Troubleshooting: IIS 6 Status and Substatus codes

I thought it would be a great idea to write this down as an entry.The information that I am going to share now has helped me to troubleshoot a majority of cases I have had on IIS.

Lets start by understanding what are status and sub states codes.

Everytime IIS receives a request, if IIS logging in enabled, IIS logs the request into a Log file. In IIS 6 logging in enabled by default however in IIS 7 it's a choice.

To a beginner, the common questions that arise at this point are,

Q.) How do we drill down to the logs of an appropriate website?

A.) Here is how you do it.

By default,

In IIS 6 logs are stored at C:\windows\system32\LogFiles\

In IIS 7 the location would be C:\inetpub\logs\logfiles\

Once you get to this location you would be seeing entries like this W3SVC1, W3SVC87257621.

Q.) What do these entries mean?

A.) W3SVC stands for website and 1 or 87257621 stands for the unique identifier that is associated with a particular website.

Q.) How do you know which identifier is associated with which website?

A.) Goto, Inetmgr -> click on Web Sites and take a look at the right hand side screen ... And there you have it the Identifier column. This identifier is unique and no 2 websites have the same identifier. Even if you delete and recreate the same website you will notice that the website identifier is different.

Once you go into the log folder you will see logs depending on the format you have chosen. By default in IIS 6, they are daily. And the log filenames are in the format exYYMMDD.log ... (ROVASTAR, thanks for the inputs)

A typical Log information for a request would look something like this ....

2008-04-11 20:39:48 127.0.0.1 GET /test/1.asp - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2; +.NET+CLR+1.1.4322) 200 0 0

2008-04-11 20:40:04 127.0.0.1 GET /test/1.asp - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2; +.NET+CLR+1.1.4322) 404 2 1260

In the above example I have highlighted the Status Code and the Sub-Status code ... In the first case we have the values as 200 0 where in the status code is 200 and the sub status code is 0. 200 status code stands for "Request ok." Therfore, just by a look at the log we can determine that the request was served properly by IIS.... Moving on to the next example the 2 numbers are 404 and 2 , where in 404.2 means that the page could not be displayed because "Web service extension lockdown policy prevents this request."

See how easy it becomes once you understand the meaning of the status codes along with the help of sub-status codes!

Tip:If you don't get any thing much out of this information. Browse the page with the Show Friendly Http Error Messages unchecked.

To do that go to IE -> Tools -> Internet Options -> Advanced -> Browsing

Here's a list of status codes and substatus codes along with their meanings. Let me know if I have forgotten any :)

Broadly they are classified in this format:

Status Code Range	Type of Code
100	Informational
200	Successful
300	Redirection
400	Client Error
500	Server Error

Below is the table giving you in detail information:

