
I found a solution to the 403 Forbidden (event id 1314) errors. Microsoft
Support couldn’t fix it but my two-minute session with Sysinternals’ FileMon
revealed the cause: w3wp.exe attempts to access the bin/ directory of the
web application in the context of the requesting (non-admin) user and fails
with an access denied.

SYMPTOMS
– A user (non-admin) wants to create a new list item (e.g. a calendar item, …) or
upload a file and sees a 403 Forbidden. The ‘new’ page is not shown.
– A user (non-admin) wants to edit a list item (e.g. a blog post) and sees a 403
Forbidden. The ‘edit’ page is not shown.
– A Farm Administrator has NO issues with these ‘new’/‘edit’ pages and is
able to edit and save content.

CAUSE
w3wp.exe (IIS worker process for ASP.NET) tries to look into the /bin
directory in the context of the requesting user account (impersonation), but
fails for non-admin users. The bin/ directory is not readable for normal
users but is readable for administrators.
I believe this is an ASP.NET 2.0 bug that is related to KB 928365. This
hotfix is removed when you install .NET 2.0 Service Pack 1. SP1 contains the
solution from KB 928365 and thus the problems continue.
I don’t think WSS3/MOSS or WSS3/MOSS Service Pack 1 causes this issue.

WORKAROUND/SOLUTION
Make sure your normal user accounts can access the /bin directory in the
web application:
– Open a Windows Explorer window for the /bin directory of your web application and
display its properties.
– On the Security tab, add the local server group “SERVER\Users” to the
list (“SERVER\Users” usually contains “DOMAIN\Users”) and select the
following rights for “SERVER\Users”: “Read & Execute”, “List Folder
Contents”, “Read”. Click OK to apply the new settings.

The 403’s should be gone.
Do this for every web application in your farm.
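
The same permission change scripted for every web application, as an added PowerShell example that is not part of the original post. The `-VirtualDirectoriesRoot` parameter and the `-Apply` switch are names chosen for this example; it assumes each web application is a subdirectory of that root with its own bin folder, and it only reports the current state unless `-Apply` is given.

```powershell
# Added example: audit (and with -Apply, fix) the bin ACL of every web application.
param(
    # Assumption: folder holding one subdirectory per web application.
    [Parameter(Mandatory = $true)][string]$VirtualDirectoriesRoot,
    [switch]$Apply   # without this switch the script only reports
)

# BUILTIN\Users by well-known SID: the local "SERVER\Users" group from the post.
$users  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
$needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

Get-ChildItem -Path $VirtualDirectoriesRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $bin = Join-Path $_.FullName 'bin'
    if (-not (Test-Path $bin)) { return }   # no bin folder here, next directory

    # Look for an existing Allow entry (explicit or inherited) that covers Read & Execute.
    $acl   = Get-Acl -Path $bin
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $ok    = $false
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $users.Value -and
            $r.AccessControlType -eq 'Allow' -and
            ($r.FileSystemRights -band $needed) -eq $needed) { $ok = $true }
    }

    $action = 'none'
    if (-not $ok -and $Apply) {
        # Read & Execute, inherited by subfolders and files; no write or modify rights.
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $users, $needed, $inherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $bin -AclObject $acl
        $action = 'granted ReadAndExecute'
    } elseif (-not $ok) {
        $action = 'missing (rerun with -Apply)'
    }

    New-Object PSObject -Property @{ Path = $bin; UsersCouldRead = $ok; Action = $action }
}
```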
