Share via

403 - Forbidden: Access is denied

Salam ELIAS 112 Reputation points
2022-10-24T15:19:54.333+00:00

Hi, I have an IIS web site was working fine for years. All of a sudden, 1 week back, I tried to browse it and started to get

253509-image.png

What is strange is that when I open a session on the server itself, it works fine. IIS_USR and IUSR have Read&Execute privileges on the inetpub and subdirectories, even I enabled "browsing Directorie" to check but it did not help.

In the log I see

2022-10-24 14:52:24 192.168.1.30 GET /favicon.ico - 443 - 82.65.38.149 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/106.0.0.0+Safari/537.36+Edg/106.0.1370.47 https://mysite.hd.free.fr/sierac 403 16 2148204809 53
2022-10-24 14:58:01 192.168.1.30 GET /sierac - 443 - 82.65.38.149 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/106.0.0.0+Safari/537.36+Edg/106.0.1370.47 - 403 16 2148204809 34

Here are some text from older los where it was working fine

2022-06-29 19:04:57 192.168.1.30 GET /sierac - 443 - 194.38.20.161 ALittle+Client - 301 0 0 1766
2022-06-29 19:05:29 192.168.1.30 GET /sierac/ - 443 - 194.38.20.161 ALittle+Client - 200 0 0 752

Here is the config of the machine
253520-image.png

Internet Information Services
0 comments

14 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Salam ELIAS 112 Reputation points
    2022-10-26T08:42:13.83+00:00

    A very quick reponse for step 1. In an admin powershell console I get

    $.Issuer : The term '$.Issuer' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path
    is correct and try again.
    At line:1 char:64

    • ... tem cert:\LocalMachine\root -Recurse | Where-Object {$.Issuer -ne $.S ... 
    •                                                      \~\~\~\~\~\~\~\~
      • CategoryInfo : ObjectNotFound: ($.Issuer:String) [], CommandNotFoundException
      • FullyQualifiedErrorId : CommandNotFoundException

    However, when I do 

    Get-Childitem cert:\LocalMachine\root -Recurse | Select Subject, Issuer

    I get correct results where I dont find any self-hosted certificate apart from the 1st one which I think created by windows

    Subject Issuer

    CN=WMSvc-SHA2-SALAMPROD CN=WMSvc-SHA2-SALAMPROD
    CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com
    CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, S=Western Cape, C=ZA CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte,...
    CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp. CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Cop...
    CN=Symantec Enterprise Mobile Root for Microsoft, O=Symantec Corporation, C=US CN=Symantec Enterprise Mobile Root for Microsoft, O=Symantec ...
    CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US CN=Microsoft Root Certificate Authority 2011, O=Microsoft Cor...
    CN=Microsoft Authenticode(tm) Root Authority, O=MSFT, C=US CN=Microsoft Authenticode(tm) Root Authority, O=MSFT, C=US
    CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US CN=Microsoft Root Certificate Authority 2010, O=Microsoft Cor...
    CN=Microsoft ECC TS Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Washington, C=US CN=Microsoft ECC TS Root Certificate Authority 2018, O=Micros...
    OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Time Stamping Service Root, OU=Microsoft Corporation, O=Microsoft Trust Network OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Time Stam...
    OU="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.", OU=VeriSign Time Stamping Service Root, OU="VeriSign, Inc.", O=VeriSign Trust Network OU="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.", OU=VeriSign...
    CN=Microsoft ECC Product Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Washington, C=US CN=Microsoft ECC Product Root Certificate Authority 2018, O=M...
    CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert I...
    CN=DST Root CA X3, O=Digital Signature Trust Co. CN=DST Root CA X3, O=Digital Signature Trust Co.
    CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3 CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
    CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US
    CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
    OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US OU=Starfield Class 2 Certification Authority, O="Starfield Te...
    CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert I...
    OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US OU=Class 3 Public Primary Certification Authority, O="VeriSig...
    CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O...
    CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US CN=USERTrust RSA Certification Authority, O=The USERTRUST Net...

    0 comments
  2. Salam ELIAS 112 Reputation points
    2022-10-26T08:59:01.62+00:00

    step 2 nor step 3 helped, I get the same exact error

    0 comments
  3. Salam ELIAS 112 Reputation points
    2022-10-26T09:00:02.883+00:00

    Regarding step 1, I responded but it is not showing here I saw a message a message indicating "Awaiting moderator"

    0 comments
  4. Salam ELIAS 112 Reputation points
    2022-10-28T11:00:27.233+00:00

    After updating registry as indicated in step 1,
    255094-image.png

    rebooting, I get the same thing

    255103-image.png

    Then updated registry as step 2, rebooted, I get the same exatresult
    255025-image.png

    255038-image.png

  5. Salam ELIAS 112 Reputation points
    2022-10-26T09:04:24.353+00:00

    I will repeat again for step 1, Powershell is generatiog an error for $.Issuer as follows

    $.Issuer : The term '$.Issuer' is not recognized as the name of a cmdlet, function, script file,

    Here is the list of

    Get-Childitem cert:\LocalMachine\root -Recurse | Select Subject, Issuer

    Subject

    CN=WMSvc-SHA2-SALAMPROD
    CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com
    CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, S=Western Cape, C=ZA
    CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.
    CN=Symantec Enterprise Mobile Root for Microsoft, O=Symantec Corporation, C=US
    CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    CN=Microsoft Authenticode(tm) Root Authority, O=MSFT, C=US
    CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    CN=Microsoft ECC TS Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Time Stamping Service Root, OU=Microsoft Corporation, O=Microsoft Trust Network
    OU="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.", OU=VeriSign Time Stamping Service Root, OU="VeriSign, Inc.", O=VeriSign Trust Network
    CN=Microsoft ECC Product Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
    CN=DST Root CA X3, O=Digital Signature Trust Co.
    CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
    CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    CN=ISRG Root X1, O=Internet Security Research Group, C=US
    CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
    OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
    CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US

    Issuer

    CN=WMSvc-SHA2-SALAMPROD
    CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com
    CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte,...
    CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Cop...
    CN=Symantec Enterprise Mobile Root for Microsoft, O=Symantec ...
    CN=Microsoft Root Certificate Authority 2011, O=Microsoft Cor...
    CN=Microsoft Authenticode(tm) Root Authority, O=MSFT, C=US
    CN=Microsoft Root Certificate Authority 2010, O=Microsoft Cor...
    CN=Microsoft ECC TS Root Certificate Authority 2018, O=Micros...
    OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Time Stam...
    OU="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.", OU=VeriSign...
    CN=Microsoft ECC Product Root Certificate Authority 2018, O=M...
    CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert I...
    CN=DST Root CA X3, O=Digital Signature Trust Co.
    CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
    CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    CN=ISRG Root X1, O=Internet Security Research Group, C=US
    CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
    OU=Starfield Class 2 Certification Authority, O="Starfield Te...
    CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert I...
    OU=Class 3 Public Primary Certification Authority, O="VeriSig...
    CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O...
    CN=USERTrust RSA Certification Authority, O=The USERTRUST Net...