Cannot read configuration file due to insufficient permissions
I've recently encountered an error trying to host my asp.net site with IIS. I have found a solution that many swear by.
Solution: Add IIS_IUSRS with Read permission on files in the folder Change IIS authentication method to BasicAuthentication refresh the website. It will work
(http://vivekthangaswamy.blogspot.com/2009/07/aspnet-website-cannot-read.html)
What do I add to my web.config file though? I've never had to edit it before. Here is its current contents:
<?xml version="1.0"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<connectionStrings>
<add name="DefaultConnection" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Database.mdf;Integrated Security=True;User Instance=True"
providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<compilation debug="true" strict="false" explicit="true" targetFramework="4.0"/>
</system.web>
</configuration>
My error is:
Config Error: Cannot read configuration file due to insufficient permissions Config File: \?\C:\Users*****\Documents\Visual Studio2010\WebSites\PointsForTime\web.config
There is no problem with your web.config. Your web site runs under a process. In iis you can define the identity of that process. The identity that your web site's application pool runs as (Network Services, Local System, etc.), should have permission to access and read web.config file.
Update:
This updated answer is same as above, but a little longer and simpler and improved.
First of all: you don't have to change anything in your config file. It's OK. The problem is with windows file permissions.
This problems occurs because your application can not access and read web.config file.
Make the file accessible to IIS_IUSRS group. Just right click web.config and click properties, under security tab, add IIS_IUSRS.
So what is this IIS_IUSRS thing?
Your web site is like an exe file. Just like any exe file, it should be started by a user and it runs according to permissions assigned to that user.
When your site is started in IIS, Application Pool of your web site is associated with a user (Network Services, Local System, Etc. ...) (and can be changed in IIS)
So when you say IIS_IUSRS, it means any user (Network Services, Local System, Etc. ...) that your site is running as.
And as @Seph mentioned in comment below: If your computer is on a domain, remember that IIS_IUSRS group is a local group. Also make sure that when you're trying to find this user check the location it should be set to local computer and not a corporate domain.
I had what appeared to be the same permissions issue on the web.config file.
However, my problem was caused by IIS failing to load the config file because it contained URL rewrite rules and I hadn't installed the IIS URL rewrite module on the new server.
The solution was to install the rewrite module.
error: :) +1 Because of instead of requiring SSL, I rewrote the URL to HTTPS incase someobody linked without https. What a conundrum.
I had the same problem when I tried to share the site root folder with another user. Some folder lost the permission. So I followed the steps to add permission to IIS_IUSRS group as suggested by Afshin Gh. The problem is this group was not available for me. I am using windows 7.
What I did I just changed some steps:
Right click on the parent folder (who lost the permission), Properties => Security =>In "Group or user names:", Click Edit... Window "Permission for your folder" will be opened. In "Group or user names:" press ADD... btn, Type Authen and press Check Names, You will see the complete group name "Authenticated Users" Press ok => apply. This should enable privileges again.
That worked for me.
C:\ i.e. C:\Dev or C:\Code, etc. The security group Authenticated Users is granted on the C:\ and propagated to child folders. However, at the C:\Users folder, this propagation stops. So devs like myself who host their code inside the home folder have to grant access to Authenticated Users to those IIS root folders in order for IIS to work.
Editor's note: Doing what this answer suggests: "changing Identity to LocalSystem" is DANGEROUS! The LocalSystem account is a ... Completely trusted account, more so than the administrator account. There is nothing on a single box that this account cannot do, and it has the right to access the network as the machine (this requires Active Directory and granting the machine account permissions to something)
Changing the Identity from ApplicationPoolIdentity to LocalSystem did the work ;).
I am using win7 64 with IIS 7.5
more about Application Pool Identity in IIS 7.5 and win 7
https://i.stack.imgur.com/yeImw.png
Make the file accessible to the IIS_IUSRS group. Right click your web.config, expand properties, and under security tab, add IIS_IUSRS. Give the group read/write access.
When the group is NOT available, replace IIS_IUSRS by ComputerName\IIS_IUSRS
You don't have to change anything in your web.config.
The problem is file system permissions. Your file permissions do not allow the IIS_IUSRS user to access web.config (or probably any of the files). Change their file permissions in windows to allow the IIS_IUSRS account to access it.
When you grant permissions to IIS_IUSRS you should check that in the IIS/Authentication section of your Web Application, the Anonymous Authentication Credentials uses Application Pool Identity and not IUSR.
https://i.stack.imgur.com/BWPzU.png
Go to the parent folder, right-click and select Properties. Select the Security tab, edit the permissions and Add. Click on Advanced and the Find Now. Select IIS_IUSRS and click OK and OK again. Make sure you have check Write. Click OK and OK again.
Job done!
For some reason your web.config is set as read only. Uncheck the readonly option of web.config file.
I needed to add permissions to IUSR (in addition to ISS-IUSRS, as others have suggested). (See also: http://codeasp.net/blogs/raghav_khunger/microsoft-net/2099/iis-7-5-windows-7-http-error-401-3-unauthorized)
Instead of giving access to all IIS users like IIS_IUSRS you can also give access only to the Application Pool Identity using the site. This is the recommended approach by Microsoft and more information can be found here:
https://support.microsoft.com/en-za/help/4466942/understanding-identities-in-iis
https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities
Fix:
https://i.stack.imgur.com/zAHfY.png
Start by looking at Config File parameter above to determine the location that needs access. The entire publish folder in this case needs access. Right click on the folder and select properties and then the Security tab.
https://i.stack.imgur.com/UzSJh.png
Click on Edit... and then Add....
