Among the many obscure permissions-related IIS errors, this one definitely deserves an honorable mention:
HTTP Error 500.19 – Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
The Detailed Error Information section gave a bit more information:
According to the MS Knowledge Base, this error has NINE (!) possible causes, which makes it hard to understand what went wrong. Luckily enough, the most common scenario is fairly simple: most of the time, when you see something like this, it means that you tried to add a new web.config section which is locked at a parent level.
For example, it could be the <requestFiltering> section, just like in the example below:
Or the <rewrite> section, which is also a sub-element of the <system.webServer> block:
<rule name="Root_URL_Rewrite" stopProcessing="true">
    <!-- your rule(s) here -->
</rule>
… or any other web.config section.
The IIS locking mechanism is well explained in this KB article. It’s basically a good thing, since it allows administrators to lock and unlock specific configuration settings at the server level, which is a key thing to do, in terms of security, in many scenarios: for example, when you’re hosting a shared environment.
Locking (and unlocking) the various sections is done with the <location> element. By using it, you can:
- Lock specific elements and attributes
- Lock everything except specific elements or attributes
- Lock specific collection directives such as the <add>, <remove>, and <clear> directives
- Lock specific elements in collections
And so on.
Most IIS-specific web.config sections (such as <rewrite>, <windowsAuthentication> and so on) are locked down by default. If you’re getting the HTTP Error 500.19 above, it most likely means that you need to unlock one (or more) of them. This can be done in two ways:
- By manually editing the applicationHost.config file.
- By using the Feature Delegation interface within the IIS Manager GUI.
The applicationHost.config file is located within the following path:
To unlock a section, move its content from its current location in the file to the bottom of the file and put it inside a <location overrideMode="Allow"> element. It’s worth noting that you can either unlock the section for all applications on the server or for specific paths/sites. For example, by doing this:
<!-- the content of windowsAuthentication section is here -->
You will unlock the <authentication> section for all applications. Alternatively, you can specify a path on the location tag, so that the section will be unlocked only for this path.
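To find out which sections of a given web.config are still locked for a site before touching anything, the check below (an added example, not part of the original post) reads a copy of applicationHost.config and lists every section the web.config uses whose effective override mode is Deny. It assumes the lock state comes only from each section's overrideModeDefault attribute under <configSections> and from <location> tags whose path is empty or equals the site name; the XML samples and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config excerpt (sample data, not from a real server).
APP_HOST = """<configuration><configSections><sectionGroup name="system.webServer">
 <section name="defaultDocument" overrideModeDefault="Allow" />
 <sectionGroup name="security">
  <section name="requestFiltering" overrideModeDefault="Deny" />
  <sectionGroup name="authentication">
   <section name="windowsAuthentication" overrideModeDefault="Deny" />
  </sectionGroup>
 </sectionGroup>
</sectionGroup></configSections>
<location path="Default Web Site" overrideMode="Allow"><system.webServer><security>
 <authentication><windowsAuthentication enabled="true" /></authentication>
</security></system.webServer></location></configuration>"""
# Constructed web.config of the site being checked.
WEB_CONFIG = """<configuration><system.webServer>
 <defaultDocument enabled="true" />
 <security><requestFiltering />
  <authentication><windowsAuthentication enabled="true" /></authentication>
 </security>
</system.webServer></configuration>"""

def declared(group, prefix=""):  # section path -> default mode from <configSections>
    modes = {}
    for node in group:
        path = prefix + node.get("name", "")
        if node.tag == "sectionGroup":
            modes.update(declared(node, path + "/"))
        elif node.tag == "section":
            modes[path] = node.get("overrideModeDefault", "Allow")
    return modes

def find(node, path):  # walk a slash-separated section path; None if absent
    for name in path.split("/"):
        node = next((c for c in node if c.tag == name), None)
        if node is None:
            break
    return node

def locked_sections(app_host_xml, web_config_xml, site):  # locked sections web.config uses
    host, web = ET.fromstring(app_host_xml), ET.fromstring(web_config_xml)
    modes = declared(host.find("configSections"))
    # Assumption: server-wide <location> tags (empty path) apply first, then exact site matches.
    for loc in sorted(host.findall("location"), key=lambda l: len(l.get("path", ""))):
        mode = loc.get("overrideMode")
        if loc.get("path", "") in ("", site) and mode in ("Allow", "Deny"):
            modes.update({p: mode for p in modes if find(loc, p) is not None})
    return sorted(p for p, m in modes.items() if m == "Deny" and find(web, p) is not None)
```

Each path returned is a section that would need to be unlocked for that site (or removed from web.config) for the 500.19 error to go away.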
Starting from IIS 7, MS added a neat Feature Delegation feature at the root (computer) level of IIS Manager that can be conveniently used to lock/unlock most of the sections from within the GUI. Once you click on the icon, a modal window will show a list of IIS sections/features and their current override setting: each of these features can be changed to Read/Write, Read Only, or Not Delegated for your convenience. You can even pick the Reset to Inherited option to remove any customization.
Each feature’s context menu also includes a Custom Site Delegation option that allows the settings to be changed per site (such as the Default Web Site). Pretty neat, isn’t it? Using the GUI is definitely more practical than manually editing the applicationHost.config file.