When you try to access a web page that doesn’t exist, the browser shows the 404 HTTP status code. However, you may see 200 instead of 404 in the IIS logs.
Here is the line from my IIS logs. This is actually a failed request that displayed “404 Page not Found” error to the user.
What to do if you see 200 instead of 404 status code
The root cause, in my case, is the custom error configuration in the web.config file. I have the configuration below, which redirects users to a custom page when there is a 404 error.
Incorrect (first line) and correct (second line) status codes
Background
As mentioned in this blog post, responseMode="ExecuteURL" executes the URL given in the custom error configuration and sends that response to the user. Therefore, IIS logs 200 instead of 404. responseMode="Redirect", on the other hand, sends a 302 response with the custom error page URL to the user, and the user’s browser makes a second request to that URL.
responseMode="ExecuteURL" – path is treated as URL to execute. Response returned by executing the URL is returned to client as response. On successful child execute, client will see a 200 response. Child request will enter the pipeline in the same worker process. If this request is supposed to be executed by some other application pool, IIS core will generate 403.14. When child execute produces some other error, that error code along with child execute response is returned.
– If path starts with “http://”, exact URL specified by path is executed. Hostname has to be current hostname. Else server will produce 404.
– When path starts with “/”, it is assumed as URL for the current site and does a child execute on that.
– If path doesn’t start with “/” or “http://”, server will produce 404 when trying to execute the URL.
responseMode="Redirect" – Custom error module blindly uses the path as location header value and sends a 302 response. If path is set to “/otherpath/otherpage.htm”, this will be used as the destination and most browsers send this request back to the same host. If you set path to www.iis.net, browsers do the right thing and send the new request to www.iis.net instead.
– IIS doesn’t handle application relative paths both for “Redirect” and “ExecuteURL” as handled by Asp.Net (e.g. ~/error/404.htm).
As a generic solution, adding the line below into the custom error page should solve the issue. Make sure to change the file extension to aspx (For example: 404.aspx).
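The following 404.aspx is an added example, not the file from the original post. It assumes a web.config httpErrors entry with path="/404.aspx" and responseMode="ExecuteURL" (shown in the server-side comment). Because IIS executes the page as a child request, the page has to set the 404 status itself, otherwise the child request’s 200 is what ends up in the IIS log:

```aspx
<%@ Page Language="C#" %>
<%--
  Added example, not the original post's file. Custom 404 page for a
  web.config entry such as:
    <httpErrors errorMode="Custom">
      <remove statusCode="404" />
      <error statusCode="404" path="/404.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  With ExecuteURL, IIS runs this page as a child request and logs the
  child's status, so the page must set 404 explicitly.
--%>
<%
    // Make the child request's own status a 404, so both the client and
    // the IIS log see the failure instead of a 200.
    Response.StatusCode = 404;
    Response.StatusDescription = "Not Found";
    // Keep this body; otherwise IIS may replace the 404 response with
    // another custom error page, re-entering the httpErrors handling.
    Response.TrySkipIisCustomErrors = true;
%>
<!DOCTYPE html>
<html>
<head><title>404 - Page not found</title></head>
<body>
    <h1>Page not found</h1>
    <p>The page you requested does not exist on this server.</p>
</body>
</html>
```

After deploying the page, request a non-existent URL and confirm that the sc-status column of the IIS log now shows 404 for that request.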
IBM’s Cognos Business Intelligence software relies on IIS for front-end publishing and authentication. If you are prompted to enter your credentials to access Cognos website or administrator console, it means Windows Authentication is failing for IBM Cognos. Here is what to do in this case.
Windows Authentication prompt
Background
One of the ways to host Cognos BI is to use IIS. By configuring Windows Authentication in IIS, you can allow users to access Cognos without typing any credentials. This SSO (Single Sign-on) access requires certain steps to be followed as explained here and here.
If any of the settings are missing, you may come across an annoying prompt to enter your credentials. It quickly becomes cumbersome to enter your information every time you access the Cognos website.
Steps to follow when Windows Authentication is failing for IBM Cognos
Make sure that you review the steps in the IBM documentation to configure IIS (Links are above). In addition to the instructions, there are a few more things to check to solve this issue.
Solution 1
A common solution to this issue is adding the website’s domain name to the Intranet Zone of Internet Explorer, as pointed out in a Microsoft support document:
Internet Explorer must consider the requested URL to be on the intranet (local). If the computer name portion of the requested URL contains periods (such as http://www.microsoft.com and http://10.0.0.1), Internet Explorer assumes that the requested address exists on the Internet and does not pass any credentials automatically.
Windows Authentication is performed by using either NTLM or Kerberos (preferred). Kerberos relies on SPNs (Service Principal Names) to operate. If there are no SPNs or there are duplicate SPNs in your domain, this might be the reason why Windows Authentication is failing for IBM Cognos, as explained in this article.
Follow the steps below to find and remove duplicate SPNs:
Check current SPNs
Run this at the Command Prompt: setspn -F -q /cognosdev
If it doesn’t return any records, or if it returns duplicate records, Kerberos authentication may not work with Cognos. In this case, continue with the following steps. Otherwise, do not perform the steps below.
For example: The command may bring a result like the one below. There are duplicate records (in bold) which should be fixed.
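The PowerShell below is an added example, not part of the original post. It does the same duplicate check with the Active Directory module instead of reading setspn output by eye: it lists every object that holds an SPN for the host and flags any SPN registered on more than one object. The host name cognosdev is the post’s placeholder, and the account names in the trailing comments are assumptions:

```powershell
# Added example (not from the original post). Requires the RSAT
# ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    param(
        [Parameter(Mandatory)] [string] $HostName   # e.g. cognosdev (placeholder)
    )
    # Matches HTTP/cognosdev, HTTP/cognosdev.corp.example, HTTP/cognosdev:8080, ...
    $filter  = "(servicePrincipalName=*/$HostName*)"
    $holders = Get-ADObject -LDAPFilter $filter -Properties servicePrincipalName |
        ForEach-Object {
            $obj = $_
            $obj.servicePrincipalName |
                Where-Object { $_ -like "*/$HostName*" } |
                ForEach-Object {
                    [pscustomobject]@{ Spn = $_; Holder = $obj.DistinguishedName }
                }
        }
    # Kerberos needs exactly one holder per SPN: two holders means the KDC
    # cannot tell which account's key to use, and the client falls back to
    # NTLM or fails, which is what the credential prompt looks like.
    $holders | Group-Object Spn | ForEach-Object {
        [pscustomobject]@{
            Spn       = $_.Name
            Holders   = ($_.Group.Holder -join '; ')
            Duplicate = ($_.Count -gt 1)
        }
    }
}

$report = Find-DuplicateSpn -HostName 'cognosdev'
$report | Format-Table -AutoSize
if (-not $report) { Write-Warning 'No SPN found for this host; Kerberos cannot be used.' }

# To fix a duplicate, remove the SPN only from the account that should NOT
# own it, then make sure the application pool account has it (names assumed):
#   setspn -D HTTP/cognosdev CORP\WrongAccount
#   setspn -S HTTP/cognosdev CORP\CognosAppPoolSvc
```

The report lists the distinguished name of each holder, so you can see which account is the service’s real identity before removing anything; an empty report is the “no SPNs” case the post describes.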
After installing updates or making changes in your server, your application pools may stop working and throw “HTTP 503 The service is unavailable” error with this description: “Trying to read configuration data from file ‘\\?\<EMPTY>’, line number ‘0’“.
In the Event Viewer, you will see the event ID 2307:
The worker process for application pool X encountered an error ‘Cannot read configuration file due to insufficient permissions’ trying to read configuration data from file ‘\\?\EMPTY’, line number ‘0’. The data field contains the error code.
Solve “Trying to read configuration data from file ‘\\?\EMPTY'” error
This issue may happen because of problems that occurred during virtual directory and application pool creation. Another possible cause is missing config files that might have been removed somehow (possible suspect: antivirus).
Here are a few things to try to solve this issue:
Remove everything in C:\inetpub\temp\apppools. Restart the machine
Antivirus software may be removing the config files in the temp\apppools folder. Therefore, check antivirus software’s logs and define an exception for this folder if needed
Make sure IIS_IUSRS has Read access on application folders that are referenced by virtual folders
Check if IIS_IUSRS has access on C:\inetpub\temp folder
Check that you have enough disk space in the server
Run chkdsk in Command Prompt on the server. Afterwards, make sure to fix the issues found
IIS asks for a port range for its FTP server when working in passive mode. The question comes up at this point: Is it possible to use a single port for IIS FTP in passive mode?
The short answer is “Yes”. You can use a single port instead of a port range in your FTP configuration.
How to use a single port for IIS FTP
In order to configure IIS to use a specific port, enter the port number twice, separated by a dash (-), in the “Data Channel Port Range” field. This field is in the “FTP Firewall Support” feature. Example: 6001-6001 to use port 6001. After making this change, restart “Microsoft FTP Service” (Start > Run > services.msc).
In other words, it is technically possible to use a single port for IIS FTP. However, it is not recommended. Using a single port limits the number of “Client IP – Client Port – Server Port” combinations (Source 1, Source 2). This combination uniquely identifies the FTP session. Therefore, using a single server port results in a single combination, which means concurrent FTP requests may be rejected.
Note: If you see the “Data Channel Port Range” field grayed out, make sure to go to server-level settings to change the port range (Source).
Confirmation
To confirm that the FTP service uses only the assigned port, connect to your FTP host via an FTP client (FileZilla, SmartFTP etc.). Then check the IIS logs in c:\inetpub\logs\LogFiles\FTPSVC2.
If you are using an unsecured FTP service (plain FTP without TLS), you may see that IIS doesn’t use the port you assigned. Instead, it uses a random port number in the range from 1025 through 65535.
IIS uses the port you assigned in the “Data Channel Port Range” field only if you are using a secure FTP service. Use an SSL/TLS certificate to secure the connection.
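As an added example (not from the original post), the same change can be made and verified from PowerShell with the WebAdministration module. The settings live in the server-level system.ftpServer/firewallSupport section, and the second function also reads the site’s SSL policy, since the post notes that IIS only honours the range for secure FTP. The site name is an assumption:

```powershell
# Added example (not from the original post). Run elevated on the FTP server.
Import-Module WebAdministration

function Set-FtpDataChannelPort {
    param([Parameter(Mandatory)][int] $Port)
    # Low and high set to the same value is the "6001-6001" form from the post.
    $section = 'system.ftpServer/firewallSupport'
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $section `
        -Name 'lowDataChannelPort'  -Value $Port
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $section `
        -Name 'highDataChannelPort' -Value $Port
    # "Microsoft FTP Service" in services.msc is the ftpsvc service.
    Restart-Service -Name 'ftpsvc'
}

function Get-FtpPassiveConfig {
    param([string] $SiteName = 'Default FTP Site')   # assumed site name
    $fw  = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
               -Filter 'system.ftpServer/firewallSupport'
    $ssl = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
               -Filter "system.applicationHost/sites/site[@name='$SiteName']/ftpServer/security/ssl"
    [pscustomobject]@{
        LowPort              = $fw.lowDataChannelPort
        HighPort             = $fw.highDataChannelPort
        SinglePort           = ($fw.lowDataChannelPort -eq $fw.highDataChannelPort)
        # SslRequire on both channels is the "secure FTP" case in which the
        # configured range is actually used.
        ControlChannelPolicy = $ssl.controlChannelPolicy
        DataChannelPolicy    = $ssl.dataChannelPolicy
        RangeWillBeHonoured  = ($ssl.controlChannelPolicy -eq 'SslRequire' -and
                                $ssl.dataChannelPolicy    -eq 'SslRequire')
    }
}

Set-FtpDataChannelPort -Port 6001
Get-FtpPassiveConfig | Format-List
```

Whatever port or range you choose also has to be allowed through the host firewall for the passive data connection to succeed; the configuration change alone does not open it.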
We use hostnames such as port135.com or microsoft.com to access websites. If not specifically blocked, they can be accessed via IP addresses as well. However, there might be a time when your website is not accessible via its hostname and serves only through the IP address. In this post, we will figure out how to fix this issue.
Background
If you configure the IIS binding as “IP address: All Unassigned – Port: 8080”, it should be listening on 0.0.0.0:8080. If it listens on 127.0.0.1:8080, which is localhost, then your website will not be accessible via hostname.
Solution for the issue (Website is not accessible via hostname)
Follow the steps below to solve this issue.
Check the “listening” ports. Run netstat -a in Command Prompt. Also run netsh http show iplisten. In the output of both commands, you shouldn’t see 127.0.0.1:8080 as a LISTENING address. The screenshot below shows the ideal situation.
Remove 127.0.0.1. If you see the IP address 127.0.0.1 in the output, you will need to remove it to solve this issue. Simply run this command: netsh http delete iplisten ipaddress=127.0.0.1
Ideal output
You may need to add the IP address 0.0.0.0 manually if it doesn’t already exist as a LISTENING port (Source).
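The script below is an added example, not part of the original post. It wraps the two checks and the fix from the steps above: it reads the HTTP.SYS IP listen list, compares it with what is actually listening on the site port, and removes 127.0.0.1 when it is the only listener. Port 8080 is the post’s example; the service restart at the end is an assumption about how to apply the change:

```powershell
# Added example (not from the original post). Run in an elevated PowerShell.
function Get-HttpIpListen {
    # netsh prints a header, a dashed line, then one indented address per line.
    (netsh http show iplisten) | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^(\d{1,3}\.){3}\d{1,3}$' -or $_ -match '^[0-9a-fA-F:]+$' }
}

function Test-SiteListener {
    param([int] $Port = 8080)
    $tcp = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    $iplisten = @(Get-HttpIpListen)
    $addresses = @($tcp.LocalAddress)
    [pscustomobject]@{
        Port           = $Port
        ListeningOn    = ($addresses -join ', ')
        HttpIpListen   = ($iplisten -join ', ')
        # The failure mode from the post: only loopback is bound, so the host
        # name (which resolves to the NIC address) never reaches the site.
        LoopbackOnly   = ($addresses -contains '127.0.0.1') -and
                         ($addresses -notcontains '0.0.0.0')
        LoopbackInList = ($iplisten -contains '127.0.0.1')
    }
}

function Repair-HttpIpListen {
    netsh http delete iplisten ipaddress=127.0.0.1 | Out-Null
    # If nothing is left in the list, add 0.0.0.0 explicitly as the post suggests.
    if (-not (Get-HttpIpListen)) { netsh http add iplisten ipaddress=0.0.0.0 | Out-Null }
    # HTTP.SYS reads the listen list at start-up; restart it and bring IIS back.
    Restart-Service -Name 'HTTP' -Force
    Start-Service -Name 'W3SVC'
}

$state = Test-SiteListener -Port 8080
$state | Format-List
if ($state.LoopbackInList) { Repair-HttpIpListen; Test-SiteListener -Port 8080 | Format-List }
```

Restarting the HTTP service stops every service that depends on it (IIS, and on some servers other HTTP.SYS listeners), so schedule the repair accordingly.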
The web browser may throw 401 Unauthorized errors if the application can’t access a path that it is trying to read from or write to. In that case, you may see the “Access to the path is denied” error.
Here is the full error message:
Access to the path ‘C:\Windows\SysWOW64\inetsrv’ is denied.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Access to the path ‘C:\Windows\SysWOW64\inetsrv’ is denied.
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if the application is not impersonating. If the application is impersonating via , the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in Explorer, choose “Properties” and select the Security tab. Click “Add” to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
Root cause
As the error message states, there is an access issue with a folder. The first thing to check is the Security permissions of the folder mentioned in the error message. The application pool identity of your web application should have permission on this folder.
In my case, the error message referred to C:\Windows\SysWOW64\inetsrv folder. This is the folder IIS uses for configuration and executables. Web applications shouldn’t make any changes to this folder. Therefore, you may want to check your application code to figure out the root cause (An example scenario).
You may ask what SysWOW64 folder is for. This is a folder to handle 32-bit applications in 64-bit systems. More information: WoW64.
How to solve “Access to the path is denied” errors
Open IIS Manager
Go to “Server > Application pools”
Check the value in “Identity” column for the application pool you are using
Go to the folder above the path specified in the error message (C:\Windows\SysWOW64)
Right click and select “Properties” for the folder specified in the error message (inetsrv)
Give “Full Control” permission to the application pool identity you saw in Step 3 (In my case, I gave permission to “Network Service”)
If assigning permissions doesn’t help, I would recommend trying to enable “32-bit Applications” for the application pool. Additionally, disabling Impersonation may lead you to the solution as well.
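The PowerShell below is an added example, not code from the original post. It automates steps 1 to 6: it resolves the account that an application pool actually runs as (including the virtual IIS AppPool\name account) and grants that account rights on the folder from the error message with icacls. The pool name is an assumption; the folder is the one from the post. The post grants Full Control; the example defaults to read and execute and takes the wider right as a parameter, so the application gets only what it needs in that system folder:

```powershell
# Added example (not from the original post). Run elevated with the
# WebAdministration module available.
Import-Module WebAdministration

function Get-AppPoolAccount {
    param([Parameter(Mandatory)][string] $PoolName)
    $pool = Get-Item "IIS:\AppPools\$PoolName"
    # The "Identity" column in IIS Manager maps to these account names.
    switch ($pool.processModel.identityType) {
        'ApplicationPoolIdentity' { "IIS AppPool\$PoolName" }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'SpecificUser'            { $pool.processModel.userName }
    }
}

function Grant-FolderAccess {
    param(
        [Parameter(Mandatory)][string] $Account,
        [Parameter(Mandatory)][string] $Path,
        # R = read, RX = read and execute, M = modify, F = full control (the post's choice)
        [ValidateSet('R', 'RX', 'M', 'F')][string] $Right = 'RX'
    )
    # (OI)(CI): the ACE is inherited by files and sub-folders of $Path.
    icacls $Path /grant "${Account}:(OI)(CI)$Right" | Out-Null
    # Read the ACL back so the change is confirmed rather than assumed.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

$account = Get-AppPoolAccount -PoolName 'DefaultAppPool'   # assumed pool name
"Application pool runs as: $account"
Grant-FolderAccess -Account $account -Path 'C:\Windows\SysWOW64\inetsrv' -Right 'RX'
```

If the application still fails with read and execute, that is a useful signal in itself: a web application writing into inetsrv is the code problem the post suggests investigating, not a permissions problem.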
w3wp.exe is the executable file of the IIS worker process. It is basically a Windows process that handles requests coming to your web server. Each worker process serves one specific application pool, and each application pool creates at least one instance of w3wp.exe. In some cases, w3wp.exe may crash with the error code 0xc0000374 in Event Viewer.
What to do when w3wp.exe crashes with the exception code 0xc0000374
I would recommend running the DebugDiag tool to collect a crash dump. After collecting and analyzing the crash dump, I noticed that the root cause of the issue was a heap corruption.
If this is the issue in your case, here are a few things to try:
One of the major causes of heap corruption is an access violation error. Antivirus software may cause this. I recommend temporarily disabling any antivirus software and monitoring the system
Another major cause of heap corruption is memory leaks. A logical issue in the application itself may cause memory leaks, so it’s a good idea to do a health check of your application. If you have recently upgraded it, it is possible that the new version is causing this issue. It is very common for third-party applications to cause this issue
Make sure to keep your Windows and third-party software up-to-date
DebugDiag logs provide valuable information so that you can narrow down the issue. However, a heap corruption may need a deeper level of debugging for further analysis. You can use WinDbg to troubleshoot heap corruption issues.
If your website traffic is more than one web server can handle, it’s a good idea to scale your environment by adding new servers. IIS supports sharing the configuration and data across multiple servers. However, you may come across the “Configuration file is not well-formed XML” error in certain situations.
This error message is one of the indicators that IIS shared config environment is having difficulties obtaining and syncing the data. Another indicator is the Access to the path is denied error. The main symptom is that application pools stop after making a change to IIS configuration.
The “Configuration file is not well-formed XML” message and other related errors show up in the Event Viewer under different event IDs. Make sure to check both the System and Application logs to get a bigger picture of the issue.
Here are a few examples of this error message (event ID: error description):
15000: Unable to create log files on shared file server.
5053: The Windows Process Activation Service received a change notification, but was unable to process it correctly. The data field contains the error number.
5172: The Windows Process Activation Service encountered an error trying to read configuration data from file applicationHost.config line number 0. The error message is: ‘Cannot read configuration file’. The data field contains the error number.
30: The FTP Service encountered an error trying to read configuration data from file applicationHost.config, line number 0. The error message is: Cannot read configuration file. The problem occurred at least 1 times in the last 5 minutes. The data field contains the error number.
9006: The Application Host Helper Service encountered an error trying to process the configuration data for config history. The feature will be disabled. To resolve this issue, please confirm that the configuration file is correct, has correct attribute values for config history and recommit the changes. The feature will be enabled again if the configuration is correct. The data field contains the error number.
2307: The worker process for application pool abc.com encountered an error ‘Configuration file is not well-formed XML’ trying to read configuration data from file abc.config, line number 3. The data field contains the error code.
2297: The worker process for application pool abc.com encountered an error ‘Configuration file is not well-formed XML’ trying to read global module configuration data from file abc.config, line number 3. Worker process startup aborted.
“Cannot read configuration file” error
“Configuration file is not well-formed XML” error
Solution for “Configuration file is not well-formed XML” error
As mentioned in this article, DFS (Distributed File System) deletes the current config file and creates a new one when there is a change in the IIS shared configuration environment. During this deletion/creation process, it is possible that a member server fetches an incomplete config file.
Solution 1
Change the value of the ConfigPollMilliSeconds parameter to 600000. This will tell IIS not to rely on file system change notifications and automatically check the last modified date of the configuration file every 600000 milliseconds (10 minutes).
The default value for this registry key is 0. When this value is set to 0, the ConfigPollMilliSeconds parameter is disabled. The configuration system relies on change notifications to track changes to configuration files. A positive value for this key indicates that the configuration system checks the last modified time of the configuration file for every N milliseconds. The configuration system does not use the directory monitors.
The registry key: HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ConfigPollMilliSeconds (REG_DWORD)
ConfigPollMilliSeconds registry key
Make sure to restart the server after changing the value of this registry key.
Solution 2
If the first solution doesn’t work, you may want to try enabling Offline Files for the shared folder. The instructions are below. If it is a production environment, make sure to implement this change outside business hours and monitor the system for a while to confirm that changes are synced and websites are served successfully
On the Web server, in Control Panel, open “Offline Files”
In the Offline Files dialog box, click “Enable Offline Files”. Do not reboot the machine yet
Ensure that the cache is set to read only by running the following command in Command Prompt: REG ADD "HKLM\System\CurrentControlSet\Services\CSC\Parameters" /v ReadOnlyCache /t REG_DWORD /d 1 /f
Restart the web server
Go to the file share folder from web server. Right click and select “Always Available Offline”
Go to “Control Panel > Offline Files”. Select “Schedule” option
Schedule offline file sync
Also, try…
I would recommend backing up the content of the temporary application pool folder (C:\inetpub\temp\apppools\) and then emptying it. IIS may have already stored the corrupted config files before you made the change in registry. Restart application pool(s) after removing the content of this folder.
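The script below is an added example, not from either original post. It serves both the “\\?\EMPTY” checklist earlier on this page (IIS_IUSRS access on C:\inetpub\temp, free disk space, clearing C:\inetpub\temp\apppools) and the two actions of this post (the ConfigPollMilliSeconds registry value and a backed-up reset of the app-pool temp folder). The paths are the ones the posts name; the 2 GB free-space threshold and the backup folder name are assumptions:

```powershell
# Added example (not from the original posts). Run in an elevated PowerShell
# on the web server.
Import-Module WebAdministration

function Test-IisTempAccess {
    param([string] $Path = 'C:\inetpub\temp')
    $needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $rule = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -like '*\IIS_IUSRS' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $needed) -eq $needed)
    }
    [pscustomobject]@{ Path = $Path; IisUsersCanRead = [bool]$rule }
}

function Test-FreeSpace {
    param([string] $DriveLetter = 'C', [int] $MinimumGB = 2)   # threshold assumed
    $vol = Get-Volume -DriveLetter $DriveLetter
    [pscustomobject]@{
        Drive  = $DriveLetter
        FreeGB = [math]::Round($vol.SizeRemaining / 1GB, 1)
        Ok     = ($vol.SizeRemaining -ge $MinimumGB * 1GB)
    }
}

function Set-ConfigPollInterval {
    # 600000 ms (10 minutes) is the value the post uses; 0 restores change notifications.
    param([int] $Milliseconds = 600000)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'
    New-ItemProperty -Path $key -Name 'ConfigPollMilliSeconds' -PropertyType DWord `
        -Value $Milliseconds -Force | Out-Null
    # Read it back; the change takes effect after the server is restarted.
    Get-ItemProperty -Path $key -Name 'ConfigPollMilliSeconds' |
        Select-Object ConfigPollMilliSeconds
}

function Reset-AppPoolTemp {
    param(
        [string] $Path   = 'C:\inetpub\temp\apppools',
        [string] $Backup = "C:\inetpub\temp\apppools-backup-$(Get-Date -Format yyyyMMdd-HHmmss)"
    )
    # Keep a copy first: the per-pool .config files here are the ones IIS could not read.
    Copy-Item -Path $Path -Destination $Backup -Recurse -Force
    Get-ChildItem -Path $Path -Force | Remove-Item -Recurse -Force
    # IIS regenerates one file per pool as each pool (re)starts.
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        if ($_.state -eq 'Started') { Restart-WebAppPool -Name $_.Name }
        else                        { Start-WebAppPool   -Name $_.Name }
    }
    [pscustomobject]@{ Cleared = $Path; BackupAt = $Backup }
}

Test-IisTempAccess
Test-FreeSpace
# Uncomment to apply the changes described in the post:
# Set-ConfigPollInterval
# Reset-AppPoolTemp
```

The two Test functions are safe to run at any time; the two Set/Reset functions change server state, which is why they are left commented out for a deliberate run.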
Windows updates may cause the “Configuration file is not well-formed XML” error as well. Check the latest updates you have installed and uninstall them to test whether the issue is related to these updates. Here is a way to list Windows updates: How to list all Windows updates easily
Microsoft IIS (Internet Information Server) uses worker processes to handle requests coming from clients. A worker process is actually an instance of the w3wp.exe file. If w3wp.exe crashes, it means your users won’t get service for a short time until the process starts up again. Exception codes 0xc0000005 and 0xe0434352 are among the most common causes of w3wp.exe crashes. Let’s see what you can do if you see these exception codes in Event Viewer.
Here are the exception descriptions from Event Viewer. Pay attention to the “Faulting module name” values. It may point out the root cause right away.
Event ID: 4096
An unhandled win32 exception occurred in w3wp.exe [3080]. Just-In-Time debugging this exception failed with the following error: Debugger could not be started because no user is logged on.
Check the documentation index for ‘Just-in-time debugging, errors’ for more information.
Event ID: 1000
Faulting application name: w3wp.exe, version: 10.0.14393.0, time stamp: 0x57899b8a
Faulting module name: KERNELBASE.dll, version: 10.0.14393.2608, time stamp: 0x5bd1340d
Exception code: 0xe0434352
Event ID: 1000
Faulting application name: w3wp.exe, version: 10.0.14393.0, time stamp: 0x57899b8a
Faulting module name: OraOps12.dll, version: 2.121.1.0, time stamp: 0x52002676
Exception code: 0xc0000005
Solution for 0xc0000005 and 0xe0434352 exceptions
Looking at the logs above, we see two exception codes which give clues about the root cause:
Exception code 0xc0000005: This error code translates into ERROR_ACCESS_DENIED (Source).
The main suspect is the file permissions. Make sure the application pool identity of your application pool has read and write permissions on the website’s folder (Related topic 1, related topic 2).
Another suspect is antivirus software. Check the antivirus logs to see if there is any record indicating a file access block. Try temporarily disabling any antivirus software and monitor the system. Additionally, HIPS (host intrusion prevention system) may cause this error as well.
Look for clues based on the faulting module name. In my case, it is OraOps12.dll which is a part of Oracle Data Access Components (ODAC). Upgrading or repairing the corresponding module may fix the issue.
Exception code 0xe0434352: CLR (Common Language Runtime) uses this generic exception code when there is an internal issue in the application. When the application throws System.NullReferenceException or System.ArgumentException error, CLR records exception code 0xe0434352 in the background.
It is not straightforward to solve these kinds of issues because the root cause is not clear. I would recommend debugging the application in Visual Studio to get more details about the issue. If you don’t have access to the source code, you can use DebugDiag or WinDbg for further analysis (A related topic).
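As an added example (not from the original post), the script below pulls the Event ID 1000 crash records for w3wp.exe from the Application log and extracts the faulting module and exception code, attaching the first-line hint the post gives for each code. The sample message is constructed from the event text quoted above; the seven-day window is an assumption:

```powershell
# Added example (not from the original post).
function ConvertFrom-CrashMessage {
    param([Parameter(Mandatory)][string] $Message)
    $app  = [regex]::Match($Message, 'Faulting application name:\s*([^,]+)').Groups[1].Value
    $mod  = [regex]::Match($Message, 'Faulting module name:\s*([^,]+)').Groups[1].Value
    $code = [regex]::Match($Message, 'Exception code:\s*(0x[0-9a-fA-F]+)').Groups[1].Value
    # First things to look at for each code, following the post's guidance.
    $hint = switch ($code.ToLower()) {
        '0xc0000005' { 'Check app pool identity ACLs, antivirus/HIPS logs, and the faulting module version' }
        '0xe0434352' { 'Managed (CLR) exception: debug the application, or analyse a dump with DebugDiag/WinDbg' }
        '0xc0000374' { 'Heap corruption: collect a crash dump with DebugDiag' }
        default      { 'Start from the faulting module' }
    }
    [pscustomobject]@{ Application = $app; Module = $mod; ExceptionCode = $code; Hint = $hint }
}

function Get-W3wpCrashes {
    param([int] $Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Faulting application name:\s*w3wp\.exe' } |
        ForEach-Object {
            ConvertFrom-CrashMessage -Message $_.Message |
                Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru
        }
}

# Constructed sample, copied from the event text quoted in the post:
$sample = @"
Faulting application name: w3wp.exe, version: 10.0.14393.0, time stamp: 0x57899b8a
Faulting module name: OraOps12.dll, version: 2.121.1.0, time stamp: 0x52002676
Exception code: 0xc0000005
"@
ConvertFrom-CrashMessage -Message $sample | Format-List

# Live events from the last week, grouped so a recurring module stands out:
Get-W3wpCrashes | Group-Object Module, ExceptionCode |
    Select-Object Count, Name | Sort-Object Count -Descending
```

Grouping by module and code turns a noisy log into a short list; one module with dozens of 0xc0000005 entries points at that component (the post’s OraOps12.dll case), while a spread of 0xe0434352 entries across the stack points back at the application code.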
Users and servers communicate via unencrypted messages unless the website owners use SSL certificates. A valid SSL certificate ensures that communication is secure, so someone who intercepts packets on the network cannot read the data. Certificates are useful and easy to configure most of the time. However, in some cases, the connection may become unprotected and you may see the error message ERROR_INTERNET_SEC_CERT_REVOKED or ERR_CERT_REVOKED.
I came across “certificate has been revoked” message in a website hosted at GoDaddy. Everything was fine and SSL certificate was valid. One day, I visited the site and saw this annoying warning page in Chrome and Edge.
ERROR_INTERNET_SEC_CERT_REVOKED in Microsoft Edge
Here is the full error message Microsoft Edge browser displays when the website has a revoked certificate:
This site is not secure
This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.
This website’s security certificate has been revoked, so you can’t go there at this time.
Error Code: ERROR_INTERNET_SEC_CERT_REVOKED
ERR_CERT_REVOKED error in Google Chrome
Chrome displays a slightly different error message, but it mentions the same problem: a revoked certificate.
Your connection is not private
Attackers might be trying to steal your information from domain.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_REVOKED
Internet Explorer and Mozilla Firefox show similar warning pages as well. Let’s see why this issue happens and how to fix it.
The root cause of the “certificate has been revoked” error
When a browser accesses a website that uses an SSL certificate, it needs to check whether the certificate is valid. There are two ways of checking the validity of an SSL certificate:
Using Certificate Revocation Lists (CRLs). The browser downloads a list of all the certificates that were revoked. If the website you are visiting is in this list, you receive a warning.
Querying by using the Online Certificate Status Protocol (OCSP). The browser queries the status of the certificate of the website you visit. It is faster and more popular, and many browsers give this method priority.
If the website’s certificate appears in a CRL, or an OCSP query returns an “invalid” response, then the browser displays the ERROR_INTERNET_SEC_CERT_REVOKED or ERR_CERT_REVOKED message. This doesn’t always mean that the certificate is revoked. The reason might be a network or DNS issue that is preventing your computer from reaching the CRL or OCSP providers.
How to fix revoked certificate issues on client side?
You can explicitly configure your browser not to check certificate revocation. This solves the issue on that client but, as you can guess, the issue will remain for other clients.
In order to disable certificate revocation check for Internet Explorer, follow the steps below.
Open Internet Explorer
In the Tools menu, select Internet Options
Go to the Advanced tab. Scroll down to the Security section
Uncheck Check for server certificate revocation option
Click OK
For other browsers, there are similar settings. For example, in Firefox, you can control whether OCSP is used to check the revocation status of certificates.
OCSP setting in Firefox
After changing these settings, remove the CRL and OCSP caches by running the commands below in the Command Prompt (Source):
How to fix revoked certificate issues on server side?
The best approach is to fix certificate revocation issues on your server or at your hosting provider. Start by making sure the certificate is valid. SSL Checker is one of the popular tools to view SSL certificate details.
Compare the certificate serial number and expiration date with the data of the certificate you installed in your web server or hosting control panel. In many cases, I saw that the server uses an old or invalid certificate.
If you are working with a hosting provider, it is possible that you didn’t install the certificate for that particular website. Even if you have a UCC certificate that covers your entire hosting plan, you may still need to install SSL certificate for each of the websites you want to protect. If you are working with GoDaddy, use this article to do this installation.
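The PowerShell below is an added example, not part of the original post. It performs the server-side check described above from the command line: it fetches the certificate a host actually serves, builds the chain with online revocation checking, and separates “revoked” from “revocation status could not be obtained”, which is the CRL/OCSP reachability case the post says produces the same browser error. It then compares the served serial number with the certificates installed in the machine store, the comparison the post recommends. The host name www.example.com is a placeholder:

```powershell
# Added example (not from the original post). Works in Windows PowerShell 5.1.
function Get-ServedCertificate {
    param([Parameter(Mandatory)][string] $HostName, [int] $Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake; validation is done
        # explicitly below so that the chain status can be inspected.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Test-CertificateRevocation {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($Certificate)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    [pscustomobject]@{
        Subject           = $Certificate.Subject
        Serial            = $Certificate.SerialNumber
        NotAfter          = $Certificate.NotAfter
        ChainValid        = $valid
        # A real revocation: fix by installing a valid certificate.
        Revoked           = ($flags -contains 'Revoked')
        # The CRL/OCSP endpoint could not be reached: a network/DNS problem,
        # not a revoked certificate, even though browsers show the same error.
        RevocationUnknown = ($flags -contains 'RevocationStatusUnknown') -or
                            ($flags -contains 'OfflineRevocation')
        Details           = (@($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
}

function Compare-InstalledCertificate {
    param([Parameter(Mandatory)][string] $Serial)
    # Is the certificate the server sends the one installed in the machine store?
    $match = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $Serial }
    [pscustomobject]@{ Serial = $Serial; InstalledLocally = [bool]$match; Thumbprint = $match.Thumbprint }
}

$cert   = Get-ServedCertificate -HostName 'www.example.com'   # placeholder host
$result = Test-CertificateRevocation -Certificate $cert
$result | Format-List
# Run on the web server itself to check that the served serial matches an installed one:
Compare-InstalledCertificate -Serial $result.Serial
```

Run the first two functions from a client machine as well as from the server: if the server reports Revoked=False but the client reports RevocationUnknown=True, the client cannot reach the CRL or OCSP endpoint and the fix is on the network path, not on the certificate.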
HTTP status and sub-status codes provide valuable information about the issues users come across. One of the code pairs is 500.19 which means “Configuration data is invalid“. However, IIS may show this pair incorrectly if a user drops connection before the browser loads the website completely.
The error message from the Failed Request Tracing log is below. Please note that this error appears during the execution of the Dynamic Compression module.
HttpStatus: 500
HttpReason: Internal Server Error
HttpSubStatus: 19
ErrorCode: An operation was attempted on a non existent network connection (0x800704cd)
Error log when the client drops connection
Steps to reproduce this issue:
The client goes to the URL
The page starts loading
The client drops the connection before the page is fully loaded (disconnects the wireless or turn off the device)
What happens if the user drops connection?
The expected behavior is for IIS to log one of these code pairs: 200.0.995, 200.0.64, 206.0.995 or 206.0.64 (the last part of each code is sc_win32_status, which is 64 or 995 in these pairs). However, in this case, IIS logs 500.19.64, as the record below shows clearly:
In the record above, the size of the data loaded is 678298 bytes. The page size is about 1 MB. It means that the user dropped the connection after the browser loaded about 70% of the data.
In addition to the IIS logs, it is a good idea to check the HTTPERR logs as well; this is where IIS (HTTP.SYS) records kernel-mode activity. In this case, the HTTPERR file shows “Connection_Dropped”. However, this could be misleading, because if there is a record in the IIS logs, HTTPERR should have a record for that request. Pay extra attention to whether the timestamp matches the date/time of the issue. Read the next section for details.
A brief aside before going forward with the issue details and the solution. There is a very similar scenario to the issue I mentioned above (the client drops the connection while the page is loading), and Microsoft has documented this scenario well.
When a client drops the connection before getting the full response, the connection is called a “zombie connection”. IIS (more specifically, HTTP.SYS) doesn’t drop these connections right away; it waits for the timeout value (120 seconds by default) and, if the response is still not completed, drops the connection. In this case, it is expected to see a 500 error along with 64 in the sc_win32_status column.
The Http.sys driver adds the “zombie connection” to a list. Because the original connection object is still available, the original connection object information can be included in the logging information when the request is completed. If the response is completed before the time-out value that is used by the Http.sys driver is reached, no information is logged in the Httperr.log file. Instead, the status code is logged in the IIS log. For example, an “HTTP 200-OK” status code is logged in the IIS log when the request succeeds.
The root cause is a bug in the Dynamic Compression module: it returns a 500 error for any failure. I am hoping that a patch is developed to address this issue soon.
If the incorrect logs are causing serious issues, you can disable Dynamic Compression so that IIS logs accurate error codes. However, please note that disabling Dynamic Compression increases the bandwidth usage and response times.
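The script below is an added example, not from the original post. It parses W3C-format IIS logs, picks out the requests whose sc-win32-status is 64 or 995 (the client dropped the connection) and shows how many bytes were sent, so that 500.19.64 records produced by the Dynamic Compression behaviour described above can be separated from real configuration errors before anyone starts editing web.config. The log lines are constructed for the example; the byte count follows the post (678298 bytes of a roughly 1 MB page):

```powershell
# Added example (not from the original post).
function ConvertFrom-IisW3cLog {
    param([Parameter(Mandatory)][string[]] $Lines)
    $fields = @()
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        # The #Fields: directive names the columns; it can repeat when IIS restarts.
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $line) { continue }
        $values = $line -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Get-DroppedConnections {
    param([Parameter(Mandatory)][object[]] $Records, [int] $ExpectedSizeBytes = 1MB)
    $Records | Where-Object { $_.'sc-win32-status' -in @('64', '995') } | ForEach-Object {
        $sent = [int]$_.'sc-bytes'
        [pscustomobject]@{
            Time        = "$($_.date) $($_.time)"
            ClientIp    = $_.'c-ip'
            Uri         = $_.'cs-uri-stem'
            Status      = "$($_.'sc-status').$($_.'sc-substatus').$($_.'sc-win32-status')"
            BytesSent   = $sent
            PercentSent = [math]::Round(100 * $sent / $ExpectedSizeBytes)
            # 500.19 with win32 status 64/995 is the misleading pair from the post,
            # not "configuration data is invalid".
            LikelyDroppedNot500 = ($_.'sc-status' -eq '500' -and $_.'sc-substatus' -eq '19')
        }
    }
}

# Constructed sample log in the default IIS W3C field layout:
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2019-01-10 08:15:02 10.0.0.5 GET /reports/big.aspx - 80 - 10.0.0.77 Mozilla/5.0 www.example.com 500 19 64 678298 412 3120
2019-01-10 08:15:09 10.0.0.5 GET /index.html - 80 - 10.0.0.78 Mozilla/5.0 www.example.com 200 0 0 5120 301 15
2019-01-10 08:16:30 10.0.0.5 GET /reports/big.aspx - 80 - 10.0.0.79 Mozilla/5.0 www.example.com 200 0 995 102400 412 1200
'@ -split "`n"

$records = ConvertFrom-IisW3cLog -Lines $sampleLog
Get-DroppedConnections -Records $records | Format-Table -AutoSize

# For a real log file (path assumed):
# $records = ConvertFrom-IisW3cLog -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex190110.log')
```

Running this over a day of logs answers the practical question from the post: whether the 500.19 entries cluster around large responses with win32 status 64/995 (dropped connections) or appear on every request regardless of size (a genuine configuration problem).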
Users can upload and download files by using FTP (File Transfer Protocol) clients such as FileZilla or WinSCP. These clients connect to an FTP server hosted by IIS (Internet Information Server) or other web server technologies. In most cases, it is easy to set up and maintain an FTP server. However, you may run into issues like “530 User cannot log in, home directory inaccessible” error while trying to connect your FTP server. In this post, I will explain how to solve this issue in IIS.
No matter if you are using anonymous access or basic authentication, you may come across this error message. Here is the full connection log from FileZilla:
Connecting to 192.168.83.82:21…
Connection established, waiting for welcome message…
Insecure server, it does not support FTP over TLS.
USER anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
PASS *
530 User cannot log in, home directory inaccessible.
Critical error: Could not connect to server
530 error message in FileZilla
This issue may appear as “Failed to retrieve directory listing” or “Home directory inaccessible” error as well.
Depending on the FTP client, you may not see the detailed error message right away. For instance, when I tried to connect to the same site with the same configuration by using WinSCP, I received “Access Denied” error. If your FTP client doesn’t show the entire connection history, look for the log folder to get more information about the root cause.
Root causes and solutions for “530 User cannot log in, home directory inaccessible” error
There might be a few reasons for running into this error. Here are the most common root causes and their solutions:
The user is not able to access the home directory. This is by far the most common root cause of the “home directory inaccessible” error. Go to “IIS > FTP site > FTP User Isolation”. Make sure to select the directory that your users can access. If you are not sure what to select, select “FTP root directory”. More information: User Isolation Settings.
User Isolation settings in IIS
IIS is not configured to support passive mode FTP. There are two types of FTP connections: active mode and passive mode. In active mode, the client opens a port and the server connects to this port to transfer data. In passive mode, the server opens a port and the client connects to this port to transfer data (More information: Active and Passive FTP). In order to configure IIS to support passive mode, enter a port range and the external IP address on the “IIS > Server name > FTP Firewall Support” page (More information: Using a single port for IIS FTP in passive mode).
Configuration to support FTP passive mode in IIS
Note: If you don’t want to turn on passive mode in IIS, you can force your FTP client to use only the active mode. In order to do this, go to “Edit > Settings > FTP” and choose “Active” in FileZilla.
Less common reasons for 530 error and how to fix them
The items below may cause “530 User cannot log in, home directory inaccessible” as well.
Authorization rules. Make sure to have an Authorization rule that allows the user or anonymous access. Check “IIS > FTP site > FTP Authorization Rules” page to allow or deny access for certain or all users.
NTFS permissions. The FTP users (local or domain users) should have permissions on the physical folder. Right-click the folder and go to Properties. In the Security tab, make sure the user has the required permissions. You can ignore the Shared tab; it is not used for FTP access. A related post: Combining AD permissions with FTP.
Locked account. If your local or domain account is locked or expired, you may end up seeing the “User cannot log in” error. Check the local user properties or the Active Directory user settings to make sure the user account is active. A related topic: Microsoft Support.
Other permission issues. The user account may not have “Log on locally” or “Allow only anonymous connections security” rights. More information: Microsoft Support.
Still having the issue?
It’s time to dive deep. Check the IIS logs, but don’t let them mislead you: IIS logs sometimes show PASS, and that doesn’t mean everything is well. It’s better to check the FTP logs that IIS records for FTP connections. They are located in c:\inetpub\logs\LogFiles\FTPSVC2
FTP logs recorded by IIS
In FTP logs, you will see a status and sub-status code. Here is a list of the most common FTP status codes:
4xx – Transient Negative Completion Reply. The command was not successful, but the error is temporary. If the client retries the command, it may succeed.
421 – Service not available, closing control connection. This may be a reply to any command if the service knows it must shut down.
425 – Cannot open data connection.
426 – Connection closed; transfer aborted.
431 – Need some unavailable resource to process security.
450 – Requested file action not taken. File unavailable (e.g., file busy).
451 – Requested action aborted. Local error in processing.
452 – Requested action not taken. Insufficient storage space in system.
5xx – Permanent Negative Completion Reply. The command was not successful, and the error is permanent. If the client retries the command, it receives the same error.
500 – Syntax error, command unrecognized. This may include errors such as command line too long.
501 – Syntax error in parameters or arguments.
502 – Command not implemented.
503 – Bad sequence of commands.
504 – Command not implemented for that parameter.
521 – Data connection cannot be opened with this PROT setting.
522 – Server does not support the requested network protocol.
530 – Not logged in.
532 – Need account for storing files.
533 – Command protection level denied for policy reasons.
534 – Request denied for policy reasons.
535 – Failed security check (hash, sequence, and so on).
536 – Requested PROT level not supported by mechanism.
537 – Command protection level not supported by security mechanism.
550 – Requested action not taken. File unavailable (for example, file not found, or no access).
551 – Requested action aborted: Page type unknown.
552 – Requested file action aborted. Exceeded storage allocation (for current directory or dataset).
553 – Requested action not taken. File name not allowed.
HTTP/2 protocol improves the performance and security of today’s digital world. It consists of several frames to carry requests between clients and servers. One of these frames is SETTINGS frame which may be used by attackers to increase CPU usage to 100% in IIS and eventually make the server unresponsive (Denial of Service – DoS).
In this post, we will discuss the root cause and the solution for this bug.
What is HTTP/2 SETTINGS frame?
It is an HTTP/2 frame that carries 6 parameters used to manage communication between peers. Here is how the IETF HTTP Working Group explains the usage of this frame:
The SETTINGS frame (type=0x4) conveys configuration parameters that affect how endpoints communicate, such as preferences and constraints on peer behavior. The SETTINGS frame is also used to acknowledge the receipt of those parameters.
HTTP/2 SETTINGS frame (Source: IETF HTTP Working Group)
SETTINGS frame has the following parameters:
SETTINGS_HEADER_TABLE_SIZE: The maximum size of the header compression table used to decode header blocks
SETTINGS_ENABLE_PUSH: It can be used to disable server push
SETTINGS_MAX_CONCURRENT_STREAMS: The maximum number of concurrent streams that the sender will allow
SETTINGS_INITIAL_WINDOW_SIZE: The sender’s initial window size for stream-level flow control
SETTINGS_MAX_FRAME_SIZE: The size of the largest frame payload that the sender is willing to receive
SETTINGS_MAX_HEADER_LIST_SIZE: The maximum size of header list that the sender is prepared to accept
SETTINGS frame vulnerability
HTTP/2 protocol allows a client to specify any number of SETTINGS frames with any number of SETTINGS parameters. While IIS works on the request, it may cause high CPU load if there are too many frames and parameters to process.
Fortunately, Microsoft took action quickly to address this vulnerability before it was widely leveraged by attackers.
Other factors such as using instances that are not thread-safe in your code may cause high CPU load as well. Check out this post for the root cause and solution: High CPU load in IIS web server caused by HttpClient
Solution for SETTINGS frame bug
Microsoft released a security update to fix this bug. The update provides two registry keys that control the maximum number of settings that can be transferred in a frame and the maximum number of settings that can be transferred per minute. After installing the update, you should set these registry keys to values suited to your environment.
Make sure to restart your server after setting values to these keys. For more information, check out Microsoft Support page.
I recommend setting both of them to 256 but these values are highly dependent on the individual environment. There is currently no official formula to calculate optimum values.
Unfortunately, there are also no performance counters to monitor the count of SETTINGS frames and parameters. Therefore, you may need to dig into the HttpQueryServiceConfiguration() API or a netsh helper to develop a script for monitoring these values.
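To show what the two limits from the update actually guard against, here is an added example (not code from this post, and not how http.sys implements it) that decodes a SETTINGS frame and enforces a per-frame limit and a per-minute limit, using 256 for both as recommended above. The frame layout and the six parameter identifiers come from RFC 7540; the sample frames, the 60-second sliding window and the `clock` parameter are constructed for this example.

```python
import struct
import time
from collections import deque

FRAME_HEADER_LEN = 9      # 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id
SETTINGS_FRAME_TYPE = 0x4
SETTINGS_ACK_FLAG = 0x1
SETTING_ENTRY_LEN = 6     # 16-bit identifier + 32-bit value per setting

# The six parameters named in the post (identifiers from RFC 7540, section 6.5.2).
SETTING_NAMES = {
    0x1: "SETTINGS_HEADER_TABLE_SIZE",
    0x2: "SETTINGS_ENABLE_PUSH",
    0x3: "SETTINGS_MAX_CONCURRENT_STREAMS",
    0x4: "SETTINGS_INITIAL_WINDOW_SIZE",
    0x5: "SETTINGS_MAX_FRAME_SIZE",
    0x6: "SETTINGS_MAX_HEADER_LIST_SIZE",
}


class SettingsPolicyError(Exception):
    """A SETTINGS frame exceeded one of the server's processing limits."""


def build_settings_frame(settings, ack=False):
    """Encode a SETTINGS frame; used here only to construct sample input for the checks below."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in settings)
    flags = SETTINGS_ACK_FLAG if ack else 0
    header = struct.pack("!I", len(payload))[1:] + bytes([SETTINGS_FRAME_TYPE, flags]) + struct.pack("!I", 0)
    return header + payload


def decode_settings_frame(frame, max_settings_per_frame):
    """Validate and decode one SETTINGS frame, applying the per-frame limit before any per-entry work."""
    if len(frame) < FRAME_HEADER_LEN:
        raise ValueError("truncated frame header")
    length = int.from_bytes(frame[0:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = struct.unpack("!I", frame[5:9])[0] & 0x7FFFFFFF
    if ftype != SETTINGS_FRAME_TYPE:
        raise ValueError(f"not a SETTINGS frame (type={ftype:#x})")
    if stream_id != 0:
        raise ValueError("SETTINGS must be sent on stream 0")               # PROTOCOL_ERROR in RFC 7540
    if length % SETTING_ENTRY_LEN:
        raise ValueError("SETTINGS payload must be a multiple of 6 bytes")  # FRAME_SIZE_ERROR
    if flags & SETTINGS_ACK_FLAG:
        if length:
            raise ValueError("SETTINGS ACK must carry no payload")
        return {"ack": True, "settings": []}
    payload = frame[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated SETTINGS payload")
    count = length // SETTING_ENTRY_LEN
    # The count is known from the header alone, so the frame is rejected before the
    # cost of processing grows with whatever the client chose to send.
    if count > max_settings_per_frame:
        raise SettingsPolicyError(f"{count} settings in one frame, limit is {max_settings_per_frame}")
    settings = []
    for i in range(count):
        ident, value = struct.unpack_from("!HI", payload, i * SETTING_ENTRY_LEN)
        # RFC 7540 says unknown identifiers are ignored; they are kept here so they show up in logs.
        settings.append((SETTING_NAMES.get(ident, f"unknown_{ident:#x}"), value))
    return {"ack": False, "settings": settings}


class SettingsRateLimiter:
    """Sliding one-minute budget for settings accepted on a single connection."""

    def __init__(self, max_settings_per_minute, clock=time.monotonic):
        self.limit = max_settings_per_minute
        self.clock = clock
        self.events = deque()  # (timestamp, settings count) for each accepted frame

    def accept(self, count):
        now = self.clock()
        while self.events and now - self.events[0][0] >= 60:
            self.events.popleft()
        used = sum(c for _, c in self.events)
        if used + count > self.limit:
            raise SettingsPolicyError(f"{used + count} settings within a minute, limit is {self.limit}")
        self.events.append((now, count))
        return used + count


def process_settings_frames(frames, max_per_frame=256, max_per_minute=256, clock=time.monotonic):
    """Run frames through both limits (256 is the value the post recommends) and return a verdict per frame."""
    limiter = SettingsRateLimiter(max_per_minute, clock)
    verdicts = []
    for frame in frames:
        try:
            decoded = decode_settings_frame(frame, max_per_frame)
            accepted = len(decoded["settings"])
            limiter.accept(accepted)
            verdicts.append(("accepted", accepted))
        except SettingsPolicyError as err:
            verdicts.append(("rejected", str(err)))  # a real server would answer with GOAWAY and close
        except ValueError as err:
            verdicts.append(("protocol_error", str(err)))
    return verdicts


# Constructed sample: a normal client-preface SETTINGS, an ACK, and a frame carrying 300 settings.
SAMPLE_FRAMES = [
    build_settings_frame([(0x3, 100), (0x4, 65535)]),
    build_settings_frame([], ack=True),
    build_settings_frame([(0x5, 16384)] * 300),
]

if __name__ == "__main__":
    for verdict in process_settings_frames(SAMPLE_FRAMES):
        print(verdict)
```

The important design point is that the per-frame check uses only the length from the 9-byte header, so an over-limit frame costs the same to reject regardless of how many entries it carries; the per-minute budget then bounds the total work a single connection can cause even with small frames.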
Many web applications have pages for users to upload files. Whether it is a PDF document or an image file, IIS has a limit on the size of the content users can upload. If the file size exceeds this limit, the application throws the “Error in HTTP request, received HTTP status 413 (Request Entity Too Large)” error.
The default upload size in IIS is 49 KB (49152 bytes). The application logs the error message below if a user tries to upload a file that is bigger than the default upload size.
Error in HTTP request, received HTTP status 413 (Request Entity Too Large)
You may ask why this issue occurs for sites protected by SSL. It is because the request body must be preloaded during the SSL handshake process.
Solution for “413 Request Entity Too Large” error
The simplest solution is to increase the upload size limit. IIS uses the uploadReadAheadSize parameter in the applicationHost.config and web.config files to control this limit. This parameter specifies the number of bytes that IIS reads ahead before handing the request to the respective IIS module.
uploadReadAheadSize Optional uint attribute. Specifies the number of bytes that a Web server will read into a buffer and pass to an ISAPI extension or module. This occurs once per client request. The ISAPI extension or module receives any additional data directly from the client. The value must be between 0 and 2147483647. The default value is 49152.
Steps to change the value of this parameter are below. Make sure to increase this value only if your application has to work with files bigger than the default limit (49 KB). Set the new value to the minimum limit which is high enough to upload files successfully.
Go to IIS Manager
Select the site that you are hosting your web application under
In the Features section, double click “Configuration Editor”
In the “Section” list, select system.webServer and then serverRuntime
Modify the uploadReadAheadSize value
Click “Apply”
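If you manage many sites, the same change can be scripted. Here is an added example (not code from this post) that sets uploadReadAheadSize in a web.config exactly as the steps above do by hand, following the advice to raise the value only as far as the largest upload you need and never past the documented maximum of 2147483647. The web.config content is constructed for this example; the 49152 default and the attribute location (system.webServer/serverRuntime) are the ones named in the post.

```python
import xml.etree.ElementTree as ET

UPLOAD_READ_AHEAD_DEFAULT = 49152      # IIS default quoted in the post
UPLOAD_READ_AHEAD_MAX = 2147483647     # upper bound from the attribute documentation

# Constructed web.config without a serverRuntime element yet.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>
"""


def _child(parent, tag):
    """Return the first direct child with this tag, or None (avoids XPath quirks with dotted tag names)."""
    for element in parent:
        if element.tag == tag:
            return element
    return None


def set_upload_read_ahead(config_xml, largest_upload_bytes):
    """Return the config with uploadReadAheadSize set to the smallest value that still allows the upload.

    The value never drops below the IIS default and never exceeds the documented maximum.
    A malformed file raises ET.ParseError, the same condition IIS reports as
    "Configuration file is not well-formed XML".
    """
    if largest_upload_bytes < 0:
        raise ValueError("upload size cannot be negative")
    new_value = max(UPLOAD_READ_AHEAD_DEFAULT, largest_upload_bytes)
    if new_value > UPLOAD_READ_AHEAD_MAX:
        raise ValueError(f"uploadReadAheadSize must be <= {UPLOAD_READ_AHEAD_MAX}")
    root = ET.fromstring(config_xml)
    web_server = _child(root, "system.webServer")
    if web_server is None:
        web_server = ET.SubElement(root, "system.webServer")
    runtime = _child(web_server, "serverRuntime")
    if runtime is None:
        runtime = ET.SubElement(web_server, "serverRuntime")
    runtime.set("uploadReadAheadSize", str(new_value))
    return ET.tostring(root, encoding="unicode")


def read_upload_read_ahead(config_xml):
    """Return the effective uploadReadAheadSize (the IIS default when the attribute is absent)."""
    root = ET.fromstring(config_xml)
    web_server = _child(root, "system.webServer")
    runtime = _child(web_server, "serverRuntime") if web_server is not None else None
    if runtime is None or "uploadReadAheadSize" not in runtime.attrib:
        return UPLOAD_READ_AHEAD_DEFAULT
    return int(runtime.get("uploadReadAheadSize"))


if __name__ == "__main__":
    updated = set_upload_read_ahead(SAMPLE_WEB_CONFIG, 10 * 1024 * 1024)  # allow 10 MiB uploads
    print(updated)
    print(read_upload_read_ahead(updated))
```

Run it against a copy of the site's web.config and diff the result before deploying; the parse step also catches the well-formedness problem described at the end of this post before IIS does.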
For security reasons, you may not want to allow this parameter to be changed in individual web.config files, so that the settings in applicationHost.config are enforced. Here is a step-by-step guide to configure IIS accordingly: Configure IIS to ignore web.config files in application subfolders
uploadReadAheadSize parameter
Another parameter you may want to change is maxRequestEntityAllowed. This parameter specifies the maximum number of bytes allowed in the request body.
If you make a mistake while editing the website configuration, you may receive “Configuration file is not well-formed XML” error. Check this post out to see how to solve this issue: Configuration file is not well-formed XML
When a cookie is empty and corrupt, users may run into intermittent access issues to your website. IIS may record CryptographicException (The data is invalid) error to Event Viewer for this issue. Since the issue is intermittent, there may not be a need for immediate solution. However, a root cause analysis can provide valuable information and clues to prevent future occurrences.
Here is the key part of the error message from the Application container in Event Viewer:
Event code: 3005
Event message: An unhandled exception has occurred.
Trust level: Full
Process name: w3wp.exe
Exception type: CryptographicException
Exception message: The data is invalid.
at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
at System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded)
CryptographicException (The data is invalid) error in Event Viewer
I recommend checking application specific logs as well. In my case, the application logged the error message below at the time of the issue:
2019-01-26 08:56:28 AM ERROR: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.
Root Cause Analysis for CryptographicException (The data is invalid) error
My conclusion is that the issue happened because of an empty or corrupt cookie. As IIS didn’t log the cookie information at the time the issue occurred, it is not possible to tell which cookie it was or whether it was intact at that time. Some reasons why a cookie may be empty or corrupt are:
Network issues
Closing the browser while the request is being prepared
Browser crash
Since this issue hasn’t happened again, it must have been an intermittent issue that occurred on the network or client side.
Possible Solutions
If your application pool is not set to load user profile, this may cause CryptographicException (The data is invalid) error.
If you are using WIF (Windows Identity Foundation) and receiving “Key not valid for use in specified state” error, check this post out for solution.
Additionally, check the Unprotect function and any methods that call it in your source code. As per the stack trace, this is the function that throws the exception. It takes 3 parameters, and the exception indicates that one of them is malformed, most likely the first one (encryptedData). Somehow, on the day and time the issue occurred, the value provided to this function was not in the right format. You can debug your source code to find out possible causes.
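The missing piece in this root cause analysis was evidence: nothing recorded what the bad cookie looked like. Here is an added example (not code from this post, and in Python rather than .NET) of the kind of wrapper you would put around the call to Unprotect: it rejects empty and undecodable cookies before the cryptographic call, classifies the failure, and logs a short hash of the value so repeat occurrences can be correlated without writing the cookie itself to the log. The `protect`/`unprotect` pair is a hypothetical HMAC-based stand-in for ProtectedData, and the key is constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import logging

log = logging.getLogger("cookie-protect")

# Hypothetical stand-in for ProtectedData.Protect/Unprotect: an HMAC-SHA256 tag appended to the
# data. The key is constructed for this example; DPAPI derives its key from the user profile,
# which is why the loadUserProfile setting mentioned in the application log matters.
EXAMPLE_KEY = b"example-key-not-for-production"
TAG_LEN = 32


def protect(data: bytes) -> str:
    """Produce a cookie value: base64(data || HMAC(data))."""
    tag = hmac.new(EXAMPLE_KEY, data, hashlib.sha256).digest()
    return base64.b64encode(data + tag).decode("ascii")


def unprotect(raw: bytes) -> bytes:
    """Verify the tag and return the data; raises ValueError("The data is invalid.") on failure."""
    if len(raw) < TAG_LEN:
        raise ValueError("The data is invalid.")
    data, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(EXAMPLE_KEY, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("The data is invalid.")
    return data


def fingerprint(value: str) -> str:
    """Short hash that identifies a bad cookie across log entries without storing its contents."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def decode_session_cookie(cookie_value):
    """Classify and decode a protected cookie; returns (status, payload_or_None).

    Empty or non-base64 values never reach unprotect(), and an integrity failure is treated
    as "not signed in" rather than an unhandled exception, while still leaving a log trail.
    """
    if cookie_value is None or cookie_value == "":
        return ("missing", None)
    try:
        raw = base64.b64decode(cookie_value, validate=True)
    except (binascii.Error, ValueError):
        log.warning("cookie rejected: not base64, fingerprint=%s", fingerprint(cookie_value))
        return ("malformed", None)
    try:
        return ("ok", unprotect(raw))
    except ValueError:
        log.warning("cookie rejected: integrity check failed, fingerprint=%s", fingerprint(cookie_value))
        return ("corrupt", None)


if __name__ == "__main__":
    good = protect(b"user=alice")
    print(decode_session_cookie(good))
    print(decode_session_cookie(""))
    print(decode_session_cookie(good[:8]))  # truncated by a dropped connection, for instance
```

With a wrapper like this in place, the next occurrence of the issue leaves a timestamped, fingerprinted record of which request carried the bad cookie and what kind of damage it had, which is exactly what was missing from the Event Viewer entry above.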
Please note that both of these extra logging options will increase log folder sizes significantly, and they may cause high CPU load as well.
You may also want to record the actual client IP address if there is a load balancer in front of your web server. Check this post out for step-by-step instructions: How to log actual client IP address in IIS?
I came across the “Static compression is being disabled” error message in Event Viewer while reviewing logs for a web server. This error didn’t cause any user-side issue, but it kept being flagged by SCCM.
Here is the Event 2264 with the entire error description:
The directory specified for caching compressed content C:\inetpub\temp\IIS Temporary Compressed Files\domain.com is invalid. Static compression is being disabled
Event 2264 – Static compression is being disabled
Environment and Settings
Here are more details about the server and issue:
OS is Windows Server 2012 R2
There are over 12 websites hosted in the server
Only Anonymous Authentication is enabled
Anonymous Authentication uses App Pool Identity
Static Compression is enabled on both server and website level
Static Compression folder is C:\inetpub\temp\IIS Temporary Compressed Files
There are sub-folders for each application pool / website. The owner of these folders is Administrator, except for the DefaultAppPool folder (its owner is DefaultAppPool itself)
There are no warnings on the other server, which uses %systemdrive% as the Static Compression folder (which is not recommended)
Solution for “Static compression is being disabled” error
The best practice is to have application pool accounts as the owners of the sub-folders in IIS Temporary Compressed Files. For example: IIS APPPOOL\domain.com local account should be the owner of the domain.com folder.
In order to change owners, please follow the steps below for each folder.
Delete the folder
Create it with the same name
Right click and select “Properties”
Go to “Security”. Click “Advanced”
Click “Change” for the owner field at the top
More Information
When a compression folder is created by an IIS app pool identity that is part of the local Administrators group, the folder is owned by the local Administrators group and not by the worker process identity. IIS checks ownership of existing compression folders when the app pool starts, so when it isn’t the owner it attempts to delete and recreate the folder. Subsequent app pools get caught in an infinite loop attempting to delete and recreate the folder, which results in the “The directory specified for caching compressed content is invalid” error.
Windows Admin Center is a web application that makes it easier to manage multiple servers via multiple Microsoft tools such as System Center, RSAT, Intune, and PowerShell. If you install Windows Admin Center on an IIS server, you may come across the “503 Service Unavailable” error.
Windows Admin Center works as a gateway between clients and servers. Once it is installed, it redirects all HTTP traffic (port 80) to the HTTPS port (443). Therefore, if you try to access that server via a browser, you will reach Windows Admin Center.
Even if you uninstall it, port 80 traffic still goes to Windows Admin Center. If you install IIS on that server and try to access localhost in your browser, you will see “503 Service Unavailable”. It’s because the server tries to load the Windows Admin Center dashboard instead of the IIS Default Web Site.
Solution for “503 Service Unavailable” error
In my case, I was able to solve this issue by removing the port 80 entries from the server. In order to do it, first list all entries by running the command below:
netsh http show urlacl
Run the netsh http delete urlacl command for the entries with port 80. For example:
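As an added example (not code from this post), the script below parses the output of `netsh http show urlacl`, picks out the reservations on port 80 and prints the matching `netsh http delete urlacl url=...` commands for review instead of running them, because some reservations (the Temporary_Listen_Addresses one, for instance) belong to other Windows components and should be kept. The sample output is constructed in the layout netsh prints; the service account names in it are placeholders.

```python
import re

# Constructed sample in the layout printed by "netsh http show urlacl".
# The reservations and account names are made up for this example.
SAMPLE_URLACL_OUTPUT = """
URL Reservations:
-----------------

    Reserved URL            : http://+:80/
        User: NT SERVICE\\ExampleGatewayService
            Listen: Yes
            Delegate: No

    Reserved URL            : https://+:443/
        User: NT SERVICE\\ExampleGatewayService
            Listen: Yes
            Delegate: No

    Reserved URL            : http://+:47001/
        User: NT SERVICE\\WinRM
            Listen: Yes
            Delegate: No

    Reserved URL            : http://+:80/Temporary_Listen_Addresses/
        User: \\Everyone
            Listen: Yes
            Delegate: No
"""

RESERVED_URL_RE = re.compile(r"Reserved URL\s*:\s*(\S+)")
PORT_RE = re.compile(r"https?://[^/]*:(\d+)/")


def parse_urlacl(text):
    """Return a list of {"url": ..., "users": [...]} entries from netsh urlacl output."""
    entries = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        match = RESERVED_URL_RE.match(stripped)
        if match:
            current = {"url": match.group(1), "users": []}
            entries.append(current)
        elif stripped.startswith("User:") and current is not None:
            current["users"].append(stripped[len("User:"):].strip())
    return entries


def reservations_on_port(entries, port):
    """Keep only the reservations whose URL prefix names the given port."""
    selected = []
    for entry in entries:
        match = PORT_RE.match(entry["url"])
        if match and int(match.group(1)) == port:
            selected.append(entry)
    return selected


def delete_commands(entries):
    """Build the netsh commands to remove the given reservations (printed, not executed)."""
    return [f"netsh http delete urlacl url={entry['url']}" for entry in entries]


if __name__ == "__main__":
    port80 = reservations_on_port(parse_urlacl(SAMPLE_URLACL_OUTPUT), 80)
    for entry, command in zip(port80, delete_commands(port80)):
        print(f"{command}    # reserved for {', '.join(entry['users'])}")
```

On a real server, pipe the output of `netsh http show urlacl` into the parser; the printed user next to each command tells you which service holds the reservation, so you remove only the ones left behind by Windows Admin Center.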
IIS hosts millions of websites around the world. Thanks to IIS Manager, it is easy to create and manage websites. Websites use default functional and performance settings which are efficient most of the time. However, you may want to fine-tune IIS performance for specific applications and cases.
Fine-tuning IIS Performance
In this post, I will explain 8 recommendations that can potentially improve IIS performance. Most of the recommendations are compatible with IIS 7.0 and newer versions, with a few exceptions. I will mention the exceptions in their respective sections.
Recommendation areas:
1. Output Caching
2. Application Initialization
3. Default Document
4. HTTP keep-alive
5. Cache-control Header
6. Idle Time-out Action
7. Dynamic Compression
8. Other options (Queue Length, Enable 32-bit Applications)
1. Output Caching
Applies to IIS 7+
IIS has kernel-mode and user-mode components. Kernel-mode components receive and route HTTP requests, manage connections, and send responses back to clients. User-mode components process the requests and prepare responses. There is a response cache at both the kernel-mode and user-mode levels.
Using the cache allows IIS to handle requests faster. However, physical memory consumption increases as the cached entries occupy space in memory. It is recommended to monitor the memory usage and limit the maximum amount of memory that can be used by the cache.
Kernel-mode cache
HTTP.sys is a part of kernel-mode and it includes a response cache (kernel-mode cache). Requests can be satisfied entirely by using this cache. Enabling kernel-mode cache speeds up page load time, reduces bandwidth usage and the amount of data transfer, and decreases the server load which significantly lowers the CPU cost of handling the requests.
Some features such as authentication and authorization cannot be served by using Output Caching. Therefore, IIS only allows the static content such as HTML, JavaScript, CSS, and images to be cached at kernel-mode level.
User-mode cache
Dynamic content such as ASP and PHP pages can be cached at the user-mode level. At the user-mode level, requests are handled in containers (worker processes), which provides more security and manageability.
Enable Output Caching
Follow the steps below to enable Output Caching. These steps will enable both kernel-mode and user-mode caching.
Go to IIS Manager
Click the server name
Double click “Output Caching”
Click “Edit Feature Settings” in the “Actions” menu on the right side
Check both “Enable cache” and “Enable kernel cache” options
Click a website that you want to enable Output Caching for
Double click “Output Caching”
Click “Edit Feature Settings” in the “Actions” menu on the right side
Check both “Enable cache” and “Enable kernel cache” options
Restart HTTP service. Run the commands below in the given order on Command Prompt:
iisreset /stop
net stop http
net start http
iisreset /start
Enabling Output Caching on server level
2. Application Initialization
Applies to IIS 7.5+
This is a feature in IIS that manages what happens when an application is started for the first time. The startup process affects the speed of the website for the users who hit the website for the first time after a deployment, server restart, IIS reset, application pool restart or application pool idle time-out. For large applications, the startup time can be high because the website compiles the code, initiates caching, loads components, and generates files.
Enable Application Initialization
Follow the steps below to enable Application Initialization.
Note: The steps below apply to IIS 7.5+. IIS 7.5 requires Application Initialization Module to be installed. This module is built-in for IIS 8+ but it should be checked during IIS installation:
Application Initialization module should be installed via Server Manager
Steps:
Go to IIS Manager
Click “Application Pools”
Select the application pool that is used by the website you want to enable Application Initialization for
Click “Advanced Settings” in the “Actions” pane
Select “AlwaysRunning” from the “Start Mode” list (For IIS 8 and lower versions, select “True” for “Start Automatically” option in addition to the “Start Mode” selection)
Enable Application Initialization for an application pool
Continue with the steps below:
In the “Connections” pane, select the website or the application
Click “Advanced Settings” in the “Actions” pane
Select “True” from the “Preload Enabled” list
Restart IIS (iisreset in Command Prompt)
Preload Enabled option
3. Default Document
Applies to IIS 7+
IIS uses modules to process requests in the integrated pipeline. One of these modules is the Default Document Module. It handles requests that go to the root of a directory for an application. Since these requests don’t specify a file name, the Default Document Module searches the list of allowed default documents. This can negatively affect IIS performance.
By reducing and reordering the list of default documents, the application response time can be improved. While editing the list, make sure to have only the default documents that are used by that particular application. Additionally, make sure that the list begins with the most frequently accessed default document name.
Edit Default Document List
Follow the steps below to edit the Default Document list.
Go to IIS Manager
Click the website or application which you want to edit the Default Document list for
Double click “Default Document”
Edit the list (Remove the file names that are not used. Move the most used file name to the top)
Default Document list
4. HTTP keep-alive
Applies to IIS 7+
When a client visits a webpage, the browser makes multiple requests to download the entire page. In order to load the page, the browser may initiate separate connections for each element, such as images. By enabling the “HTTP keep-alive” option, the server keeps the connection open for these multiple requests, which improves server performance and response time.
Enable HTTP keep-alive
Follow the steps below to enable the HTTP keep-alive option for a website or application:
Go to IIS Manager
Click the website or the application which you want to enable “HTTP keep-alive” for
5. Cache-control Header
When a client visits a webpage for the first time, the request is processed by the web server and a response is sent over the network. If no caching is set up, the same steps are executed on every visit, which could be time-consuming even if the response hasn’t changed (there is no update to the website). If caching is set up, the client will use its own cache to load the website, which significantly improves the response time. It also improves server performance, as the request is not served by the server.
Cache-control is an HTTP header. In addition to client machines, this header is also used by CDNs, load balancers, and proxies. It has a setting that states how long the assets should stay in the cache.
Enable Cache-control Header
Follow the steps below to enable cache-control header for a website or application:
Go to IIS Manager
Click the website or the application which you want to enable cache-control header for
Click “Set Common Header” in the “Actions” pane
Select “Expire Web content” option
Select “After”. Enter a value. The value you enter entirely depends on how often you update your content. For example, if you update it weekly, make sure that the value doesn’t exceed 7 days.
Click “OK”
Enabling cache-control header
6. Idle Time-out Action
Applies to IIS 8.5+
A request in IIS is handled by a worker process (w3wp.exe). Each application pool has one or more worker processes. By default, if a worker process is idle (no requests received) for 20 minutes, it is terminated (Idle Time-out Action). When a new request comes in after a worker process is terminated, the user experiences the spin-up cycle which consumes resources.
By setting the Idle Time-out Action to “Suspend”, you can prevent worker processes from being terminated after the idle time-out threshold is reached. Theoretically, this improves web server performance because a worker process won’t need to go through the startup process again, which means the user will access the site almost instantly. In practice, the “Suspend” option may not be ideal for your application if it has high traffic or uses a large amount of memory:
High-traffic applications will have visitors constantly, so the worker process will stay active anyway. The sites that take advantage of the “Suspend” option are the ones that have 20 visitors or fewer per day. In order to make a decision about this option, please check your traffic patterns. If the gaps between visits are longer than the time-out value (20 minutes by default), then enabling the “Suspend” option is a good idea. Please have a look at this article for an example.
Applications that use a large amount of memory are not good candidates for the “Suspend” option because the computer writes the data used by the worker process to disk. Since the size of the data is big, the cost of suspending is higher than that of termination.
Set Idle Time-out Action to “Suspend”
Follow the steps below to set the Idle Time-out Action to “Suspend”:
Go to IIS Manager
Click “Application Pools”
Select the application pool that is used by the website you want to change Idle Time-out Action for
Click “Advanced Settings” in the “Actions” pane
Select “Suspend” from the “Idle Time-out Action” list
Changing Idle Time-out Action
7. Dynamic Compression
Applies to IIS 7+
IIS compresses the static content (images, CSS files, HTML files etc.) by default to reduce the bandwidth used for requests. By enabling the compression for dynamic content such as ASP.NET pages, you can save bandwidth for dynamic content as well. It results in decreasing the response time and improving the web server performance. However, enabling the dynamic compression adds extra load to CPU (about 5% CPU overhead).
Enable Dynamic Compression
This feature should be installed first before using it. In the Server Manager, make sure “Dynamic Content Compression” is installed. For Windows Server 2008 and Windows Server 2008 R2, see the instruction in this link.
Dynamic Compression module in Server Manager
Once making sure that Dynamic Compression is installed, follow the steps below to enable it:
Go to IIS Manager
Click the site or application you want to enable Dynamic Compression for
Double click “Compression”
Select “Enable dynamic content compression”
Click “Apply”
Enabling Dynamic Compression
8. Other options (Queue Length, Enable 32-bit Applications)
Queue Length
Application pools have a setting called “Queue Length”. The value of this setting specifies how many requests can be queued by HTTP.sys which is a kernel-mode component that manages and reroutes requests.
The default Queue Length is 1000, which is enough for the majority of web servers. If the web server needs to queue more than 1000 requests, IIS starts rejecting requests and logs a 503 Service Unavailable error. There is no recommendation or formula to calculate the optimum value. It is recommended to monitor the queue size and increase this value only if the size approaches 1000 (the default value).
Default Queue Length
Enable 32-bit Applications
If the memory usage is a concern in the web server, consider enabling this option in the application pool settings. Since 32-bit applications use less memory than 64-bit applications, enabling this option decreases the memory usage.
Internet Information Services (IIS) brings your websites live on a robust infrastructure at fast speeds. Even though the default configuration is optimized for speed, you may notice slowness loading your websites for reasons such as inefficient application code. Here are 5 performance counters I would recommend checking if you want to monitor the resource usage in your IIS server:
Processor (All instances – % Processor Time): CPU consumption broken down by processes
Memory (Available Mbytes): Available memory in OS
HTTP Service Request Queues (CurrentQueueSize): The request count that is pending in the IIS queue
.NET CLR Exceptions (# of Exceptions Thrown/sec): The count of System.NullReferenceException thrown by the applications
APP_POOL_WAS (For all listed Application Pools):
Current Application Pool State: allows you to see the state of application pools
Current Application Pool Uptime: Allows you to see if the web application has been restarted or not
Recommended counters to monitor for IIS performance
In order to monitor these counters, follow the steps below:
Go to Start. Search for “Performance Monitor“
Click on the green plus sign (+)
Select a category (Processor, Memory etc.)
Select a sub-category (% Processor Time, Available Mbytes etc.)
Select an object (_Total, <All instances> etc.)
Click “Add“
Click “OK“
With these instructions, you can monitor the real-time statistics of your server. If you want to save these statistics:
Right click on “Performance Monitor” under “Monitoring Tools” on the left side
Select “New > Data Collector Set”
Give a name and click “Next“
Select a path to save the data and click “Next“
Select “Start this data collector set now” and click “Finish“
You will see an arrow icon on the collector set you created. It means it’s recording the logs. Once you have recorded for a desired time, right click on the collector set and select “Stop“
You can go to the path you specified in Step 4 or you can click “Latest report” button (Green notebook icon) to see the report
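The Data Collector Set above can be exported as a PDH CSV file (Performance Monitor's default log format for collector sets is binary, but the CSV format is selectable when you create the set). Here is an added example (not code from this post) that reads such a CSV offline and flags samples against the thresholds these posts suggest watching: a request queue approaching the default Queue Length of 1000 from the performance post above, plus low available memory and a saturated CPU. The CSV content is constructed for this example, and the 800 MB-queue, 512 MB and 90% threshold values are choices made here, not figures from the posts.

```python
import csv
import io

# Constructed PDH-CSV sample: the first column is the timestamp, the others are counter paths.
SAMPLE_PERFMON_CSV = r'''"(PDH-CSV 4.0) (UTC)(0)","\\WEB01\Processor(_Total)\% Processor Time","\\WEB01\Memory\Available MBytes","\\WEB01\HTTP Service Request Queues(DefaultAppPool)\CurrentQueueSize","\\WEB01\.NET CLR Exceptions(_Global_)\# of Exceptions Thrown/sec"
"01/26/2019 08:56:00.000","35.2","2048","12","0.5"
"01/26/2019 08:56:15.000","78.9","1900","640","1.2"
"01/26/2019 08:56:30.000","97.4","410","960","40.0"
'''

# Threshold choices for this example: (comparison, limit, reason).
# The queue limit is set at 80% of the default Queue Length of 1000 so it fires before IIS starts returning 503.
THRESHOLDS = {
    "CurrentQueueSize": ("ge", 800, "request queue approaching the default Queue Length of 1000"),
    "Available MBytes": ("lt", 512, "available memory is low"),
    "% Processor Time": ("ge", 90, "CPU saturated"),
}


def parse_perfmon_csv(text):
    """Parse PDH-CSV text into one dict per sample, keyed by the counter name (last path segment)."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    counters = [path.split("\\")[-1] for path in header[1:]]
    samples = []
    for row in reader:
        if not row:
            continue
        sample = {"time": row[0]}
        for name, value in zip(counters, row[1:]):
            try:
                sample[name] = float(value)
            except ValueError:
                sample[name] = None  # PDH writes a blank when a counter had no data for that interval
        samples.append(sample)
    return samples


def find_alerts(samples, thresholds=THRESHOLDS):
    """Return (time, counter, value, reason) for every sample that crosses a threshold."""
    alerts = []
    for sample in samples:
        for counter, (op, limit, reason) in thresholds.items():
            value = sample.get(counter)
            if value is None:
                continue
            crossed = value >= limit if op == "ge" else value < limit
            if crossed:
                alerts.append((sample["time"], counter, value, reason))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_perfmon_csv(SAMPLE_PERFMON_CSV)):
        print(alert)
```

Because the parser keys each sample by the last path segment, the same thresholds apply whether the counter was collected for one application pool instance or for `_Total`; if you collect several pools, include the instance name in the key instead so they are not overwritten.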
IIS applications run in application pools. Application pools receive requests and process them based on the settings defined. One of these settings is the application pool identity. This is the account that runs the application pool and performs the required tasks. You may come across this error message while trying to set a custom account as the application pool identity: “Value does not fall within the expected range.“
This error occurs only if you are specifying a custom account and not using any predefined accounts such as ApplicationPoolIdentity or NetworkService.
The exact error message:
There was an error while performing this operation. Details: Value does not fall within the expected range.
Solution for “Value does not fall within the expected range” issue
The username and password fields of the custom application pool identity window in IIS Manager have only basic validation, such as an empty field check, a password match check, and a local user check (there is no check for domain users). Therefore, the “Value does not fall within the expected range” issue is not always a good clue to lead you to the solution.
It is likely that something simple but easy to miss (a formatting issue in the config files, etc.) is causing this issue. I would recommend taking the actions below first:
Check the application pool identities in the applicationHost.config file (C:\Windows\System32\inetsrv\Config) for any syntax issues
Try to obtain a clean copy of applicationHost.config and replace it with the current one
Restart Windows Process Activation Service (Reference)
Close and reopen IIS Manager
net stop was /y
net start w3svc
If this doesn’t work:
Create a new application pool and try to set its application pool identity
Try to open IIS Manager as a local or domain administrator if you are not already
Check Event Viewer for more details of the error message