Status Code	Sub-Status Code	Explanation
100	-	Continue
101	-	Switching pools
200	OK.	The clinet request has succeeded
201	-	Created
202	-	Accepted
203	-	Non-authoritative information
204	-	No content
205	-	Reset content
206	-	Partial content
301	-	Permanent Redirect.
302	-	Object Moved
304	-	Not Modified.
307	-	Temporary redirect.
400	-	Cannot resolve the request/Bad request.
401	x	Unauthorized.
401	1	Access is denied due to invalid credentials.
401	2	Access is denied due to server configuration favoring an alternate authentication method.
401	3	Access is denied due to an ACL set on the requested resource.
401	4	Authorization failed by a filter installed on the Web server.
401	5	Authorization failed by an ISAPI/CGI application.
401	7	Access denied by URL authorization policy on the Web server.
403	x	Access is denied.
403	1	Execute access is denied.
403	2	Read access is denied.
403	3	Write access is denied.
403	4	SSL is required to view this resource.
403	5	SSL 128 is required to view this resource.
403	6	IP address of the client has been rejected.
403	7	SSL client certificate is required.
403	8	DNS name of the client is rejected.
403	9	Too many clients are trying to connect to the Web server.
403	10	Web server is configured to deny Execute access.
403	11	Password has been changed.
403	12	Client certificate is denied access by the server certificate mapper.
403	13	Client certificate has been revoked on the Web server.
403	14	Directory listing is denied on the Web server.
403	15	Client access licenses have exceeded limits on the Web server.
403	16	Client certificate is ill-formed or is not trusted by the Web server.
403	17	Client certificate has expired or is not yet valid.
403	18	Cannot execute requested URL in the current application pool.
403	19	Cannot execute CGIs for the client in this application pool.
403	20	Passport logon failed.
404	x	File or directory not found.
404	1	Web site not accessible on the requested port.
404	2	Web service extension lockdown policy prevents this request.
404	3	MIME map policy prevents this request.
404	4	No handler was found to serve the request.
404	5	The Request Filtering Module rejected an URL sequence in the request.
404	6	The Request Filtering Module denied the HTTP verb of the request.
404	7	The Request Filtering module rejected the file extension of the request.
404	8	The Request Filtering module rejected a particular URL segment (characters between two slashes).
404	9	IIS rejected to serve a hidden file.
404	10	The Request Filtering module rejected a header that was too long.
404	11	The Request Filtering module rejected a request that was double escaped.
404	12	The Request Filtering module rejected a request that contained high bit characters.
404	13	The Request Filtering module rejected a request that was too long (request + entity body).
404	14	The Request Filtering module rejected a request with a URL that was too long.
404	15	The Request Filtering module rejected a request with a too long query string.
405	-	HTTP verb used to access this page is not allowed.
406	-	Client browser does not accept the MIME type of the requested page.
407	-	Initial proxy authentication required by the Web server.
412	-	Precondition set by the client failed when evaluated on the Web server.
413	-	Request entity too large.
414	-	Request URL is too large and therefore unacceptable on the Web server.
415	-	Unsupported media type.
416	-	Requested range not satisfiable.
417	-	Expectation failed.
423	-	Locked error.
500	x	Internal server error.
500	11	Application is shutting down on the Web server.
500	12	Application is busy restarting on the Web server.
500	13	Web server is too busy.
500	14	Invalid application configuration on the server.
500	15	Direct requests for Global.asa are not allowed.
500	16	UNC authorization credentials are incorrect.
500	17	URL authorization store cannot be found.
500	18	URL authorization store cannot be opened.
500	100	Internal ASP error.
501	-	Header values specify a configuration that is not implemented.
502	-	Bad gateway.
503	-	Service unavailable.
504	-	Gateway timeout.
505	-	HTTP version not supported.

Hope this helps! ;)

IIS 6 Authentication vs Authorization

I have been wanting to write a blog on this topic like forever. Finally I have got down to write down the brief explanation.

IIS 6 authentication is of different types and is capable of delivering the needs of various scenarios.This blog is going to provide you with the best way to learn concepts of IIS 6 authentication.

Well from then on, it depends on how you want to take this article too. Put down your comments and I will try and stitch the various questions to another blog on this topic. I am pretty sure IIS authentication raises a lot of questions in the mind of the reader. So here it goes.

The 2 concepts which often confuses a lot of people are - authentication and authorization. Lets start by 1st differentiating them

Authentication is the process of obtaining credentials from the users and using those to verify the user's identity. These credentials can be received in many ways and can be of many types. Whereas, Authorization is the process of allowing an authenticated user access to resources.For example, in IIS 6 if you use Basic Authentication then the username and password are transmitted over the network in plain text format.

Lets understand this with the help of an example. I am going to consider that we are working with anonymous access. The usual misconception that people have is that with Anonymous access everyone can view anything on the server. Well that is not true!

Authentication always precedes Authorization; even if your application lets anonymous users connect and use the application, it still authenticates them as being anonymous.

Assume, if the authenticated user does not have privileges on the content that is to be viewed, the user is not authorized to view the content.The important point to understand here is that the user is never the less still authenticated.

