wildcard application mapping since that is no longer IIS software

On Tuesday, July 31, 2007 7:12 AM
wjzhan wrote:

Hi Bob,

I have the same thought as David. Let's check if there is any specific
ISAPI installed which may cause the unexpected behavior.

You can export your metabase config and send it to me via email for a
thorough review. To export your metabase configuration, please install
the IIS6 resource kit tools and use the Metabase Explorer utility. Export the
data under the LM root node into an mbk file.

Internet Information Services (IIS) 6.0 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=56fc92ee-a71a-4c73-b628-ade629c89499

My email address: wjz...@online.microsoft.com (please remove online.)

Look forward to your message.

Have a great day.

Sincerely,

WenJun Zhang

Microsoft Online Community Support


On Thursday, August 02, 2007 10:31 AM
wjzhan wrote:

Hi Bob,

I'm still waiting for your update on this issue.

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support


On Thursday, August 02, 2007 11:40 AM
Bob wrote:

Hi WenJun,

Sorry for the delay, that was rude of me.

Bob.

On Friday, August 03, 2007 3:39 AM
wjzhan wrote:

Hi Robert,

I think the root cause has turned up. Please open the metabase with
MBExplorer again. Expand to /LM/W3SVC/1/ROOT/. You will see the AccessFlags
property value is 30209. This means both the AccessNoRemoteRead and
AccessNoRemoteScript bit flags are set to true (please refer to the link
below).

AccessFlags Metabase Property (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/e9b6d626-9583-4d59-b7f7-a079ec47461c.mspx?mfr=true

I'm very curious about who set these 2 flags since the settings are not
available in the IIS UI (site Properties->Home Directory tab). Please reset the
property to a normal value of 513 (with only AccessScript and AccessRead on) in
MBExplorer. Then please test accessing the site from a remote computer again.

Please let me know if any problem still persists. Thanks and have a nice
weekend.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

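Added example (not part of the original thread): a Python sketch that decodes the AccessFlags value 30209 from the post above using the bit values documented for the IIS 6.0 AccessFlags property, shows that clearing only the AccessNoRemote* bits yields 513, and tallies 403.2 responses by local versus remote client for log entries of the shape Bob posted. The function names, the field order and the shortened User-Agent ("UA") are assumptions made for the example.

```python
"""Decode the IIS 6.0 AccessFlags value from the thread; tally 403.2 by origin."""

# Bit values as documented for the IIS 6.0 AccessFlags metabase property.
ACCESS_FLAGS = {
    "AccessRead": 0x0001,
    "AccessWrite": 0x0002,
    "AccessExecute": 0x0004,
    "AccessSource": 0x0010,
    "AccessScript": 0x0200,
    "AccessNoRemoteWrite": 0x0400,
    "AccessNoRemoteRead": 0x1000,
    "AccessNoRemoteExecute": 0x2000,
    "AccessNoRemoteScript": 0x4000,
}
NO_REMOTE_MASK = sum(bit for name, bit in ACCESS_FLAGS.items()
                     if name.startswith("AccessNoRemote"))

def decode_access_flags(value):
    """Return the names of all known bits set in an AccessFlags value."""
    return [name for name, bit in ACCESS_FLAGS.items() if value & bit]

def clear_remote_restrictions(value):
    """Clear only the AccessNoRemote* bits; other permissions stay as set."""
    return value & ~NO_REMOTE_MASK

# Field order inferred from the entries quoted in the thread (assumption;
# a real W3C log names its fields in the "#Fields:" header line).
FIELDS = ("date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query "
          "s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus "
          "sc-win32-status").split()

# Entries from the thread, User-Agent shortened to "UA" for this sample.
SAMPLE_LOG = """\
2007-07-30 17:30:04 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.12.114 UA 200 0 0
2007-07-30 17:27:06 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.21.12 UA 403 2 5
2007-07-30 17:31:22 W3SVC1 192.168.12.114 GET /iisstart.htm - 80 - 192.168.12.113 UA 403 2 5
"""

def read_denied_by_origin(log_text):
    """Count 403.2 responses for local (c-ip == s-ip) and remote clients."""
    counts = {"local": 0, "remote": 0}
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C header directives
        rec = dict(zip(FIELDS, line.split()))
        if (rec.get("sc-status"), rec.get("sc-substatus")) == ("403", "2"):
            origin = "local" if rec["c-ip"] == rec["s-ip"] else "remote"
            counts[origin] += 1
    return counts

if __name__ == "__main__":
    print(decode_access_flags(30209))
    print(clear_remote_restrictions(30209))
    print(read_denied_by_origin(SAMPLE_LOG))
```

A tally with zero local and several remote 403.2 entries, combined with AccessNoRemoteRead in the decoded flags, matches the symptom described in this thread.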

On Friday, August 03, 2007 10:47 AM
Bob wrote:

Hi WenJun,

I guess that is it.

Thanks!

Bob.

On Friday, August 03, 2007 11:59 AM
Bob wrote:

Hi WenJun,

I placed an inquiry on the DPM forum asking if anyone else has the

Bob.

On Friday, August 03, 2007 12:36 PM
Bob wrote:

Bob.

On Monday, August 06, 2007 9:54 AM
wjzhan wrote:

Bob,

Don't worry, manually setting AccessFlags is the same as modifying
configurations in a site's Home Directory tab. The only difference
here is we removed the invisible flags like AccessNoRemoteScript in the
metabase. Definitely there will not be any harmful effect and no doubt this
is necessary if your server needs to allow remote access.

DPM isn't a specialty of mine. However, if you need any further assistance
on it, just let me know. I may help forward your request to our internal
DPM group for consultation.

Have a great week.

Sincerely,

WenJun Zhang

Microsoft Online Community Support


On Tuesday, August 07, 2007 1:59 PM
Bob wrote:

Okay, Thanks.

Thanks!

Bob.

On Wednesday, August 08, 2007 9:48 AM
wjzhan wrote:

Hi Bob,

Glad to see the problem has been resolved and the post is ready to be

Have a great day.

Sincerely,

WenJun Zhang

Microsoft Online Community Support


On Friday, August 10, 2007 6:50 AM
Bob wrote:

Yes, please close. Thanks!

On Wednesday, July 09, 2008 11:48 AM
Jochen Puls wrote:

Error 4032 and additional 4012, Active Sync
Hello,

Greetings

Jochen Puls


Jeffrey Ingalls

Nov 16, 2009, 10:35:02 AM
Thank you for posting the resolution. These kind of nuggets always come in
handy!

All the best,
Jeffrey Ingalls
