IIS 500.19 Error on Lucee Server

I have a Lucee server… it’s a Windows 2021 server on Azure, running 5.4.7.

It was doing fine for the last few months until two days ago. Now going to any URL on it brings a 500 error (500.19 to be specific… permissions issue related to reading web.config).

The staff managing the server insist that no changes have been made to the server recently, so this is out of the blue.

Authentication is already set to pass-through. The perms on the wwwroot folder are SYSTEM ACCOUNT, Administrators and myself. The Lucee app has “Local Account” configured as its Log On account under Services, which is the default as far as I know.

I have of course rebooted the server, no luck.

Another Googling suggested that adding the IUSR_IUSRS group and IUSR account would fix it. What it DID do is make all the URLs point to the Welcome to Lucee 5 page deep inside the Lucee installation folder, thus bypassing IIS entirely.

I removed that group and account; it went back to 500.19.

I then uninstalled and reinstalled Lucee, no change.

Next, I created a new local user, I called it “webuser.” I set that in IIS to be the account to use. Next, it complained about being unable to write to some obscure .NET temporary file. So I added it to the Administrators group. Now it’s giving me a 403.1 error, access is denied due to ACL.

At this point I’m stumped as to what to do next. What’s better is the Microsoft-provided personnel for this instance have even less of a clue; instead they’re more concerned that the dns is mapped correctly to the server (wtf?).

This is not a production server, btw… it’s a proof-of-concept/development box.

Help please? 🙂
Rob

Hi Rob,

I don’t know Windows Server 2021, but very likely WIN Server 2021 will behave the same as 2019…

How did you install Lucee? Did you use Lucee installer?

Usually 500.19 errors are more likely to be because of malformed web.config or applicationhost.config files (e.g. duplicate entries, invalid syntax, etc). Did you make any manual changes to one of those files lately?

Usually you get a very specific detailed error message of 500.19 on IIS if you access the page locally from your remote machine. There should be more details in there. Which was the one you had exactly? See https://docs.microsoft.com/en-us/troubleshoot/iis/http-error-500-19-webpage Would be interesting to know the exact error message.

In a default Lucee installation, Lucee runs with “Local Service” account and not “Local Account” (and it should/must never run with “Local System” for security reasons). Under normal circumstances, you just need to add the user “Local Service” with write permissions to an IIS default webroot, so that Lucee/Tomcat is able to create the WEB-INF directory in that wwwroot. That’s all. All the permission changes you did usually aren’t necessary.

Is it possible somehow to revert all your changes about the users permissions to the point as it were after Lucee Installation?

Hi Andreas…

I installed it using the Installer. Also I was totally wrong on the Windows version; it’s Server 2016. D’oh.

The error code is 0x80070005, the exact error is “cannot read configuration file due to insufficient permissions.”

The web.config file is extremely simple. All it does is add index.cfm as a default document. The date stamp says it hasn’t been touched since February and was working fine until three days ago.

Since the problem is reading the config file, this is what I’d do then:

Step 1: Back up your wwwroot, especially the web.config file.

Step 2: Simply delete the web.config file. That way IIS will fall back to the default global settings of your applicationHost.config.

Step 3: check if the 500.19 persists, I assume the error will go away, then you can proceed with Step 4.

Step 4: In IIS Manager select the site and recreate the settings of your web.config manually through the IIS Manager. This way IIS will recreate a new web.config for you and also set the correct permissions to that file. You may need to use “Configuration Editor” to change specific settings, but usually that’s only necessary for few specific settings.

I’ve actually already tried that; sorry I forgot to include that in the original post.

  • If I delete the web.config, it throws an error that it can’t find a web.config.

  • If I delete the site in IIS and recreate, the problem returns.

Ok… let’s try to go step by step… When you recreate the new site in IIS, are you using the same webroot directory as before? What happens if you create a new site with a new webroot directory with only one single index.html file, e.g. named wwwroot_new (with an index.html and no .cfm file in it)? Does the problem persist?

Give read and write access to these accounts to the root folder of your Web application and all files and sub folders:

  • NETWORK
  • NETWORK SERVICE
  • IIS_IUSRS

I had tried a variation on this before… I added IUSR and IIS_IUSRS. The result was 401.3 – access denied due to ACL. I removed them and it went back to 500.19.

So this time I tried what you suggested… same result.

BTW, I find it odd that I can get to the Lucee Administrator despite all this… even with it throwing 500.19 errors, the Lucee admin still comes up fine as 127.0.0.1:8888/lucee/admin/server.cfm

This is not really odd; that is because you are accessing Tomcat directly (through port 8888), thus you are bypassing IIS completely. Your issue is not a Lucee/Tomcat issue. It is a permission issue of your IIS.

Under which user (Log On) is your “World Wide Web Publishing Service” (named W3SVC) running?

Did you also try what I’ve suggested in my last post? In your answer it only sounds like you’ve tried Terry’s solution.

This is a screenshot of how the default permissions on an IIS look on a Windows 2019 Server. That should be similar on Win Server 2016.

“Benutzer” means “Users”
“ERSTELLER-BESITZER” means “CREATOR-OWNER”

That is just to run an index.html. When running cfml on such a webroot, the only thing you still need to do is add permission for the user running Tomcat (that is “Local service”) with read/write permissions to that directory.

If you create another empty wwwroot folder somewhere on your OS and simply add that webroot to a plain new site in IIS Manager, then IIS Manager should create those default permissions for you. That is what I’ve tried to tell you in my post I’ve linked to you.

you have enabled inheritance upon the root folder.

Thanks, everybody! I got it fixed this morning.

Andreas had suggested creating another site in IIS… something I had done before without luck, but I tried it again… and of course, it failed. BUT, then I had an idea. I dragged that new site’s folder out of my ‘wwwroot’ directory into C:\ and changed the settings in IIS. It worked! Interesting.

So, I made a new folder called ‘sites’ and moved all of the apps in there… updating the path in IIS. Bingo! They started working again.

For some reason, the permissions on wwwroot got hosed (before I ever started changing them), and moving the apps into a new folder fixed it.

Go figure. Good ole Microsoft… sigh.

Thanks again!

Rob

1 Like
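
The permission questions raised in this thread (who can read the webroot and web.config, and whether inheritance is enabled) can be checked directly. The script below is an added example, not something posted by the thread's participants: it only reads ACLs and reports, for each identity named in the thread, whether an allow or deny entry for read access applies to the folder and to web.config. The default `$SiteRoot` path and the function name `Get-ReadAccessReport` are assumptions; the script lists ACL entries as written and does not compute effective access through group membership.

```powershell
# Added example: list read access on a webroot and its web.config for the
# identities discussed in the thread. Run in an elevated PowerShell session.
param(
    # Assumed default; use the physical path shown for the site in IIS Manager.
    [string]$SiteRoot = 'C:\inetpub\wwwroot'
)

# Well-known SIDs, so the check also works on localized Windows
# (e.g. "Benutzer" instead of "Users").
$identities = [ordered]@{
    'IIS_IUSRS'     = 'S-1-5-32-568'
    'IUSR'          = 'S-1-5-17'
    'Users'         = 'S-1-5-32-545'
    'LOCAL SERVICE' = 'S-1-5-19'   # account Lucee/Tomcat runs as by default
}
$read    = [System.Security.AccessControl.FileSystemRights]::Read
$sidType = [System.Security.Principal.SecurityIdentifier]

function Get-ReadAccessReport {
    param([Parameter(Mandatory)][string]$Path)
    $acl   = Get-Acl -LiteralPath $Path
    # Explicit and inherited entries, skipping inherit-only ones, which
    # apply to children but not to the object itself.
    $rules = @($acl.GetAccessRules($true, $true, $sidType) |
        Where-Object { -not ($_.PropagationFlags -band 2) })
    foreach ($name in $identities.Keys) {
        $mine  = @($rules | Where-Object { $_.IdentityReference.Value -eq $identities[$name] })
        $allow = @($mine | Where-Object { $_.AccessControlType -eq 'Allow' -and
                                          ($_.FileSystemRights -band $read) -eq $read })
        $deny  = @($mine | Where-Object { $_.AccessControlType -eq 'Deny' -and
                                          ($_.FileSystemRights -band $read) -ne 0 })
        [pscustomobject]@{
            Path               = $Path
            Identity           = $name
            AllowRead          = $allow.Count -gt 0
            DenyRead           = $deny.Count -gt 0
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
    }
}

# Check the folder and, if present, the web.config inside it.
$targets = @($SiteRoot, (Join-Path $SiteRoot 'web.config')) |
    Where-Object { Test-Path -LiteralPath $_ }
$targets | ForEach-Object { Get-ReadAccessReport -Path $_ } | Format-Table -AutoSize
```

Running it against both a failing folder and a freshly created, working one makes the difference in entries visible side by side.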