IIS7 and Higher : system.webServer element ApplicationHost.config vs Web.config

Hi All,

This is another post on authentication for ASP.NET applications. In one of my last posts, I talked about setting the authentication mode to Windows in web.config and enabling/disabling Windows authentication in IIS. You can access that post from the link below.

Looking into Windows authentication at Web.config and at IIS

But can we control the authentication set at IIS using web.config?


There is an element named system.webServer that can be used in web.config, and it allows us to control the authentication that is set at IIS for the application.

Let us go a little deeper into that. We create an application pool, deploy a web application, and assign the application pool to it in IIS. So where does this metadata get stored? It is not just application pools and application names; there is much other associated information, such as authentication settings, modules, handler mappings, etc.

A new file named ApplicationHost.config was introduced with IIS7, and it contains all this information. We can say that it is the root file for all configuration details of applications, virtual directories and application pool settings in IIS. It also includes global defaults for the web server settings.

This applicationHost.config resides at the path %windir%\System32\inetsrv\config. You are advised not to play with this file. Before making any changes to it, first make a copy of the file so that it can be used to revert the changes.

The system.webServer element is defined in the ApplicationHost.config file and it is a child of the system.applicationHost element. It can be overridden from the web application's web.config as well. In the web.config file, system.webServer is a direct child of the configuration element.

Many settings can be defined under the system.webServer element, such as defaultDocument, Caching, modules, handlers, etc. But in this post, we'll focus on security. As we already discussed, all the elements under the system.webServer element in ApplicationHost.config can be overridden using the application's web.config, but this requires a few configuration changes. We'll discuss them in the coming section.

So when we create an application in IIS and enable Windows authentication, it is stored in ApplicationHost.config as

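<location path="Default Web Site/MyApplication">
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="true" />
    <anonymousAuthentication enabled="false" />
  </authentication></security></system.webServer>
</location>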

It shows that windowsAuthentication is enabled and anonymousAuthentication is disabled. If we make any changes here or from IIS, both will be in sync. Now, if we want to override it from our application and don't want to keep changing the applicationHost.config file, we need to unlock this section so that it can be overridden. By default, overriding it from web.config is not allowed, for security reasons. To make it overridable, change the first line in the applicationHost.config file to

<location path="Default Web Site/MyApplication" overrideMode="Allow">

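Now we can override it from our application. So let's add the below to the application's web.config:

<system.webServer><security><authentication>
  <anonymousAuthentication enabled="true" />
  <windowsAuthentication enabled="false" />
</authentication></security></system.webServer>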

If we then check the authentication settings in IIS, they reflect the web.config values: anonymous authentication is enabled and Windows authentication is disabled.


And if we make any changes in IIS or in web.config, both will stay in sync.

This means we can control the IIS settings using our web.config file, and we do not need to go to our web server again and again whenever we want to change these settings. Just deploy the application and its configuration, and everything will be set at IIS as well.

As we already discussed, by default ApplicationHost.config cannot be overridden. It is locked, and only once we unlock it can it be overridden. Unlocking can be done at a granular (section) level, which means unlocking only the section that you want to override, as I did in the section above. This prevents unknowingly overriding sections that are not intended to be overridden.
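
Because an unlocked location lets a deployed web.config change server-side authentication, it is worth reviewing which settings an application actually overrides. The following is an added example, not code from the original post: it compares each location in applicationHost.config with the application's web.config and reports every authentication setting the web.config changes. The sample XML is constructed from the snippets above (the "Intranet" location is hypothetical), and the check is a simplification that treats only an explicit overrideMode="Allow" on the location as unlocked, ignoring inherited and section-level lock settings.

```python
import xml.etree.ElementTree as ET

AUTH = "system.webServer/security/authentication"
# Constructed sample inputs modelled on the post's snippets (not from a real server).
APP_HOST = """<configuration>
  <location path="Default Web Site/MyApplication" overrideMode="Allow">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
      <anonymousAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/Intranet">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""
WEB_CONFIG = """<configuration>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" />
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
</configuration>"""

def auth_settings(node):
    """Return {scheme: enabled} for the authentication children under node."""
    auth = node.find(AUTH)
    children = auth if auth is not None else []
    return {child.tag: child.get("enabled", "").lower() == "true" for child in children}

def audit(app_host_xml, web_configs):
    """Return (path, scheme, server_value, web_config_value, status) per changed setting."""
    findings = []
    for loc in ET.fromstring(app_host_xml).iter("location"):
        path = loc.get("path")
        if path not in web_configs:
            continue
        # Assumption: only an explicit overrideMode="Allow" on this location unlocks it.
        unlocked = loc.get("overrideMode", "").lower() == "allow"
        server = auth_settings(loc)
        for scheme, value in auth_settings(ET.fromstring(web_configs[path])).items():
            if server.get(scheme) != value:
                # LOCKED: web.config sets a section that was not unlocked for override.
                status = "OVERRIDDEN" if unlocked else "LOCKED"
                findings.append((path, scheme, server.get(scheme), value, status))
    return findings

if __name__ == "__main__":
    for finding in audit(APP_HOST, {"Default Web Site/MyApplication": WEB_CONFIG,
                                    "Default Web Site/Intranet": WEB_CONFIG}):
        print(finding)
```

An OVERRIDDEN finding that turns anonymousAuthentication on is the one to review first, since it removes the authentication requirement the server-side configuration had set.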

Hope you guys have enjoyed the post.


