When trying to upload a file to a .NET web application, the transfer may time out or display a “Page not found” error with no helpful error message logged. This happens because ASP.NET and IIS both enforce default upload size limits that are relatively small. To fix this, you need to adjust settings at both the ASP.NET framework level and the IIS web server level.

Understanding the Two Layers of Upload Limits

There are two independent upload size restrictions that apply to .NET web applications hosted on IIS:

  1. ASP.NET limit (maxRequestLength in httpRuntime): Controls the maximum request size that ASP.NET will process. Default is 4096 KB (4 MB).
  2. IIS limit (maxAllowedContentLength in requestFiltering): Controls the maximum content length that IIS will accept before passing the request to ASP.NET. Default is approximately 30 MB on IIS 7 and later.

Both limits must be configured. If the IIS limit is smaller than the ASP.NET limit, IIS will reject the request before ASP.NET even sees it. If the ASP.NET limit is smaller, the request will pass IIS but fail in the application.

Configuring ASP.NET: maxRequestLength and executionTimeout

Open your application’s web.config file and add or modify the httpRuntime element within system.web:

<configuration>
  <system.web>
    <httpRuntime
      maxRequestLength="102400"
      executionTimeout="3600"
      requestLengthDiskThreshold="512" />
  </system.web>
</configuration>

Key Attributes

AttributeDescriptionDefaultUnit
maxRequestLengthMaximum allowed request size4096Kilobytes
executionTimeoutMaximum time a request can execute110Seconds
requestLengthDiskThresholdSize threshold before buffering to disk80Kilobytes

Common values for maxRequestLength:

  • 10240 = 10 MB
  • 51200 = 50 MB
  • 102400 = 100 MB
  • 1048576 = 1 GB

The executionTimeout should be increased proportionally for large uploads. A 100 MB file over a slow connection may need several minutes.

Configuring IIS 7+: maxAllowedContentLength

For IIS 7 and later, you also need to configure the request filtering module. Add the following to your web.config:

<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="104857600" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

Note that maxAllowedContentLength is specified in bytes, not kilobytes. Common values:

  • 10485760 = 10 MB
  • 52428800 = 50 MB
  • 104857600 = 100 MB
  • 1073741824 = 1 GB

Complete web.config Example

Here is a complete configuration allowing uploads up to 100 MB with a 1-hour execution timeout:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <httpRuntime
      maxRequestLength="102400"
      executionTimeout="3600" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="104857600" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

Applying Settings to a Specific Path

If you only want to increase the upload limit for a specific page or folder rather than the entire application, use a location element:

<configuration>
  <location path="Upload.aspx">
    <system.web>
      <httpRuntime maxRequestLength="102400" executionTimeout="3600" />
    </system.web>
    <system.webServer>
      <security>
        <requestFiltering>
          <requestLimits maxAllowedContentLength="104857600" />
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>

This approach keeps the default limits for the rest of your application, reducing the attack surface for denial-of-service through large uploads.

Configuring via IIS Manager

You can also set the IIS-level limit through the IIS Manager GUI:

  1. Open IIS Manager.
  2. Select the site or application.
  3. Double-click Request Filtering in the Features View.
  4. In the Actions pane on the right, click Edit Feature Settings.
  5. Set the Maximum allowed content length to the desired value in bytes.
  6. Click OK.

Timeout Considerations

Large file uploads are affected by multiple timeout settings:

  • executionTimeout: The ASP.NET request execution timeout described above.
  • connectionTimeout: The IIS connection timeout, configurable in the site bindings or application pool settings. Default is 120 seconds.
  • Load balancer or reverse proxy timeouts: If your application sits behind a load balancer or reverse proxy (such as nginx or Azure Application Gateway), those services have their own timeout settings that may terminate the connection before IIS does.

Solución de Problemas Upload Failures

SymptomLikely CauseSolución
404.13 errormaxAllowedContentLength exceededIncrease value in requestFiltering
Page hangs then shows errormaxRequestLength exceededIncrease value in httpRuntime
Connection resetTimeout reachedIncrease executionTimeout and connection timeouts
No error loggedIIS rejects before ASP.NET logsCheck IIS logs in W3SVC folder for substatus codes

Seguridad Considerations

Increasing upload limits opens the door for potential abuse. Mitigate risks by:

  • Setting the increased limit only on pages that need it using the location element.
  • Implementing file type validation on the server side.
  • Adding antivirus scanning for uploaded files.
  • Setting reasonable limits based on actual business requirements rather than arbitrarily large values.
  • Implementing client-side file size checks for a better user experience.

Resumen

To increase the upload size in a .NET application hosted on IIS, you must configure both the ASP.NET maxRequestLength (in kilobytes) in httpRuntime and the IIS maxAllowedContentLength (in bytes) in requestFiltering. Remember to also increase the executionTimeout to allow enough time for large files to transfer. Apply the increased limits only where needed and implement proper validation to maintain security.