Well that was two hours I won’t get back, but I’ll make a note here in case it helps anyone else. I had simply overlooked one of those many tiny things…
We use MapServer as a lightweight GIS engine in many of our products, giving us WMS/WFS API endpoints for a wide range of purposes. When upgrading the Colchester Heritage Explorer website, an ASP.NET Core MVC site made with cloudscribe and HBSMR WEB/API components, I dived in to configure and test the MapServer instance. I followed our usual processes: enabled the CGI extension to execute, set folder permissions to allow MapServer to write out log files, configured our secure MapServer Proxy component, etc.
But it wasn’t working.
One of our first tests of a MapServer instance is to browse to the location of the main MapServer executable, in this case the address was:
https://colchesterheritage.co.uk/wwwroot/MapServer/Scripts/mapserv.exe
but instead of a nice diagnostic response, I got “401 – Unauthorized: Access is denied due to invalid credentials”.
This was very puzzling, as I already had this working perfectly in a parallel test site, on the same server with identical configuration in every respect – or so I thought. Both sites were using an application pool with Identity set to ApplicationPoolIdentity, folder permissions were all good for this identity, there were no IP restrictions, and no reason I could see for it not to work.
Except that I’d forgotten about the Anonymous Authentication Credentials… In IIS, select the site > Authentication > select Anonymous Authentication and click “Edit…”. There I found the default setting, the specific user IUSR.
And of course I had not set up permissions for this user to access the location of the MapServer files. So there are two solutions:
a) less preferred: add the IUSR account at the root of the site with default permissions (if I were using this solution I would also tick “Deny” for the “Write” setting, off the bottom of that image);
or b) preferred: change the Anonymous Authentication Credentials for the site to the Application pool identity.
After making this change, on browsing to our MapServer executable I saw the expected response “No query information to decode. QUERY_STRING is set, but empty.” which means the CGI application is working.
Phew – problem solved!
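The preferred fix (b) can also be audited and applied from PowerShell instead of the IIS Manager dialog. This is an added example, not part of the original post: it assumes the WebAdministration module on the IIS server, and `MySite` is a placeholder for the site name shown in IIS Manager.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

$siteName = 'MySite'   # placeholder: replace with the IIS site name
$filter   = 'system.webServer/security/authentication/anonymousAuthentication'
$apphost  = 'MACHINE/WEBROOT/APPHOST'   # the section is stored in applicationHost.config

function Get-AnonymousUser {
    param([string]$Site)
    $attr = Get-WebConfigurationProperty -PSPath $apphost -Location $Site `
                -Filter $filter -Name userName
    # Depending on the module version this is a string or an attribute object.
    if ($attr -is [string]) { $attr } else { $attr.Value }
}

# 1. Audit: which account does each site use for anonymous requests?
#    An empty userName means "Application pool identity".
Get-Website | ForEach-Object {
    $user = Get-AnonymousUser -Site $_.Name
    if ([string]::IsNullOrEmpty($user)) { $user = '(application pool identity)' }
    [pscustomobject]@{
        Site          = $_.Name
        AppPool       = $_.applicationPool
        AnonymousUser = $user
    }
} | Format-Table -AutoSize

# 2. Fix: clear userName so anonymous requests run as the application pool
#    identity rather than IUSR.
Set-WebConfigurationProperty -PSPath $apphost -Location $siteName `
    -Filter $filter -Name userName -Value ''

# 3. Verify, and print the account that needs NTFS access to the MapServer
#    folder (read and execute for mapserv.exe, write only for the log folder).
$pool = (Get-Website -Name $siteName).applicationPool
if ([string]::IsNullOrEmpty((Get-AnonymousUser -Site $siteName))) {
    "Anonymous requests to '$siteName' now run as IIS AppPool\$pool"
} else {
    Write-Warning "Anonymous authentication for '$siteName' still uses a specific user."
}
```

Running the audit step across all sites on a server is a quick way to spot the kind of mismatch described above, where two sites look identical but one still uses IUSR.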
My next step in hardening this site is to block this direct access, and route all requests through a secured proxy, so the above URL to the exe won’t work by the time you read this if we’ve done our security right.
To see the working result, check out the maps within the Colchester Heritage Explorer, for example this map of the historic buildings and sites that are included on the Colchester “Local List”.
And here’s a rather nice map of WW2 pillboxes and related defensive sites around Colchester, generated by a MapServer WFS request in response to a free text search on “pillboxes”.
I hope this helps someone, and please feel free to add comments below.