Many developers transitioning from IIS6 to IIS7 encounter this surprising behavior when trying to clean up HTTP modules. While IIS6 allowed simple module clearing via <httpModules><clear/></httpModules>, IIS7 introduces a more complex configuration system that requires additional steps.
The error occurs because IIS7 locks certain configuration sections at the applicationHost.config level by default. When you attempt to modify these locked sections in your web.config, IIS throws the "Lock violation" error.
<system.webServer>
<modules>
<clear/> <!-- This line triggers the error -->
</modules>
</system.webServer>Here's how to properly clear modules in IIS7+ without triggering lock violations:
1. Unlock the Section at Server Level
First, run this command as Administrator:
%windir%\system32\inetsrv\appcmd.exe unlock config -section:system.webServer/modules2. Web.config Configuration
After unlocking, your web.config should contain:
<system.webServer>
<modules runAllManagedModulesForAllRequests="false">
<clear/>
<!-- Add your custom modules here if needed -->
</modules>
<handlers>
<clear/>
<!-- Add your custom handlers here -->
</handlers>
</system.webServer>If you don't have server access (shared hosting), you can remove modules individually instead of clearing all:
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
<remove name="DefaultAuthentication" />
<!-- Continue with other modules -->
</modules>
</system.webServer>- Clearing all modules might break functionality that depends on built-in modules
- For handlers, you might need
<validation validateIntegratedModeConfiguration="false"/> - Always test in development environment first
When migrating ASP.NET applications from IIS6 to IIS7/IIS7.5, developers often encounter a frustrating "Lock Violation" error when attempting to clear HTTP modules in the system.webServer section. This occurs because IIS7 implements a more rigid configuration hierarchy with locked sections by default.
IIS7 introduces a multi-layered configuration system where higher-level settings (like ApplicationHost.config) can lock certain sections. The error manifests when trying to execute:
<system.webServer>
<modules>
<clear />
</modules>
</system.webServer>The commonly suggested solution using:
%windir%\system32\inetsrv\appcmd.exe unlock config -section:system.webServer/modulesmight not work because:
- It needs administrator privileges
- The lock might be at multiple levels
- There could be inherited locks from parent configuration
Here's a step-by-step method to resolve this:
First, check current lock status:
appcmd.exe list config -section:system.webServer/modulesThen unlock at machine level (requires admin):
appcmd.exe unlock config -section:system.webServer/modulesFor specific applications, use:
appcmd.exe unlock config /app.name:"Default Web Site/YourApp" -section:system.webServer/modulesIf unlocking isn't possible, you can explicitly remove each module:
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
<remove name="DefaultAuthentication" />
<remove name="RoleManager" />
<!-- Add other modules you need to remove -->
</modules>
</system.webServer>Remember that these changes affect deployment:
- Include AppCmd commands in your deployment scripts
- Document configuration requirements for server admins
- Consider using
locationtags for specific path configuration
If issues persist:
- Check the application pool identity permissions
- Verify inheritance in applicationHost.config
- Use Failed Request Tracing to capture detailed errors