Cannot read configuration file due to insufficient permissions

Question

I've recently encountered an error trying to host my asp.net site with IIS. I have found a solution that many swear by.

Solution:

1. Add IIS_IUSRS with Read permission on files in the folder
2. Change IIS authentication method to BasicAuthentication
3. refresh the website. It will work

(http://vivekthangaswamy.blogspot.com/2009/07/aspnet-website-cannot-read.html)

What do I add to my web.config file though? I've never had to edit it before. Here is its current contents:

<?xml version="1.0"?>
<!--
  For more information on how to configure your ASP.NET application, please visit
  http://go.microsoft.com/fwlink/?LinkId=169433
  -->
<configuration>
    <connectionStrings>
  <add name="DefaultConnection" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Database.mdf;Integrated Security=True;User Instance=True"
   providerName="System.Data.SqlClient" />
 </connectionStrings>
 <system.web>
  <compilation debug="true" strict="false" explicit="true" targetFramework="4.0"/>
    </system.web>
</configuration>

My error is:

Config Error: Cannot read configuration file due to insufficient permissions
Config File: \?\C:\Users*****\Documents\Visual Studio2010\WebSites\PointsForTime\web.config

Answer 1

There is no problem with your web.config. Your web site runs under a process. In iis you can define the identity of that process. The identity that your web site's application pool runs as (Network Services, Local System, etc.), should have permission to access and read web.config file.

Update:

This updated answer is same as above, but a little longer and simpler and improved.

First of all: you don't have to change anything in your config file. It's OK. The problem is with windows file permissions.

This problems occurs because your application can not access and read web.config file.

Make the file accessible to IIS_IUSRS group. Just right click web.config and click properties, under security tab, add IIS_IUSRS.

So what is this IIS_IUSRS thing?

Your web site is like an exe file. Just like any exe file, it should be started by a user and it runs according to permissions assigned to that user.

When your site is started in IIS, Application Pool of your web site is associated with a user (Network Services, Local System, Etc. ...) (and can be changed in IIS)

So when you say IIS_IUSRS, it means any user (Network Services, Local System, Etc. ...) that your site is running as.

And as @Seph mentioned in comment below: If your computer is on a domain, remember that IIS_IUSRS group is a local group. Also make sure that when you're trying to find this user check the location it should be set to local computer and not a corporate domain.

Answer 2

I had what appeared to be the same permissions issue on the web.config file.
However, my problem was caused by IIS failing to load the config file because it contained URL rewrite rules and I hadn't installed the IIS URL rewrite module on the new server.

Solution: Install the rewrite module.
Hope that saves somebody a few hours.

Answer 3

Editor's note: Doing what this answer says is DANGEROUS! The LocalSystem account is a ...

Completely trusted account, more so than the administrator account. There is nothing on a single box that this account cannot do, and it has the right to access the network as the machine (this requires Active Directory and granting the machine account permissions to something)

---

Changing the Identity from ApplicationPoolIdentity to LocalSystem did the work ;).

I am using win7 64 with IIS 7.5

more about Application Pool Identity in IIS 7.5 and win 7

Answer 4

I had the same problem when I tried to share the site root folder with another user. Some folder lost the permission. So I followed the steps to add permission to IIS_IUSRS group as suggested by Afshin Gh. The problem is this group was not available for me. I am using windows 7.

What I did I just changed some steps:

1. Right click on the parent folder (who lost the permission),
2. Properties => Security =>In "Group or user names:",
3. Click Edit...
4. Window "Permission for your folder" will be opened.
5. In "Group or user names:" press ADD... btn,
6. Type Authen and press Check Names,
7. You will see the complete group name "Authenticated Users"
8. Press ok => apply.
9. This should enable privileges again.

That worked for me.

Answer 5

You don't have to change anything in your web.config.

The problem is file system permissions. Your file permissions do not allow the IIS_IUSRS user to access web.config (or probably any of the files). Change their file permissions in windows to allow the IIS_IUSRS account to access it.

Answer 6

Make the file accessible to the IIS_IUSRS group. Right click your web.config, expand properties, and under security tab, add IIS_IUSRS. Give the group read/write access.

When the group is NOT available, replace IIS_IUSRS by ComputerName\IIS_IUSRS

Answer 7

When you grant permissions to IIS_IUSRS you should check that in the IIS/Authentication section of your Web Application, the Anonymous Authentication Credentials uses Application Pool Identity and not IUSR.

