Cannot read configuration file due to insufficient permissions

Question

I've recently encountered an error trying to host my asp.net site with IIS. I have found a solution that many swear by.

Solution:

1. Add IIS_IUSRS with Read permission on files in the folder
2. Change IIS authentication method to BasicAuthentication
3. refresh the website. It will work

(http://vivekthangaswamy.blogspot.com/2009/07/aspnet-website-cannot-read.html)

What do I add to my web.config file though? I've never had to edit it before. Here is its current contents:

<?xml version="1.0"?>
<!--
  For more information on how to configure your ASP.NET application, please visit
  http://go.microsoft.com/fwlink/?LinkId=169433
  -->
<configuration>
    <connectionStrings>
  <add name="DefaultConnection" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Database.mdf;Integrated Security=True;User Instance=True"
   providerName="System.Data.SqlClient" />
 </connectionStrings>
 <system.web>
  <compilation debug="true" strict="false" explicit="true" targetFramework="4.0"/>
    </system.web>
</configuration>

My error is:

Config Error: Cannot read configuration file due to insufficient permissions
Config File: \?\C:\Users*****\Documents\Visual Studio2010\WebSites\PointsForTime\web.config

Answer 1

In some cases the web.config file isn't in the correct format.

Open the web.config file and check all XML tags. (For example, by putting the following codes in the web.config, if the project is executed, then the problem is from it)

<?xml version="1.0" encoding="utf-8"?>
<configuration>
</configuration>

Answer 2

I had what appeared to be the same permissions issue on the web.config file.

However, my problem was caused by IIS failing to load the config file because it contained URL rewrite rules and I hadn't installed the IIS URL rewrite module on the new server.

The solution was to install the rewrite module.

Answer 3

Editor's note: Doing what this answer suggests: "changing Identity to LocalSystem" is DANGEROUS! The LocalSystem account is a ...

Completely trusted account, more so than the administrator account. There is nothing on a single box that this account cannot do, and it has the right to access the network as the machine (this requires Active Directory and granting the machine account permissions to something)

---

Changing the Identity from ApplicationPoolIdentity to LocalSystem did the work ;).

I am using win7 64 with IIS 7.5

more about Application Pool Identity in IIS 7.5 and win 7

Answer 4

Instead of giving access to all IIS users like IIS_IUSRS you can also give access only to the Application Pool Identity using the site. This is the recommended approach by Microsoft and more information can be found here:

https://support.microsoft.com/en-za/help/4466942/understanding-identities-in-iis

https://learn.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities

Fix:

Start by looking at Config File parameter above to determine the location that needs access. The entire publish folder in this case needs access. Right click on the folder and select properties and then the Security tab.

Click on Edit... and then Add....

Now look at Internet Information Services (IIS) Manager and Application Pools:

In my case my site runs under LocalTest Application Pool and then I enter the name IIS AppPool\LocalTest

Press Check Names and the user should be found.

Give the user the needed access (Default: Read & Execute, List folder contents and Read) and everything should work.

Answer 5

I set the .NET CLR version to No Managed Code and everything started to work fine.

Answer 6

The above answers were helpful, but in case this helps anyone - I had this exact problem, and it turned out that I was (windows networking) sharing the root folder that the site was being hosted from. We killed the share, and added the Users permission to read/execute and it worked again just fine.

I suspect the share messed it up.

Answer 7

There is no problem with your web.config. Your web site runs under a process. In iis you can define the identity of that process. The identity that your web site's application pool runs as (Network Services, Local System, etc.), should have permission to access and read web.config file.

Update:

This updated answer is same as above, but a little longer and simpler and improved.

First of all: you don't have to change anything in your config file. It's OK. The problem is with windows file permissions.

This problems occurs because your application can not access and read web.config file.

Make the file accessible to IIS_IUSRS group. Just right click web.config and click properties, under security tab, add IIS_IUSRS.

So what is this IIS_IUSRS thing?

Your web site is like an exe file. Just like any exe file, it should be started by a user and it runs according to permissions assigned to that user.

When your site is started in IIS, Application Pool of your web site is associated with a user (Network Services, Local System, Etc. ...) (and can be changed in IIS)

So when you say IIS_IUSRS, it means any user (Network Services, Local System, Etc. ...) that your site is running as.

And as @Seph mentioned in comment below: If your computer is on a domain, remember that IIS_IUSRS group is a local group. Also make sure that when you're trying to find this user check the location it should be set to local computer and not a corporate domain.

Answer 8

All answers given are valid and working under different circumstances.

For me, restarting Visual Studio worked.

Answer 9

I tried most of the previous suggestions but in vain. I can't reload the website, so I edited the .csproj file and changed the port number and it worked immediately:

 <WebProjectProperties>
      <UseIIS>True</UseIIS>
      <AutoAssignPort>True</AutoAssignPort>
      <DevelopmentServerPort>**4000**</DevelopmentServerPort>
      <DevelopmentServerVPath>/</DevelopmentServerVPath>
      <IISUrl>http://localhost:**4000**/</IISUrl>
      <NTLMAuthentication>False</NTLMAuthentication>
      <UseCustomServer>False</UseCustomServer>
      <CustomServerUrl>
      </CustomServerUrl>
      <SaveServerSettingsInUserFile>False</SaveServerSettingsInUserFile>
    </WebProjectProperties>

Editing .csproj file

Answer 10

This can happen if your application is in a virtual directory and the path to the files is a mapped drive.

If you change the path to the files to a local drive, this will solve it, if that indeed is your problem.

Answer 11

I was running a website at localhost/MyApp built and run through Visual Studio - via a Virtual Directory created by Visual Studio itself.

The "solution" for me was to delete the Virtual Directory and let Visual Studio recreate it.

