Web file manager Free Installation assistance Manual Home page

HTTP Commander common FAQ

Windows authentication version related questions

How can I update my existing installation with the latest version without losing config and settings?
Answer: Please refer to the Upgrade section of documentation.
I got a "Request for the permission of type 'System.Web.AspNetHostingPermission..." error
Answer: Problem related to Windows Server security. You need to unblock HTTPCommanderAJSx.x.x.zip (distribution archive) file because it came from another PC (Internet) and then extract it to HTCOMNET folder again. Restart the application after this (close w3we.exe process).
See Installation section how to unblock files.
I got a "Compilation Error ... Compiler Error Message: CS1501: No overload for method 'AsHash' takes 0 arguments" error.
Answer: You must add a section system.codedom in the Web.config file with the latest version of the compiler. See Update Manual.
After auto-upgrade, i got a "Compilation Error ... Compiler Error Message: CS0009: Metadata file '...' could not be opened -- Illegal tables in compressed metadata stream." error.
Answer: see note for auto-upgrade.
I got a "Could not find part of the path '...\bin\roslyn\csc.exe'" error.
Answer: You must copy the bin\roslyn folder from the distribution to the bin folder with the HTTP Commander application installed.
I can't install the application. Is there anybody why can help me?
Answer: You can run Diagnostics and look for known problems. If you can't run the application or configure folders, we offer free installation assistance for both trial and commercial licenses. You can get help via email, instant messenger or via remote access to your server. You only need a few minutes to get online help.
How can I restart the application?
Answer: To restart the application, click the "Restart" button in the Admin panel. Also to restart the application, you can make some changes in the Web.config file (e.g. add a spacer in any comment). The Application will restart automatically.
For full application restart (only if you have some system errors!):
Answer: You can add a logo to the toolbar or to the top panel (at the top of file manager window)

Click here to read more about setting your logo.
How to branding of e-mail for sending public links?
Answer: see Branding manual.
How does HTTP Commander control user's count?
Answer: HTTP Commander controls user session count and unique user's names. A new session is created for every visitor. Each user can have a few sessions if he doesn't clicked logout button. But after 1 hour, the session is closed automatically. To terminate existing sessions by yourself, you need to restart the application.
How can I use HTTP Commander with SSL?

Answer: HTTP Commander works both with http and https protocols. http protocol works out of box. To enable https protocol, you need to install an SSL certificate on IIS. The instructions below describe how to order a certificate from a globally recognized certificate authority (recommended option) and how to create a self-signed certificate.

A self-signed certificate will allow you to use the https protocol, but the web browser will warn that the certificate is not valid since it comes from an unknown authority. To get a certificate that passes verification, you need to either order a certificate at a globally recognized certificate authority, or establish a trusted authority inside your corporate network.

Order certificate at a globally recognized certificate authority

As an example we consider ordering a certificate at Thawte. You may choose any other authority you trust.

Install Self-Signed certificate

A self-signed certificate is untrusted by definition. The web browser will warn you about the problem when you try to open a web site with untrusted certificate.


WebDAV over https with invalid certificate works unreliably. While web browser will warn you about the problem and allow you to proceed, WebDAV may refuse to connect to the web folder with a misleading error message. You may circumvent the problem by installing self-signed certificate into the trusted authorities container on the client machine.

Install untrusted certificate into trusted authorities container

  1. Open Edge (or IE) with administrative rights
  2. Open target site using https

  3. Confirm that you want to proceed in spite of the security problem

  4. Click "Certificate Error" Security report on the address bar, then click the "View certificates" link in the pop-up window.

  5. Click the "Install Certificate" button in the certificate properties window.

  6. Click "Next" in the Certificate Import Wizard. On the next step, "Certificate Store", select "Place all certificates in the following store", in the "Certificate store" field select "Trusted Root Certification Authorities". Click "Next".

  7. Click Finish to close the Certificate Import Wizard

Can the first loading process be faster?
Answer: The HTTP Commander has AJAX and 100% Javascript interface so it works rather quickly like a local application. When a visitor logons the HTTP Commander for the first time, it takes some time to load *.js, *.css and *.svg (image/svg+xml mime type) files. Such files are stored in a browser cache for some months, so the next logons will be much quicker.