Answer 8

Go to the parent folder, right-click and select Properties. Select the Security tab, edit the permissions and Add. Click on Advanced and the Find Now. Select IIS_IUSRS and click OK and OK again. Make sure you have check Write. Click OK and OK again.

Job done!

Answer 9

For some reason your web.config is set as read only. Uncheck the readonly option of web.config file.

Answer 10

I needed to add permissions to IUSR (in addition to ISS-IUSRS, as others have suggested). (See also: http://codeasp.net/blogs/raghav_khunger/microsoft-net/2099/iis-7-5-windows-7-http-error-401-3-unauthorized)

Answer 11

I used subst to create a mapping from D: to C: in order to keep the same setup as other developers in the team. This also gave me same errors as described. Removing this fixed it for me.

Answer 12

The accepted solution didn't for me. I use a Git repo and it cloned to the following folder

c:\users\myusername\source\repos\myWebSite

I made new IIS website and pointed it at the path. Which didn't have the iis_iusrs permissions suggested in the accepted solution. When I added the permissions it still didn't work.

It only started working when I gave the following permissions to the 'Users' group and inheritance cascaded the permissions to web.config. Probably should have applied it just to the web.config to reduce attack surface area.

Answer 13

All answers given are valid and working under different circumstances.

For me, restarting Visual Studio worked.

Answer 14

Instead of giving access to all IIS users like IIS_IUSRS you can also give access only to the Application Pool Identity using the site. This is the recommended approach by Microsoft and more information can be found here:

https://support.microsoft.com/en-za/help/4466942/understanding-identities-in-iis

https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities

Fix:

Start by looking at Config File parameter above to determine the location that needs access. The entire publish folder in this case needs access. Right click on the folder and select properties and then the Security tab.

Click on Edit... and then Add....

Now look at Internet Information Services (IIS) Manager and Application Pools:

In my case my site runs under LocalTest Application Pool and then I enter the name IIS AppPool\LocalTest

Press Check Names and the user should be found.

Give the user the needed access (Default: Read & Execute, List folder contents and Read) and everything should work.

Answer 15

We had a website running with a specific identity in the apppool, only after giving that user read access to the folder containing the web.config would it work. We tracked this down after adding the 'everyone' user with read and everything worked fine.

Answer 16

For me the error turned up during Debugging on my local machine and turned out to be related to the base web.config, which is initiated by the .NET Framework when compiling the website. My C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config file had an unrecognized element (folderLevelBuildProviders). Fixing this fixed the 500.19 error.

See this: IIS Manager can't configure .NET Compilation on .NET 4 Applications

Answer 17

Changing the Process Model Identity to LocalSystem fixed this issue for me. You can find this setting if you right click on the application pool and chose "Advanced Settings". I'm running IIS 7.5.

Answer 18

Right click Web.Config => Tab Security => Button Edit => Button Add => Button Advanced => Button Find Now = > In Search results select your group(in our case " IIS_IUSRS") => Ok => Ok=> Ok

Answer 19

This happened to us when the IIS application has a Virtual Directory with a Physical Path that contains forward-slashes / instead of backslashes \. This was accidentally done using a powershell management API for IIS during our continuous delivery process.

Bad Config Example - applicationHost.config

<application path="/MySite/MyService" applicationPool="MyAppPool" enabledProtocols="http">
    <virtualDirectory path="/" physicalPath="C:\inetpub\MySite/MyService" />
</application>

Make sure the physicalPath attribute does not contain forward-slashes /, only backslashes \

Corrected Config Example - applicationHost.config

<application path="/MySite/MyService" applicationPool="MyAppPool" enabledProtocols="http">
    <virtualDirectory path="/" physicalPath="C:\inetpub\MySite\MyService" />
</application>

Answer 20

I have solved this by adding read permission to folder for application pool user (WIN SERVER 2008 R2): C:\Windows\System32\inetsrv\config

A little background: Our server has been hacked using classical error where app user had more permissions that it should (local admin).

To fix it we created new domain user that had only permissions on application folder, with min needed rights and assigned it as application pool user. than we hit in the issue and this was solution to our problems.

Answer 21

Shift your project to some drive other than C: Worked for me with the same error.

Answer 22

This can happen if your application is in a virtual directory and the path to the files is a mapped drive.

If you change the path to the files to a local drive, this will solve it, if that indeed is your problem.

Answer 23

I was receiving the "Cannot read configuration file due to insufficient permissions" as well. Turns out the ISAPI and CGI Restrictions in IIS for both ASP.NET 4.0 32bit and 64bit was set to deny. Marking them both to Allowed fixed my problem.

