Troubleshooting Common IIS Errors
Many of the design changes in Internet Information Services (IIS) 6.0 directly address the need to secure the World Wide Web Publishing Service (WWW service) as a whole, and Web and FTP sites in particular. You might experience errors if you have not enabled certain features or services that are locked, or disabled, by default. This topic describes some of the symptoms of these errors and the processes to remedy them (or a link to a topic that describes how to remedy the error).
Dynamic or Static Content Errors
Applications are denied access to resources
Requests for dynamic content return 404 error
Requests for static files return 404 error
Worker process recycling drops application session state
Server-side include directives (#include) return 404 error (for .stm files) or 0131 error (for .asp files)
ASP generates Permission Denied errors in event log for global.asa
CGI processes will not start
ASP.NET pages are returned as static files
Collaboration Data Objects for Windows NT Server fail
Connection Errors
Client requests receive 503 error
Anonymous accounts (IUSR_ computername) attempting sub-authentication logon receive 401 error
Clients cannot connect to server
UNC connections are denied access
Access denied to console applications in System32 directory
Client requests error-out or time-out
Miscellaneous Errors
File requests to UNIX or Linux server return wrong file or error
Cannot locate /Scripts or /Msadc directory
ISAPI filter does not show up as "loaded" in UI
Dynamic or Static Content Errors
Applications Are Denied Access to Resources
After a clean install, IIS 6.0 runs in worker process isolation mode. Applications running in this mode use the Network Service identity, by default. Network Service is an account with few user rights and therefore provides better security by restricting access to resources on the Web server. If you migrate applications to IIS 6.0 while the server is in worker process isolation mode, and if your applications previously ran in-process (in Inetinfo.exe) as LocalSystem, the applications may fail to access resources because of the restrictions set forth by the Network Service identity. The LocalSystem account has access to almost all resources on the operating system, and therefore creates serious security implications. You should avoid using the LocalSystem account when possible. If it is absolutely necessary to use the LocalSystem account on an application, run that application in a new application pool in its own virtual directory so you can reduce the attack surface by isolating the application. As an alternative, and if your application needs permission to use the Trusted Computing Base (TCB), run the application as a configurable identity and assign the TCB permission to the configurable identity. This alternative, however, still presents a security risk because the TCB permission is very powerful.
For more information, see Configuring Worker Process Identities and IIS and Built-in Accounts in the Help that comes with IIS Manager.
Requests for Dynamic Content Return 404 Error
In order to take a more proactive stance against malicious users and attackers, IIS is installed in a highly secure and locked mode. By default, IIS serves only static content - meaning features like ASP, ASP.NET, server-side includes, WebDAV publishing, FrontPage ? Server Extensions, and Common Gateway Interfaces - do not work unless enabled. If you do not enable this functionality after installing IIS, by default on this denial, IIS returns a generic 404 custom error page to prevent disclosure of configuration information. IIS also writes the 404 error with the substatus code of 2 (404.2) in the W3C Extended log files, by default.
Important Note: |
---|
You must be a member of the Administrators group on the local computer to perform the following procedure (or procedures), or you must have been delegated the appropriate authority. As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use Runas to open a command window from which you can run other programs like IIS Manager. |
To open a command window under secure credentials, from a command prompt, type the following:
Runas /user:domain_or_machine_name\administrative_account_name "cmd /k"
To open IIS Manager from the secure command window, type the following:
mmc %systemroot%\system32\inetsrv\iis.msc
To enable or disable a Web service extension
In IIS Manager, expand the local computer, and then click Web Service Extensions.
In the details pane, click the Web service extension that you want to enable or disable.
To enable a disabled Web service extension, click Allow.
To disable an enabled Web service extension, click Prohibit.
Click OK.
To enable or disable Web service extensions programmatically, see WebSvcExtRestrictionList.
Requests for Static Files Return 404 Error
For requests to static content, this version of IIS serves requests for files with known file name extensions only, a feature called Known Extensions. If a request is made for a resource whose file name extension is not mapped to a known extension in the MimeMap property, IIS denies the request and logs a 404 error with the substatus code of 3 (404.3) in the W3C Extended log files (by default). To prevent disclosure of configuration information, IIS is configured to return the generic 404 custom error page by default on this denial. You can add or edit the Multipurpose Internet Mail Exchange (MIME) map using IIS Manager. To turn off the Known Extensions feature and allow IIS to serve files with any extension, add the *,application/octet-stream value to the list of MIME maps. If you update the global MIME map, you must wait until the worker process has recycled or restart the World Wide Web Publishing Service (WWW service) before changes take effect. If you update an individual Web site MIME map, the change is reflected instantly.
