Internal Server Error Unable to Upload at This Time Cpa Site Solutions

Skip to main content

Troubleshooting Common IIS Errors

• Article
• 06/16/2017
• 16 minutes to read

In this commodity

Many of the design changes in Net Information Services (IIS) 6.0 directly accost the demand to secure the World Wide Web Publishing Service (Www service) every bit a whole, and Web and FTP sites in detail. Y'all might experience errors if you have not enabled sure features or services that are locked, or disabled, past default. This topic describes some of the symptoms of these errors and the processes to remedy them (or a link to a topic that describes how to remedy the error).

Dynamic or Static Content Errors

• Applications are denied access to resources

• Requests for dynamic content return 404 fault

• Requests for static files render 404 fault

• Worker process recycling drops application session land

• Server-side include directives (#include) render 404 error (for .stm files) or 0131 error (for .asp files)

• ASP generates Permission Denied errors in event log for global.asa

• CGI processes volition not commencement

• ASP.Cyberspace pages are returned every bit static files

• Collaboration Data Objects for Windows NT Server fail

Connectedness Errors

• Customer requests receive 503 mistake

• Anonymous accounts (IUSR_ computername) attempting sub-authentication logon receive 401 error

• Clients cannot connect to server

• UNC connections are denied access

• Access denied to console applications in System32 directory

• Customer requests fault-out or time-out

Miscellaneous Errors

• File requests to UNIX or Linux server return wrong file or error

• Cannot locate /Scripts or /Msadc directory

• ISAPI filter does not show upwardly as "loaded" in UI

Dynamic or Static Content Errors

Applications Are Denied Access to Resources

Afterwards a clean install, IIS 6.0 runs in worker procedure isolation mode. Applications running in this mode use the Network Service identity, by default. Network Service is an account with few user rights and therefore provides better security past restricting admission to resource on the Web server. If you migrate applications to IIS 6.0 while the server is in worker process isolation way, and if your applications previously ran in-process (in Inetinfo.exe) as LocalSystem, the applications may fail to access resources considering of the restrictions prepare along past the Network Service identity. The LocalSystem account has access to near all resources on the operating system, and therefore creates serious security implications. You lot should avoid using the LocalSystem account when possible. If it is absolutely necessary to employ the LocalSystem account on an application, run that application in a new awarding pool in its own virtual directory so y'all can reduce the attack surface by isolating the application. Equally an alternative, and if your application needs permission to use the Trusted Computing Base of operations (TCB), run the awarding as a configurable identity and assign the TCB permission to the configurable identity. This alternative, however, still presents a security risk because the TCB permission is very powerful.

For more data, see Configuring Worker Process Identities and IIS and Congenital-in Accounts in the Help that comes with IIS Director.

Requests for Dynamic Content Return 404 Fault

In order to take a more than proactive stance against malicious users and attackers, IIS is installed in a highly secure and locked mode. By default, IIS serves only static content - pregnant features like ASP, ASP.Internet, server-side includes, WebDAV publishing, FrontPage ? Server Extensions, and Common Gateway Interfaces - do not work unless enabled. If y'all do not enable this functionality subsequently installing IIS, by default on this deprival, IIS returns a generic 404 custom fault page to prevent disclosure of configuration information. IIS also writes the 404 mistake with the substatus code of 2 (404.2) in the W3C Extended log files, by default.

Important Notation:

You must be a fellow member of the Administrators grouping on the local calculator to perform the post-obit procedure (or procedures), or y'all must take been delegated the advisable authority. As a security all-time exercise, log on to your computer using an account that is non in the Administrators group, and then utilise Runas to open a control window from which y'all can run other programs like IIS Manager.

To open a command window under secure credentials, from a command prompt, type the following:

              Runas /user:domain_or_machine_name\administrative_account_name "cmd /k"                          

To open IIS Managing director from the secure command window, type the following:

              mmc %systemroot%\system32\inetsrv\iis.msc                          

To enable or disable a Web service extension

1. In IIS Manager, aggrandize the local computer, and then click Spider web Service Extensions.

2. In the details pane, click the Web service extension that you want to enable or disable.

3. To enable a disabled Spider web service extension, click Allow.

4. To disable an enabled Web service extension, click Prohibit.

5. Click OK.

To enable or disable Web service extensions programmatically, meet WebSvcExtRestrictionList.

