
iis security : Getting access 403 access error from one computer but not from ano


ChanKaiShi
9/30/2005 1:43:01 PM
Hello,

If I access the same page located on the same server from local box and
across network I see different behaviour. Access from local computer ends up
in HTTP 200 result and across network (same subnet) ends up in 403 error.
Both requests are below. They are identical. I'm puzzled what could
potentially cause it?


Bad request
started....WWWConnect::Connect("www.unixsucks.com","80")\n
IP = "10.0.1.3:80"\n
source port: 30393\r\n
REQUEST: **************\n
GET / HTTP/1.1\r\n
Host: www.unixsucks.com\r\n
Accept: */*\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 403 Forbidden\r\n
Content-Length: 1529\r\n
Content-Type: text/html\r\n
Server: Microsoft-IIS/6.0\r\n
Date: Fri, 30 Sep 2005 20:33:48 GMT\r\n
\r\n


Good request
started....resolve hostname
"www.unixsucks.com"WWWConnect::Connect("10.0.1.3","80")\n
source port: 1566\r\n
REQUEST: **************\n
GET / HTTP/1.1\r\n
Host: www.unixsucks.com\r\n
Accept: */*\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 200 OK\r\n
Date: Fri, 30 Sep 2005 20:31:03 GMT\r\n
Server: Microsoft-IIS/6.0\r\n
X-AspNet-Version: 1.1.4322\r\n
Transfer-Encoding: chunked\r\n
Set-Cookie: UNIX_Sucks=on; expires=Sat, 28-Jan-2006 21:31:03 GMT; path=/\r\n
Cache-Control: private\r\n
Content-Type: text/html\r\n
\r\n
\r\n
David Wang [Msft]
9/30/2005 7:05:46 PM
Please report the IIS Log entry corresponding to your 403 response. It
should contain the HTTP sub-status code, which should help you diagnose why
you are getting a 403.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

ChanKaiShi
10/1/2005 7:03:03 AM
Here it is.
The only way I was able to fix it is to actually manually recreate website
(I was importing XML file before).

2005-09-30 23:55:12 W3SVC1037388655 DUALMONSTER 10.0.1.3 GET / - 80 -
10.0.1.16 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
UNIX_Sucks=on - www.unixsucks.com 403 2 5 1689 256 15

David Wang [Msft]
10/1/2005 12:09:29 PM
Then your problem is most likely with your configuration.

403 with sub-status 2 means "read access denied", which happens when the
resource is a static file that requires read access but you did not set it.
To have it happen on GET / means that you had a default document that
resolved to a static file but failed to have "Read" access flag enabled.

In your example, the successful case shows the GET / response uses
Transfer-Encoding: chunked. When IIS sends a static file it uses
Content-Length, so this means that the default document in the successful
case resolved to a Scriptmapped resource, which does NOT need the "Read"
access flag enabled (it just needs the "Script" Execution permission).

There is no way for GET / to resolve differently when accessed internally
vs externally unless we are talking about two different website bindings in
IIS, so I'm guessing that is what you have.

Thus, it is not surprising to me to see different behaviors for supposedly
the same page -- different configurations are involved -- so this means that
you do not have the configuration of one of the websites set up correctly.
You have confirmed it by saying that you "fixed" it by manually recreating
the website.

There is no apparent problem with importing from XML file since that just
brings in configuration values. You're still responsible for setting the
right configuration values to bring over...

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
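
The diagnosis in the reply above can be run directly against a W3C log. This is an added example, not part of the original thread: it decodes the 403 sub-status and reports any host and URI answered by more than one site instance. The `#Fields` order, the first (200) entry, and the function names are assumptions made for this sketch; the second entry is the one posted in the thread.

```python
from collections import defaultdict

# IIS 6.0 meanings for a few HTTP 403 sub-status codes (not the full list).
SUBSTATUS_403 = {1: "execute access forbidden", 2: "read access forbidden",
                 3: "write access forbidden", 6: "IP address rejected"}

# Constructed sample. The #Fields order is an assumption chosen to match the
# entry posted in the thread (second data line, rejoined onto one line); the
# first data line is a made-up 200 served by a different site instance.
SAMPLE_LOG = """\
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2005-09-30 20:31:03 W3SVC1 DUALMONSTER 10.0.1.3 GET / - 80 - 10.0.1.3 HTTP/1.1 - - - www.unixsucks.com 200 0 0 5120 70 31
2005-09-30 23:55:12 W3SVC1037388655 DUALMONSTER 10.0.1.3 GET / - 80 - 10.0.1.16 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) UNIX_Sucks=on - www.unixsucks.com 403 2 5 1689 256 15
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or garbled entries
                yield dict(zip(fields, values))

def explain_403(entry):
    """Return a readable reason for a 403 entry, or None for other statuses."""
    if entry["sc-status"] != "403":
        return None
    sub = int(entry["sc-substatus"])
    return f"403.{sub} {SUBSTATUS_403.get(sub, 'unlisted sub-status')}"

def sites_with_mixed_results(entries):
    """Map (host, URI) -> {site: statuses} where more than one site answered."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in entries:
        seen[(e["cs-host"], e["cs-uri-stem"])][e["s-sitename"]].add(e["sc-status"])
    return {k: {s: sorted(v) for s, v in by_site.items()}
            for k, by_site in seen.items() if len(by_site) > 1}

if __name__ == "__main__":
    entries = list(parse_w3c(SAMPLE_LOG))
    for e in entries:
        print(e["c-ip"], e["s-sitename"], explain_403(e))
    print(sites_with_mixed_results(entries))
```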