There are two attributes that come handy if you want to enforce application settings in IIS: overrideModeDefault
and allowDefinition
. If your users try to override settings when these attributes are used, they may see to see HTTP Error 500.19.
Example: If you don’t want anybody to change the default document in your IIS, use overrideModeDefault
attribute in the applicationHost
.config
as the example below.
<sectionGroup name="system.webServer">
<section name="defaultDocument" overrideModeDefault="Deny" /></sectionGroup>
If an application owner tries to set the default document in a web.config
file, this error message will be displayed:
HTTP Error 500.19 – Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault=”Deny”), or set explicitly by a location tag with overrideMode=”Deny” or the legacy allowOverride=”false”.
If you try to change the default document in IIS Manager, you will receive this error message:
There was an error while performing this operation.
This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault=”Deny”
), or set explicitly by a location tag with overrideMode=”Deny”
or the legacy allowOverride=”false”
.
Use allowDefinition
attribute if you want to specify which configuration file can edit which tags.
For instance, if you want to allow server-level configuration and deny application-level configuration, here is the setting that should go to your applicationHost.config file:
<sectionGroup name="system.webServer"> <section name="defaultDocument" overrideModeDefault="Allow" allowDefinition="MachineToWebRoot" /></sectionGroup>
When an application owner tries to set the default document in a web.config
file, the error message below will appear.
Configuration section can only be set in machine.config
or root web.config
This error is displayed becasue we specified MachineToWebRoot in allowDefinition
attribute. It means that only machine.config
, applicationHost.config
, and root web.config
file (the one in the same folder as machine.config
) can override this setting.
Here are other values for allowDefinition
attribute (Source:(
“Everywhere” |
The section can be defined in any configuration level. The default value. |
“MachineToApplication” |
The section can be defined in the Machine.config or ApplicationHost.config file. |
“MachineOnly” |
The section can be defined only in the Machine.config file. |
“MachineToWebRoot” |
The section can be defined in the Machine.config, ApplicationHost.config, or Web.config file. The Web.config file is stored in the Web site root. |
“AppHostOnly” |
The section can be defined only in the ApplicationHost.config file. |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.