ASP.NET Core runs as an out-of-process or in-process application hosted by IIS, Kestrel, or another web server. When startup fails, the error you see depends on which layer caught the failure: the ASP.NET Core Module (ANCM) on IIS produces 500.30, 500.31, or 500.34; Kestrel produces process exit codes; the framework itself produces unhandled exceptions during application configuration. Knowing which layer produced the error narrows the search dramatically. Most production startup failures come down to four root causes: missing runtime, configuration error, dependency resolution failure, or port conflict.
The HTTP 500.30 error specifically means the app started enough to be recognised by the host but threw an unhandled exception during the bootstrap phase before reaching the ASP.NET Core middleware pipeline. The error message itself rarely tells you anything useful. The actual cause sits in the stdout log, the Windows Event Viewer Application log, or the captured exception stack trace from launching the executable directly from a command prompt. Skipping these debugging steps and guessing at fixes wastes time. Reading the actual error first reduces typical resolution time from hours to minutes.
The article walks through the most common ASP.NET Core errors in production: 500.30, 500.31, 500.34, 500.0 generic, 502.5, 401 and 403 authentication errors, and 404 routing errors. For each, the most common root causes and the specific debugging steps to confirm the cause. The information assumes ASP.NET Core 6.0 or later (LTS through .NET 9), which covers the majority of currently supported deployments. Older versions have similar errors but slightly different diagnostic outputs.
One detail worth understanding upfront: ASP.NET Core errors during local development typically display detailed exception pages with stack traces, which makes debugging straightforward. Production errors deliberately hide that detail to avoid leaking implementation information to end users. The mistake new ASP.NET Core developers often make is assuming the production error page tells them anything useful โ it does not. The actual exception lives in logs that you have to enable, capture, and read separately. Closing this gap between local and production debugging speed is the single biggest productivity gain for ASP.NET Core teams.
Step 1: Run the app directly from command line: dotnet YourApp.dll. The exception will display in the terminal. Step 2: Check Windows Event Viewer โ Application log โ filter for source "IIS AspNetCore Module V2". Step 3: Enable stdout logging in web.config (set stdoutLogEnabled="true") and check the log files in your specified directory. Step 4: Run dotnet --info on the server to verify the runtime version matches what the app targets. Most 500.30 errors resolve at one of these four steps.
The 500.30 error means the application began initialising but threw an unhandled exception in Program.cs, Startup.cs, or during host building. The error appears as a generic browser page; the actual exception is logged elsewhere. The most common root causes: a connection string pointing to a database the app cannot reach, a missing configuration value the app reads at startup, a registered dependency that fails to construct, or a runtime version mismatch between what the app targets and what the server has installed.
Database connectivity issues during startup are the single most common cause of 500.30 in production. ASP.NET Core apps that call EnsureCreated(), run migrations, or seed data on startup will throw on database connection failures. The exception message in the log will typically include "A network-related or instance-specific error occurred" or "connection refused". Fix: confirm the connection string is correct, the database server is running, network access is open, and authentication credentials are valid. Test the connection from the application server using sqlcmd, psql, or another database client before assuming the app code is at fault.
Configuration value missing errors produce exceptions like "Section X not found" or "Required configuration value missing". This happens when appsettings.json contains different sections in development versus production, or when environment variables expected to override configuration are not set. Fix: dump the active configuration at startup using builder.Configuration.GetDebugView() in development, verify expected sections exist in the deployed configuration, and confirm environment variables are visible to the app process.
Dependency injection registration errors during host building also produce 500.30. If the app registers a service that fails to construct (constructor throws, missing dependency, circular reference), the failure surfaces during startup. Use builder.Host.UseDefaultServiceProvider(o => o.ValidateOnBuild = true) to catch these issues during development rather than in production. The ValidateOnBuild option attempts to construct every registered service during startup, surfacing problems immediately. Slightly slower startup but much faster debugging when something goes wrong.
Static asset bundling failures also produce 500.30 in newer .NET 8+ projects using static asset bundling. If the bundling configuration references files that do not exist or directories with permission issues, the host startup fails. Check the StaticWebAssets output in build logs to identify which asset is failing. The error message is sometimes opaque; tracing through the build configuration usually reveals the missing file or wrong path.
The deployed app targets .NET 8.0 but the server only has .NET 6.0 installed. Run dotnet --list-runtimes on the server to see what is available. Install the matching ASP.NET Core hosting bundle from Microsoft if missing. Check the project's TargetFramework in the .csproj file matches what the server provides.
App tries to apply migrations or seed data on startup but cannot reach the database. Connection string wrong, database server not running, network or firewall blocking access, or authentication credentials invalid. Test connection independently before assuming app code issue.
