403 - Forbidden: Access is denied

Question

Hi, I have an IIS web site was working fine for years. All of a sudden, 1 week back, I tried to browse it and started to get

What is strange is that when I open a session on the server itself, it works fine. IIS_USR and IUSR have Read&Execute privileges on the inetpub and subdirectories, even I enabled "browsing Directorie" to check but it did not help.

In the log I see

2022-10-24 14:52:24 192.168.1.30 GET /favicon.ico - 443 - 82.65.38.149 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/106.0.0.0+Safari/537.36+Edg/106.0.1370.47 https://mysite.hd.free.fr/sierac 403 16 2148204809 53
2022-10-24 14:58:01 192.168.1.30 GET /sierac - 443 - 82.65.38.149 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/106.0.0.0+Safari/537.36+Edg/106.0.1370.47 - 403 16 2148204809 34

Here are some text from older los where it was working fine

2022-06-29 19:04:57 192.168.1.30 GET /sierac - 443 - 194.38.20.161 ALittle+Client - 301 0 0 1766
2022-06-29 19:05:29 192.168.1.30 GET /sierac/ - 443 - 194.38.20.161 ALittle+Client - 200 0 0 752

Here is the config of the machine

Answer 1

A very quick reponse for step 1. In an admin powershell console I get

$.Issuer : The term '$.Issuer' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path
is correct and try again.
At line:1 char:64

• ... tem cert:\LocalMachine\root -Recurse | Where-Object {$.Issuer -ne $.S ...

•                                                      \~\~\~\~\~\~\~\~    
  

  • CategoryInfo : ObjectNotFound: ($.Issuer:String) [], CommandNotFoundException
  • FullyQualifiedErrorId : CommandNotFoundException

However, when I do

Get-Childitem cert:\LocalMachine\root -Recurse | Select Subject, Issuer  

I get correct results where I dont find any self-hosted certificate apart from the 1st one which I think created by windows

Subject Issuer

---

CN=WMSvc-SHA2-SALAMPROD CN=WMSvc-SHA2-SALAMPROD
CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com
CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, S=Western Cape, C=ZA CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte,...
CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp. CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Cop...
CN=Symantec Enterprise Mobile Root for Microsoft, O=Symantec Corporation, C=US CN=Symantec Enterprise Mobile Root for Microsoft, O=Symantec ...
CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US CN=Microsoft Root Certificate Authority 2011, O=Microsoft Cor...
CN=Microsoft Authenticode(tm) Root Authority, O=MSFT, C=US CN=Microsoft Authenticode(tm) Root Authority, O=MSFT, C=US
CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US CN=Microsoft Root Certificate Authority 2010, O=Microsoft Cor...
CN=Microsoft ECC TS Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Washington, C=US CN=Microsoft ECC TS Root Certificate Authority 2018, O=Micros...
OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Time Stamping Service Root, OU=Microsoft Corporation, O=Microsoft Trust Network OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Time Stam...
OU="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.", OU=VeriSign Time Stamping Service Root, OU="VeriSign, Inc.", O=VeriSign Trust Network OU="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.", OU=VeriSign...
CN=Microsoft ECC Product Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Washington, C=US CN=Microsoft ECC Product Root Certificate Authority 2018, O=M...
CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert I...
CN=DST Root CA X3, O=Digital Signature Trust Co. CN=DST Root CA X3, O=Digital Signature Trust Co.
CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3 CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US
CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US OU=Starfield Class 2 Certification Authority, O="Starfield Te...
CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert I...
OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US OU=Class 3 Public Primary Certification Authority, O="VeriSig...
CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O...
CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US CN=USERTrust RSA Certification Authority, O=The USERTRUST Net...

Answer 2

step 2 nor step 3 helped, I get the same exact error

Answer 3

Regarding step 1, I responded but it is not showing here I saw a message a message indicating "Awaiting moderator"

Answer 4

After updating registry as indicated in step 1,

rebooting, I get the same thing

Then updated registry as step 2, rebooted, I get the same exatresult

Answer 5

I will repeat again for step 1, Powershell is generatiog an error for $.Issuer as follows

$.Issuer : The term '$.Issuer' is not recognized as the name of a cmdlet, function, script file,

Here is the list of

Get-Childitem cert:\LocalMachine\root -Recurse | Select Subject, Issuer

Subject

---

CN=WMSvc-SHA2-SALAMPROD
CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com
CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, S=Western Cape, C=ZA
CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.
CN=Symantec Enterprise Mobile Root for Microsoft, O=Symantec Corporation, C=US
CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Authenticode(tm) Root Authority, O=MSFT, C=US
CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft ECC TS Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Time Stamping Service Root, OU=Microsoft Corporation, O=Microsoft Trust Network
OU="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.", OU=VeriSign Time Stamping Service Root, OU="VeriSign, Inc.", O=VeriSign Trust Network
CN=Microsoft ECC Product Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
CN=DST Root CA X3, O=Digital Signature Trust Co.
CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
CN=ISRG Root X1, O=Internet Security Research Group, C=US
CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US

Issuer

---

CN=WMSvc-SHA2-SALAMPROD
CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com
CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte,...
CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Cop...
CN=Symantec Enterprise Mobile Root for Microsoft, O=Symantec ...
CN=Microsoft Root Certificate Authority 2011, O=Microsoft Cor...
CN=Microsoft Authenticode(tm) Root Authority, O=MSFT, C=US
CN=Microsoft Root Certificate Authority 2010, O=Microsoft Cor...
CN=Microsoft ECC TS Root Certificate Authority 2018, O=Micros...
OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Time Stam...
OU="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.", OU=VeriSign...
CN=Microsoft ECC Product Root Certificate Authority 2018, O=M...
CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert I...
CN=DST Root CA X3, O=Digital Signature Trust Co.
CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
CN=ISRG Root X1, O=Internet Security Research Group, C=US
CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
OU=Starfield Class 2 Certification Authority, O="Starfield Te...
CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert I...
OU=Class 3 Public Primary Certification Authority, O="VeriSig...
CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O...
CN=USERTrust RSA Certification Authority, O=The USERTRUST Net...