Requests for Static Files Return 404 Error

For requests to static content, this version of IIS serves requests for files with known file name extensions only, a feature chosen Known Extensions. If a request is made for a resource whose file proper noun extension is not mapped to a known extension in the MimeMap belongings, IIS denies the request and logs a 404 fault with the substatus code of 3 (404.3) in the W3C Extended log files (by default). To prevent disclosure of configuration information, IIS is configured to return the generic 404 custom fault page by default on this deprival. You can add or edit the Multipurpose Internet Mail Substitution (MIME) map using IIS Managing director. To plow off the Known Extensions feature and allow IIS to serve files with any extension, add the *,application/octet-stream value to the list of MIME maps. If you update the global MIME map, you must wait until the worker process has recycled or restart the Www Publishing Service (WWW service) before changes have event. If y'all update an private Web site MIME map, the alter is reflected instantly.

For more information on calculation or editing the MIME map, come across Working with MIME Types in the Assist that comes with IIS Director.

Tools like URLScan can exist configured to block processing of sure file proper name extensions.

Notation

Check your URLScan settings.

Worker Procedure Recycling Drops Application Session State

By default, worker processes recycle after 120 minutes. If your ASP applications are non designed to shop session land while a worker process is recycled, then session land in that ASP application can exist lost. To remedy this problem, you can either store session state in a database or disable worker process recycling.

To disable worker process recycling

1. In IIS Director, expand the local computer, expand Awarding Pools, correct-click the application pool, then click Properties.

2. On the Recycling tab, articulate the Recycle worker processes (in minutes) check box.

3. Click OK.

Server-Side Include Directives (#include) Return 404 Error (for .stm Files) or 0131 Error (for .asp Files)

If your ASP page uses the #include server-side include directive and the ".." annotation to refer to a parent directory, the directive will return an error unless you have reconfigured the AspEnableParentPaths metabase property. This property is gear up to imitation by default. If fix to truthful, this property constitutes a potential security risk because an include path may access critical or sensitive data files outside the application root directory.

To enable parent paths through IIS Manager

1. In IIS Managing director, aggrandize the local calculator, right-click the starting-point directory of the awarding you lot want to configure, and and then click Properties.

2. Click the Directory tab, and then click Configuration.

3. Click the Options tab.

4. In the Application configuration department, select the Enable parent paths check box.

5. Click OK.

ASP Generates Permission Denied Errors in Event Log for Global.asa

Earlier versions of ASP executed events in the security context (or user identity) of the host process because there is no user context during these events. This acquired problems, such as access denied errors when writing to a file in the Session_OnEnd upshot. ASP, by default, now runs the global.asa events, Application_OnEnd and Session_OnEnd, anonymously (the default value is true).

To change this setting programmatically, see AspRunOnEndAnonymously.

CGI Processes Will Non Start

If your CGI processes practise not run, ensure that the CGI Spider web service extension has been enabled. See Requests for Dynamic Content Return 404 Fault in this topic. Besides, CGIs will not start unless the business relationship on which the CGI processes run are assigned certain user rights. You can add the business relationship every bit a member of the IIS_WPG grouping and assign the account the following 2 user rights:

• Conform memory quotas for a process.

• Replace a process level token.

To assign user rights to an business relationship on the local reckoner

1. From the Start carte, point to Administrative Tools, and then click Local Security Policy.

2. Aggrandize Security Settings, double-click Local Policies, and then double-click User Rights Assignment.

3. In the details pane, double-click the policy you want to change.

4. Click Add User or Grouping.

5. In the Enter the object names to select box, type the user or group proper name.

6. Click OK.

ASP.NET Pages are Returned as Static Files

If you installed IIS 6.0 without installing ASP.Cyberspace, ASP.NET files can be returned as static files. This error can also occur if you reinstalled IIS 6.0 without reregistering ASP.Internet. To learn how to remedy this mistake, see ASP.NET IIS Registration Tool in the Assist that comes with IIS Manager and use the i pick.

Collaboration Data Objects for Windows NT Server Fail

Collaboration Data Objects for Microsoft ? Windows NT ? Server (CDONTS) has been removed from the Windows Server 2003 family. If your Web applications use CDONTS, you can catechumen them to Microsoft Collaboration Data Objects (CDO). Virtually methods in CDONTS have matching methods in CDO, but might be named differently.

For reference textile for CDO in the Platform Software Programmer Kit, see Overview of CDO at MSDN Online.

Connexion Errors

Client Requests Receive 503 Fault

Check the error consequence log to make up one's mind if the 503 error was detected in HTTP.sys or in the World Wide Web Publishing Service (WWW service). If the error was detected in HTTP.sys, there may be besides many queued requests so that HTTP.sys has exceeded its awarding pool queue length limit. To remedy this problem, increase the awarding pool queue length limit. (See Configuring Awarding Pool Queue Length Limits in the Help that comes with IIS Manager.)

To change an application pool queue length limit

1. In IIS Manager, expand the local reckoner, expand the Application Pools folder, correct-click the awarding, and then click Properties.

