Web.Config - Cannot read configuration file due to insufficient permissions

Asked 4/10, 2012 at 16:6 Answered 2/3, 2018 at 1:39

I am getting the error:

Module  IIS Web Core
Notification    Unknown
Handler Not yet determined
Error Code  0x80070005
Config Error    Cannot read configuration file due to insufficient permissions
Config File \\?\C:\inetpub\wwwroot\web.config

The file itself has full permissions for IUSR. IIS is running its app pool under ApplicationPoolIdentity. I did a file monitor on the file, and I see this:

9:04:43.8035456 AM  w3wp.exe    8104    CreateFile  C:\inetpub\wwwroot\Web.config   ACCESS DENIED   Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a

No idea why I am getting this error... Any ideas?

Qianaqibla answered 4/10, 2012 at 16:6 Comment(0)

Try giving read/write access to these accounts to the root folder of your Web application and all files/subs within:

NETWORK, NETWORK SERVICE, and of course IIS_IUSRS

Cherriecherrita answered 5/10, 2012 at 1:14 Comment(5)

I think you meant IUSR (instead of IIS_IUSRS) – Grippe 13/11, 2014 at 9:26

Depends on your windows/iis install. IIS7+ is IIS_IUSRS (if I'm remembering correctly). IUSR is an IIS6 thing (again if I remember correctly). – Cherriecherrita 26/11, 2014 at 18:54

Awesome! exactly what we needed – Dodge 23/8, 2019 at 4:48

Just a note: IIS_IUSRS user can be added as <your coumputer's name>\IIS_IUSRS. I naively tried to add it as IIS_IUSRS but it didn't work. – Troat 8/9, 2020 at 7:34

If you are using the GUI to manage permissions, just type IIS_IUSRS and click the Check Names button to resolve the domain/computer name prefix. – Cherriecherrita 8/9, 2020 at 16:21

I found that adding the mymachine/USERS with full permissions to C:\inetpub\wwwroot fixed the issue.

The problem was caused because I shared some sites content inside C:\inetpub\wwwroot with other developers. This must have changed permissions and broke my IIS completely.

Tibbitts answered 13/7, 2016 at 10:41 Comment(2)

I set up sharing for my wwwroot folder and started to get this error. This solution worked for me as well. – Manzanilla 25/7, 2016 at 18:36

Just <read / read & execute> permissions were enough for me. – Daric 25/8, 2023 at 7:16

First, make sure IUSR has Read permission on the config file (which I believe you have done that)

Then, change IIS authentication method to BasicAuthentication

If still not working, probably the .config extension is not properly installed in IIS.

Try all 3! Good luck!

EDIT: Forget to ask you, what kind of appliation is it?

Shashaban answered 4/10, 2012 at 16:12 Comment(3)

Its a .Net web service (ASP.Net 4.0) IIS has BasicAuth and AnonymousAuth turned on and the file does have read perms for the IUSR. I'll check the IIS config for .config extensions now. – Qianaqibla 4/10, 2012 at 16:21

I did an aspnet_regiis then iisreset. Still getting the same error. – Qianaqibla 4/10, 2012 at 16:24

Can you also try grant permission to your whole app directory? – Shashaban 4/10, 2012 at 16:59

I just came across this and was unable to find applicationpoolidentity as an account in order to add it to the folder security. I changed the application pool identity from applicationpoolidentity to Local Service and the site ran fine.

Reardon answered 29/6, 2015 at 2:14 Comment(1)

As an fyi, this has security implications. If there is a flaw in your application, and the server gets compromised, the LocalSystem account basically has admin privileges. Consider the Principal of Least Privilege and create a new limited user. en.m.wikipedia.org/wiki/Principle_of_least_privilege – Qianaqibla 30/6, 2015 at 3:23

I was copying a live WordPress site to my local machine for editing/updating when this IIS error occurred. Changing permissions did nothing.

In my case, simply deleting the web.config did the trick.

Crave answered 12/9, 2015 at 23:40 Comment(0)

I ran into this issue again today. This time, no amount of granting permissions worked (tried all the usual accounts, everybody, read-only, modify, full control).

Closed processes, restarted IIS, full reboot. No results.

Eventually changed the owner from "Administrators" to myself, and things fell into place.

I usually run Visual Studio at Admin level (using my own account) because I like to use the local IIS for hosting / debugging ASP.NET sites. Perhaps that caused new files to be owned by \Administrators, which in turn may have limited access to those files by the IIS or App Pool processes.

My DefaultAppPool identity is set to load the user profile. I don't know at what point the session manager applies UAC / permissions drops and whether user profile loading has any influence on this. Food for thought...

Kreitman answered 2/3, 2018 at 1:39 Comment(3)

You more or less answered your own problem in the last paragraph. If you set a specific identity to your Application Pool, you need to make sure that identity has the proper permissions to access the files, but this can have other byproduct problems depending on what Windows version you're on. If the identity specified has login credentials, for instance, you could end up requiring that user to be logged in for it to work. – Cherriecherrita 1/12, 2018 at 22:42

@LawrenceJohnson Essentially, but... in this case, the App Pool had permissions to the files. However, I think the problem was that the files were also owned by \Administrators group, which restricts access (at least in Explorer) to a non-elevated session. I haven't been able to find specific reference of how this behaviour manifests with respect to a non-logged in user, the AppPoolIdentity (no explorer? how about general UAC?). Simply replacing \Administrators from ownership solved the problem. – Kreitman 5/12, 2018 at 10:45

Hmm, interesting. It could maybe be a security policy set on the machine that does that. – Cherriecherrita 5/12, 2018 at 17:39

Recommended topics

Hot tags