HTTP Commander have caching enabled by default for /Images, /Scripts folders and for styles.css. styles-min.css files. Max-Age used to control caching of these resources and it set to 365 days by default. Caching is not enabled for whole application to prevent caching of downloaded files.
If you want to disable caching, you need to find and remove following sections from web.config file :
Please note, that profiles of caching section is cleared to make IIS correctly send Cache-Control header in response. If this section is not cleared, IIS still adding no-cache attribute to Cache-Control header.

You can make even the first loading process faster if you enable gzip compression in the IIS settings. With gzip enabled, the loading is 4-5 times faster. You need to enable gzip for static and dynamic content (*.js, *.css and *.svg (image/svg+xml mime type) files). See article how to enable compression in IIS.
Download the trial HTTP Sniffer to test if the compression works successfully.
Can I make the application faster (increase performance)?
Answer: Yes. There are a few things that can help you make the application faster. You can do all or just some of them:
Loading of folders/files list is very slow (specially for a network folder) and takes several seconds.
It could be related to usage of NTFS alternate streams by HTTP Commander to store/read custom metadata on files and folders.
They used to store such information as Labels, Comments, File history, downloads counting and custom details fields.
By default HTTP Commander configured to display in file list some information stored in metadata for each file, e.q. existance of comments or other metadata and labels. If you do not plan to use mentioned functionalities feel free to disable them by configuring following parameters: Configuring these parameters is enough to disable load of metadata for each file during load of file list for folder, which may significantly speed up loading for network folders.
While you still will be able to see downloads count (if download counting is enabled), comments, description and other custom metadata fields in file properties window and in file details panel.
If I map a folder I get the error "The folder you entered does not appear to be valid..."?
Answer: First, try to map folder "https://demo.element-it.com/windows/hcwebdav" (without quotes). If it doesn't show the error and asks for credentials then it works (you can use demo/demo credentials). If mapping demo folder works but it doesn't map your application link, then the problem is with the application or WebDAV configuration. Check web folders mapping setup or contact us.
You cannot map folders in Server OS like Windows 2008, 2012, 2016 or 2019 by default. So, please test mapping from a non-server PC. For Servers 2008, 2012, 2016, 2019:
Click Start → Administration Tools → Server Manager → Features → Add Features → check WebDAV Redirector (or Desktop Experience for Windows 2008-2012) and click Next and Install buttons
I got an "Access to path '...' is denied" error.
Answer: The problem is related to the NTFS permissions. Check the NTFS permissions for HTCOMNET, data and your main content folders. See the NTFS Permissions section of the Documentation.
I got The page cannot be found error (error 404) when I open http://localhost/HTCOMNET/default.aspx or any other page.
Answer: If you are sure that the path http://localhost/HTCOMNET/default.aspx exists but you are still getting the error, it means that the IIS doesn't execute ASP.NET code. This problem occurs if your IIS was installed after the .NET Framework installation.
Reinstall the .NET Framework (v4.7.2 or above) or execute the following commands as administrator:
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -i
and (for 64-bit systems):
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -i
I see the page with ASP.NET tags at the top e.g. "<%@ Page Language="C#" %>".
Answer: ASP.NET has not started on the server and you have opened pages like clear HTML. See the "Application Install" section.
I got a "Required permissions cannot be acquired" error.
I got a " Request for the permission of type 'System.Security.Permissions... " error.
Answer: Both errors can be related to "Full trust" level. Check if "Full trust" is enabled for HTCOMNET application. See the Application Install section.
Also, check the permissions for IIS APPPOOL\DefaultAppPool" user on the HTCOMNET folder as well.
See the NTFS permissions section.
I got a "Internet Explorer cannot download Download.ashx from [domainname]" error while a file was being downloaded.
Answer: If you are using SSL, check Internet Explorer settings:
Tools → Internet Options → Advanced → Security → uncheck "Do not save encrypted pages to disk".
