1877

I've encountered an error deploying a site to a server. When trying to load the home page, or access authentication on the new site in IIS, I get the error:

Config Error: This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

More detail can be found here, in Scenario 7 matches my hex error code.

The solution given on the linked site above is to set Allow for overrideModeDefault in the section mentioned in my error, in the applicationHost.config file. In my case, under Security in system.webServer. But if I look at the applicationHost.config on my local computer, where the site is properly deployed already, that section is set to Deny.

If this solution is correct, how is my local instance running just fine with the same web.config? According to my applicationHost.config, that section should be locked, but it's not. I'd prefer to not change the applicationHost.config file, because there are many other sites running on that server. Is there another solution?

Callum Watkins
  • 2,444
  • 2
  • 27
  • 42
Alex
  • 18,769
  • 3
  • 13
  • 20
  • 2
    If you've come here because you've gotten this error when trying to use the "Certify the web" program (https://certifytheweb.com/), then this blog article might be relevant: https://renniestechblog.com/information/29-joomla-on-iis-part-10-installing-and-using-an-ssl-certificate – RenniePet Dec 28 '17 at 06:03

34 Answers34

3505

I had the same problem. Don't remember where I found it on the web, but here is what I did:

  • Click "Start button"
  • in the search box, enter "Turn windows features on or off"
  • in the features window, Click: "Internet Information Services"
  • Click: "World Wide Web Services"
  • Click: "Application Development Features"
  • Check (enable) the features. I checked all but CGI.

btw, I'm using Windows 7. Many comments over the years have certified this works all the way up to Windows 10 and Server 2019, as well.

TylerH
  • 19,065
  • 49
  • 65
  • 86
chuck97224
  • 35,256
  • 1
  • 13
  • 3
412

You could also use the IIS Manager to edit those settings.

Care of this Learn IIS article:

Using the Feature Delegation from the root of IIS:

Feature delegation icon in IIS Manager

You can then control each of machine-level read/write permissions, which will otherwise give you the overrideMode="Deny" errors.

Example use of Feature Delegation

Gabriel
  • 3,331
  • 1
  • 24
  • 46
Overflew
  • 7,122
  • 8
  • 41
  • 63
  • 19
    To continue this, what worked for me is to (note this solution is on my DEV box and NOT a Production system): -> Sort by Delegation -> Find all of the Read Only types -> Set them to Read/Write – Aaron Reed Jun 09 '14 at 19:50
  • 1
    That fixed the error message I was getting in the IIS7 manager. More surprisingly is that it also fixed the HTTP 500 clients were receiving when attempting to access the website. – Brian Gideon Aug 13 '14 at 14:39
  • 7
    There are two seemingly different solutions posted here both of which are required. The first being, install the "Application Server" and "Web Server" Support features. The second being, check the delegation settings and change the offending setting to Read/Write from read only. Important to NOTE: The offending config may not be available in the Delegation features unless the correct Support Features are installed. In my case, "Authentication - Anonymous" was the issue, and this delegation feature did not show up until I installed the Application Server feature. – maplemale Jul 13 '15 at 17:25
  • @BrianGideon That's because the 500 error is the general "mask" used externally to hide the exact error from prying eyes – Roger Willcocks Mar 22 '17 at 01:38
  • 1
    This worked to me. in IIS 8.5 , Windows server 2012 R2 – ellickakudy rajeesh Apr 17 '17 at 11:58
  • The error page should give you some form of information about which feature is lacking permissions. It may highlight the tag for example, which would indicate you need to explicitly give read/write permissions to the "Handler Mappings" feature. For security purposed, you may want to be specific in your feature delegations. – Kyle Shrader Jan 29 '19 at 23:53
  • Thank you for this - as @maplemale said, the authentication was set to read-only. Changing it to read-write fixed it for me. – Arvindh Mani Mar 07 '19 at 16:37
  • 1
    The issue for me was in the authentication section, in IIS 10 in windows 10. This link has helped me. https://knowledgebase.progress.com/articles/Article/Windows-Authentication-This-configuration-section-cannot-be-used-at-this-path – Ajith Jun 13 '19 at 07:29
  • It's interesting to note that, when you override your site deletagion in the IIS manager console, what it does, is editing your actual applicationhost.config, and add that at the end of it, with "path" for the site you need to override, followed by the sections you want to. In case you prefer editing your config file without using the iis console. – foxontherock Jun 19 '19 at 14:51
  • This one solved it for me. I had to set HandlerMapping and Modules to Read/Write. IIS 10.0 and Windows Server 2019 – Henrik Hjalmarsson Nov 20 '19 at 10:09
190

For Windows Server 2012 and IIS 8, the procedure is similar.

