All Products
Search
Document Center

Elastic Compute Service:How do I resolve the issues that occur when I access IIS websites?

Last Updated:Mar 27, 2025

This topic describes issues that may occur when you access Internet Information Services (IIS) based websites on Elastic Compute Service (ECS) instances, and how to resolve the issues.

Potential issues

What do I do if "500 Internal Server Error" appears when I access an IIS website deployed on a Windows instance?

Problem description

When you access an IIS website deployed on a Windows instance, "500 Internal Server Error" appears.

Cause

The error message does not include error details. You must check the actual error information about the website to identify and resolve the issue. The following section describes how to check the actual error information about the website in this scenario.

Note

You can also refer to What do I do if I cannot access a website hosted on an instance? to troubleshoot the issue.

Solution

Note

This example uses an instance running Windows Server 2019 Datacenter 64-bit (English). The operations that you must perform may vary based on the instance operating system.

Check the actual error information about the website:

  1. Connect to the Windows instance.

    For more information, see Use Workbench to connect to a Windows instance over RDP.

  2. Start IIS Manager.

    1. In the lower-left corner of the desktop, choose Start icon > Server Manager.

      打开服务器管理器

    2. In the upper-right corner of the Server Manager window, choose Tools > Internet Information Services (IIS) Manager.

  3. In the left-side navigation pane of the Internet Information Services (IIS) Manager window, click the website.

    View the IIS website

  4. In the IIS section, double-click Error Pages.

    18

  5. In the right-side pane of the Internet Information Services (IIS) Manager window, click Edit Feature Settings in the Actions section.

    19

  6. In the Edit Error Pages Settings dialog box, select Detailed errors and click OK.

    详细错误

  7. Use a browser to access the website and press Ctrl+F5 to forcefully refresh the browser.

    View the actual error information about the website.

  8. Resolve the issue based on the error information and then access the website again. If you can access it, the issue is resolved.

How do I disable direct IP access to an IIS website on a Windows instance?

Problem description

An IIS website is deployed on a Windows instance. Direct IP access to the website is enabled, which allows you to access the website by using the IP address of the Windows instance.

If domain names can be resolved to the IP address of the Windows instance, including malicious ones and those that do not have an Internet Content Provider (ICP) filing, the domain names can be used to access the website. This may lead to security risks.

Cause

The preceding issue occurs because a binding that includes an empty Host header is configured for the website in IIS.

Solution

Note

This example uses an instance running Windows Server 2019 Datacenter 64-bit (English). The operations that you must perform may vary based on the instance operating system.

Disable direct IP access to the IIS website by removing the binding that includes an empty Host header:

  1. Connect to the Windows instance.

    For more information, see Use Workbench to connect to a Windows instance over RDP.

  2. Start IIS Manager.

    1. In the lower-left corner of the desktop, choose Start icon > Server Manager.

      打开服务器管理器

    2. In the upper-right corner of the Server Manager window, choose Tools > Internet Information Services (IIS) Manager.

  3. In the left-side navigation pane of the Internet Information Services (IIS) Manager window, click the website. Then, click Bindings in the Actions column in the right-side pane. In the Site Bindings dialog box, a binding that includes an empty Host header (Host Name parameter) is displayed. Add a binding to bind a domain name to the website.

    In this example, the domain name example.aliyundoc.com is bound, as shown in the following figure. Bind a domain name

  4. Use the public IP address of the instance and the domain name example.aliyundoc.com to access the website.

    • The website can be accessed by using the public IP address of the instance and the domain name.

    • If a malicious domain name or one such as demo.aliyundoc.com that does not have an ICP filing is resolved to the IP address of the instance, the domain name can be used to access the website even though the domain name is not bound as a hostname in IIS, as shown in the following figure.

  5. Disable direct IP access to the website.

    1. In the left-side navigation pane of the Internet Information Services (IIS) Manager window, click the website. Then, click Bindings in the Actions column in the right-side pane.

    2. In the Site Bindings dialog box, select the binding that includes an empty Host Name parameter and click Remove. Retain the one that includes the required domain name of the website.

      In this example, the binding that includes the domain name example.aliyundoc.com is retained. 删除绑定网站的空主机头

    3. Use a malicious domain name or one that does not have an ICP filing to access the website to check whether direct IP access to the website is disabled.

      If you cannot use the domain name to access the website, even though the domain name is resolved to the IP address of the instance, direct IP access to the website is disabled. image

What do I do if an IIS website cannot be accessed because the IIS port is occupied by another process?