By default this option is unchecked. If the option is checked, the files cannot be saved from any SSL website.
I got a "Server Application Unavailable" error.
Answer: There are two reasons for such error:
  1. The problem can appear because ASP.NET 4.5 and ASP.NET 2.0 applications are being used by the same pool. Check all your applications in IIS and set one application pool for the applications running under .NET 4.5 and another pool for applications running under .NET 2.0.
  2. There are not enough NTFS permissions to HTCOMNET folder. See the NTFS permissions section of the Documentation.
  3. There can also be some other reasons. You can try to restart the application.
I got the Error "500.19" at web.config file ("modules" section).
Answer: This error can occur if you you have disabled some features of Web.config to delegate. In most cases it occurs with the "modules" feature. You should open IIS, click the server root in the left tree. At the right panel, open "Feature Delegation", then Select "Modules" and change its delegation type to "Read/Write". If you have the error with other features, then set the delegation type for the other features.
Does HTTP Commander support Web garden or Web farm?
Answer: No. HTTP Commander is running but does not work correctly if you have web garden or web farm enabled in IIS. Check if you have enabled web garden in the application pool settings and disable it or create a new pool for HTTP Commander. You should use only one worker process for the application.
Is HTTP Commander supports file solutions like DFS folders, UNC folders, ABE, NAS?
Answer: Yes, it supports DFS, UNC, ABE, NAS and most other file related Windows Server technologies. First you would set up the folder in the Admin panel. Then type the path to the DFS folder like \\domain\foldername or UNC like \\servername\share\folder. If you set up UNC remote folder at the remote server or your DFS folders stores folders at remote servers then check if Basic Authentication is enabled in IIS settings, not Windows Integrated (for Domain network it is possible to use Windows Integrated authentication: May I use network folders with Windows Integrated Authentication?)! See why Basic authentication should be used.
For Domain network it is possible to use Windows Integrated authentication: May I use network folders with Windows Integrated Authentication? For ABE see more info here.
How Can I configure documents management features like Google Docs, MS Office and OpenOffice online edit?
Answer: All info related to documents management features is described in the Application settings section.
Can I pass some settings in URL?
Answer: Yes, you can pass some settings in the URL:
How can I add Static Content Role service at IIS7?
Answer: To add Static Content role go to
Start → Administrative Tools → Server Manager → Roles.
Find in the right list the Web Server (IIS) role and click the Add Role Services link.
In the new window check Static Content, and then click Next and then Install buttons.
How do I protect configuration files (prevent them to be retrieved by users)?
Answer: HTTP Commander stores configuration data on the server in a number of files. For security reasons, it is recommended to prevent users from retrieving them, since they expose sensitive information about the application. Configuration files are: Web.config, HttpCommanderSettings.config, .xml, .db files in the Data folder. Web.config, HttpCommanderSettings.config files are protected by default. .xml and .db files in Data folder are protected via the following section in Web.config file (in case of trouble make sure these settings are present in the configuration file).
  <location path="Data">
        <clear />
        <add name="HttpForbiddenHandlerXml" path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" />
        <add name="HttpForbiddenHandlerDb" path="*.db" verb="*" type="System.Web.HttpForbiddenHandler" />
            <remove fileExtension=".xml" />
            <add fileExtension=".xml" allowed="false" />
            <remove fileExtension=".db" />
            <add fileExtension=".db" allowed="false" />
In IIS configuration is restricted to Web.config file.
To test the settings, try to download the configuration files with a browser (http://server/HttpCommander/Data/Accounts.xml). You should see:
See also, how to prevent files download from Data folder.
Can I use SSO?
HTTP Commander includes examples of Single Sign-On (SSO) both for Basic Authentication and authentication via Form (for Active Directory users).



In all cases except Forms authentication across applications, you should have valid credentials to authenticate in HTTP Commander. Thus SSO topic breaks up into two subtopics: obtaining credentials and authenticating in the Web file manager.

