Elastic Compute Service:How do I resolve the issues that occur when I access IIS websites?

Problem description

When you access an IIS website deployed on a Windows instance, "500 Internal Server Error" appears.

Cause

The error message does not include error details. You must check the actual error information about the website to identify and resolve the issue. The following section describes how to check the actual error information about the website in this scenario.

Solution

Check the actual error information about the website:

1. Connect to the Windows instance.

   For more information, see Use Workbench to connect to a Windows instance over RDP.

2. Start IIS Manager.

   1. In the lower-left corner of the desktop, choose > Server Manager.

      

   2. In the upper-right corner of the Server Manager window, choose Tools > Internet Information Services (IIS) Manager.

3. In the left-side navigation pane of the Internet Information Services (IIS) Manager window, click the website.

   

4. In the IIS section, double-click Error Pages.

   

5. In the right-side pane of the Internet Information Services (IIS) Manager window, click Edit Feature Settings in the Actions section.

   

6. In the Edit Error Pages Settings dialog box, select Detailed errors and click OK.

   

7. Use a browser to access the website and press Ctrl+F5 to forcefully refresh the browser.

   View the actual error information about the website.

8. Resolve the issue based on the error information and then access the website again. If you can access it, the issue is resolved.

Problem description

An IIS website is deployed on a Windows instance. Direct IP access to the website is enabled, which allows you to access the website by using the IP address of the Windows instance.

If domain names can be resolved to the IP address of the Windows instance, including malicious ones and those that do not have an Internet Content Provider (ICP) filing, the domain names can be used to access the website. This may lead to security risks.

Cause

The preceding issue occurs because a binding that includes an empty Host header is configured for the website in IIS.

Solution

Disable direct IP access to the IIS website by removing the binding that includes an empty Host header:

1. Connect to the Windows instance.

   For more information, see Use Workbench to connect to a Windows instance over RDP.

2. Start IIS Manager.

   1. In the lower-left corner of the desktop, choose > Server Manager.

      

   2. In the upper-right corner of the Server Manager window, choose Tools > Internet Information Services (IIS) Manager.

3. In the left-side navigation pane of the Internet Information Services (IIS) Manager window, click the website. Then, click Bindings in the Actions column in the right-side pane. In the Site Bindings dialog box, a binding that includes an empty Host header (Host Name parameter) is displayed. Add a binding to bind a domain name to the website.

   In this example, the domain name example.aliyundoc.com is bound, as shown in the following figure.

4. Use the public IP address of the instance and the domain name example.aliyundoc.com to access the website.

   • The website can be accessed by using the public IP address of the instance and the domain name.

     

   • If a malicious domain name or one such as demo.aliyundoc.com that does not have an ICP filing is resolved to the IP address of the instance, the domain name can be used to access the website even though the domain name is not bound as a hostname in IIS, as shown in the following figure.

     

5. Disable direct IP access to the website.

   1. In the left-side navigation pane of the Internet Information Services (IIS) Manager window, click the website. Then, click Bindings in the Actions column in the right-side pane.

   2. In the Site Bindings dialog box, select the binding that includes an empty Host Name parameter and click Remove. Retain the one that includes the required domain name of the website.

      In this example, the binding that includes the domain name example.aliyundoc.com is retained.

   3. Use a malicious domain name or one that does not have an ICP filing to access the website to check whether direct IP access to the website is disabled.

      If you cannot use the domain name to access the website, even though the domain name is resolved to the IP address of the instance, direct IP access to the website is disabled.

Problem description

You cannot access an IIS website deployed on a Windows instance when the website process is in the Running state. When you run the netstat command on the instance, the command output indicates that the IIS port is in the LISTENING state.

Cause

The IIS port is occupied by another process.

Solution

1. Connect to the Windows instance.

   For more information, see Use Workbench to connect to a Windows instance over RDP.

2. In the search box, enter cmd. Then, click Command Prompt.

   

3. Run the netstat -ano | findstr 80 command to check whether the IIS port is in the LISTENING state.

   The following command output indicates that a process whose process ID (PID) is 4 occupies IIS port 80.

   

   • Port 80 in the LISTENING state:

     The port may be occupied by another process. Run the taskkill <PID> command to terminate the process, and then run the iisreset /noforce command to restart IIS. Replace <PID> with the actual PID.

     In this example, run the taskkill 4 command to terminate the process that occupies port 80, and then run the iisreset /noforce command to restart IIS.

   • Port 80 not in the LISTENING state:

     Restart IIS or check whether the website is in the Running state.

4. Access the website again. If you can access it, the issue is resolved.

Problem description

When you access an IIS website on a Windows instance, an error message appears, as shown in the following figure.

Causes

The preceding issue may be caused by the following reasons:

• A default document is not configured for the requested URL. To resolve the issue, use solution 1.

• Directory browsing is disabled on the Windows instance. To resolve the issue, use solution 2.