The Web Server (IIS) and Application Server should be installed, and you should also have the optional Web Server (IIS) Support under Application Server.

Windows Server 2012 and IIS 8 Requirements for MVC

ken
  • 16,047
  • 3
  • 46
  • 70
  • 30
    Just to clarify, the "Web Server (IIS) Support" feature checkbox is not under the 'Application Server' node in the pic above. It will show after you perform several 'next' and pass the Server Roles and Features on the left nav bar and get to 'Role Services' (doesn't appear in the pic above but will appear for you after several 'next'). This drove me crazy :P – thedrs Jun 10 '14 at 16:57
  • 2
    for me the options only appeared after I first added the Application Server rule then restarted the Add Roles and Features Wizard – wonster Jul 20 '15 at 01:22
160

Browse to “C:\Windows\System32\inetsrv\config” (you will need administrator rights here) Open applicationHost.config

Note: In IISExpress and Visual Studio 2015 the applicationHost.config is stored in $(solutionDir).vs\config\applicationhost.config

Find the section that showed up in the “config source” part of the error message page. For me this has typically been “modules” or “handlers”

Change the overrideModeDefault attribute to be Allow

So the whole line now looks like:

<section name="modules" allowDefinition="MachineToApplication" overrideModeDefault="Allow" />

After saving the file, the page loaded up fine in my browser.

Warning: Editing applicationHost.config on 64-bit Windows

Liam
  • 22,818
  • 25
  • 93
  • 157
Nime Cloud
  • 5,691
  • 13
  • 38
  • 70
  • 2
    Link for 64-bit is 404, to bad you didn't include the useful information directly in your answer. – Erik Philips Mar 11 '14 at 20:00
  • 1
    This was it for me on ipSecurity on Windows 8.1 dev environment, +1. – Moby's Stunt Double Sep 17 '14 at 21:34
  • 1
    For 64-Bit Windows, you need to go through notepad.exe and open up %SystemRoot%\System32\inetsrv\config to get the correct copy of the file – Eddie Fletcher Feb 17 '15 at 02:06
  • It happened to me when debugging locally in Visual Studio 2017, within the 'authentication' section. Life saver! – D Ie Nov 04 '19 at 11:33
  • I ignored this page after reading first answer which wasn't a fix a for me. I just came back here after few days of googling and my fix was right below the accepted answer. Thanks a lot mate!!! – The Godfather Feb 25 '21 at 16:06
75

You need to unlock handlers. This can be done using following cmd command:

%windir%\system32\inetsrv\appcmd.exe unlock config -section:system.webServer/handlers

Maybe another info for people that are getting this error on IIS 8, in my case was on Microsoft Server 2012 platform. I had spend couple of hours battling with other errors that bubbled up after executing appcmd. In the end I was able to fix it by removing Web Server Role and installing it again.

Gregor Primar
  • 6,401
  • 2
  • 30
  • 46
70

1. Open "Turn windows features on or off" by: WinKey+ R => "optionalfeatures" => OK

enter image description here

  1. Enable those features under "Application Development Features"

enter image description here

Tested on Win 10 - But probably will work on other windows versions as well.

