You can load the page just fine, but after going through the pages quickly or by opening several tabs at once, you see a 403 error:
403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.
This is a bit misleading, since you might immediately think that you do not have permission to access the web page or the folder. But you know you're authenticated because you could see the page a few seconds ago, and the problem is intermittent. So why do you get 403 Forbidden: Access is denied?
What to Check
The first thing you want to check is the IIS log. Look for the specific error code (403) at the timestamp when you saw the 403 error. You might see something similar to the following:
2022-02-02 22:33:58 10.20.128.70 POST /ResultPage.asp - 80 - 192.168.1.25 Mozilla/4.0... https://www.itnota.com/CheckPage.asp 403 501 0 0
Open up the IIS log in a text editor and search for " 403" (without quotes). The leading space narrows down the search. You can also use a regular expression to be precise, but for this exercise I think it's overkill.
One key thing to pay attention to is the whole error code: look at the number right after the 403, which is 501. So to be exact, the error code is actually 403.501.
If you check the definition of this error here, you'll soon find out that it has nothing to do with permission in the traditional sense of how we understand it:
403.501 - Forbidden: Too many requests from the same client IP; Dynamic IP Restriction Concurrent request rate limit reached.
This is the real issue, and it's easier to fix once we've figured out that we need to look at the Dynamic IP Restriction.
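The same check as a script, for logs too large to search by eye: an added example, not from the original article, that reads the `#Fields:` header to locate the status columns and counts Dynamic IP Restriction denials per client IP. It also counts 403.502 (the request-rate limit), which goes beyond the case above; the sample log is constructed around the line quoted earlier.

```python
from collections import Counter

# Constructed sample in IIS W3C format, built around the 403.501 line quoted above.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-02-02 22:33:57 10.20.128.70 GET /CheckPage.asp - 80 - 192.168.1.25 Mozilla/4.0... - 200 0 0 15
2022-02-02 22:33:58 10.20.128.70 POST /ResultPage.asp - 80 - 192.168.1.25 Mozilla/4.0... https://www.itnota.com/CheckPage.asp 403 501 0 0
2022-02-02 22:33:58 10.20.128.70 POST /ResultPage.asp - 80 - 192.168.1.25 Mozilla/4.0... https://www.itnota.com/CheckPage.asp 403 501 0 0
2022-02-02 22:34:01 10.20.128.70 GET /Admin.asp - 80 - 192.168.1.40 Mozilla/4.0... - 403 14 5 0
2022-02-02 22:34:05 10.20.128.70 GET /CheckPage.asp - 80 - 192.168.1.30 Mozilla/4.0... - 403 502 0 0
"""

# 501 = concurrent request limit, 502 = request rate limit (Dynamic IP Restriction).
DYNAMIC_IP_SUBSTATUSES = ("501", "502")


def dynamic_ip_denials(log_text, substatuses=DYNAMIC_IP_SUBSTATUSES):
    """Return a Counter of (client IP, substatus) for 403.501 / 403.502 entries."""
    cols = None
    hits = Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Logged fields are configurable and the header can repeat mid-file,
            # so look columns up by name instead of by fixed position.
            cols = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or cols is None:
            continue
        row = dict(zip(cols, line.split()))
        if row.get("sc-status") == "403" and row.get("sc-substatus") in substatuses:
            hits[(row.get("c-ip", "?"), row["sc-substatus"])] += 1
    return hits


if __name__ == "__main__":
    for (ip, sub), count in dynamic_ip_denials(SAMPLE_LOG).most_common():
        print(f"{ip}  403.{sub}  x{count}")
```

If nearly every denial comes from one address, such as a load balancer in front of the site, that points to the allow entry in option 3 rather than to switching the restriction off.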
So now we have three options:
1. Disable Dynamic IP Restriction.
2. Increase the Maximum number of concurrent requests.
3. If your connection comes from the same IP address (i.e. F5), then you can create a whitelist based on its IP address.

Maybe four, as you can combine options 2 and 3 if needed.
Whether you choose option 1, 2, or 3, all the settings are in the same location in IIS.
Launch IIS Manager and, in the left pane, select the site that you want to modify.
In the middle window, double-click IP Address and Domain Restrictions.
If you want to do either option 1 or 2, click on Edit Dynamic Restriction Settings… on the right window pane.
Option 1: To disable the Dynamic IP Restriction, uncheck all the checkboxes and click OK.
Option 2: Modify the number in the Maximum number of concurrent requests: and still leave the Deny IP Address based on the number of concurrent requests checked. Then click OK.
Option 3: You can either leave the Dynamic Restriction Settings alone, or you may combine that setting with the whitelist as well.
In the IP Address and Domain Restrictions window, click on Add Allow Entry… on the right window pane.
Note: All your modifications are saved in the applicationHost.config file on the server, as indicated at the bottom of the IP Address and Domain Restrictions window.
In the Specific IP address: textbox, enter the IP address that you want to allow so that it is not limited by the Dynamic Restriction Settings. Or you can enter a range of IP addresses under the IP address range: textbox. Then click OK.
As mentioned earlier, all the settings we changed above are saved in the applicationHost.config file. The file can be found in the following directory:
All the steps above can be skipped if you edit the file using a text editor. I personally like to use the GUI to prevent typos, so just be aware of the risk of editing this file by hand.
<location path="##Your-website-name-in-IIS##">
  <system.webServer>
    <asp appAllowClientDebug="true" appAllowDebugging="true" />
    <security>
      <ipSecurity>
        <add ipAddress="192.168.1.25" allowed="true" />
      </ipSecurity>
      <dynamicIpSecurity>
        <denyByConcurrentRequests maxConcurrentRequests="1" />
        <denyByRequestRate maxRequests="20" />
      </dynamicIpSecurity>
    </security>
  </system.webServer>
</location>
Once you have saved all the settings, the change should take effect immediately.