How to Resolve IIS 8 ASP.NET MVC HTTP Error 500.19 (Config Section Locked at Parent Level)


3 views

When migrating ASP.NET MVC applications to a new IIS 8 server, you might encounter HTTP Error 500.19 with error code 0x80070021. The key error message states: "This configuration section cannot be used at this path. This happens when the section is locked at a parent level."

This occurs because IIS applies strict security lockdowns by default, preventing certain configuration sections from being modified at the application level when they're locked in parent configuration files (applicationHost.config or machine.config). In your case, this is preventing proper reading of the web.config file.

Here's how to resolve this:

1. Open IIS Manager
2. Select your server node in the connections pane
3. Open "Configuration Editor" in the Management section
4. In the Section dropdown, navigate to:
   system.webServer/handlers
5. Click "Unlock Section" in the right action pane
6. Repeat for system.webServer/modules if needed

For server administrators who prefer CLI:

%windir%\system32\inetsrv\appcmd unlock config 
  -section:system.webServer/handlers
%windir%\system32\inetsrv\appcmd unlock config 
  -section:system.webServer/modules

After making changes, verify the applicationHost.config file at:

C:\Windows\System32\inetsrv\config\applicationHost.config

Look for these sections and ensure they don't contain overrideMode="Deny":

<sectionGroup name="system.webServer">
  <section name="handlers" overrideModeDefault="Allow" />
  <section name="modules" overrideModeDefault="Allow" />
</sectionGroup>

If you're managing multiple sites, you might need to unlock sections at specific levels:

appcmd unlock config /commit:WEBROOT 
  /section:system.webServer/handlers
appcmd unlock config /commit:APPHOST 
  /section:system.webServer/modules

To avoid similar issues during future migrations:

  • Document all IIS feature dependencies
  • Use Web Deploy for consistent deployments
  • Maintain identical IIS feature sets across environments

If the issue persists after unlocking sections:

  1. Check for malformed XML in web.config
  2. Verify IIS and ASP.NET installation states
  3. Ensure proper inheritance of application pool identity

When migrating an ASP.NET MVC application to a new IIS 8 server, you might encounter HTTP Error 500.19 with the message "This configuration section cannot be used at this path". This occurs when IIS configuration sections are locked at the server level, preventing your application from overriding these settings.

IIS uses a hierarchical configuration system where settings can be locked at higher levels. The error code 0x80070021 specifically indicates a configuration locking issue. In your case, certain sections in web.config are being blocked by server-level settings.

These sections are frequently locked:

<system.webServer>
<handlers>
<modules>
<security>

The most effective approach is to unlock the required sections using IIS Manager:

1. Open IIS Manager
2. Select your server in the Connections pane
3. Open "Configuration Editor" under Management
4. Navigate to the locked section (e.g., system.webServer/handlers)
5. Click "Unlock Section" in the right pane
6. Repeat for any other locked sections

For server administrators, you can unlock sections via command line:

%windir%\system32\inetsrv\appcmd.exe unlock config 
-section:system.webServer/handlers

After unlocking, check if your application runs properly. If you still get errors, examine the exact section mentioned in the error message.

Before unlocking sections:

  • Understand the security implications
  • Only unlock what's necessary
  • Consider using <location> tags for specific paths
  • Document changes for future maintenance

If modules are locked, you might need to either unlock them or modify your application to work without overriding these settings:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <modules>
      <!-- Your module entries -->
    </modules>
  </system.webServer>
</configuration>

If you're using shared hosting and can't unlock sections yourself, you'll need to:

  1. Identify exactly which sections are locked
  2. Contact your hosting provider with the specific request
  3. Provide them with the exact error message