Aviram Fireberger
  • 3,122
  • 3
  • 40
  • 60
  • 4
    perfect. I only needed to check the ASP.NET 4.7 box and it autoselected all other requirements it needed. Worked like a charm without even restarting the website. – Bill Tarbell Jan 24 '19 at 11:04
  • For us IIS noobs, verifying that the correct version asp.net is actually installed should be the first step. – mrfelis Jun 26 '19 at 16:20
50

I ran these two commands from an elevated command prompt:

%windir%/system32/inetsrv/appcmd unlock config /section:anonymousAuthentication

%windir%/system32/inetsrv/appcmd unlock config /section:windowsAuthentication
Community
  • 1
  • 1
Benji
  • 501
  • 4
  • 2
  • This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post - you can always comment on your own posts, and once you have sufficient [reputation](http://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](http://stackoverflow.com/help/privileges/comment). – Rook Nov 18 '14 at 12:29
  • 23
    @Rook this is a perfectly good answer because it doesn't blindly promote enabling Application Development Features on the server; it states a controlled solution to a particular scenario of getting this error. It could have been worded better. Good job boosting the then new guy's confidence - he never came back after you and NAZIK opinionated all over his first attempt at joining the community. – qujck Apr 02 '15 at 18:04
  • 1
    This fixed my problem with an application that had application-level configuration of Windows authentication. – nebffa Mar 31 '16 at 04:12
  • Nice, this did the trick where Application Development features did not – Stephen Holt Sep 02 '16 at 12:00
  • 3
    Works for me, but why? – Kevman Sep 25 '17 at 13:42
  • Worked for me on Windows Server 2016. – Daniel May 25 '21 at 19:49
43

As per my answer to this similar issue;

Try unlocking the relevant IIS configuration settings at server level, as follows:

  1. Open IIS Manager
  2. Select the server in the Connections pane
  3. Open Configuration Editor in the main pane
  4. In the Sections drop down, select the section to unlock, e.g. system.webServer > defaultPath
  5. Click Unlock Attribute in the right pane
  6. Repeat for any other settings which you need to unlock
  7. Restart IIS (optional) - Select the server in the Conncetions pane, click Restart in the Actions pane
Community
  • 1
  • 1
Chris
  • 3,231
  • 1
  • 29
  • 35
  • 2
    This solution worked for me, but the real reason was different - I had to install ASP.NET 4.5 (Add-WindowsFeature Web-Asp-Net45). – Der_Meister May 02 '16 at 05:26
  • 1
    This worked for me.. I unlocked the section which was shown in error. For me system.webServer > anonymousAuthentication (in web config) – nirav Oct 14 '20 at 18:23
  • Worked for me at Windows Server 2019 for system.webServer > security > authentication > basicAuthentication – Gil May 23 '21 at 12:22
27

On Windows Server 2012 with IIS 8 I have solved this by enabling ASP.NET 4.5 feature:

enter image description here

and then following ken's answer.

Community
  • 1
  • 1
Kimi
  • 11,963
  • 7
  • 49
  • 79
27

This Did the trick for me, for IIS 8 Windows server 2012 R2

Go to "Turn on Features"

Then go to all default setting , Next, Next, Next etc..

Then, select as shown below, enter image description here

Then reset IIS (optional) but do it safer side.

enter image description here

This is an additional solution as its a generic problem everyone have different of problem and thus different solution. Cheers!

Steve S
  • 429
  • 8
  • 18
Usman Younas
  • 1,203
  • 13
  • 18
26

The best option is to Change Application Settings from the Custom Site Delegation
Open IIS and from the root select Feature Delegation and then select Application Settings and from the right sidebar select Read/Write Step #1 Step #2

Dr TJ
  • 2,966
  • 31
  • 49
  • My IIS manager does not have many of these features. I think I have to add them via windows features. I had all of them selected (black square box) but when I click on it none of the options were selected! I have never seen this using all Windows OS. Shame on you Microsoft! Wasted a bunch of time. MAKE SURE ALL WINDOWS FEATURES ARE CHECKED THAT ARE DESIRED..DO NOT USE BLACK SQUARE SELECTION – yardpenalty.com Apr 05 '17 at 11:02
  • 3
    Or understand what the "black square" means when you're installing software on your server. – LarryBud Feb 11 '18 at 04:10
  • 1
    May I add step 2.1 -> click "custom site delegation" on the right, then choose which site you want to allow override from the top dropdown. I suggest to not allow overwrite on all sites, but only the site you need to. Then, continue to step 3. – foxontherock Jun 19 '19 at 14:42
19