2. Click the Performance tab.

3. In the Request queue limit section, select the Limit the kernel request queue to check box, and blazon the maximum number of queued requests.

4. Click OK.

If the 503 fault was detected in the Www service, and so the trouble may be that IIS has initiated rapid-fail protection considering also many worker processes assigned to an application pool have go unhealthy in a given period of time. To remedy this trouble, increase the number of failures or the time catamenia earlier rapid-fail protection initiates. You should test your application for retentivity leaks or other problems that may be the source of the unhealthy worker processes. (See Configuring Rapid-Fail Protection in the Assistance that comes with IIS Director.)

To configure rapid-fail protection

1. In IIS Manager, expand the local computer, aggrandize Application Pools, right-click the application puddle, then click Properties.

2. Click the Health tab.

3. In the Failures box, type the number of worker procedure failures to be detected before disabling the worker procedure.

4. In the Time period box, type the number of minutes during which failure totals are accumulated.

5. Click OK.

Anonymous Accounts (IUSR_ computername) Attempting Sub-Authentication Logon Receive 401 Error

The sub-authentication component, Iissuba.dll, is non enabled by default in IIS 6.0. In before versions, Iissuba.dll immune IIS to manage passwords on anonymous accounts, which created a potential security risk. In IIS vi.0, you can utilise sub-authentication to manage passwords for anonymous accounts past meeting the following requirements:

• For applications which y'all assign anonymous access, the worker process runs as LocalSystem.

• The sub-authentication component, Iissuba.dll, is registered.

• The AnonymousPasswordSynch metabase property is enabled (ready to truthful).

The actions taken to come across the above requirements differ between clean installs of IIS 6.0 and upgrades to IIS six.0 from installations of IIS with sub-hallmark configured.

For information on the procedures to configure sub-authentication, run into Anonymous Authentication in the Help that comes with IIS Director.

Clients Cannot Connect to Server

The Windows Server 2003 family unit provides a software-based firewall to preclude unauthorized connections to your server from remote computers. The Internet Connectedness Firewall (ICF) is disabled by default. Notwithstanding, if y'all have enabled the firewall in its default configuration after installing a member of the Windows Server 2003 family and earlier installing IIS, clients volition not be able to connect to your server. The post-obit procedure configures ICF to allow clients to initiate Web and other IIS-related connections to your server.

To configure Internet Connectedness Firewall for IIS

1. From the Start menu, click Control Panel.

2. Double-click Network Connections.

3. Right-click Local Area Connectedness, and click Backdrop.

4. Click the Advanced tab.

5. If you lot do not want to use the ICF, brand sure the Protect my computer and network by limiting or preventing admission to this computer from the Internet check box isn't available, and click OK.

6. If y'all do want to apply the ICF, brand certain the Protect my estimator and network past limiting or preventing access to this figurer from the Net check box is enabled, and click Settings.

7. On the Services tab, enable a service to which you desire to allow admission to clients.

8. In the Service Settings dialog box that appears after enabling a service, exercise one of the following:

   • If yous are enabling a service on the same computer you are working, the correct computer proper name is already filled in. Click OK.

   • If you are enabling a service on a different reckoner on your network, type the proper name or IP address of the figurer hosting the service you lot are enabling, and click OK.

9. Repeat steps vii and 8 until all the services y'all desire accessible to clients are enabled.

UNC Connections Are Denied Admission

The Universal Naming Convention (UNC) authentication method, also called UNC Passthrough authentication, determines the credentials to be used for gaining access to a UNC share on a remote reckoner. Beginning with IIS half-dozen.0, the UNC authentication looks at the request user and the credentials stored in the UNCUserName and UNCPassword properties of the metabase to determine the credentials to laissez passer through to the estimator with the UNC share, in the following way:

• If UNCUserName is specified (not empty) and UNCPassword is valid, the metabase user credentials are sent every bit the user identity for admission to the remote share. If UNCUserName is specified (not empty) and UNCPassword is non valid, a 500 Internal Server Fault: Invalid Username or Password bulletin is sent to the client.

• If UNCUserName is empty, then the credentials of the request user (either an authenticated set of credentials for authenticated requests or IUSR_ computername credentials for anonymous requests) are sent as the user identity for access to the remote share.

Note

The UNCAuthenticationPassthrough metabase key is no longer used for UNC hallmark.

Access Denied to Panel Applications in System32 Directory

Requests that apply console applications in the Windows System32 directory, such equally Cmd.exe, are denied access unless the remote user making the request is an authenticated member of the Administrators group. The denial is the result of special access control lists (ACLs) on all console application programs in the Windows System32 directory to restrict access to only administrators, LocalSystem, interactive users, and services. The ACL restriction does not impact local logon users that should have access, nor does the restriction affect your ain custom CGI executable programs.