For more information on adding or editing the MIME map, see Working with MIME Types in the Help that comes with IIS Manager.
Tools like URLScan can be configured to block processing of certain file name extensions.
Note
Check your URLScan settings.
Worker Process Recycling Drops Application Session State
By default, worker processes recycle after 120 minutes. If your ASP applications are not designed to store session state while a worker process is recycled, then session state in that ASP application can be lost. To remedy this problem, you can either store session state in a database or disable worker process recycling.
To disable worker process recycling
In IIS Manager, expand the local computer, expand Application Pools, right-click the application pool, and then click Properties.
On the Recycling tab, clear the Recycle worker processes (in minutes) check box.
Click OK.
Server-Side Include Directives (#include) Return 404 Error (for .stm Files) or 0131 Error (for .asp Files)
If your ASP page uses the #include server-side include directive and the ".." notation to refer to a parent directory, the directive will return an error unless you have reconfigured the AspEnableParentPaths metabase property. This property is set to false by default. If set to true, this property constitutes a potential security risk because an include path may access critical or sensitive data files outside the application root directory.
To enable parent paths through IIS Manager
In IIS Manager, expand the local computer, right-click the starting-point directory of the application you want to configure, and then click Properties.
Click the Directory tab, and then click Configuration.
Click the Options tab.
In the Application configuration section, select the Enable parent paths check box.
Click OK.
ASP Generates Permission Denied Errors in Event Log for Global.asa
Earlier versions of ASP executed events in the security context (or user identity) of the host process because there is no user context during these events. This caused problems, such as access denied errors when writing to a file in the Session_OnEnd event. ASP, by default, now runs the global.asa events, Application_OnEnd and Session_OnEnd, anonymously (the default value is true).
To change this setting programmatically, see AspRunOnEndAnonymously.
CGI Processes Will Not Start
If your CGI processes do not run, ensure that the CGI Web service extension has been enabled. See Requests for Dynamic Content Return 404 Error in this topic. Also, CGIs will not start unless the account on which the CGI processes run are assigned certain user rights. You can add the account as a member of the IIS_WPG group and assign the account the following two user rights:
Adjust memory quotas for a process.
Replace a process level token.
To assign user rights to an account on the local computer
From the Start menu, point to Administrative Tools, and then click Local Security Policy.
Expand Security Settings, double-click Local Policies, and then double-click User Rights Assignment.
In the details pane, double-click the policy you want to change.
Click Add User or Group.
In the Enter the object names to select box, type the user or group name.
Click OK.
ASP.NET Pages are Returned as Static Files
If you installed IIS 6.0 without installing ASP.NET, ASP.NET files can be returned as static files. This error can also occur if you reinstalled IIS 6.0 without reregistering ASP.NET. To learn how to remedy this error, see ASP.NET IIS Registration Tool in the Help that comes with IIS Manager and use the i option.
Collaboration Data Objects for Windows NT Server Fail
Collaboration Data Objects for Microsoft ? Windows NT ? Server (CDONTS) has been removed from the Windows Server 2003 family. If your Web applications use CDONTS, you can convert them to Microsoft Collaboration Data Objects (CDO). Most methods in CDONTS have matching methods in CDO, but might be named differently.
For reference material for CDO in the Platform Software Developer Kit, see Overview of CDO at MSDN Online.
Connection Errors
Client Requests Receive 503 Error
Check the error event log to determine if the 503 error was detected in HTTP.sys or in the World Wide Web Publishing Service (WWW service). If the error was detected in HTTP.sys, there may be too many queued requests so that HTTP.sys has exceeded its application pool queue length limit. To remedy this problem, increase the application pool queue length limit. (See Configuring Application Pool Queue Length Limits in the Help that comes with IIS Manager.)
To change an application pool queue length limit
In IIS Manager, expand the local computer, expand the Application Pools folder, right-click the application, and then click Properties.
Click the Performance tab.
In the Request queue limit section, select the Limit the kernel request queue to check box, and type the maximum number of queued requests.
