Other day I was installing a DotnetNuke site on Windows 2008 R2 server. I followed all the usual steps of creating a new web site in IIS7.5 on Windows 2008. When I tried to access the site, I ended up with the following error.
HTTP Error 401.3 - Unauthorized
You do not have permission to view this directory or page because of the access control list (ACL) configuration or encryption settings for this resource on the Web server.
In the past I had run into this problem and I knew that it has something to do with application pool and accounts associated with that pool. The error message clearly tells that it has something to do with file permissions on the folder where the web site was physically present. Here are some of the common causes of this sort of error when you configure a new web site on Windows 2008 IIS7.5.
Most important is that you need to check what Application Pool is being used for your site and make sure that that account being used by that pool has appropriate access rights on the folders and files. In Windows 2008 R2 there are some important changes related to accounts that are used for IIS application pools. Most of us who come to Windows 2008 R2 environment, get stumped by the fact that it may not be Network Service account that is used for your web site process.
First thing first, we need to figure out what application pool we are using and how we can change it. Here are my earlier posts where I described these steps.
This piece of information is at heart of solving the error with access control list. When you bring up advanced settings dialog box for the application pool, you will find the following value that tells you the account used by your application pool.
Select the button next to that name and it will bring up following diaolog box where you can change the account settings for your pool identity. You can select system defined accounts from the dropdown or you can select a custom account that you have created for your site.
So far I have discussed cause and remedies of the error that you got. Now let's see how you can diagnose the issue to really find out what account was trying to access the site files that ended up in access denied error.
I always keep my super tool Process Monitor tool handy on all my development as well as production servers. You can download it from SysInternals site. Fir it up and acces the site. After you get the error, capture the trace and then look for ACCESS DENIED error. I will not go into details about how to effectively use this tool with filters and all to get to the correct information quickly. There you will be able to see windows account that was trying to access the files. Now you can go to site fclder and configure appropriate access rights for the account and you are good to go!