Answer 24

The above answers were helpful, but in case this helps anyone - I had this exact problem, and it turned out that I was (windows networking) sharing the root folder that the site was being hosted from. We killed the share, and added the Users permission to read/execute and it worked again just fine.

I suspect the share messed it up.

Answer 25

Had this issue with a Virtual Application. All the permissions were set. IIS_IUSRS, AppPoolIdentity and then gave full access to Everyone. Nothing worked. Restarted apppool, site and IIS but No go.

Deleted the virtual application and added it again from scratch and it started working.

Wish I knew what solved it.

Answer 26

check if the file is not marked as read-only, despite of the IIS_IUSRS permission it will display the same message.

Answer 27

I had this error message that turned out to be due to my physical folder being located on a network drive as opposed to the local drive. It seems the permissions on such drives by default can be different. For example, while the local drive location gave permission to the users of the local computer, the network location did not.

Further, the accepted answer does not work for such a case. The local users or IIS users were not an available to assign permissions to. The solution was to move the physical folder to the local drive.

Answer 28

I had the same issue and after doing all the stuff written here as answers, it still reproduced. The second half of the issue was the fact that .NET was turned off under "Turn Windows features on or off"

Answer 29

In my case, I was trying to host pages from a mapped drive (subst). The issue is that the subst was run under my account and the IIS user is not able to see the same drive

Answer 30

Sometimes if it is a new server you need to configure or install ASP.NET feature on IIS for it to be able to read your web.config file.

In my case this was the reason.

Answer 31

I gave permission and used ICACLS.exe but didn't work. Then I changed the physical path and it worked successfully.

(IIS 8.5 windows 2012 R2)

Answer 32

Certainly, this is an issue with permissions. I took following steps and it worked for me.

1. select your website or application in left corner. In most cases it would be under Default web site.
2. click on Basic settings on right corner in IIS Manager 7 or above.
3. click connect as button.
4. Use "Specific User", Click on set button.
5. Enter your username and password. like Domain\username. for me it was like ABC\rrajkumar, enter password.
6. restart IIS, browse your website. It should work now.

Answer 33

1. Go to IIS, (sites)
2. Right click on project inside the sites.enter image description here

and click on edit permission.

3. Go to security.

4. click on edit button.

5. click add button. type COMPUTER_NAME\IIS_USERS

   or

6. click advance.

7. click find now button.

   and there is option to choose. choose IIS_USERS and click ok...ok....ok .

Answer 34

I had this same issue and none of these solutions worked for me. I kept getting the same error and one about "Failed to start monitoring changes" in the event viewer.

The only thing that worked was to copy the folder and rename it back. It must have been a corrupted folder in Windows that IIS/ASP.NET could not access.

Answer 35

Make sure your web.config file is not marked Read-only

Answer 36

I had this issue running on Windows 10 with the App Pool using a microsoftaccount\email@contosa.com account (e.g., signing in to the PC with a Microsoft Account instead of local account).

Apparently on my computer something got corrupted; removing IIS and re-adding it did nothing (because it seems the IIS metabase was not removed). Deleting and recreating the app pool didn't help either.

My solution was just to create a new App Pool with the same settings but a different name. This fixed the issue for me; apparently something got corrupted with the apppool which even deleting it and re-adding it with the same name would not fix.

Answer 37

I was running a website at localhost/MyApp built and run through Visual Studio - via a Virtual Directory created by Visual Studio itself.

The "solution" for me was to delete the Virtual Directory and let Visual Studio recreate it.

Answer 38

I tried most of the previous suggestions but in vain. I can't reload the website, so I edited the .csproj file and changed the port number and it worked immediately:

 <WebProjectProperties>
      <UseIIS>True</UseIIS>
      <AutoAssignPort>True</AutoAssignPort>
      <DevelopmentServerPort>**4000**</DevelopmentServerPort>
      <DevelopmentServerVPath>/</DevelopmentServerVPath>
      <IISUrl>http://localhost:**4000**/</IISUrl>
      <NTLMAuthentication>False</NTLMAuthentication>
      <UseCustomServer>False</UseCustomServer>
      <CustomServerUrl>
      </CustomServerUrl>
      <SaveServerSettingsInUserFile>False</SaveServerSettingsInUserFile>
    </WebProjectProperties>

Editing .csproj file

Answer 39

If you are the one like me who cannot find IIS_USR to give access to the config file, just give permissions to ‘Everyone’ at the root folder

Answer 40

I set the .NET CLR version to No Managed Code and everything started to work fine.