Resolving UNC Virtual Directory Access Denied Error (IIS 500.19 with Web.Config Monitoring Issue)



When setting up a virtual directory pointing to a UNC share that doubles as an FTP location, you'd expect simple file access. However, IIS triggers ASP.NET file monitoring even for static files. The error manifests as:

Failed to start monitoring changes on \\INTRANET\FTP\test\web.config because access was denied

The WindowsAuthentication module throws a 500 error during the AUTHENTICATE_REQUEST phase. Key observations:

  • Works locally but fails on test server
  • ClearText vs Network logon type produces different errors
  • Configuration Editor shows access denied

IIS attempts to read the parent folder's web.config for inheritance rules. This explains why static file requests trigger config access:

Config File: \\?\UNC\INTRANET\FTP\test\web.config
Physical Path: \\INTRANET\FTP\test\images\file.jpg

The service account needs these specific permissions:

Location         Permission       Notes
UNC Share Root   Read & Execute   For traversing folders
Physical Path    Modify           For file change notifications
web.config       Read             For configuration inheritance

Apply permissions programmatically:

# Grant the web service account IIS_IUSRS-equivalent rights on the UNC folder.
# FileSystemAccessRule arguments: identity, FileSystemRights,
# InheritanceFlags (apply to subfolders and files), PropagationFlags, AccessControlType
$acl = Get-Acl "\\INTRANET\FTP\test"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "DOMAIN\WebSvcAccount",
    "ReadAndExecute",
    "ContainerInherit,ObjectInherit",
    "None",
    "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path "\\INTRANET\FTP\test" -AclObject $acl

Add these directives to disable unnecessary monitoring:

<location path="Default Web Site/YourVDir">
    <system.webServer>
        <asp enableParentPaths="false" />
        <caching enabled="true" enableKernelCache="true" />
    </system.webServer>
    <system.web>
        <trust level="Full" />
        <identity impersonate="false" />
    </system.web>
</location>

When direct UNC access proves problematic, a URL Rewrite rule can proxy the requests to an internal server instead:

<rule name="UNC Proxy" stopProcessing="true">
    <match url="^uploads/(.*)" />
    <action type="Rewrite" url="http://internal-server/{R:1}" />
    <serverVariables>
        <set name="HTTP_X_ORIGINAL_ACCOUNT" value="DOMAIN\WebSvcAccount" />
    </serverVariables>
</rule>

When configuring a virtual directory in IIS that points to a UNC share (\\INTRANET\FTP\test), we're encountering a 500.19 error despite using domain admin credentials. The specific error indicates ASP.NET is attempting to monitor a web.config file in the UNC path, even when requesting static files like JPGs.

Even for static content, IIS hands off requests to the ASP.NET pipeline when:

  1. The virtual directory is under an application with managed code
  2. The web.config exists in parent directories
  3. The application pool runs in Integrated mode

Client → IIS → Application Pool Identity → UNC Share
     ↳ Impersonation via configured credentials
     ↳ File System ACL check
     ↳ Configuration file access check

For the UNC path credentials in IIS:

<virtualDirectory path="/uploads" physicalPath="\\INTRANET\FTP\test"
    userName="DOMAIN\admin" password="[encrypted]" logonMethod="ClearText" />

Resource         Required Access
UNC Share Root   Read+Execute
Physical Files   Read
Parent Folders   List Contents
IIS Config       Full Control (for apphost.config)

1. Disable configuration inheritance in the affected directory:

<location path="uploads" allowOverride="false">
    <system.web>
        <trust level="Full"/>
    </system.web>
</location>

2. Modify the applicationHost.config to prevent scanning:

<application path="/">
    <virtualDirectory path="/uploads" 
        allowSubDirConfig="false" />
</application>

For high-security environments, consider these architectural changes:

  1. Implement a file handler that proxies requests to the UNC path
  2. Set up a scheduled sync job instead of direct UNC access
  3. Use WebDAV with proper authentication binding

PowerShell script to verify permissions:

$path = "\\INTRANET\FTP\test"
$user = "DOMAIN\admin"

# Check NTFS permissions: list the ACEs that name this account explicitly
Get-Acl $path | Select-Object -ExpandProperty Access |
    Where-Object IdentityReference -eq $user

# Test actual file access as the current user, then release the handle
try {
    $stream = [System.IO.File]::OpenRead("$path\web.config")
    $stream.Dispose()
    "web.config is readable"
} catch {
    "web.config access failed: $($_.Exception.Message)"
}
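As an added diagnostic that is not part of the original page, the function below extends the verify script above: it walks every folder from the UNC share root down to the physical path, checks the explicit ACEs for one account against the Read & Execute traversal right from the permission table, and probes each level's web.config the way the ASP.NET change monitor does. The share, path and account names are assumed placeholders.

```powershell
# Added example (not the page's own script): audit one account's NTFS rights at
# every folder between the UNC share root and the physical path, then probe the
# web.config at each level the way the ASP.NET change monitor would.
# Assumed values: the share, path and account below are placeholders.
function Test-UncVDirAccess {
    param(
        [string]$ShareRoot    = "\\INTRANET\FTP",
        [string]$PhysicalPath = "\\INTRANET\FTP\test\images",
        [string]$Account      = "DOMAIN\WebSvcAccount"
    )
    $needed = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    # Build the folder chain share root -> ... -> physical path (root first)
    $chain = @(); $cur = $PhysicalPath
    while ($cur) {
        $chain = @($cur) + $chain
        if ($cur -ieq $ShareRoot) { break }
        $parent = Split-Path -Path $cur -Parent
        if (-not $parent -or $parent -ieq $cur) { break }
        $cur = $parent
    }
    foreach ($folder in $chain) {
        # Combine the explicit ACEs naming this account; rights granted via
        # group membership are not resolved here, Deny entries win
        $aces = @((Get-Acl -LiteralPath $folder).Access |
                  Where-Object { $_.IdentityReference.Value -ieq $Account })
        $allow = 0; $deny = 0
        foreach ($a in $aces) {
            if ($a.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$a.FileSystemRights }
            else                                  { $deny  = $deny  -bor [int]$a.FileSystemRights }
        }
        $traverseOk = (($allow -band $needed) -eq $needed) -and (($deny -band $needed) -eq 0)
        # Probe web.config as the CURRENT user and release the handle; run this
        # script under the service account to test that identity, not yours
        $cfg = Join-Path -Path $folder -ChildPath 'web.config'
        $cfgState = 'absent'
        if (Test-Path -LiteralPath $cfg) {
            try   { $fs = [System.IO.File]::OpenRead($cfg); $fs.Dispose(); $cfgState = 'readable' }
            catch { $cfgState = "DENIED ($($_.Exception.GetType().Name))" }
        }
        [pscustomobject]@{
            Folder      = $folder
            ExplicitACE = ($aces.Count -gt 0)
            TraverseOK  = $traverseOk
            WebConfig   = $cfgState
        }
    }
}
Test-UncVDirAccess | Format-Table -AutoSize
```

A row showing TraverseOK false or WebConfig DENIED on a parent folder points at the inheritance lookup described earlier, not at the static file itself.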