Client Requests Mistake-out or Fourth dimension-out

In IIS half-dozen.0, settings are set to ambitious and secure defaults to minimize attacks due to time-outs and limits that were previously as well generous. IIS enforces the following fourth dimension-outs at the connection level:

• Limits on Response Buffering: The default value for the ASPBufferingLimit metabase property is 4 MB. If ASP scripts buffer more than than this, they mistake-out. In that location was no limit to buffering prior to IIS six.0.

• Limits on posts: The AspMaxRequestEntityAllowed metabase belongings enforces a maximum ASP mail service size of 204,800 bytes, with each individual field limited to 100 KB. There was no limit to posts prior to IIS half dozen.0.

• The ServerListenTimeout metabase property no longer exists:ServerListenTimeout has been replaced by the following metabase properties:

  • ConnectionTimeout: This property specifies the amount of fourth dimension, in seconds, the server waits earlier disconnecting an inactive connection.

  • MinFileBytesPerSec: When IIS responds to a client asking, the MinFileBytesPerSec holding determines the length of time the client has to receive the unabridged response. If the client machine takes likewise long to receive the entire response, the kernel-mode driver, HTTP.sys, terminates the connection according to the fourth dimension-out value.

  • HeaderWaitTimeout: When a customer connects to the Spider web server, the client computer is given a time limit to send in all headers for the request (demarked by a concluding double \r\n). If the consummate header prepare for the request is non received inside the time period indicated by HeaderWaitTimeout, HTTP.sys resets the connection. You can configure the value of HeaderWaitTimeout.

• Header size limitation: By default, HTTP.sys only accepts requests where the request header is less than 16 KB. This means that if HTTP.sys does not receive the terminating <CRLF><CRLF> sequence within 16 KB, HTTP.sys considers the request malicious and terminates the connectedness. You can change the header size limitation past adjusting the value in the MaxRequestBytes registry key.

Miscellaneous Errors

File Requests to UNIX or Linux Server Return Incorrect File or Error

If IIS must access files on a UNIX or Linux system, file name case sensitivity tin be an issue unless Network File Arrangement (NFS) back up is enabled in IIS.

UNIX and Linux both support mixed-case file names, and IIS fully supports requesting static files in a case-sensitive way. An outcome arises, however, when IIS makes a subsequent asking for a file from its static file cache. Because all file names are converted to uppercase letters in the IIS enshroud, any asking after the first asking from the IIS static file cache might fail or return the incorrect file.

To remedy this problem, disable the IIS static file cache so that all file requests are issued fresh, thereby retaining correct file proper name instance. The static file enshroud can exist disabled for individual virtual directories on Spider web sites, or globally for all sites.

Notation

Irresolute this setting has no consequence on how ASP files and templates are buried.

To disable the static file cache for a particular Web site virtual directory

• Edit the metabase and set the MD_VR_NO_CACHE property to one.

To disable the static file cache for all sites

• Edit the registry and add together the binary value DisableStaticFileCache=1 to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters fundamental.

Cannot Locate /Scripts or /Msadc Directory

By default, the /scripts and /msadc directories in IIS 5.0 allowed scripts and executables to run. These directories were removed from IIS 6.0 because, if a malicious user gained access to 1 of these directories, the user could run a script or executable and potentially gain control of the Web server. If your server configuration requires a directory of this nature, you lot volition demand to create the directory and institute the appropriate NTFS permissions.

ISAPI Filter Does Not Show Upward as "Loaded" in UI

In an effort to optimize resources in IIS half-dozen.0, an ISAPI filter is not loaded until a asking is made to a Web site that requires the ISAPI filter. Until this request is made, IIS Manager does non display the status of the ISAPI filter. Also, if the ISAPI filter requires the SF_NOTIFY_READ_RAW_DATA filter notification, the filter will not load while IIS is running in worker process isolation mode. Review the Application Outcome Log for events from W3SVC-WP to verify that the filter did not load. To remedy this problem, run IIS in IIS five.0 isolation mode or contact the vendor of the ISAPI filter for compatibility updates.

Important Note:
If the ISAPI filter is restricted by an access control list (ACL) in such a way that the IIS worker process identity cannot load it, requests receive a 503 error. To remedy this, set the ACLs on the ISAPI filter DLL to let access for the IIS_WPG group.

To configure IIS for IIS 5.0 isolation mode

1. In IIS Managing director, expand the local computer, right-click Web Sites, and then click Properties.

2. Click the Service tab, select the Run World wide web service in IIS five.0 isolation fashion check box, and then click OK.

3. To showtime the WWW service, click Yes.

dowlingrewhe1974.blogspot.com

Source: https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524996(v=vs.90)