Click OK.
If the 503 error was detected in the WWW service, then the problem may be that IIS has initiated rapid-fail protection because too many worker processes assigned to an application pool have become unhealthy in a given period of time. To remedy this problem, increase the number of failures or the time period before rapid-fail protection initiates. You should test your application for memory leaks or other problems that may be the source of the unhealthy worker processes. (See Configuring Rapid-Fail Protection in the Help that comes with IIS Manager.)
To configure rapid-fail protection
In IIS Manager, expand the local computer, expand Application Pools, right-click the application pool, and then click Properties.
Click the Health tab.
In the Failures box, type the number of worker process failures to be detected before disabling the worker process.
In the Time period box, type the number of minutes during which failure totals are accumulated.
Click OK.
Anonymous Accounts (IUSR_ computername) Attempting Sub-Authentication Logon Receive 401 Error
The sub-authentication component, Iissuba.dll, is not enabled by default in IIS 6.0. In earlier versions, Iissuba.dll allowed IIS to manage passwords on anonymous accounts, which created a potential security risk. In IIS 6.0, you can use sub-authentication to manage passwords for anonymous accounts by meeting the following requirements:
For applications which you assign anonymous access, the worker process runs as LocalSystem.
The sub-authentication component, Iissuba.dll, is registered.
The AnonymousPasswordSynch metabase property is enabled (set to true).
The actions taken to meet the above requirements differ between clean installs of IIS 6.0 and upgrades to IIS 6.0 from installations of IIS with sub-authentication configured.
For information on the procedures to configure sub-authentication, see Anonymous Authentication in the Help that comes with IIS Manager.
Clients Cannot Connect to Server
The Windows Server 2003 family provides a software-based firewall to prevent unauthorized connections to your server from remote computers. The Internet Connection Firewall (ICF) is disabled by default. However, if you have enabled the firewall in its default configuration after installing a member of the Windows Server 2003 family and before installing IIS, clients will not be able to connect to your server. The following procedure configures ICF to allow clients to initiate Web and other IIS-related connections to your server.
To configure Internet Connection Firewall for IIS
From the Start menu, click Control Panel.
Double-click Network Connections.
Right-click Local Area Connection, and click Properties.
Click the Advanced tab.
If you do not want to use the ICF, make sure the Protect my computer and network by limiting or preventing access to this computer from the Internet check box isn't available, and click OK.
If you do want to use the ICF, make sure the Protect my computer and network by limiting or preventing access to this computer from the Internet check box is enabled, and click Settings.
On the Services tab, enable a service to which you want to allow access to clients.
In the Service Settings dialog box that appears after enabling a service, do one of the following:
If you are enabling a service on the same computer you are working, the correct computer name is already filled in. Click OK.
If you are enabling a service on a different computer on your network, type the name or IP address of the computer hosting the service you are enabling, and click OK.
Repeat steps 7 and 8 until all the services you want accessible to clients are enabled.
UNC Connections Are Denied Access
The Universal Naming Convention (UNC) authentication method, also called UNC Passthrough authentication, determines the credentials to be used for gaining access to a UNC share on a remote computer. Beginning with IIS 6.0, the UNC authentication looks at the request user and the credentials stored in the UNCUserName and UNCPassword properties of the metabase to determine the credentials to pass through to the computer with the UNC share, in the following way:
If UNCUserName is specified (not empty) and UNCPassword is valid, the metabase user credentials are sent as the user identity for access to the remote share. If UNCUserName is specified (not empty) and UNCPassword is not valid, a 500 Internal Server Error: Invalid Username or Password message is sent to the client.
If UNCUserName is empty, then the credentials of the request user (either an authenticated set of credentials for authenticated requests or IUSR_ computername credentials for anonymous requests) are sent as the user identity for access to the remote share.
Note
The UNCAuthenticationPassthrough metabase key is no longer used for UNC authentication.
Access Denied to Console Applications in System32 Directory
Requests that use console applications in the Windows System32 directory, such as Cmd.exe, are denied access unless the remote user making the request is an authenticated member of the Administrators group. The denial is the result of special access control lists (ACLs) on all console application programs in the Windows System32 directory to restrict access to only administrators, LocalSystem, interactive users, and services. The ACL restriction does not affect local logon users that should have access, nor does the restriction affect your own custom CGI executable programs.