To fix this open up the IIS Express applicationhost.config. This file is stored at C:\Users[your user name]\Documents\IISExpress\config\applicationhost.config

Update for VS2015+: config file location is $(solutionDir).vs\config\applicationhost.config

Look for the following lines

<section name="windowsAuthentication" overrideModeDefault="Deny" />
<section name="anonymousAuthentication" overrideModeDefault="Deny" />
<add name="WindowsAuthenticationModule" lockItem="true" />
<add name="AnonymousAuthenticationModule" lockItem="true" />

Change those lines to

<section name="windowsAuthentication" overrideModeDefault="Allow" />
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<add name="WindowsAuthenticationModule" lockItem="false" />
<add name="AnonymousAuthenticationModule" lockItem="false" />

Save it and refresh Asp.net Page.

Rao Adnan
  • 1,327
  • 9
  • 16
16

In our case on IIS 8 we found the error was produced when attempting to view Authentication" for a site, when:

  1. The server Feature Delegation marked as "Authentication - Windows" = "Read Only"
  2. The site had a web.config that explicitly referenced windows authentication; e.g.,

Marking the site Feature Delegation "Authentication - Windows" = "Read/Write", the error went away. It appears that, with the feature marked "Read Only", the web.config is not allowed to reference it at all even to disable it, as this apparently constitutes a write.

site web.config IIS Manager - Server Feature Delegation

IronRod
  • 874
  • 10
  • 21
14

Seems that with IIS Express and VS 2015, there's a copy of the applicationHost.config file at $(solutionDir).vs\config\applicationhost.config so you'll need to make changes there. See this link: http://digitaldrummerj.me/iis-express-windows-authentication/

Make sure these lines are changed per below:

<section name="windowsAuthentication" overrideModeDefault="Allow" />
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<add name="WindowsAuthenticationModule" lockItem="false" />
<add name="AnonymousAuthenticationModule" lockItem="false" />
PBMe_HikeIt
  • 583
  • 6
  • 23
12

In my case it was that on server was not enabled "HTTP Activation" under .NET Framework Features. So for Windows Server 2012 the solution which worked for me was:

Server Manager -> Add roles and features -> Features -> make sure that under .NET Framework of version you want to use is checked "HTTP Activation"

Pavel Nemec
  • 153
  • 1
  • 6
9

The Powershell way of enabling the features (Windows Server 2012 +) - trim as needed:

Install-WindowsFeature NET-Framework-Core
Install-WindowsFeature Web-Server -IncludeAllSubFeature
Install-WindowsFeature NET-Framework-Features -IncludeAllSubFeature
Install-WindowsFeature NET-Framework-45-ASPNET -IncludeAllSubFeature
Install-WindowsFeature Application-Server -IncludeAllSubFeature
Install-WindowsFeature MSMQ -IncludeAllSubFeature
Install-WindowsFeature WAS -IncludeAllSubFeature
Chris S
  • 62,476
  • 49
  • 214
  • 238
7

The error says that the configuration section is locked at the parent level. So it will not be directly 1 config file which will resolve the issue, we need to go through the hierarchy of the config files to see the inheritance Check the below link to go through the File hierarchy and inheritance in IIS

https://msdn.microsoft.com/en-us/library/ms178685.aspx

So you need to check for the app config settings in the below order

  1. ApplicationHost.config in C:windows\system32\inetsrv\config. Change the overrideModeDefault attribute to be Allow.
  2. ApplicationName.config or web.config in the applications directory
  3. Web.config in the root directory.
  4. Web.config in the specific website (My issue was found at this place).
  5. Web.config of the root web (server's configuration)
  6. machine.config of the machine (Root's web.config and machine.config can be found at - systemroot\MicrosoftNET\Framework\versionNumber\CONFIG\Machine.config)

Go carefully through all these configs in the order of 1 to 6 and you should find it.

Avil Mascarenhas
  • 118
  • 1
  • 8
7

I noticed one answer that was similar, but in my case I used the IIS Configured Editor to find the section I wanted to "unlock".

enter image description here

enter image description here

Then I copied the path and used it in my automation to unlock it prior to changing the sections I wanted to edit.