Problem description

You cannot access an IIS website deployed on a Windows instance when the website process is in the Running state. When you run the netstat command on the instance, the command output indicates that the IIS port is in the LISTENING state.

Cause

The IIS port is occupied by another process.

Solution

Note

In this example, port 80 is used as the IIS port and an instance that runs Windows Server 2019 Datacenter 64-bit (English) is used. The operations that you must perform may vary based on the IIS port and the operating system of your instance.

  1. Connect to the Windows instance.

    For more information, see Use Workbench to connect to a Windows instance over RDP.

  2. In the search box, enter cmd. Then, click Command Prompt.

    20230120131443

  3. Run the netstat -ano | findstr 80 command to check whether the IIS port is in the LISTENING state.

    The following command output indicates that a process whose process ID (PID) is 4 occupies IIS port 80.

    Check whether port 80 is in the LISTENING state

    • Port 80 in the LISTENING state:

      The port may be occupied by another process. Run the taskkill <PID> command to terminate the process, and then run the iisreset /noforce command to restart IIS. Replace <PID> with the actual PID.

      In this example, run the taskkill 4 command to terminate the process that occupies port 80, and then run the iisreset /noforce command to restart IIS.

    • Port 80 not in the LISTENING state:

      Restart IIS or check whether the website is in the Running state.

  4. Access the website again. If you can access it, the issue is resolved.

What do I do if "403.14-Forbidden" appears when I access an IIS website on a Windows instance?

Problem description

When you access an IIS website on a Windows instance, an error message appears, as shown in the following figure.

21

Causes

The preceding issue may be caused by the following reasons:

  • A default document is not configured for the requested URL. To resolve the issue, use solution 1.

  • Directory browsing is disabled on the Windows instance. To resolve the issue, use solution 2.

Solutions

Solution 1: Configure a default document

If you do not want to enable directory browsing, you must configure a default document for the requested URL. Make sure that the document file exists.

Solution 2: Enable directory browsing

Note

This example uses an instance running Windows Server 2019 Datacenter 64-bit (English). The operations that you must perform may vary based on the instance operating system.

To use IIS Manager to enable directory browsing, perform the following steps:

  1. Connect to the Windows instance.

    For more information, see Use Workbench to connect to a Windows instance over RDP.

  2. Start IIS Manager.

    1. In the lower-left corner of the desktop, choose Start icon > Server Manager.

      打开服务器管理器

    2. In the upper-right corner of the Server Manager window, choose Tools > Internet Information Services (IIS) Manager.

  3. In the left-side navigation pane of the Internet Information Services (IIS) Manager window, click the homepage.

    image

  4. In the IIS section, double-click Directory Browsing.

    image

  5. In the Actions section of the right-side pane, click Enable.

    image

  6. Access the website again. If you can access it, the issue is resolved.

What do I do if I cannot access an IIS website on a Windows instance and "0x80070002 The system cannot find the file specified" appears?

Problem description

You cannot access an IIS website on a Windows instance, and find many error messages similar to the following one in the operating system logs:

Failed to execute request because the App-Domain could not be created. Error: 0x80070002 The system cannot find the file specified.

Cause

Multiple .NetFramework versions are installed in the operating system, which causes conflicts.

Solution

Note

This example uses an instance running Windows Server 2019 Datacenter 64-bit (English). The operations that you must perform may vary based on the instance operating system.

Uninstall and then re-install ASP.NET for a .NetFramework version. In this example, .NetFramework 2.0 is used.

  1. Use the Everything search engine or the system built-in search utility to search for the aspnet_regiis.exe file and go to the directory of .NetFramework 2.0.

    Note

    In most cases, .NetFramework 2.0 is stored in the C:\Windows\Microsoft.NET\Framework64\v2.0.50727 directory.

  2. In the address bar, enter cmd to open the Command Prompt window.

    image

  3. Run the following command to uninstall ASP.NET for .NetFramework 2.0:

    aspnet_regiis.exe -u

    image

  4. Run the following command to install ASP.NET for .NetFramework 2.0:

    aspnet_regiis.exe -i

    image

  5. Run the following command to restart IIS. Then, access the website again. If you can access it, the issue is resolved.

    iisreset /noforce

    image

What do I do if "534 Policy requires SSL" appears when I connect to an IIS-based FTP site on a Windows instance by using FTP over TLS?

Problem description

You cannot connect to an IIS-based FTP site on a Windows instance by using FTP over Transport Layer Security (TLS), and "534 Policy requires SSL" appears.