Now look at Internet Information Services (IIS) Manager and Application Pools:
https://i.stack.imgur.com/0bUx3.png
In my case my site runs under LocalTest Application Pool and then I enter the name IIS AppPool\LocalTest
https://i.stack.imgur.com/V6QPw.png
Press Check Names and the user should be found.
https://i.stack.imgur.com/xrRBE.png
Give the user the needed access (Default: Read & Execute, List folder contents and Read) and everything should work.
I used subst to create a mapping from D: to C: in order to keep the same setup as other developers in the team. This also gave me same errors as described. Removing this fixed it for me.
This happened to us when the IIS application has a Virtual Directory with a Physical Path that contains forward-slashes / instead of backslashes \. This was accidentally done using a powershell management API for IIS during our continuous delivery process.
Bad Config Example - applicationHost.config
<application path="/MySite/MyService" applicationPool="MyAppPool" enabledProtocols="http">
<virtualDirectory path="/" physicalPath="C:\inetpub\MySite/MyService" />
</application>
Make sure the physicalPath attribute does not contain forward-slashes /, only backslashes \
Corrected Config Example - applicationHost.config
<application path="/MySite/MyService" applicationPool="MyAppPool" enabledProtocols="http">
<virtualDirectory path="/" physicalPath="C:\inetpub\MySite\MyService" />
</application>
C:\inetpub\MySite\\MyService. Changing it to a single back slash worked
Changing the Process Model Identity to LocalSystem fixed this issue for me. You can find this setting if you right click on the application pool and chose "Advanced Settings". I'm running IIS 7.5.
Shift your project to some drive other than C: Worked for me with the same error.
The accepted solution didn't for me. I use a Git repo and it cloned to the following folder
c:\users\myusername\source\repos\myWebSite
I made new IIS website and pointed it at the path. Which didn't have the iis_iusrs permissions suggested in the accepted solution. When I added the permissions it still didn't work.
It only started working when I gave the following permissions to the 'Users' group and inheritance cascaded the permissions to web.config. Probably should have applied it just to the web.config to reduce attack surface area.
https://i.stack.imgur.com/sM3l8.png
All answers given are valid and working under different circumstances.
For me, restarting Visual Studio worked.
We had a website running with a specific identity in the apppool, only after giving that user read access to the folder containing the web.config would it work. We tracked this down after adding the 'everyone' user with read and everything worked fine.
For me the error turned up during Debugging on my local machine and turned out to be related to the base web.config, which is initiated by the .NET Framework when compiling the website. My C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config file had an unrecognized element (folderLevelBuildProviders). Fixing this fixed the 500.19 error.
See this: IIS Manager can't configure .NET Compilation on .NET 4 Applications
Right click Web.Config => Tab Security => Button Edit => Button Add => Button Advanced => Button Find Now = > In Search results select your group(in our case " IIS_IUSRS") => Ok => Ok=> Ok
I have solved this by adding read permission to folder for application pool user (WIN SERVER 2008 R2): C:\Windows\System32\inetsrv\config
A little background: Our server has been hacked using classical error where app user had more permissions that it should (local admin).
To fix it we created new domain user that had only permissions on application folder, with min needed rights and assigned it as application pool user. than we hit in the issue and this was solution to our problems.
This can happen if your application is in a virtual directory and the path to the files is a mapped drive.
If you change the path to the files to a local drive, this will solve it, if that indeed is your problem.
The above answers were helpful, but in case this helps anyone - I had this exact problem, and it turned out that I was (windows networking) sharing the root folder that the site was being hosted from. We killed the share, and added the Users permission to read/execute and it worked again just fine.
I suspect the share messed it up.
I was receiving the "Cannot read configuration file due to insufficient permissions" as well. Turns out the ISAPI and CGI Restrictions in IIS for both ASP.NET 4.0 32bit and 64bit was set to deny. Marking them both to Allowed fixed my problem.
Had this issue with a Virtual Application. All the permissions were set. IIS_IUSRS, AppPoolIdentity and then gave full access to Everyone. Nothing worked. Restarted apppool, site and IIS but No go.
Deleted the virtual application and added it again from scratch and it started working.
Wish I knew what solved it.
check if the file is not marked as read-only, despite of the IIS_IUSRS permission it will display the same message.
I had this error message that turned out to be due to my physical folder being located on a network drive as opposed to the local drive. It seems the permissions on such drives by default can be different. For example, while the local drive location gave permission to the users of the local computer, the network location did not.
Further, the accepted answer does not work for such a case. The local users or IIS users were not an available to assign permissions to. The solution was to move the physical folder to the local drive.
I had the same issue and after doing all the stuff written here as answers, it still reproduced. The second half of the issue was the fact that .NET was turned off under "Turn Windows features on or off"
Sometimes if it is a new server you need to configure or install ASP.NET feature on IIS for it to be able to read your web.config file.
In my case this was the reason.
In my case, I was trying to host pages from a mapped drive (subst). The issue is that the subst was run under my account and the IIS user is not able to see the same drive
Follow WeChat
Success story sharing
IIS_IUSRSand to make sure that when you're trying to find this user check the location it should be set to local computer and not a corporate domain.