The different types of Authentication available in IIS 6 are:
(For the sake of me not typing duplicate material, I have given the appropriate links which explains the phenomenon the best ;) )

• Anonymous Authentication. (Microsoft Explains)
• Digest Authentication for Windows Domain Users. (Microsoft Explains)
• Integrated Windows Authentication. (Microsoft Explains)
• Basic Authentication. (Microsoft Explains)
• .Net Passport authentication. (Microsoft Explains)

In case of configuring websites which deal with content located on UNC paths, we come across UNC authentication or UNC pass through authentication. This authentication method is not listed along with other authentication methods in website properties but comes into picture only when we deal in UNC path. For more, (Microsoft Explains)

Incorrect settings may lead to certain errors depending upon the configuration that may have gone wrong. But mostly you may come across a 401.x or 403.x errors. For description on these errors view my previous blog on understanding the status and substatus code

Will be coming about with a few more articles on IIS authentication in the near future. Just need to decide how to go about it :D

How To: Create a Website using IIS 6 - Level 100

After checking initial stats related to search queries that reached this blog I have decided to write an introductory article on How to create a website using IIS 6.

For the beginners, you must know that IIS 6 is not part of the default installation on Windows Server 2003 as compared to it's predecessor. Therefore to get started with your website you will first need to install IIS 6 on a windows server 2003 (IIS is available on all the versions). That can be achieved in 2 ways ...

• Server Manager
  
• Add\Remove Programs (Windows Components-Application Server-IIS)

If you intend to run ASP.Net pages then you will have to choose that explicitly as well.

Note: Post-installation you will need to enable ASP through Web Server Extensions, if you plan to run them.

Ok, once the installation is done, the next thing that we would be needing is the actual content that is to be hosted. For the sake of this article I will be using.

1. A very simple HTML page.(sample.htm -Save file in C:\Inetpub\wwwroot)
2. A very simple ASP page.(sample.asp -Save file in C:\Inetpub\wwwroot)
   

In IIS 6 the page available by default is iisstart.htm, however, this page has the tendency to confuse people as the page says Under Construction ... :)

In the past I have had numerous cases wherein the users complained of IIS installation going bad. When asked, they told me that this was the page they were viewing when they typed in localhost for the 1st time. ;)

Whereas, in IIS 7 this page is great and shows you a good image of IIS 7 with a few links. I like it in IIS 7 if you ask me.

Anyways, To create a website,

Click on Start -> Administrative Tools ->Internet Information Services (IIS) Manager

This will open up a window.To view the pages that we just saved, go to Default Web Site. On the right hand-side pane you will notice that you would already have 2 files(sample.htm and sample.asp) listed. To view them right-click on the file and click browse. Perhaps, while browsing the sample.asp page you may receive an error Service Unavailable.

This will come up if you have not yet allowed Active Server Pages extension from the Web Service Extensions. To do it,

Go to Web Service Extensions ->Select Active Server Pages ->Select Allow

Now refresh the sample.asp page in the browser and this time you will be able to browse it. But, all this was working with the already created website, What if we wanted to create a new website all together? Well lets do that now,

1. Right-click on Web Sites -> Select New-> Website.This will open up a Website creation wizard. Click next and give a description, say sample -> next.
2. Enter the Ip address for your website. If you have any reason to work on a specific port then you could specify that as well. Next.
3. Browse to the content location. In my particular case, I will creating a website whose content in based in the E: drive

   Note: If you want everyone to browse this website then you can keep the checkbox that says (Allow Anonymous access to this Website )

4. Let the default check boxes be as they are and click next. Click Finished.

And that's it, your website in now created and will be up and running. However, this website will be running under the Default Application Pool. As an advice, it is always appropriate to have different websites running under different App Pools, this gives us lot more flexibility.
If you need to understand this concept better, read my blog on Difference Between Virtual Directories and App Pools. Therefore to achieve that create an Application Pool by the name sample:

Application Pool -> New -> Application Pool and give it a name sample where it says App Pool ID.

To associate this Application Pool to our Sample website.

Right-Click on the Sample website-> Properties -> Home Directory Tab -> Under Application Settings . Click on the Application Pool drop down and select the Sample. Hit Apply. OK.

And now we are done. You will now be able to

• Create a sample website with the content and settings of your choice.
  
• Create an Application Pool and associate it to your website.
  

FYI, If you create a website with the same Ip Address and Port as that of any other pre-existing website, your website will be created but will be in a stopped state. It will not function until you stop the other website and explicitly start the new one.

As always, let me know if any issues.