The Default.aspx page is incorrectly displayed.
If Default.aspx page is displayed incorrectly, as on a screenshot below
please check the following:
I got the "Error HTTP 403.18 - Forbidden" when open files from folders with dots in name.
This error means that in IIS installed URLScan ISAPI Filter and it is configured so that not allowed URLs in which path there are folders having in the name of a dots (parameter AllowDotInPath=0).
For the solution of this problem see how to configure URLScan Tool below:
Check URLScan ISAPI filter settings in IIS if it is installed.
I got the error The parameter is incorrect when open file list.
This error can arise when reading to the network folder if the site in IIS with HTTPCommander works at a 64-bit platform, and in settings of a pool indicated value True for the Enable 32-Bit Applications parameter.
Specify False value for the Enable 32-Bit Applications parameter in advanced settings of a pool and restart it
(Application PoolshtcomnetpoolAdvanced Settings).
See about Wow64FsRedirection in FindFirstFile article.
Why Microsoft Office still opens my document (View / Edit → Edit in MS Office) as read-only?
First of all check settings of work with WebDAV and read article Using MS Office and OpenOffice to work with documents.
Also check before opening of the document, having refreshed the file list, whether it is opened by other user (an icon The file is locked on the right or in the Labels column):
Also check NTFS persmissions for a read-write for a pool of applications and the user who opens the file.
And in addition check the file for block (the Unblock button in properties of the file) and if it is blocked, remove block (privileges of the administrator are necessary):
If the problem isn't fixed clear Microsoft Office WebDAV cache in registry on computer of user.
Microsoft Office reads WebDAV server options when connecting to server first time and stores them for later use.
The Microsoft Office WebDAV cache is stored under the key:
HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Common\Internet\Server Cache\
To clear cache just delete all keys under this key.
Also set OpenDocumentsReadWriteWhileBrowsing DWORD Value to 1 on a user machine under the key
Note! After change registry keys restart computer or WebClient service.
Error on download/upload with Dropbox or Box: Could not load file or assembly 'Newtonsoft.Json, Version=...'.
Solution: in Web.config file replace Newtonsoft.Json assembly version x.0.0.0 to (where x < 12).
See Update to version 5.
How to disable WebDav feature.
There are 2 ways to completely disable WebDav feature in HTTP Commander.
  1. With settings on settings tab in Admin Panel.
    You will need to set to false the values of following parameters:
  2. Edit Web.config file of HTTP Commander and remove from modules section (system.webserver → modules and at system.web → httpModules sections) following module:
    <add name="FileWebDavModule" type="HttpCommander.FileWebDAVServer.FileWebDavModule, FileWebDAVServer" precondition="integratedMode" />
Page reloaded when file list is scrolled up in Chrome browser on Android.
This issue is fixed in HTTP Commander 4.5 an later. Here are steps to fix this issue on version prior 4.5:
  1. Open Default.aspx page in text editor.
  2. Search for body tag
  3. Append to body tag following code:
    <% if(isMobileBrowser) { %> style="overflow-y: hidden;" <% } %>
  4. Result should look like this:
    <body id="pageBody" class="<%= pageBodyStyle %>" onload="<%= Utils.GetSetTimeOutScript() %>" <% if(isMobileBrowser) { %> style="overflow-y: hidden;" <% } %>>
IE browser does not rotate image loading.
To fix this, enable the "Play animations in webpages" option in the IE setting:
Internet options → Advanced → Multimedia → Play animations in webpages.
How can I hide files/folders that the user does not have rights to read?
Answer: This feature is controlled by Windows Server. You need to use ABE (Access Based Enumerations) for share. Windows Server (2008 R2 SP1, 2012, 2012 R2, 2016 and 2019) have ABE installed. But the ABE is disabled by default. To enable it (for each folder you need): Screenshot