Client Requests Error-out or Time-out
In IIS 6.0, settings are set to aggressive and secure defaults to minimize attacks due to time-outs and limits that were previously too generous. IIS enforces the following time-outs at the connection level:
Limits on Response Buffering: The default value for the ASPBufferingLimit metabase property is 4 MB. If ASP scripts buffer more than this, they error-out. There was no limit to buffering prior to IIS 6.0.
Limits on posts: The AspMaxRequestEntityAllowed metabase property enforces a maximum ASP post size of 204,800 bytes, with each individual field limited to 100 KB. There was no limit to posts prior to IIS 6.0.
The ServerListenTimeout metabase property no longer exists:ServerListenTimeout has been replaced by the following metabase properties:
ConnectionTimeout: This property specifies the amount of time, in seconds, the server waits before disconnecting an inactive connection.
MinFileBytesPerSec: When IIS responds to a client request, the MinFileBytesPerSec property determines the length of time the client has to receive the entire response. If the client machine takes too long to receive the entire response, the kernel-mode driver, HTTP.sys, terminates the connection according to the time-out value.
HeaderWaitTimeout: When a client connects to the Web server, the client computer is given a time limit to send in all headers for the request (demarked by a final double \r\n). If the complete header set for the request is not received within the time period indicated by HeaderWaitTimeout, HTTP.sys resets the connection. You can configure the value of HeaderWaitTimeout.
Header size limitation: By default, HTTP.sys only accepts requests where the request header is less than 16 KB. This means that if HTTP.sys does not receive the terminating <CRLF><CRLF> sequence within 16 KB, HTTP.sys considers the request malicious and terminates the connection. You can change the header size limitation by adjusting the value in the MaxRequestBytes registry key.
Miscellaneous Errors
File Requests to UNIX or Linux Server Return Wrong File or Error
If IIS must access files on a UNIX or Linux system, file name case sensitivity can be an issue unless Network File System (NFS) support is enabled in IIS.
UNIX and Linux both support mixed-case file names, and IIS fully supports requesting static files in a case-sensitive manner. An issue arises, however, when IIS makes a subsequent request for a file from its static file cache. Because all file names are converted to uppercase letters in the IIS cache, any request after the first request from the IIS static file cache might fail or return the wrong file.
To remedy this problem, disable the IIS static file cache so that all file requests are issued fresh, thereby retaining correct file name case. The static file cache can be disabled for individual virtual directories on Web sites, or globally for all sites.
Note
Changing this setting has no effect on how ASP files and templates are cached.
To disable the static file cache for a particular Web site virtual directory
- Edit the metabase and set the MD_VR_NO_CACHE property to 1.
To disable the static file cache for all sites
- Edit the registry and add the binary value DisableStaticFileCache=1 to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters key.
Cannot Locate /Scripts or /Msadc Directory
By default, the /scripts and /msadc directories in IIS 5.0 allowed scripts and executables to run. These directories were removed from IIS 6.0 because, if a malicious user gained access to one of these directories, the user could run a script or executable and potentially gain control of the Web server. If your server configuration requires a directory of this nature, you will need to create the directory and establish the appropriate NTFS permissions.
ISAPI Filter Does Not Show Up as "Loaded" in UI
In an effort to optimize resources in IIS 6.0, an ISAPI filter is not loaded until a request is made to a Web site that requires the ISAPI filter. Until this request is made, IIS Manager does not display the status of the ISAPI filter. Also, if the ISAPI filter requires the SF_NOTIFY_READ_RAW_DATA filter notification, the filter will not load while IIS is running in worker process isolation mode. Review the Application Event Log for events from W3SVC-WP to verify that the filter did not load. To remedy this problem, run IIS in IIS 5.0 isolation mode or contact the vendor of the ISAPI filter for compatibility updates.
Important Note: |
---|
If the ISAPI filter is restricted by an access control list (ACL) in such a way that the IIS worker process identity cannot load it, requests receive a 503 error. To remedy this, set the ACLs on the ISAPI filter DLL to allow access for the IIS_WPG group. |
To configure IIS for IIS 5.0 isolation mode
In IIS Manager, expand the local computer, right-click Web Sites, and then click Properties.
Click the Service tab, select the Run WWW service in IIS 5.0 isolation mode check box, and then click OK.
To start the WWW service, click Yes.