Cause

When the preceding issue occurs, "534 Local policy on server does not allow TLS secure connections" appears, indicating incorrect FTP SSL settings.

Solution

Note

This example uses an instance running Windows Server 2019 Datacenter 64-bit (English). The operations that you must perform may vary based on the instance operating system.

  1. Connect to the Windows instance.

    For more information, see Use Workbench to connect to a Windows instance over RDP.

  2. Start IIS Manager.

    1. In the lower-left corner of the desktop, choose Start icon > Server Manager.

      打开服务器管理器

    2. In the upper-right corner of the Server Manager window, choose Tools > Internet Information Services (IIS) Manager.

  3. In the FTP section of the FTP site home, double-click FTP SSL Settings.

    image

  4. In the FTP SSL Settings section, set SSL Policy to Allow SSL connections. In the Actions section, click Apply.

    image

  5. Access the FTP site again. If you can access it, the issue is resolved.

What do I do if "Bad Request - Invalid Hostname" appears when I access an IIS website on a Windows instance?

Problem description

When you access an IIS website on a Windows instance, "Bad Request - Invalid Hostname" appears, as shown in the following figure.

问题描述

Cause

No domain name binding is configured for the website in IIS, or the domain name in the binding conflicts with other domain names.

Solution

Note

This example uses an instance running Windows Server 2019 Datacenter 64-bit (English). The operations that you must perform may vary based on the instance operating system.

  1. Connect to the Windows instance.

    For more information, see Use Workbench to connect to a Windows instance over RDP.

  2. Start IIS Manager.

    1. In the lower-left corner of the desktop, choose Start icon > Server Manager.

      打开服务器管理器

    2. In the upper-right corner of the Server Manager window, choose Tools > Internet Information Services (IIS) Manager.

  3. In the left-side navigation pane of the Internet Information Services (IIS) Manager window, click the website. In the Actions section of the right-side pane, click Bindings.

    image

  4. In the Site Bindings dialog box, bind a domain name to the website or check whether the information in the existing domain name binding is correct.

    • Add a binding to bind a domain name to the website.

      1. In the Site Bindings dialog box, click Add.

        image

      2. In the Add Site Binding dialog box, configure the parameters based on the website information and click OK.

        image

    • View or change the domain name in the existing binding for the website.

      1. In the Site Bindings dialog box, double-click the existing binding.

      2. In the Edit Site Binding dialog box, view website information.

        You can change the domain name as needed, and then click OK.

        image

  5. Access the website again. If you can access it, the issue is resolved.

What do I do if "500.19 - Absolute physical path xxx is not allowed in xxx" appears when I access an IIS website on a Windows instance?

Problem description

When you access an IIS website on a Windows instance, "500.19 - Absolute physical path xxx is not allowed in xxx" appears, as shown in the following sample code:

HTTP Error 500.19 - Internal Server Error Absolute physical path "C:\inetpub\custerr\zh-CN\404.html" is not allowed in system.webServer/httpErrors section in web.config file. Use relative path instead.

image

Cause

Invalid or unrecognizable XML elements may exist in the ApplicationHost.config or Web.config file.

Solution

Delete XML elements that cannot be recognized by IIS from the ApplicationHost.config or Web.config file.

Note

This example uses an instance running Windows Server 2019 Datacenter 64-bit (English). The operations that you must perform may vary based on the instance operating system.

Perform the following steps:

  1. Connect to the Windows instance.

    For more information, see Use Workbench to connect to a Windows instance over RDP.

  2. Start IIS Manager.

    1. In the lower-left corner of the desktop, choose Start icon > Server Manager.

      打开服务器管理器

    2. In the upper-right corner of the Server Manager window, choose Tools > Internet Information Services (IIS) Manager.

  3. In the left-side navigation pane of the Internet Information Services (IIS) Manager window, click the website. In the Actions section of the right-side pane, click Explore to open the site directory of the website.

    image

    image

  4. Open the web.config configuration file in the site directory, delete the httpErrors element from the file, and then save and close the file.

    Sample httpErrors element:

    <httpErrors>
      <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="404" path="C:\inetpub\custerr\zh-CN\404.html" responseMode="File" />
    </httpErrors>
  5. Restart IIS.

    1. In the search box, enter cmd. Then, click Command Prompt.

      20230120131443

    2. Run the following command to restart IIS:

      iisreset /noforce

      image

  6. Access the website again. If you can access it, the issue is resolved.