403 Forbidden / Contact the server administrator. (12202) / SharePoint

    Question

  • Hello,

     

    I have Forefront TMG 2010 and I’m trying to publish a SharePoint site that has anonymous access enabled. This server has a single NIC and is dedicated only to Web publishing.

     

    The external URL of the site collection I’m trying to publish is http://app1.company.com/applications/app1;  Internal: http://app1.company.com:8002/applications/app1

     

    Other published URLs that require authentication work just fine on this server.

     

    I get the following error for this publishing:

     

    Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

     

    For testing purposes I stopped the Firewall service and I was able to get to the site anonymously from the TMG server itself. So the problem is definitely in the config.

     

    Rule parameters:

     

    Action: ALLOW

    From: Anywhere

    To: Published site: app1.company.com; IP:  10.10.10.20;  Requests appear to come from the Forefront TMG computer (Tried “Forward the original host header… / no impact)

    Traffic: HTTP

    Listener: Enable HTTP connection on port 80; Authentication: No Authentication; Advanced -> Allow Client to authenticate over HTTP (tried enabling and disabling /no impact)

    Public name: app1.company.com

    Path: /applications/app1/*

    Authentication Delegation: No Delegation but Client may Authenticate directly

    Bindings: Web Server -> Redirect requests to HTTP port: 8002

    USERS: ALL

    Schedule: ALWAYS

    Link Translation: Unchecked.

     

    Any ideas how to resolve this?

     

    Friday, May 21, 2010 4:56 PM

Answers

All replies

  • Check the live log and see whether any other rule is blocking
    Bala Natarajan [MSFT]| Sr. Support Escalation Engineer | CSS Security
    Sunday, May 23, 2010 4:18 AM
    Answerer
  • Have you defined alternate access mappings in SharePoint?

    Are you sure no other paths are needed than '/applications/app1/*' ?


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, May 24, 2010 8:36 AM
  • I don't see anything in Monitoring/Sessions that is being blocked. The most interesting part is that I see an incoming session (WebProxy) for this particular site with the external IP address and an anonymous client username.... however on the client side... it is "403 Forbidden......."

    Monday, May 24, 2010 2:10 PM
  • Yes, AAMs are defined and working OK. I'm 100% sure no other paths are needed since this is a brand new and blank site collection that I'm publishing.

    Monday, May 24, 2010 2:12 PM
  • There could be a few things going on here.

    Did you notice whether the requests are being denied by the rule you set up for publishing or by the Default rule? If they are being denied by default rule you may have a resource conflict. Check to make sure IIS is not running on the TMG Server itself. If it is, stop it, set it to disabled, then restart Firewall Service.

    When you try to get to the site via a browser, are you putting the correct path in or are you trying to go to root, which it doesn't look like you are allowing?

    On the listener properties, authentication, advanced, do you have "Allow client authentication over HTTP" checked?

    Monday, May 24, 2010 5:17 PM
    Answerer
  • >>>Did you notice whether the requests are being denied by the rule you set up for publishing or by the Default rule?

    The strange thing is that when I look at Monitoring\Sessions I see that the session is established (client's IP, anonymous) but on the client side the browser says: Error Code: 403 Forbidden; I don't see anything being denied on TMG.

    >>>Check to make sure IIS is not running on the TMG Server itself

    IIS is not running for sure... I have removed it after I have deployed TMG originally and was getting resource conflicts for the other rules.

     

    >>>When you try to get to the site via a browser, are you putting the correct path

    I go to the correct path (not a root)

    >>>On the listener properties, authentication, advanced, do you have "Allow client authentication over HTTP" checked?

    It is checked. I have played with this option, enabling and disabling it, but no impact whatsoever.

    Monday, May 24, 2010 5:48 PM
  • Are the 403 errors coming from the Sharepoint IIS Server? Check the IIS logs on that machine and see if the request is getting there and if a number 401 is out beside it. You may also want to bridge (temporarily) from TMG to IIS on port 80 and take a trace of the traffic. Put a network capture utility on the IIS Server and you should be able to see exactly what is going on since it will be unencrypted.
    Monday, May 24, 2010 6:04 PM
    Answerer
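    The check suggested above (look in the IIS logs on the SharePoint box for the request and the status code beside it) is easy to automate. The following script is an added example, not code from the thread or from Microsoft: it parses IIS W3C extended log lines using the `#Fields:` header, keeps only requests under the published path, and reports the `sc-status`/`sc-substatus` pairs and whether the hit was anonymous (`cs-username` is `-`). The log lines are constructed; 10.10.10.20 and port 8002 come from the thread, while the client address 10.10.10.5 standing in for the TMG box is an assumption. If the path shows up with 401 or 403 rows, IIS itself is refusing the anonymous request; if it never shows up at all, the request is not reaching IIS and the problem is on the TMG side.

```python
"""Scan IIS W3C extended log lines for requests to a published SharePoint path.

Added example (not from the thread). The sample log is constructed; the
10.10.10.5 client address standing in for the TMG server is an assumption.
"""
from collections import Counter

# Constructed sample log modelled on the IIS W3C extended format. All hits
# arrive from the TMG box because the rule uses "Requests appear to come
# from the Forefront TMG computer"; in a real log you would see only the
# TMG address in c-ip for that reason.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-05-24 17:30:01 10.10.10.20 GET /applications/app1/default.aspx - 8002 - 10.10.10.5 Mozilla/4.0 401 2 5 15
2010-05-24 17:30:01 10.10.10.20 GET /applications/app1/default.aspx - 8002 - 10.10.10.5 Mozilla/4.0 403 0 0 10
2010-05-24 17:30:05 10.10.10.20 GET /sites/intranet/default.aspx - 8002 COMPANY\\jdoe 10.10.10.5 Mozilla/4.0 200 0 0 42
2010-05-24 17:30:09 10.10.10.20 GET /applications/app1/_layouts/images/logo.gif - 8002 - 10.10.10.5 Mozilla/4.0 200 0 0 3
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            # IIS may emit a new #Fields header mid-file when logging settings change.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) and blank lines
        if fields is None:
            raise ValueError("request line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def summarize_path(text, path_prefix):
    """Count (sc-status, sc-substatus) pairs and anonymous hits for one published path."""
    counts = Counter()
    total = anonymous = 0
    for rec in parse_iis_log(text):
        if not rec["cs-uri-stem"].startswith(path_prefix):
            continue
        total += 1
        if rec["cs-username"] == "-":  # IIS logs '-' when no user was authenticated
            anonymous += 1
        counts[(rec["sc-status"], rec["sc-substatus"])] += 1
    return {"total": total, "anonymous": anonymous, "status": dict(counts)}


def auth_failures(text, path_prefix):
    """Return the records under the path that IIS answered with 401 or 403."""
    return [rec for rec in parse_iis_log(text)
            if rec["cs-uri-stem"].startswith(path_prefix)
            and rec["sc-status"] in ("401", "403")]


if __name__ == "__main__":
    prefix = "/applications/app1/"
    print(summarize_path(SAMPLE_LOG, prefix))
    for rec in auth_failures(SAMPLE_LOG, prefix):
        print(rec["time"], rec["cs-uri-stem"], rec["sc-status"] + "." + rec["sc-substatus"],
              "user=" + rec["cs-username"], "from=" + rec["c-ip"])
```

Point it at a real log by reading the file into `text` in place of `SAMPLE_LOG`; the path prefix is the same `/applications/app1/` as in the publishing rule. Because the parser is driven by the `#Fields:` line, it tolerates the column order and the optional fields varying between servers.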
  • If I stop TMG firewall service on the TMG box I can get to the site just fine from the server... so to me it is likely something within the Rule or the TMG server itself.
    Monday, May 24, 2010 6:12 PM
  • But you are saying that TMG is not denying traffic. I am just suggesting an alternative way of troubleshooting the problem. The data doesn't lie and it is always better to analyze it than to make assumptions.
    Monday, May 24, 2010 6:20 PM
    Answerer
  • Keith,

    I totally agree and I will definitely try what you were suggesting. In my previous reply I just wanted to point out that once the TMG FW service is off I can get to the site.

    Thanks!

    Monday, May 24, 2010 6:27 PM