. "$($env:windir)\system32\inetsrv\appcmd" unlock config -section:system.webServer/security/authentication/windowsAuthentication
. "$($env:windir)\system32\inetsrv\appcmd" unlock config -section:system.webServer/security/authentication/anonymousAuthentication
Brandon Hawbaker
  • 121
  • 1
  • 6
6

I needed to change the SSL settings on a subfolder when i got this nice message. In my case following action helped me out.

Opened C:\Windows\System32\inetsrv\config\applicationHost.config

And changed the value from overrideModeDefault="Deny" to "Allow"

<sectionGroup name="system.webServer">
 ...
    <sectionGroup name="security">
        <section name="access" overrideModeDefault="Allow" />
    </sectionGroup>
Stefan Michev
  • 3,938
  • 2
  • 32
  • 29
4

In my case, I got this error because I was operating on the wrong configuration file.

I was doing this:

Configuration config = serverManager.GetWebConfiguration(websiteName);
ConfigurationSection serverRuntimeSection = config.GetSection("system.webServer/serverRuntime");
serverRuntimeSection["alternateHostName"] = hostname;

instead of the correct code:

Configuration config = serverManager.GetApplicationHostConfiguration();
ConfigurationSection serverRuntimeSection = configApp.GetSection("system.webServer/serverRuntime", websiteName);
serverRuntimeSection["alternateHostName"] = hostname;

in other words, I was trying to operate on the website's web.config instead of the global file C:\Windows\System32\inetsrv\config\applicationHost.config, which has a section (or can have a section) for the website. The setting I was trying to change exists only in the applicationHost.config file.

Mark R
  • 243
  • 2
  • 10
4

In my case, it was something else.

When I loaded the solution in a new version of Visual Studio, VS apparently created a new project-specific applicationhost.config file:

MySolutionDir\.vs\config\applicationhost.config

It started using the settings from the new config, instead of my already customized global IIS Express settings. (\Users\%USER%\Documents\IISExpress\config\applicationhost.config)

In my case this was the setting that needed to be set. Of course it could be something else for you:

<section name="ipSecurity" overrideModeDefault="Allow" />
Andrew
  • 787
  • 2
  • 9
  • 21
3

Received this same issue after installing IIS 7 on Vista Home Premium. To correct error I changed the following values located in the applicationHost.config file located in Windows\system32\inetsrv.

Change all of the following values located in section --> 

<div mce_keep="true"><section name="handlers" overrideModeDefault="Deny" /> change this value from "Deny" to "Allow"</div>
<div mce_keep="true"><section name="modules" allowDefinition="MachineToApplication" overrideModeDefault="Deny" /> change this value from "Deny" to "Allow"</div>
Bhavesh
  • 31
  • 1
3

Can You try this:

Go to application path where you're getting deny error, right click

Properties->Security tab

In that, change the permissions and check the checkbox read and write. Then it will work without any error hopefully.

Phiter
  • 12,987
  • 14
  • 45
  • 77
user5891257
  • 31
  • 1
2

For Windows Server 2008 and IIS 7, the procedure is similar. please refer to this: http://msdn.microsoft.com/en-us/library/vstudio/bb763178(v=vs.100).aspx

in add role service, u will see "Application Development Features"

Check (enable) the features. I checked all.

Scott 混合理论
  • 2,052
  • 8
  • 30
  • 58
1

I had an issue where I was putting in the override = "Allow" values (mentioned here already)......but on a x64 bit system.......my 32 notepad++ was phantom saving them. Switching to Notepad (which is a 64bit application on a x64 bit O/S) allowed me to save the settings.

