HTTP 403 error reproduction experiment and solution

Problem introduction

403 is a very common error code returned by web servers. The HTTP protocol defines the 403 error as follows:

403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

In IIS, 403 errors are classified in more detail in the form of sub-error codes according to specific functions.

IIS 7.0 defines the following HTTP status codes that indicate a more specific cause of a 403 error:

    403.1 - Execute access forbidden.
    403.2 - Read access forbidden.
    403.3 - Write access forbidden.
    403.4 - SSL required.
    403.5 - SSL 128 required.
    403.6 - IP address rejected.
    403.7 - Client certificate required.
    403.8 - Site access denied.
    403.9 - Forbidden: Too many clients are trying to connect to the Web server.
    403.10 - Forbidden: Web server is configured to deny Execute access.
    403.11 - Forbidden: Password has been changed.
    403.12 - Mapper denied access.
    403.13 - Client certificate revoked.
    403.14 - Directory listing denied.
    403.15 - Forbidden: Client access licenses have exceeded limits on the Web server.
    403.16 - Client certificate is untrusted or invalid.
    403.17 - Client certificate has expired or is not yet valid.
    403.18 - Cannot execute requested URL in the current application pool.
    403.19 - Cannot execute CGI applications for the client in this application pool.
    403.20 - Forbidden: Passport logon failed.
    403.21 - Forbidden: Source access denied.
    403.22 - Forbidden: Infinite depth is denied.
    403.502 - Forbidden: Too many requests from the same client IP; Dynamic IP Restriction limit reached.


This article reproduces some common 403 errors through experiments, to show the cause of each error more concretely, and introduces the solution to each problem.


[403.1 403.3]

403.1 - 403.3 occur mainly because the permission a handler requires is not among the permissions enabled in the Handler Mapping.


How do you check the permissions a handler requires? In IIS Manager, open Handler Mappings and find the handler that matches the requested extension. For example, when a request for an .asp file returns 403.3, the handler for .asp files is the ASPClassic handler. Double-click it and open Script Map - Request Restrictions - Access to view the permission the handler requires. Here, in order to reproduce the 403.3 issue, I set the required permission to Write.

How do you check the permissions enabled for handler mappings? Open the system.webServer/handlers@accessPolicy configuration node through IIS Manager - Configuration Editor. There you can see that the Write option is not selected, so a 403.3 error appears when the .asp page is accessed. The handler mapping list also shows the state of the ASPClassic handler as Disabled.

403.1 and 403.2 have the same cause as 403.3: the Script or Read permission required by the corresponding handler is not enabled.
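The comparison described above can be run against a configuration file instead of IIS Manager. The following is an added example, not code from the original article: it parses a constructed web.config fragment and lists every handler whose requireAccess is not enabled in accessPolicy. The function name and the sample handler list are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment: Write is not enabled in accessPolicy, but
# ASPClassic was changed to require Write (the article's 403.3 setup).
WEB_CONFIG = """
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script">
      <add name="ASPClassic" path="*.asp" verb="GET,HEAD,POST"
           modules="IsapiModule" requireAccess="Write" />
      <add name="StaticFile" path="*" verb="*"
           modules="StaticFileModule" requireAccess="Read" />
      <add name="CGI-exe" path="*.exe" verb="*"
           modules="CgiModule" requireAccess="Execute" />
    </handlers>
  </system.webServer>
</configuration>
"""

# Sub-status for each missing permission, following the article's description.
SUBSTATUS = {"Execute": "403.1", "Script": "403.1", "Read": "403.2", "Write": "403.3"}


def disabled_handlers(config_xml):
    """Return [(name, path, required access, expected sub-status)] for every
    mapping whose requireAccess is not enabled in accessPolicy."""
    handlers = ET.fromstring(config_xml).find("system.webServer/handlers")
    if handlers is None:
        return []
    # accessPolicy is a comma-separated flag list, e.g. "Read, Script".
    policy = handlers.get("accessPolicy", "Read")
    enabled = {flag.strip().lower() for flag in policy.split(",")}
    findings = []
    for add in handlers.findall("add"):
        # requireAccess defaults to Script when the attribute is omitted.
        required = add.get("requireAccess", "Script")
        if required.lower() != "none" and required.lower() not in enabled:
            findings.append((add.get("name"), add.get("path"), required,
                             SUBSTATUS.get(required, "403")))
    return findings


if __name__ == "__main__":
    for name, path, required, status in disabled_handlers(WEB_CONFIG):
        print(f"{name} ({path}) requires {required}: expect {status}")
```

When a finding comes from a handler that requires Write or Execute, correcting that handler's requireAccess is the narrower fix than enabling the permission in accessPolicy for every handler.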


[403.4 403.5 403.7]

403.4, 403.5, and 403.7 are all caused by SSL settings. Most of the time this is not a server-side error; the client's request simply does not meet the server's requirements. For example:

403.4 means the client sent an http request to a website configured to require SSL

403.5 means that the request sent by the client does not meet the encryption bit requirements of the server for SSL

403.7 means that the client did not provide the corresponding certificate


These requirements are configured on the server through IIS Manager - SSL Settings.


The 128-bit SSL requirement, however, has to be configured through the Configuration Editor, under system.webServer/security/access@sslFlags.


There is a point worth noting about the 403.7 error. If the server is configured to require a client certificate, the client will normally pop up a certificate selection box to allow the user to choose which certificate to send to the server. If the client has only one certificate, it will not pop up the selection box and send it directly to the server. If a 403.7 error is encountered, it is likely that the client did not find a valid certificate.


The available certificates here are determined by the trust list returned by the server. According to the SSL protocol, the server returns a set of root certificates it trusts to the client during the SSL handshake; the client checks whether it has a user certificate that chains up to one of these root certificates, and then the selection box pops up. So if no client certificate is found, first determine whether the client has the corresponding certificate. If not, install it. If the certificate exists, check whether its root certificate is in the server-side trust list.
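The client-side selection described in the two paragraphs above can be modelled in a few lines. This is an added example, not code from the original article: certificates are reduced to constructed subject and issuer names, the function names are hypothetical, and the "one candidate is sent without a prompt" rule follows the article's description rather than any particular browser.

```python
# Constructed client certificate store: subject -> issuer.
# A root certificate is its own issuer.
STORE = {
    "CN=alice": "CN=Corp Issuing CA",
    "CN=Corp Issuing CA": "CN=Corp Root CA",
    "CN=Corp Root CA": "CN=Corp Root CA",
    "CN=alice-home": "CN=Home Lab Root",
    "CN=Home Lab Root": "CN=Home Lab Root",
}
USER_CERTS = ["CN=alice", "CN=alice-home"]  # certificates that have a private key


def chains_to_trusted(subject, store, trust_list):
    """Walk issuer links upward; True if any issuer is in the server's list."""
    seen = set()
    while subject in store and subject not in seen:
        seen.add(subject)
        issuer = store[subject]
        if issuer in trust_list:
            return True
        subject = issuer          # continue with the next certificate up
    return False                  # chain ended or could not be built


def client_behaviour(user_certs, store, trust_list):
    """Return (outcome, candidates) for a server that requires a client cert."""
    candidates = [c for c in user_certs
                  if chains_to_trusted(c, store, trust_list)]
    if not candidates:
        return ("403.7", [])            # nothing usable to send
    if len(candidates) == 1:
        return ("sent", candidates)     # sent without a selection box
    return ("prompt", candidates)       # user chooses in the selection box


if __name__ == "__main__":
    for trust in ({"CN=Corp Root CA"},
                  {"CN=Corp Root CA", "CN=Home Lab Root"},
                  {"CN=Some Other Root"}):
        print(sorted(trust), "->", client_behaviour(USER_CERTS, STORE, trust))
```

The last case is the one to check during troubleshooting: the certificate is installed on the client, but no certificate in its chain appears in the server's trust list, so the result is still 403.7.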


[403.14]

403.14 is very common, and the reason is simple: the directory is not allowed to be browsed.


The solution depends on the actual needs.

1. If the client is trying to browse a directory that should not be browsed, the server does not need any changes.

2. If a request for the directory is expected to return a default web page, it is very likely that no default document matched, or that the default document is not in the directory.

3. If you need to enable directory browsing, select the directory in IIS Manager, then Directory Browsing - Enable.


[403.6 403.8]

These two errors are related to server configuration: the server blocks the client's IP address or DNS name in the ipSecurity configuration. The configuration section is system.webServer/security/ipSecurity.
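To confirm whether a given client address is caught by the ipSecurity section, the rules can be evaluated offline. This is an added example, not code from the original article: the configuration is constructed and uses documentation address ranges, the function names are hypothetical, domainName entries are skipped, and "first matching entry decides" is an assumption (the sample entries do not overlap).

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed configuration; the addresses are documentation ranges.
WEB_CONFIG = """
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="true">
        <add ipAddress="192.0.2.0" subnetMask="255.255.255.0" allowed="false" />
        <add ipAddress="198.51.100.7" allowed="false" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
"""


def ip_rules(config_xml):
    """Return (allow_unlisted, [(network, allowed)]) from ipSecurity."""
    node = ET.fromstring(config_xml).find("system.webServer/security/ipSecurity")
    if node is None:
        return True, []
    rules = []
    for add in node.findall("add"):
        if add.get("ipAddress") is None:
            continue  # domainName entries are not evaluated in this example
        # Without subnetMask the entry matches a single address.
        mask = add.get("subnetMask", "255.255.255.255")
        net = ipaddress.ip_network(f"{add.get('ipAddress')}/{mask}", strict=False)
        rules.append((net, add.get("allowed", "false").lower() == "true"))
    return node.get("allowUnlisted", "true").lower() == "true", rules


def is_rejected(client_ip, config_xml):
    """True if the ipSecurity rules would refuse this client address."""
    allow_unlisted, rules = ip_rules(config_xml)
    addr = ipaddress.ip_address(client_ip)
    for net, allowed in rules:      # assumption: first matching entry decides
        if addr in net:
            return not allowed
    return not allow_unlisted       # no entry matched: fall back to the default


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.7", "198.51.100.8", "203.0.113.9"):
        print(ip, "rejected" if is_rejected(ip, WEB_CONFIG) else "allowed")
```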



The above are the most common 403 errors and their solutions. If you encounter one of the rarer errors, refer to the following article for specific solutions.

http://support.microsoft.com/kb/943891