Answer 12

I had this issue running on Windows 10 with the App Pool using a microsoftaccount\email@contosa.com account (e.g., signing in to the PC with a Microsoft Account instead of local account).

Apparently on my computer something got corrupted; removing IIS and re-adding it did nothing (because it seems the IIS metabase was not removed). Deleting and recreating the app pool didn't help either.

My solution was just to create a new App Pool with the same settings but a different name. This fixed the issue for me; apparently something got corrupted with the apppool which even deleting it and re-adding it with the same name would not fix.

Answer 13

Make sure your web.config file is not marked Read-only

Answer 14

I had this same issue and none of these solutions worked for me. I kept getting the same error and one about "Failed to start monitoring changes" in the event viewer.

The only thing that worked was to copy the folder and rename it back. It must have been a corrupted folder in Windows that IIS/ASP.NET could not access.

Answer 15

1. Go to IIS, (sites)
2. Right click on project inside the sites.enter image description here

and click on edit permission.

3. Go to security.

4. click on edit button.

5. click add button. type COMPUTER_NAME\IIS_USERS

   or

6. click advance.

7. click find now button.

   and there is option to choose. choose IIS_USERS and click ok...ok....ok .

Answer 16

Certainly, this is an issue with permissions. I took following steps and it worked for me.

1. select your website or application in left corner. In most cases it would be under Default web site.
2. click on Basic settings on right corner in IIS Manager 7 or above.
3. click connect as button.
4. Use "Specific User", Click on set button.
5. Enter your username and password. like Domain\username. for me it was like ABC\rrajkumar, enter password.
6. restart IIS, browse your website. It should work now.

Answer 17

The accepted solution didn't for me. I use a Git repo and it cloned to the following folder

c:\users\myusername\source\repos\myWebSite

I made new IIS website and pointed it at the path. Which didn't have the iis_iusrs permissions suggested in the accepted solution. When I added the permissions it still didn't work.

It only started working when I gave the following permissions to the 'Users' group and inheritance cascaded the permissions to web.config. Probably should have applied it just to the web.config to reduce attack surface area.

Answer 18

I gave permission and used ICACLS.exe but didn't work. Then I changed the physical path and it worked successfully.

(IIS 8.5 windows 2012 R2)

Answer 19

In my case, I was trying to host pages from a mapped drive (subst). The issue is that the subst was run under my account and the IIS user is not able to see the same drive

Answer 20

Shift your project to some drive other than C: Worked for me with the same error.

Answer 21

I have solved this by adding read permission to folder for application pool user (WIN SERVER 2008 R2): C:\Windows\System32\inetsrv\config

A little background: Our server has been hacked using classical error where app user had more permissions that it should (local admin).

To fix it we created new domain user that had only permissions on application folder, with min needed rights and assigned it as application pool user. than we hit in the issue and this was solution to our problems.

Answer 22

Sometimes if it is a new server you need to configure or install ASP.NET feature on IIS for it to be able to read your web.config file.

In my case this was the reason.

Answer 23

Make the file accessible to the IIS_IUSRS group. Right click your web.config, expand properties, and under security tab, add IIS_IUSRS. Give the group read/write access.

When the group is NOT available, replace IIS_IUSRS by ComputerName\IIS_IUSRS

Answer 24

This happened to us when the IIS application has a Virtual Directory with a Physical Path that contains forward-slashes / instead of backslashes \. This was accidentally done using a powershell management API for IIS during our continuous delivery process.

Bad Config Example - applicationHost.config

<application path="/MySite/MyService" applicationPool="MyAppPool" enabledProtocols="http">
    <virtualDirectory path="/" physicalPath="C:\inetpub\MySite/MyService" />
</application>

Make sure the physicalPath attribute does not contain forward-slashes /, only backslashes \

Corrected Config Example - applicationHost.config

<application path="/MySite/MyService" applicationPool="MyAppPool" enabledProtocols="http">
    <virtualDirectory path="/" physicalPath="C:\inetpub\MySite\MyService" />
</application>

Answer 25

Right click Web.Config => Tab Security => Button Edit => Button Add => Button Advanced => Button Find Now = > In Search results select your group(in our case " IIS_IUSRS") => Ok => Ok=> Ok

Answer 26

I had the same issue and after doing all the stuff written here as answers, it still reproduced. The second half of the issue was the fact that .NET was turned off under "Turn Windows features on or off"

Answer 27

I had the same problem when I tried to share the site root folder with another user. Some folder lost the permission. So I followed the steps to add permission to IIS_IUSRS group as suggested by Afshin Gh. The problem is this group was not available for me. I am using windows 7.

What I did I just changed some steps:

1. Right click on the parent folder (who lost the permission),
2. Properties => Security =>In "Group or user names:",
3. Click Edit...
4. Window "Permission for your folder" will be opened.
5. In "Group or user names:" press ADD... btn,
6. Type Authen and press Check Names,
7. You will see the complete group name "Authenticated Users"
8. Press ok => apply.
9. This should enable privileges again.

That worked for me.

Answer 28

I had this error message that turned out to be due to my physical folder being located on a network drive as opposed to the local drive. It seems the permissions on such drives by default can be different. For example, while the local drive location gave permission to the users of the local computer, the network location did not.

Further, the accepted answer does not work for such a case. The local users or IIS users were not an available to assign permissions to. The solution was to move the physical folder to the local drive.

Answer 29

check if the file is not marked as read-only, despite of the IIS_IUSRS permission it will display the same message.

Answer 30

Had this issue with a Virtual Application. All the permissions were set. IIS_IUSRS, AppPoolIdentity and then gave full access to Everyone. Nothing worked. Restarted apppool, site and IIS but No go.

Deleted the virtual application and added it again from scratch and it started working.

Wish I knew what solved it.