Intermittent "HTTP 403 – Forbidden" error while trying to browse to a SharePoint web app
Consider a scenario where you receive the following error when you browse to a SharePoint web app:
The website declined to show this webpage
HTTP 403
Most likely causes:
This website requires you to log in.
This issue is intermittent. Strangely, if we create a copy of the web.config file, rename the web.config file and refresh the home page, we receive an "HTTP 404 - Page Not Found" error. If we then rename the web.config file back and refresh the page, the site is browsable for a while before failing again after some time.
We see the following error in Failed Request Tracing
A procmon trace captured while accessing the web app from the server showed the following:
w3wp.exe 4180 CreateFile C:\inetpub\wwwroot\wss\VirtualDirectories\Web80.Contoso.com80\bin ACCESS DENIED Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR
This issue usually occurs when a request from an authenticated user without local admin rights results in a failed read of the /BIN directory by the impersonating w3wp.exe (IIS worker process for ASP.NET) process. This behavior is typically associated with lack of permissions to the temporary folder /BIN where ASP.Net assemblies are Just In Time (JIT) compiled.
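The triage described above can be scripted. This is an added example, not part of the original post: it reads a Procmon CSV export and lists the folders that w3wp.exe was refused while impersonating a user. The sample rows are constructed from the trace shown above (the CONTOSO\jdoe row and the timestamps are invented), and the column names assume Procmon's default CSV columns.

```powershell
# Constructed sample data in Procmon's default CSV layout (File > Save > CSV).
$csv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","w3wp.exe","4180","CreateFile","C:\inetpub\wwwroot\wss\VirtualDirectories\Web80.Contoso.com80\bin","ACCESS DENIED","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"10:01:02.2","w3wp.exe","4180","CreateFile","C:\inetpub\wwwroot\wss\VirtualDirectories\Web80.Contoso.com80\web.config","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"10:01:05.7","w3wp.exe","4180","CreateFile","C:\inetpub\wwwroot\wss\VirtualDirectories\Web80.Contoso.com80\bin","ACCESS DENIED","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Impersonating: CONTOSO\jdoe"
'@

$denials = $csv | ConvertFrom-Csv | ForEach-Object {
    # Only denied operations issued by the IIS worker process are of interest.
    if ($_.'Process Name' -ne 'w3wp.exe' -or $_.Result -ne 'ACCESS DENIED') { return }

    # The Detail column names the impersonated account, as in the trace above.
    # Rows without it were made under the application pool identity itself.
    if ($_.Detail -match 'Impersonating:\s*(?<who>[^,]+)') {
        $who = $Matches['who'].Trim()
        $access = ''
        if ($_.Detail -match 'Desired Access:\s*(?<a>.+?), Disposition:') {
            $access = $Matches['a']
        }
        [pscustomobject]@{ Path = $_.Path; Identity = $who; Access = $access }
    }
}

# One row per path: how often it was refused, to whom, and for which access.
$denials | Group-Object Path | ForEach-Object {
    [pscustomobject]@{
        Path       = $_.Name
        Hits       = $_.Count
        Identities = ($_.Group.Identity | Sort-Object -Unique) -join '; '
        Access     = ($_.Group.Access | Sort-Object -Unique) -join '; '
    }
}
```

For a real capture, replace the here-string with Import-Csv on the exported file. A \bin path refused to several non-admin identities matches the cause described above.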
Resolution
The solution is to ensure that the Authenticated Users or <SERVER NAME>\Users group (which usually contains DOMAIN\Users group) has Read & Execute, List Folder Contents and Read permissions on the /BIN folder below C:\inetpub\wwwroot\wss\VirtualDirectories\{Sitename80}. Follow the steps listed below to grant the required permissions:
- Open Windows Explorer and navigate to the /bin directory of your web application
- Right-click on the folder and click on Properties
- Go to Security tab and click on Edit
- Click on Add and add the local server group Authenticated Users or <SERVER NAME>\Users (this usually contains DOMAIN\Users group).
- Select the Read & Execute, List Folder Contents and Read permissions (if you are planning to add Everyone to the /bin folder, grant Read permissions only)
- Click OK to apply the new settings
Refresh the page and we should be able to browse to the site.
There are instances where this permission needs to be re-applied as part of every deployment and we may often find that the permissions have reset after touching the Authentication Providers settings in Central Admin.
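Because the permission can be reset by a deployment or by a change in Central Admin, the check is worth scripting. This is an added example, not part of the original post: it audits the bin folder of every web application for an allow entry granting Authenticated Users Read & Execute, and re-applies it only when run with -Fix. The default root path and the -Fix switch name are assumptions; it requires PowerShell 3.0 or later and an elevated session.

```powershell
param(
    # Assumption: the default SharePoint virtual directory root used in the post.
    [string]$Root = 'C:\inetpub\wwwroot\wss\VirtualDirectories',
    # Hypothetical switch: without it the script only reports.
    [switch]$Fix
)

# S-1-5-11 is the well-known SID for Authenticated Users (locale independent).
$sid     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$rights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
# This folder, subfolders and files: covers Read & Execute,
# List Folder Contents and Read as ticked in the Explorer dialog.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $sid, $rights, $inherit, $prop, $allow

Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $bin = Join-Path $_.FullName 'bin'
    if (-not (Test-Path -LiteralPath $bin -PathType Container)) { return }

    $acl = Get-Acl -LiteralPath $bin
    # Explicit and inherited entries, with identities returned as SIDs.
    $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $ok = @($aces | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq $allow -and
        ($_.FileSystemRights -band $rights) -eq $rights
    }).Count -gt 0

    $action = 'none'
    if (-not $ok -and $Fix) {
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $bin -AclObject $acl
        $action = 'granted'
    } elseif (-not $ok) {
        $action = 'missing (re-run with -Fix)'
    }
    [pscustomobject]@{ Path = $bin; AuthenticatedUsersRead = $ok; Action = $action }
}
```

The audit looks only for the allow entry; an explicit Deny entry for the same identity still takes precedence and has to be checked separately.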
More Information
If an administrator accesses the site/feature that caused the error, the subsequent requests from non-administrators would succeed. This behavior is typically associated with lack of permissions to the temporary folder where ASP.Net assemblies are Just In Time compiled.
The FREB trace shows a 403.0 for ManagedPipelineHandler.
The request goes through quite a few ASPNet events, but the failure happens during ASPNetPageRender: it reaches ASPNetPageRender Enter, then ASPNetHTTPHandler Leave. Only then does it get a 403.0, which is not an official RFC error. The first sub-status for 403 is 403.0.
Application pool in Classic or Integrated mode
- Application Pool in Classic Mode – In this case, we can configure a Wildcard mapping for ASPNET_ISAPI.dll at the website level. That would propagate to child virtual directories. That should not need any further modifications at the virtual directory level.
- Application Pool in Integrated Mode – In this case, all relevant virtual directories would need individual modifications. Each needs to be set for its specific handler. E.g. the ‘book’ virtual directory needs a mapping for BookAPI and the ‘movie’ directory would need a mapping for MovieAPI.
Comments
Anonymous
January 01, 2003
Thanks! saved me from hours of binging :)
Anonymous
January 01, 2003
I can not get through to http-403--can not get into ddc to get free chips..i do not know how to fix it cause--I do not know how to fix it..if you could fix it for me...it worked yesterday but not today..i can not figure it out ..can you fix it for me --please..can not get into links..
Anonymous
October 15, 2013
The comment has been removed
Anonymous
October 24, 2013
Hi Praveen, I am getting HTTP 403 Forbidden for /_vti_bin/client.svc and all .svc files under /_vti_bin. Initially I was not able to browse the /_vti_bin folder itself, however I was able to resolve it by enabling Directory Browsing. But I am still unable to browse client.svc. I took Failed Request Tracing log and below is the error:
MODULE_SET_RESPONSE_ERROR_STATUS
ModuleName : ManagedPipelineHandler
Notification : EXECUTE_REQUEST_HANDLER
HttpStatus : 403
HttpReason : Forbidden
HttpSubStatus : 0
ErrorCode : The operation completed successfully. (0x0)
Any suggestions on how to resolve this...
Anonymous
November 12, 2013
Exactly what I needed. Worked great, thanks!
Anonymous
November 20, 2013
hi Fuady, Yes. By default, Everyone has Read access to the folder. But if it's missing, then please grant the permissions.
- Praveen
Anonymous
November 20, 2013
hi Bhavik, Could you check if 'domain\users' is added to the ISAPI folder under 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15' ?
Anonymous
March 21, 2014
Great Post, it helps me to fix my problem also!
Anonymous
June 23, 2014
This is great. My problem is resolved.
Anonymous
June 26, 2014
Found similar behavior post-deploy of SP1, and used this reference to guide on the troubleshooting. Effectively found the lack of ACLs in the bin directory and solved it... thanks Praveen!
Anonymous
August 12, 2014
That worked for me too.
Anonymous
August 23, 2014
thanks mate. worked for me. one thing to keep in mind - it may not work if you add those permissions to a folder which is higher in the hierarchy.
Anonymous
January 02, 2015
[SOLVED] I had 403 on WFEs, but all worked fine from workstations. Solution: turn off the proxy on WFE.
Anonymous
January 12, 2015
HI All,
we have similar experience on few of the links resulting in 403 error . we have 4 WFE servers in SP Farm and the functionality is working perfectly fine on one of the servers whereas we are having issue on rest of 3 WFE servers.
we have tried the above recommendations but no luck yet.
enabled request tracing logs and getting the below warning in ISAPI module.
ModuleName IsapiModule
Notification 128
HttpStatus 403
HttpReason Forbidden
HttpSubStatus 0
ErrorCode 0
ConfigExceptionInfo
Notification EXECUTE_REQUEST_HANDLER
ErrorCode The operation completed successfully. (0x0)
can you please recommend and share your viewpoints on priority.
Anonymous
January 27, 2015
You, sir are a boss! Thanks for this solution.
Anonymous
February 20, 2015
Very useful! Helped me to solve my issue!
Anonymous
May 01, 2015
I was getting 403 error on custom SP 2010 login page.
Gave "IUser" account Read access to FBA Virtual directory bin folder. It worked :)
Thanks a lot.
Anonymous
September 09, 2015
I have tried in the above but it could not resolve the issue
Anonymous
October 09, 2015
Worked for me!!!
Anonymous
January 20, 2016
Thank you for this article! We were receiving this error only from the APP server in a three tier Test farm - WFE worked correctly without any issues. Checked permissions on the bin folder and Everyone with READ was missing on the APP server! Added back and everything is working as expected again. Thank you!
Anonymous
February 01, 2016
hi Praveenh
I'm getting the 403 error, I can use the mapped network folder ( I saved earlier on my laptop) to browse a document library but accessing the portal itself gives 403. central admin and mysites are working OK.
I checked the bin folder which had everyone with read and I added authenticated users with the 3 permissions but still no luck :( don't know if you are monitoring this post or not I desperately need your help.
I read through the comments you asked someone for isapi folder if it had the authenticated user or not, mine does not have authenticated users on the ISAPI folder. should I add n check.
I don't want to further mess it up on my own :(
zaidumer@gmail.com