In HTTP Commander you then create share. You should type your real share path like "\\servername\sharename". Don't use a full folder path like "c:\foldername" becouse ABE won't work in this case! After ABE is enabled, HTTP Commander will show only the files which user has rights to read and will not show other users files (if there are no read permissions).
How can I create a "dropbox" for users (student can upload their own files but can't view other students files)?
Answer: First, you need to create the folder on your server file system and configure users NTFS permissions. It is possible to configure the NTFS permissions for students to enable them to create or modify their own files and to disable reading other users files from this folder. You can also configure to enable teachers to view all files. So this folder will be as dropbox there students can upload their own works and teachers can view their works. For this folder it is recommended to enable ABE to hide files which the user does not have rights to read (other students files).
In HTTP Commander you can share this folder with students and teachers groups. You can disable some actions you don't want in right "permissions" window. HTTP Commander supports NTFS so users won't be able to modify or view other users files if it is disabled by NTFS. Also if ABE is enabled, then files which the user does not have rights to read will be hidden.
Every time I insert my login and password in the authentication window I get a "You are not authorized" error.
Why would I need to use Basic Authentication instead of Windows?
You can use Windows Integrated Authentication (our demo works under this auth). But if you want to use Windows authentication, you will have some limitations: As conclusion: We recommend to use Windows Integrated Authentication when Web Server is joined into Domain and delegation can be configured.
For standalone Web Server we recommend to use Basic auth if you plan to use Network Shares in HTTP Commander and Windows Intergated Authentication if all folders will be local to the web server.
If you worry about sending password as a clear text while Basic authentication, you can use SSL.
May I use network folders with Windows Integrated Authentication?
Yes, you can use Network folders with Windows Integrated Authentication when Web Server is member of Domain. But you will need to configure Delegation.
On the domain controller for your Web Server’s domain, complete the following steps: It may take some time for new settings to take effect.
I can't create access for a group or to a home folder.
Answer: You need to check if the application reads groups correctly. You can see group list in Diagnostics.aspx page.
If the group list is empty in the diagnostics page or some error happens:
Can I setup access only for single OU (Organisational Unit) of domain?
Answer: Yes, you can. Set UseUniversalWayToReadGroups parameter in the Application settings to "false" and for LDAPContainer parameter value of LDAP path of needed OU (like "LDAP://OU=staff,DC=HOMEELEMENT-IT,DC=COM" ("staff" OU of "homeelement-it.com" domain)). In such a case for the logon user, groups will be detected only from this OU (you can run Diagnostics.aspx to see groups list of logon user).
Can I use application in DMZ and what ports for firewall should I open?
Answer: Yes, you can. You can install the application at the server in DMZ. Open HTTP (80) and HTTPS (443) ports. If you want to use Active Directory groups membership and home folder info then open LDAP port 389 and set UseUniversalWayToReadGroups parameter in the Application settings to "false" and for the LDAPContainer parameter, the value of the LDAP path to your domain controller.
Loading of folders tree is very slow and needs a few seconds.
Answer: It can be because of reading user group membership info and AD home folder. This needs some time because code connects to AD. You can disable this feature by ReadWindowsUsersGroupMembership parameter or play with UseUniversalWayToReadGroups and LDAPContainer parameters at Application settings.
Can I use Forms Authentication (Form at the web page) instead of standard browser popup authentication window?

Answer: yes. You have a number of options.

Solution 1. testSSO.html page

HTTP Commander distribution includes testSSO.html file for this purpose. You need to configure anonymous authentication for this page in IIS Manager:


Note This solution only works in the Windows version of HTTP Commander. IIS authentication on the target web application (HTTP Commander) should be set to Basic or Windows.

Details - how testSSO.html works

testSSO.html page presents the user with an HTML form where they will enter their user name, password, and select the language of the HTTP Commander interface. After clicking on the Login button, JavaScript code sends an asynchronous HEAD request to Default.aspx page — the main page of the HTTP Commander application. JavaScript code authenticate in the Default.aspx page using the credentials supplied by the user. Note that Default.aspx page should be configured for Basic or Windows authentication, Forms authentication will not work here. If authentication succeeds, the web browser is redirected to the Default.aspx page. Since the browser already authenticated in that page (and hence to the application), the user is logged on to HTTP Commander. If authentication fails, the user sees an error message and is presented with the same login form on testSSO.html.

Simply put, testSSO.html page provides an HTML logon form for a web application requiring Windows authentication.