ASP.NET Core requires the hosting bundle (not just the runtime) to integrate with IIS. Without it, ANCM cannot start the app process. Download the hosting bundle from dotnet.microsoft.com matching your app's runtime version and install on the IIS server. Restart the application pool after installation.
App reads configuration values that exist in development appsettings.Development.json but not in production. Common offenders: connection strings, JWT signing keys, external API URLs. Verify production configuration includes everything the app requires before deploying. Use a configuration validator at startup to fail fast with a clear error.
Service registered with circular dependency, scope mismatch, or missing constructor parameter. Errors typically include "Unable to resolve service for type" or "Cannot consume scoped service from singleton". Review service registration order and lifetime scopes in Program.cs. Validate scopes by enabling ValidateScopes on the host builder.
Another process is already using the port the app tries to bind. Common when running locally with leftover dotnet.exe processes from previous runs. Check with netstat -ano | findstr :5000 and kill the conflicting process. In production, verify the configured port (UseUrls or ASPNETCORE_URLS environment variable) does not conflict with existing services.
Enabling stdout logging is the first concrete step for diagnosing 500.30. In web.config on IIS deployments, find the aspNetCore element and set stdoutLogEnabled="true" with stdoutLogFile=".\logs\stdout". Create the logs directory and grant write permissions to the application pool identity. Restart the app and reproduce the error. The log file will contain the actual exception with stack trace. Disable stdout logging once the issue is resolved because it impacts performance.
Windows Event Viewer is the second source. Open Event Viewer, navigate to Windows Logs โ Application, and filter for source "IIS AspNetCore Module V2". Each failed startup produces an event with the exception message and stack trace. The events sometimes include more useful information than stdout logs because they capture failures before the app could write its own logs. Check both sources when debugging because either may have information the other misses.
Running the app directly from command line bypasses IIS entirely and shows exceptions in the terminal. Navigate to the deployment directory and run dotnet YourApp.dll. If the app runs successfully this way, the issue is in the IIS integration (ANCM, hosting bundle, web.config, app pool configuration). If the app fails this way too, the issue is in the application code or configuration. This binary test narrows the search significantly.
Application Insights provides a third diagnostic source if your app integrates with it. Failures during startup sometimes produce telemetry before the app fully starts, capturing exceptions and dependencies in the live metrics stream. The Application Insights overview blade shows failed requests with exception details. For apps already integrated with App Insights, check the failures blade after deployment to catch startup issues that may not appear in stdout or Event Viewer.
Container deployments (Docker, Kubernetes) handle stdout differently. The container's stdout is the equivalent of the IIS stdout log. Use docker logs container-name or kubectl logs pod-name to view the stream. Container restart loops typically indicate a startup failure; the logs from the most recent failed start contain the exception. Configure log retention so you can read logs from previous failures, not just the current one.
ANCM (ASP.NET Core Module) cannot find native dependencies needed to start the app. Usually means the app targets a runtime version not installed on the server. Check installed runtimes with dotnet --list-runtimes on the server. Install the matching hosting bundle. The error typically appears immediately after deploying a new version that bumps the target framework.
Two apps in the same app pool use different hosting models (one InProcess, one OutOfProcess). IIS cannot run both in the same pool. Fix: separate the apps into different app pools, or align all apps in the pool to the same hosting model. Update the aspNetCore hostingModel attribute in each app's web.config.
The app started successfully but threw an unhandled exception during a request. Check the app's logs for the actual exception. The cause varies enormously by app code โ null reference exception, database deadlock, external API timeout, or any other runtime exception. The 500.0 status is generic; the underlying exception is what matters.
App process exited unexpectedly during request handling. Could be a fatal exception in the request pipeline, a manual Environment.Exit() call, or a stack overflow that terminated the process. Check stdout logs and Event Viewer for the cause. Older versions of ASP.NET Core (1.x, 2.x) used 502.5 instead of the more specific 500.30 codes introduced later.
Authentication failed. JWT token expired, signature invalid, or claims missing. Check that JWT signing key matches between issuer and verifier. Verify token expiration. Confirm cookie authentication uses the same data protection keys across server farm. Use authentication event hooks to log the specific failure reason during development.
Route not registered or controller missing. Check that the controller exists and the route attribute matches the request URL. Verify app.MapControllers() or app.UseRouting() are called in the correct order in Program.cs. For static files, confirm app.UseStaticFiles() is called and the file exists in wwwroot.
Run dotnet --info on the server. The output lists the SDKs and runtimes installed. Compare to your app's TargetFramework in the .csproj file. If the app targets net8.0 and the server only has net6.0, install the .NET 8 ASP.NET Core hosting bundle. The hosting bundle includes the runtime, the ASP.NET Core shared framework, and the IIS integration components โ install all three rather than just the runtime alone. Restart the IIS application pool after installing.
Self-contained deployments avoid runtime version concerns entirely. Publishing with --self-contained -r win-x64 embeds the runtime in the deployment. The deployed package is larger (60-80 MB versus 5-10 MB framework-dependent) but eliminates the runtime-installed-on-server requirement. Self-contained makes sense for environments where you cannot guarantee runtime versions or where multiple apps need different runtime versions on the same server.
Side-by-side runtime installation works on Windows servers. Multiple .NET runtime versions can coexist (3.1, 6.0, 7.0, 8.0, 9.0). The framework selects the correct runtime based on the app's TargetFramework automatically. Forcing a specific minor version is sometimes useful โ set the RollForward property in runtime configuration. The default value Minor upgrades to newer minor versions automatically; LatestMajor upgrades across major versions; Disable requires the exact version. Most production apps use the default; explicit settings help when migrating between major versions during testing.
Configuration errors are a recurring source of production failures. Common patterns: connection string in appsettings.Development.json works locally but the production appsettings.json file has a wrong or empty value. Environment variables that override configuration are not set in the production environment. Configuration sections are renamed in code but not in the JSON file (or vice versa). Required values are read using GetRequiredSection() but the section is missing.
Strongly typed configuration with IOptions<T> validation catches many of these issues at startup rather than at first use. Add builder.Services.AddOptions<MyConfig>().Bind(builder.Configuration.GetSection("My")).ValidateDataAnnotations().ValidateOnStart(). The ValidateOnStart() call forces validation during startup, producing a clear failure if required values are missing rather than a runtime null reference exception two hours after deployment.
Configuration providers stack in a specific order: appsettings.json, appsettings.{Environment}.json, environment variables, command-line arguments, and any custom providers (Azure Key Vault, AWS Secrets Manager). Later providers override earlier ones. The most common configuration mystery is a value defined in appsettings.json being overridden by an environment variable that was set days ago and forgotten. Use builder.Configuration.GetDebugView() in development to see the effective configuration with each value's source. The view immediately reveals override conflicts.
JSON syntax errors in appsettings files cause silent failures in some scenarios. The configuration loader sometimes silently ignores malformed JSON sections rather than throwing. Validating appsettings.json with a JSON linter before deployment catches syntax errors. Some IDE plugins highlight JSON issues in real-time. Failing fast on configuration errors is preferable to mystery production failures from missing values that look present but did not load due to syntax issues.
Dependency injection failures during startup produce exceptions like "Unable to resolve service for type X" or "Cannot consume scoped service from singleton". The first usually means a service was requested via constructor injection but never registered in the service collection. Fix: add builder.Services.AddSingleton<IMyService, MyService>() or the appropriate scoped/transient registration. The second means a singleton service is trying to inject a scoped service through its constructor, which is forbidden because singletons live longer than scopes.
Middleware order matters more than developers expect. The middleware pipeline runs in the order it is added. Common mistakes: UseAuthentication() before UseRouting(), UseStaticFiles() after UseAuthorization() (causes static files to require authentication unintentionally), UseCors() after UseAuthentication() (CORS preflight requests fail authentication). Read the Microsoft Docs middleware order section once carefully. The recommended order: ExceptionHandler โ HSTS โ HttpsRedirection โ StaticFiles โ Routing โ Cors โ Authentication โ Authorization โ Endpoints.
Hosted services and background workers add another layer to startup failures. Services registered with AddHostedService<T>() start during host startup and can throw startup exceptions. If a hosted service blocks startup or throws in its StartAsync method, the host fails to start. Wrap startup-critical operations in proper exception handling and consider deferred initialization patterns where possible. Catastrophic startup failures from background services are particularly hard to debug because the exception sometimes appears in the host's startup log rather than the service's own log.
Deployment-specific failures often relate to file permissions, app pool identity, or missing files. The IIS application pool runs as a specific identity (typically ApplicationPoolIdentity); that identity needs read access to the deployment folder and write access to logs and any temp directories. Check NTFS permissions on the deployment path. Confirm the app pool identity has the permissions the app needs. The error "Access denied" appearing in stdout logs typically points at a permission issue rather than an app code issue.
Application pool identity quirks deserve specific attention on IIS. The default ApplicationPoolIdentity is a virtual account that does not exist as a regular Windows user. Granting it permissions requires using the IIS APPPOOL\{AppPoolName} format. Custom identities (named user accounts) provide more granular control but require password management. Service accounts are typically the right choice for production because they have explicit credentials and access policies. Document which identity your app pool uses; permission troubleshooting on the wrong identity wastes substantial time.
Web.config transformations apply per-environment configuration during deployment. Visual Studio publish profiles support transformations like Web.Production.config that override values in the base Web.config during deployment. The transformations apply at publish time, not runtime, so you cannot adjust them on the deployed server without republishing. Knowing which transformations apply prevents confusion about why deployed configuration differs from source-controlled configuration.
Add Serilog.AspNetCore and configure outputs (console, file, Seq, Application Insights). Structured logging captures the context around exceptions making post-mortem debugging much faster than plain text logs. Configure log levels per namespace to reduce noise from framework internals while keeping detail on application code.
Log explicit messages at key startup points: 'Configuration loaded', 'Database connection verified', 'Services registered', 'Middleware configured'. When startup fails, the last successful log message tells you exactly where the failure occurred. Free benefit: makes startup easier to monitor in production.
Strongly typed configuration with ValidateDataAnnotations and ValidateOnStart() catches missing or invalid configuration before the app accepts requests. Failures appear immediately during deployment rather than as mysterious request-time exceptions hours later. Fail-fast principle applied to configuration.
Run the deployment package in a staging environment with the same runtime, IIS configuration, and connectivity as production before deploying to production. Catches runtime mismatches, missing configuration, and IIS integration issues before they affect users. Investment in staging environment pays back many times in avoided production incidents.
The ASPNETCORE_ENVIRONMENT environment variable determines which configuration files the app loads. Setting it to "Development" loads appsettings.json plus appsettings.Development.json with detailed errors enabled. Setting it to "Production" loads appsettings.json plus appsettings.Production.json with detailed errors disabled. The variable can be set on the system level, in IIS app pool settings, in web.config environmentVariables, or in launchSettings.json for local debugging. Check the actual effective value at startup if behaviour differs from expectations.
Some environments use custom environment names beyond Development, Staging, and Production. Setting ASPNETCORE_ENVIRONMENT to a custom name like 'QA' or 'Integration' loads appsettings.QA.json or appsettings.Integration.json respectively. The framework uses string comparison without case sensitivity. Custom environment names allow more granular configuration management, particularly useful in multi-environment pipelines with QA, UAT, integration, and pre-production stages between development and production.
Built-in environment helpers like app.Environment.IsDevelopment() only return true for the exact string 'Development' (case-insensitive). Custom environments will return false for these helpers; check exact environment name with app.Environment.EnvironmentName for custom logic. Mixing built-in and custom environment names is a recurring source of subtle production bugs because development-only code paths sometimes activate or deactivate unexpectedly based on which environment string is set.
Production environments differ from development in ways the app reads at startup: connection strings, environment variables, file system paths, certificate stores, and configuration overrides. The 500.30 production-only failure typically points to one of these environment-specific values. Run the app directly via dotnet YourApp.dll on the production server to see the actual exception. The exception message usually identifies the missing value or unreachable resource immediately.
Edit web.config directly on the server. Find aspNetCore element and set stdoutLogEnabled="true". Create the logs directory specified in stdoutLogFile if it does not exist. Grant the app pool identity write access to that directory. The change takes effect on the next request without an app restart in many cases. Disable when finished โ leaving stdout logging on in production has measurable performance impact.
InProcess hosting runs the app inside the IIS w3wp.exe process for better performance (no inter-process communication overhead). OutOfProcess hosting runs the app in a separate dotnet.exe process, with IIS proxying requests via HTTP. InProcess is faster but requires Windows-only deployment and complicates debugging. OutOfProcess is portable across IIS, Nginx, and Kestrel-direct deployments. Default since ASP.NET Core 2.2 is InProcess; many teams switch to OutOfProcess for deployment portability.
The IIS integration (ASP.NET Core Module, hosting bundle, web.config, app pool configuration) introduces dependencies that dotnet run bypasses entirely. Common causes: hosting bundle missing or wrong version, web.config syntax error, app pool identity lacking permissions, ANCM hosting model misconfigured, environment variables not propagated to IIS process. The dotnet run success confirms application code is fine; the IIS failure is in the integration layer.
The exception message names the type that could not be resolved. Search Program.cs for that type. If not registered, add the appropriate AddSingleton, AddScoped, or AddTransient registration. If registered but still failing, check the lifetime scopes โ singletons cannot inject scoped services through constructors. Enable scope validation with builder.Host.UseDefaultServiceProvider(o => o.ValidateScopes = true) to surface scope mismatches at startup rather than at first request.
UseExceptionHandler, UseHsts (production), UseHttpsRedirection, UseStaticFiles, UseRouting, UseCors, UseAuthentication, UseAuthorization, MapControllers/MapEndpoints. Putting UseStaticFiles after UseAuthorization causes static files to require authentication. Putting UseCors after UseAuthentication causes CORS preflight to fail authentication. Following the recommended order avoids most middleware-order bugs. The Microsoft Docs page on middleware order is worth reading once thoroughly.