Solutions

Problem description

You cannot access an IIS website on a Windows instance, and find many error messages similar to the following one in the operating system logs:

Failed to execute request because the App-Domain could not be created. Error: 0x80070002 The system cannot find the file specified.

Cause

Multiple .NetFramework versions are installed in the operating system, which causes conflicts.

Solution

Uninstall and then re-install ASP.NET for a .NetFramework version. In this example, .NetFramework 2.0 is used.

1. Use the Everything search engine or the system built-in search utility to search for the aspnet_regiis.exe file and go to the directory of .NetFramework 2.0.

   Note

   In most cases, .NetFramework 2.0 is stored in the C:\Windows\Microsoft.NET\Framework64\v2.0.50727 directory.

2. In the address bar, enter cmd to open the Command Prompt window.

   

3. Run the following command to uninstall ASP.NET for .NetFramework 2.0:

   aspnet_regiis.exe -u

   

4. Run the following command to install ASP.NET for .NetFramework 2.0:

   aspnet_regiis.exe -i

   

5. Run the following command to restart IIS. Then, access the website again. If you can access it, the issue is resolved.

   iisreset /noforce

   

Problem description

You cannot connect to an IIS-based FTP site on a Windows instance by using FTP over Transport Layer Security (TLS), and "534 Policy requires SSL" appears.

Cause

When the preceding issue occurs, "534 Local policy on server does not allow TLS secure connections" appears, indicating incorrect FTP SSL settings.

Solution

1. Connect to the Windows instance.

   For more information, see Use Workbench to connect to a Windows instance over RDP.

2. Start IIS Manager.

   1. In the lower-left corner of the desktop, choose > Server Manager.

      

   2. In the upper-right corner of the Server Manager window, choose Tools > Internet Information Services (IIS) Manager.

3. In the FTP section of the FTP site home, double-click FTP SSL Settings.

   

4. In the FTP SSL Settings section, set SSL Policy to Allow SSL connections. In the Actions section, click Apply.

   

5. Access the FTP site again. If you can access it, the issue is resolved.

Problem description

When you access an IIS website on a Windows instance, "Bad Request - Invalid Hostname" appears, as shown in the following figure.

Cause

No domain name binding is configured for the website in IIS, or the domain name in the binding conflicts with other domain names.

Solution

1. Connect to the Windows instance.

   For more information, see Use Workbench to connect to a Windows instance over RDP.

2. Start IIS Manager.

   1. In the lower-left corner of the desktop, choose > Server Manager.

      

   2. In the upper-right corner of the Server Manager window, choose Tools > Internet Information Services (IIS) Manager.

3. In the left-side navigation pane of the Internet Information Services (IIS) Manager window, click the website. In the Actions section of the right-side pane, click Bindings.

   

4. In the Site Bindings dialog box, bind a domain name to the website or check whether the information in the existing domain name binding is correct.

   • Add a binding to bind a domain name to the website.

     1. In the Site Bindings dialog box, click Add.

        

     2. In the Add Site Binding dialog box, configure the parameters based on the website information and click OK.

        

   • View or change the domain name in the existing binding for the website.

     1. In the Site Bindings dialog box, double-click the existing binding.

     2. In the Edit Site Binding dialog box, view website information.

        You can change the domain name as needed, and then click OK.

        

5. Access the website again. If you can access it, the issue is resolved.

Problem description

When you access an IIS website on a Windows instance, "500.19 - Absolute physical path xxx is not allowed in xxx" appears, as shown in the following sample code:

HTTP Error 500.19 - Internal Server Error Absolute physical path "C:\inetpub\custerr\zh-CN\404.html" is not allowed in system.webServer/httpErrors section in web.config file. Use relative path instead.

Cause

Invalid or unrecognizable XML elements may exist in the ApplicationHost.config or Web.config file.

Solution

Delete XML elements that cannot be recognized by IIS from the ApplicationHost.config or Web.config file.

Perform the following steps:

1. Connect to the Windows instance.

   For more information, see Use Workbench to connect to a Windows instance over RDP.

2. Start IIS Manager.

   1. In the lower-left corner of the desktop, choose > Server Manager.

      

   2. In the upper-right corner of the Server Manager window, choose Tools > Internet Information Services (IIS) Manager.

3. In the left-side navigation pane of the Internet Information Services (IIS) Manager window, click the website. In the Actions section of the right-side pane, click Explore to open the site directory of the website.

   

   

4. Open the web.config configuration file in the site directory, delete the httpErrors element from the file, and then save and close the file.

   Sample httpErrors element:

   <httpErrors>
     <remove statusCode="404" subStatusCode="-1" />
     <error statusCode="404" path="C:\inetpub\custerr\zh-CN\404.html" responseMode="File" />
   </httpErrors>

5. Restart IIS.

   1. In the search box, enter cmd. Then, click Command Prompt.

      

   2. Run the following command to restart IIS:

      iisreset /noforce

      

6. Access the website again. If you can access it, the issue is resolved.