Version 5

    PURPOSE: This is an extended guide to IIS errors pertaining to authentication and access. It cleans up the Smart Card Guide (to simplify both in the end) and incorporates general Orion Web Console IIS errors.

     

    This is a Work in Progress (WIP) and is being updated.

     

    IIS Log Files: Enabling additional logging and then monitoring the IIS connection helps determine whether IIS is causing the issue.

     

     

    In IIS Manager, go to the local Server > Sites > Solarwinds NetPerfMon > Logging.

    The Directory field shows the log location. It is usually under C:\inetpub\logs\LogFiles\W3SVC2, or W3SVC1 if Default is deleted.

     

     

    IIS Common Web Return Codes

    This guide focuses on the 300, 400, and 500 series codes.

     

     

    Source of error codes: https://support.microsoft.com/en-us/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0

     

    Code Series - Meaning

    • 100s - Informational messages
    • 200s - Success
    • 300s - Site Redirection
    • 400s - Client Issue
    • 500s - Server Issue

     

    300 Codes

    • 301 - Moved permanently.
    • 302 - Object moved.
    • 304 - Not modified.
    • 307 - Temporary redirect.

     

    400 Subcode - Browser Error

         400 errors usually point to the client browser being at fault. Try another browser or check the configuration.

     

    401 Subcode - Access Denied

    • 401.1 - Logon failed.
    • 401.2 - Logon failed due to server configuration.
    • 401.3 - Access is denied due to ACL. Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists). Ask the Web server's administrator to give you access.
      • The user is not in the Users group on the Windows Server. Add the user or a group to the OS, and the user will be able to log in.

     

     

    403 Subcode - Forbidden

     

    User Permission Access Issue:

    • 403.1 - Execute access forbidden
    • 403.2 - Read access forbidden
    • 403.3 - Write access forbidden

     

    If the user sees any of the above errors, Group Policy has blocked the user from accessing the system. IIS uses the same authentication access as if the user were logging in to the system.

    1. Open Group Policy Manager, either directly on the system or through Group Policy Editor.
    2. Go to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\
    3. Check the security settings to ensure that accounts are not denied login access. IIS uses multiple Group Policy settings to determine access. If the user does not fall into these groups, the user will be denied access.
    4. On the Solarwinds Server, check the Security Event Log and note the Event ID.
    5. Use this Microsoft page to identify which setting is causing the issue, based on the Event ID or message: Interactive Logon Tools and Settings: Logon and Authentication

     

    The user connected via http://; change to https://

    • 403.4 - SSL required

     

    The SSL setting is set to Required; see Setup SSL and Enable Smart Card (CAC/PKI) User Authentication for Orion 2017.1+

    • 403.7 - Client certificate required. This error message is received if a client does not provide a client certificate when one is required. Either the client refused to send a client certificate or the client did not have a certificate issued by a mutually trusted certification authority.

                        See Also: https://blogs.msdn.microsoft.com/friis/2011/11/15/troubleshooting-403-7-client-certificate-required-errors-step-by-step-to-make-sure-your-client-certificate-is-displayed-and-selected/

    • 403.13 - Client certificate revoked. This error message means that the client sent a certificate, but either the certificate shows up as revoked in the issuing authority's Certificate Revocation List or the server could not retrieve a CRL from the issuing authority.
    • 403.16 - Client certificate is untrusted or invalid. Primarily generated when the client certificate provided is improperly formed. It can also occur if the Intermediate Certification Authorities in the certificate chain are not trusted by the Web server, or if the Trusted Root Certification Authorities certificate store contains non-self-signed certificates. See the link below.
    • 403.17 - Client certificate has expired or is not yet valid. The current date on the server is not within the valid date ranges that are presented in the client certificate.

    Sometimes 403.7 accompanies 500: 500.0 - Module or ISAPI error occurred.

    • 500 0 64 & 403 7 5

              https://blogs.msdn.microsoft.com/friis/2011/11/15/troubleshooting-403-7-client-certificate-required-errors-step-by-step-to-make-sure-your-client-certificate-is-displayed-and-selected/

              https://blogs.msdn.microsoft.com/chiranth/2016/07/14/403-7-and-500-client-certificate-authentication-errors-iis/

     

     

    Directory List denied (should not be needed)

    • 403.14 - Directory listing denied. Error w

    https://support.solarwinds.com/Success_Center/Network_Performance_Monitor_(NPM)/HTTP_Error_40314__Forbidden_The_Web_server_is_configured_to_not_list_the_contents_of_this_directory

     

     

     

    500 Subcode - Server Error

    • 500.0.64 Did you possibly modify the Application Pool?
      • In IIS, Right Click Solarwinds NetPerfMon Website, select Explore
      • Back in IIS, Right Click Solarwinds NetPerfMon, select Remove.
      • Back in File Explorer, go one directory up, and delete.
      • Select Application Pools, select the Solarwinds Orion Application Pool, and remove the pool.
      • Run the Configuration Wizard, select Website and let the wizard run.
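
Added example (not part of the original guide, and not SolarWinds or Microsoft code): a small parser for the IIS W3C log files described under "IIS Log Files" that groups failed requests by status, substatus and Win32 status, the same triples this guide writes as "500 0 64" and "403 7 5". The sample log lines, user name, IP addresses and URL paths are constructed for illustration.

```python
from collections import Counter

# Meanings as listed in this guide, keyed by (sc-status, sc-substatus).
MEANINGS = {
    (401, 1): "Logon failed", (401, 2): "Logon failed due to server configuration",
    (401, 3): "Access is denied due to ACL", (403, 1): "Execute access forbidden",
    (403, 2): "Read access forbidden", (403, 3): "Write access forbidden",
    (403, 4): "SSL required", (403, 7): "Client certificate required",
    (403, 13): "Client certificate revoked", (403, 14): "Directory listing denied",
    (403, 16): "Client certificate is untrusted or invalid",
    (403, 17): "Client certificate has expired or is not yet valid",
    (500, 0): "Module or ISAPI error occurred",
}

# Constructed sample in IIS W3C format (not from a real server); last row is truncated.
SAMPLE = r"""#Fields: date time cs-method cs-uri-stem s-port cs-username c-ip sc-status sc-substatus sc-win32-status
2024-01-01 10:00:01 GET /Orion/Login.aspx 443 - 10.0.0.21 403 7 5
2024-01-01 10:00:02 GET /Orion/Login.aspx 443 - 10.0.0.21 500 0 64
2024-01-01 10:00:03 GET /Orion/Login.aspx 443 - 10.0.0.21 403 7 5
2024-01-01 10:00:04 GET /Orion/SummaryView.aspx 443 LAB\jdoe 10.0.0.22 401 3 5
2024-01-01 10:00:05 GET /Orion/SummaryView.aspx 443 LAB\jdoe 10.0.0.22 200 0 0
2024-01-01 10:00:06 GET /Orion/Summ
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request row, named by the most recent #Fields: header."""
    fields = []
    for line in map(str.strip, lines):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # IIS repeats the header after restarts
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):   # drop truncated rows
                yield dict(zip(fields, values))

def summarize(lines):
    """Count 4xx/5xx rows per (status, substatus, win32 status, user, client IP)."""
    hits = Counter()
    for row in parse_w3c(lines):
        status = int(row.get("sc-status", "0"))
        if status >= 400:
            hits[(status, int(row.get("sc-substatus", "0")), int(row.get("sc-win32-status", "0")),
                  row.get("cs-username", "-"), row.get("c-ip", "-"))] += 1
    return hits

def report(lines):
    """Return one readable line per failure group, most frequent first."""
    return [f"{n}x {s}.{sub} win32={w} user={user} client={ip}: "
            f"{MEANINGS.get((s, sub), 'not listed in this guide')}"
            for (s, sub, w, user, ip), n in summarize(lines).most_common()]
```

To run it against a real log, pass an open file from the directory shown in the Logging pane, for example report(open(path, errors="replace")), where path is the log file you want to inspect.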