See :

http://dpotter.net/technical/2009/11/editing-applicationhostconfig-on-64-bit-windows/

The relevant text:

One of the problems I’m running down required that I view and possibly edit applicationHost.config. This file is located at %SystemRoot%\System32\inetsrv\config. Seems simple enough. I was able to find it from the command line easily, but when I went to load it in my favorite editor (Notepad++) I got a file not found error. Turns out that the System32 folder is redirected for 32-bit applications to SysWOW64. There appears to be no way to view the System32 folder using a 32-bit app. Go figure. Fortunately, 64-bit versions of Windows ship with a 64-bit version of Notepad. As much as I dislike it, at least it works.

granadaCoder
  • 21,474
  • 7
  • 81
  • 117
1

In my case I was getting this error when attempting to update the authentication settings in IIS also in addition to browsing. I was able to remove this error by removing the authentication setting from the web.config itself. Removing a problematic configuration section may be less invasive and preferable in some cases than changing the server roles and features too much:

Section Removed:

    <security>
        <authentication>
            <windowsAuthentication enabled="true" />
        </authentication>
    </security>
Brandon Hawbaker
  • 456
  • 5
  • 5
0

I had the same issue.

  • Resolved it by enabling Application Server feature. Restarted iis after that.
Jyo Reddy
  • 602
  • 5
  • 9
  • How-to ***enabling Application Server feature*** ? in Windows Server 2008 o 2012 ? Windows 7,8,10? using Powershell? – Kiquenet Nov 06 '16 at 11:51
0

This worked for me Also in IIS 8 you can solve this problem by changing the server to IIS Express. Goto debug->Properties In the Web select the server as IIS Express from the dropdown and then rebuild the solution

LahiruD
  • 73
  • 1
  • 12
0

To make a change at Application Level (Web.Config):

Please remove the Trust Level from the web.config:

Actually I was getting this error when I was trying to host my Website on the Hosting Server where I don't have control on their Server. Removing the above line from my Application web.config solved my issue.

Ankit Prajapati
  • 1,175
  • 2
  • 12
  • 20
0

The following worked for me:

Go to project properties. Web tab. Set to Local IIS and set specific page.

I have Windows 7 and Visual Studio 2013.

user3900346
  • 169
  • 1
  • 4
0

i solved this issue

go to cmd and execute aspnet_regiis -i

hope it helpful to someone.

DKR
  • 4,758
  • 1
  • 15
  • 19
0

Before reinstalling iis and possibly all of your sites, go to: C:\inetpub\history

There should be number of folders (example: CFGHISTORY_0000000029). Each time a root config file is modified, and entry is made in there. (by default backups of the last 10 modifications are saved)

Look for a backup folder that has the right date and time for it, Click on it and see if there is a file called; applicationhost.config

Compare this to your current applicationhost.config file, or replace your current version with it (make a backup first!!!).

I recently had my localhost iis file modified by a windows 2004 update package, which locked a few features at the root (such as handlers), which prevented localhost sites from working - hence my search.

If you open the file in Visual Code, you can see each area that is locked with a overrideModeDefault="Deny"

This might get you a step closer, and also a way to recover if this file ever gets corrupted.

Michael Khalsa
  • 11
  • 1
0

I had the similar issue, but I used the following powershell script which helped me to achieve above steps in on button click.

#Install IIS
Import-Module ServerManager

Add-WindowsFeature Web-Server, Web-Asp-Net45, Web-Mgmt-Console, Web-Scripting-Tools, NET-WCF-HTTP-Activation45, Web-Windows-Auth

the list of features can be added or removed based on the requirement.

Sachin Vishwakarma
  • 651
  • 5
  • 9
-1

Adding following key in registry solved my issue:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ASP.NET_64\Performance

When I tried these steps I kept getting error:

  1. Search for "Turn windows features on or off"
  2. Check "Internet Information Services"
  3. Check "World Wide Web Services"
  4. Check "Application Development Features"
  5. Enable all items under this

Then i looked at event viewer and saw this error:Unable to install counter strings because the SYSTEM\CurrentControlSet\Services\ASP.NET_64\Performance key could not be opened or accessed. The first DWORD in the Data section contains the Win32 error code.

To fix the issue i manually created following entry in registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ASP.NET_64\Performance

and followed these steps:

  1. Search for "Turn windows features on or off"
  2. Check "Internet Information Services"
  3. Check "World Wide Web Services"
  4. Check "Application Development Features"
  5. Enable all items under this
SharpCoder
  • 15,708
  • 34
  • 126
  • 225