HTTP Error 403.14 – Forbidden ^
The HTTP Error 403.14 – Forbidden is displayed when you try to access a website hosted on IIS having detailed errors enabled. As you can see in the screenshot, the error page says The Web server is configured to not list the contents of this directory and also indicates the most likely causes of this error.
If the detailed errors are not enabled, you will see a custom error page with a generic message: 403 –Forbidden: Access is denied.
Cause of error ^
As indicated by the detailed error page, there are three likely causes of this error:
- Directory browsing is not enabled—Directory browsing is the ability of a web server to list the contents of the website's root directory in a web browser. The following screenshot shows what a website looks like when directory browsing is enabled:
As you can see in the screenshot, directory browsing enables visitors to view files and browse through the directories. The chances are pretty slim that you want your website to look like this.
- Default document is not configured—The default document is a file that is served by the web server when the client does not specify a particular file in a uniform resource locator (URL). By default, web server software recognizes file names such as default.htm, default.html, default.aspx, index.html, index.htm, etc. The following screenshot shows a list of default documents supported by IIS:
To add a custom default document (e.g., awesomehome.html), click Add and then type the name of the default document. You could even change the order of documents by selecting one and then clicking the Move Up or Move Down options in the Actions pane on the right.
- The ASP.NET feature is not installed on the server—The default documents, such as aspx and index.html, only work with websites that use traditional frameworks. With modern frameworks and programming technologies such as MVC, the default pages are defined and handled right inside the application code by the developers. So, if your website is using MVC or a similar technology, you need to install the ASP.NET feature on the server. See how to install ASP.NET on the web server.
Resolving the error ^
We covered the possible causes of this error in the previous section. Now, depending on your scenario, you could try the following steps to fix this error:
Directory browsing is not enabled
If you know that your website should list the contents of the root directory so that visitors can browse the files and folders, you need to enable the Directory Browsing option, using either the IIS Manager or the web.config file.
Enable directory browsing using the IIS Manager
Open the IIS Manager, select your website, and then double-click the Directory Browsing option under IIS in Feature view.
Now click Enable in the Actions pane on the right.
Enable directory browsing using the web.config file
If you're using a shared hosting server, you could enable directory browsing using the web.config file itself:
Open the web.config file and paste the following code between the <system.webServer> and </system.webServer> tags:
<directoryBrowse enabled="true" />
Default document is not configured
If your website uses a traditional framework and you see a file with a name such as default.aspx, index.html, or index.php in the website's root directory, make sure the same filename is also available in the list of default documents. You could even ask the developer about the name of the default document for your website. For instance, I know that my website is supposed to use home.html as the default document. Therefore, I will add it either using the IIS Manager or the web.config file. See the following screenshots for reference:
ASP.NET is not installed on the server
If neither of the above solutions works, it is likely that your website is using MVC or a similar technology that requires the ASP.NET development feature on the server, and it is not currently installed. This error is common when you try to host an MVC website on a web server for the first time. To install ASP.NET, use the following PowerShell command:
Install-WindowsFeature Web-Asp-Net45 -IncludeAllSubFeature
This command installs ASP.NET 4.5 or higher on the web server, and your MVC website will start working.
If your website is supposed to use a legacy version of ASP.NET (e.g., 3.5 or below), use the following command instead:
Install-WindowsFeature Web-Asp-Net -IncludeAllSubFeature
Common 403 substatus codes ^
The following table covers some common HTTP 403 substatus codes, along with their possible causes and troubleshooting advice:
Subscribe to 4sysops newsletter!
|Status Code||Possible Cause||Troubleshooting Advice|
|403.1||Execute access is forbidden||This error indicates that the appropriate level of the execute permission is not granted. To resolve this error, make sure the application pool identity has the execute permission.|
|403.2||Read access is forbidden||This error indicates that the appropriate level of the read permission is not granted. To resolve this error, make sure the application pool identity has the read permission.|
|403.3||Write access is forbidden||This error indicates that the appropriate level of the write permission is not granted. To resolve this error, make sure the application pool identity has the write permission.|
|403.4||An SSL connection is required||This error indicates that the request was made over a nonsecure HTTP channel but the web application is configured to require an SSL connection.|
|403.13||The client certificate has been revoked||This error indicates that the client browser tried to use a certificate that was revoked by issuing certificate authority.|
|403.14||The directory listing is denied||We covered how to fix this error above.|
The key to troubleshooting any IIS-related error is to enable the detailed errors. When the detailed errors aren't helpful in revealing the actual HTTP status and substatus codes, you could use Failed Request Tracing to understand what's going on with the HTTP request. I hope you find this post helpful.