Setting Up IIS Website Directory/Folder

This began with me facing a 401.3 error when trying to access my website. Of course, I went wrong somewhere.

The 401.3 error indicates that the user accessing your website lacks the necessary permissions to view the content. While IIS_IUSRS (Internet Information Services User Rights) plays a role, it’s not the sole guardian.

Instead of this article being about how to fix the 401.3 error, let’s figure out how to get it right in the first place.

Setting Up IIS Website Directory/Folder

It’s a good practice to set up a separate folder for your website and not use the default IIS folder. Whether you have a single site to host or multiple sites, for each site, create a subfolder. Ideally, this folder should have the same name as your website.

Create a New Application Pool

Creating a new application pool for your new website is a good practice. Here’s why:

1. Isolation: Separate application pools ensure that each site or application runs independently. This isolation means if one application crashes, it won’t affect others.
2. Resource Management: You can allocate specific resources (like memory and CPU) for each application pool, allowing better resource management and performance tuning.
3. Security: Each application pool runs under a unique security context, providing an additional layer of security by limiting permissions and access for each application.
4. Recycling: Application pools can be configured to recycle periodically, refreshing the environment and reducing memory leaks or other potential issues.

You get a chance to create a new application pool when adding your website to IIS (next step) but we have greater focus and control doing it beforehand.

To create a new application pool in IIS Manager:

1. In the Connections pane, expand the server node and click on “Application Pools”.
2. In the Actions pane, click “Add Application Pool”.
3. Enter a name for the application pool and configure the settings as needed.
4. Click “OK” to create the application pool.
5. When adding your website, select this new application pool under the “Application Pool” drop-down menu.

Add Website to IIS

• In the IIS Manager, expand the node for your computer in the left-hand Connections pane.
• Right-click on “Sites” and select “Add Website”.
• In the “Add Website” dialog, enter a friendly name for your site in the “Site name” box.
• Set the “Physical path” to the folder you created, e.g., C://Sites/Example.
• Configure the “Binding” settings (IP address, port, and hostname) as needed.
• Click “OK” to create the site.

Permissions

Now let’s get to the meat of this article - the permissions.

1. Folder Permissions:

   • Right-click on the folder containing your website’s files and select “Properties.”
   • Navigate to the “Security” tab.
   • Ensure the following users have the appropriate permissions:
     • SYSTEM: Full Control (This is essential for system processes.)
     • <PC Name>\Administrators: Full Control (Administrators need full access for management.)
     • IIS_IUSRS: Read & Execute (This group requires permission to access website files.)
     • (Optional) Your User Account: Read & Execute (If you manage the website directly, this grants you access.)

Replace <PC Name> with the actual name of your computer.

2. Configuring IIS Authentication:
   • Open the IIS Manager on your server.
   • Locate your website and navigate to the “Authentication” section.
   • You have two options:
     • Specific User:
       • Select “Specific user” under “Anonymous authentication.”
       • Enter the username listed in the “Specific user” field (often IUSR).
       • Ensure the website folder has Read & Execute permissions for this user in the file system (refer to step 1).
     • Identity of the application pool:
       • Select “Identity of the application pool” under “Anonymous authentication.”
       • This leverages the identity assigned to your application pool, which should have the necessary permissions.

ref: https://stackoverflow.com/questions/19162553/iis-401-3-unauthorized