Solution 2. "Forms with Windows users" authentication mode

Note This solution only works in the Standard (Forms) version of HTTP Commander.

Solution 3. Proxy server in front of HTTP Commander.

You may configure a proxy server to handle authentication using web form (cookie-based authentication) while the web application is using windows authentication.

Some our customers using MS ISA Server successfully replaced Basic Authentication with Forms by ISA settings. Read more info at http://technet.microsoft.com/en-us/library/bb794733.aspx. See also our article Publishing HTTP Commander through Forefront Threat Management Gateway 2010.

How do I clear windows authentication on Log out?

Answer: Contemporary web browsers cache credentials a user supplied to authenticate to a web application. Unfortunately, they do not provide an interface to clear authentication data on demand (with the exception of Microsoft Internet Explorer). Web browsers clear authentication data when you close the browser, but they normally do not clear them when you simply close the tab. The practical result of this issue is that the Log out button in HTTP Commander does not in fact log the user out in any browser except Internet Explorer. After log out you may continue to use HTTP Commander under the same user you used to log in the last time. You'll not be asked to authenticate again. The only reliable method to log out is to terminate the browser process.

HTTP Commander implements a workaround to this problem. That is it makes the browser to forget user credentials. The user has to authenticate in the application after logout to continue using HTTP Commander. You need to go through a few configuration steps to activate the solution.

Step 1. Enable anonymous authentication for ForceLogout.aspx

Step 2. Specify basic authentication realm in IIS

You may use any non-blank string for the realm parameter, for example, name of the server machine. The point is you must specify the same value in both IIS manager and in HTTP Commander settings.

Step 3. Specify BasicAuthenticationRealm parameter in HTTP Commander

After changing my username in Active Directory/WinNT I can still login to HTTP Commander, but then I don't see any of the folders.
Answer: This problem can arise because of caching the mapping between the SID and the user name in a local cache on the computer.
For obtaining more detailed information and problem elimination, see LsaLookupSids .
When opening - request of authorization occurs 2 (or more time) and after login form for Forms version opens.
Answer: This problem is because Anonymous Authentication is enabled in IIS. It is necessary to disable it.
To check it, you can open IIS or launch Diagnostics Page (Authentication Mode section).
See also Manual configuration authentication mode.
How can i restrict access to application for some users/groups?
When Windows authentication version is used, it is possible to restrict access to the application with help of the Authorization rules. They are configured in the system.web/authorization section in the web.config file.
Here is an example of the rule to allow access to the application only for a "teachers" group:
        <allow roles="element-it\Teachers"/>
        <deny users="*"/>
For more information about authorization rules read article.
How can I display some text when user logs into HTTP Commander (at the time when popup login window appears) instead of white screen?
Answer: You can create separate html page which will be available without authentication and redirect to Default.aspx page immediately after load of this page.
This will result to render page with your custom text while users enter their credentials. For example you can explain which credentials should be entered, which users are allowed, what users will see after login, etc.
How to do that:
  1. Create new html page in root folder of HTTP Commander. For example, index.html.
  2. Edit contents of that page to display some useful information.
    Include following meta tag into head section of the page to automatically load default.aspx page:
    <meta http-equiv="refresh" content="1;url=default.aspx">
  3. Configure Anonymous access to newly created index.html file:
    • Open the IIS console: Control panelAdministrative toolsInternet Information Services (IIS) Manager
    • Expand Web Sites, Default Web Site, HTCOMNET.
    • Right-click the "HTCOMNET" virtual folder and select Switch to content view in the context menu. In the list of files in the middle panel, select the index.html file and click the Switch to features view option. Now you may change settings pertaining to the index.html file. Click the Authentication feature on the central pane.
      • Enable Anonymous Authentication and ASP.NET Impersonation. Disable other items.
  4. Use link to HTCOMNET/index.html file to display contents of index.html page during login process.
When I receive or edit files in OneDrive, Office 365, Dropbox, Box, I get the error "Access to the path '...' is denied."
First of all, check if Impersonation is enabled for the application and Handlers folder.
Then check the NTFS folder rights.
If everything is correct, then follow these steps: