IIS Configuration Files and .NET Registration

applicationHost.config is the master IIS configuration file containing all server-level settings: all websites, applications, virtual directories, application pools, global IIS module registrations, MIME type mappings, default document definitions, authentication settings, and security configurations. Located at: C:\Windows\System32\inetsrv\config\applicationHost.config. Every change made in IIS Manager is persisted here. It is an XML file with a strict schema. IIS reads this file at startup to build its internal configuration. Corruption or invalid XML in this file prevents IIS from starting. Its importance is often compared to the Windows registry for IIS — it is the single source of truth for all IIS configuration.

web.config is an XML configuration file placed in the physical root directory of an IIS application (or any subdirectory within it). It configures ASP.NET and IIS settings specific to that application. What it can configure depends on the allowOverride settings in applicationHost.config. Typically, web.config controls: application settings (AppSettings), connection strings, session state provider, authentication settings (when allowed), URL rewrite rules, custom error pages, handler and module registrations, output caching, MIME types, and ASP.NET compilation and globalization settings. Web.config is read by both IIS (for IIS-specific sections like system.webServer) and the .NET runtime (for sections like system.web, appSettings, connectionStrings).

aspnet_regiis.exe is the ASP.NET IIS Registration Tool. It registers the installed .NET Framework version with IIS by updating the script maps, ISAPI handler entries, and module registrations in applicationHost.config. You need to run it: (1) after installing IIS when .NET Framework was already present (installation order matters — ideally install IIS before .NET, but if not, aspnet_regiis fixes it); (2) after a .NET Framework upgrade where handlers need to point to the new version; (3) after repairing an IIS installation where handler mappings were lost. For Server 2012+ with the feature-based installation, running Install-WindowsFeature Web-Asp-Net45 handles the registration automatically — aspnet_regiis is only needed for manual fixes or legacy scenarios.

The .NET Core Hosting Bundle (or "IIS Hosting Bundle") is a Microsoft package that installs three components together: the .NET Runtime (for running .NET Core console apps and services), the ASP.NET Core Runtime (class libraries for web apps), and the IIS ANCM (ASP.NET Core Module v2 — aspnetcorev2.dll). ANCM is registered as a global IIS module in applicationHost.config during installation. Without ANCM, IIS cannot host ASP.NET Core applications — requests return 500.0 ANCM error. After installing the Hosting Bundle, iisreset is required for ANCM to be loaded by existing IIS worker processes. The Hosting Bundle version must be equal to or higher than the .NET version targeted by the application.

machine.config is the highest-level .NET configuration file, applied to all .NET applications on the machine. Located at: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config (for .NET 4.x 64-bit). It sets CLR-wide defaults: connection pooling defaults, HTTP connection limits, cryptographic providers, and other system-wide .NET behaviors. web.config inherits from machine.config and can override some settings. In enterprise environments, machine.config is sometimes modified to: disable legacy TLS versions in the ServicePointManager (forces TLS 1.2 for all .NET outbound connections), increase connection pool limits for database-heavy servers, or change the default thread pool sizes. Changes to machine.config require an IIS restart to take effect for existing application pools.

allowOverride is an attribute on configuration section definitions in applicationHost.config that controls whether web.config files in site directories can override that section's settings. Set via: <section name="requestFiltering" overrideModeDefault="Deny" /> in the config schema section definitions. Values: Allow (default for most sections) = web.config can override; Deny = section is locked and web.config cannot change it (attempting to do so produces 500.19 error code 0x80070021). You can also lock at the location level: <location path="MySite" overrideMode="Deny"><system.webServer><security>...settings...</security></system.webServer></location>. Security hardening practice: lock requestFiltering, directoryBrowse, and authentication sections for shared hosting or when you need to ensure application developers cannot override security policies.

XDT is a transformation syntax for XML files. A transform file (web.Release.config) contains XML instructions using xdt: namespace attributes. Key transforms: xdt:Transform="Replace" replaces a node. xdt:Transform="SetAttributes" updates attribute values on a matching node. xdt:Transform="RemoveAttributes" removes attributes. xdt:Locator="Match(name)" selects the element to transform by attribute value. In CI/CD: the base web.config contains development values. The pipeline applies web.Release.config transformations using the MSBuild "TransformXml" task or msdeploy -setParam. Result: the deployed web.config has production connection strings, disabled debug mode, correct app service URLs. This pattern keeps sensitive production values out of source control — the transform file contains placeholder references while the actual secret values come from CI/CD pipeline variables or Azure Key Vault.

Configuration section groups are logical namespaces in the XML hierarchy. In .NET configuration: system.web contains ASP.NET Framework sections (authentication, compilation, sessionState, httpRuntime). system.webServer contains IIS 7+ sections (handlers, modules, defaultDocument, security, staticContent). connectionStrings is a root-level section group. AppSettings is also root-level (key-value pairs). The grouping matters because: handlers registered under system.webServer/handlers affect the IIS native pipeline for all requests; handlers under system.web/httpHandlers only affect the ASP.NET managed pipeline in Classic mode. Using the wrong section group is a common mistake when migrating from Classic to Integrated pipeline mode — system.web handlers must be duplicated in system.webServer for Integrated mode to work.

Use the RSA Protected Configuration Provider or DPAPI (Data Protection API). For IIS on a single server: DPAPI encryption ties the encrypted section to the machine — only that server can decrypt it. Command: aspnet_regiis -pef "connectionStrings" C:\inetpub\wwwroot\MySite -prov "DataProtectionConfigurationProvider". For a web farm: use RSA (machine key-store encryption that can be exported to other servers) or shared Certificate-based encryption. After encryption, the web.config connectionStrings section becomes encrypted XML — the .NET config system decrypts it in memory at runtime; the application code still reads ConfigurationManager.ConnectionStrings["DB"] normally without modification. Never store plaintext passwords in web.config for production — use encrypted config sections, environment variables, or Azure Key Vault references (for cloud deployments).

HTTP 404.17 is "Dynamic content mapped to the static file handler." It means IIS received a request for a .aspx, .asmx, or similar extension but no handler is mapped to process it — the request fell through to the StaticFileModule which cannot execute dynamic content and returns 404.17. Root cause: ASP.NET is not registered with IIS. Fix: for .NET 4.x, run %windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -iru. On Server 2012+, ensure the IIS features "ASP.NET 4.5", "ISAPI Extensions", and "ISAPI Filters" are all installed: Install-WindowsFeature Web-Asp-Net45 -IncludeAllSubFeature. After installing features, the handler mappings for .aspx → aspnet_isapi.dll appear in applicationHost.config and IIS routes dynamic requests to the CLR instead of the static file handler.

Error code 0x80070021 is ERROR_LOCK_VIOLATION — the configuration section referenced in web.config is locked at a higher level in applicationHost.config. Specifically, the application's web.config is attempting to set a configuration section that has overrideModeDefault="Deny" (or has been locked via a location tag). Resolution: (1) If the web.config change is legitimate (e.g., enabling Windows Authentication for this specific app): unlock the section in applicationHost.config using IIS Manager → Feature Delegation (server-level), change the section's override mode to Allow for that site. (2) If the web.config shouldn't be changing that section: remove the offending section from web.config — the application should inherit the server policy. (3) Use appcmd to check: appcmd list config "MySite/" /section:system.webServer/security/authentication and look for locked="true" attributes.

Error 0xC00CE55D is a malformed XML error — the web.config contains invalid XML syntax. The page text often says "Config Error: There is a duplicate 'X' attribute" or "Cannot read configuration file due to insufficient permissions." Steps: (1) Open web.config in a text editor and look for obvious syntax issues: unclosed tags, duplicate attribute names, wrong encoding, or copy-paste artifacts. (2) Validate the XML locally: [xml](Get-Content web.config) in PowerShell — any XML parse error is displayed with line number. (3) Compare with a reference copy from source control or the last known good backup. (4) If edited via RDP and the file got corrupted during copy-paste: re-upload from the CI/CD pipeline or restore from the appcmd backup. (5) Use the Server Manager's Configuration Editor in IIS Manager to make future changes instead of raw text editing — it validates schema before saving.

HTTP 502.5 is "ANCM Out-Of-Process Startup Failure" or "Process Failure" — the ANCM was unable to start the application process. After a .NET version upgrade, the most common causes are: (1) The .NET 8 Hosting Bundle is not installed on the server — the app tries to start with .NET 8 runtime but it doesn't exist. Fix: install the .NET 8 Hosting Bundle and run iisreset. (2) The web.config still references .NET 6 process arguments or process path that doesn't work for .NET 8. (3) Application dependency missing for .NET 8 — a NuGet package that was compatible with 6 is incompatible or not updated for 8. Diagnosis: enable stdout logging in web.config (stdoutLogEnabled=true, stdoutLogFile=.\logs\stdout) and create the logs directory with write permissions for the app pool. The stdout log will show the exact startup exception from the .NET runtime.

Short-term fix: use XDT transforms. Create web.Dev.config, web.Staging.config, web.Release.config transform files next to the base web.config. The pipeline selects the correct transform based on the build configuration (Debug for Dev, Release/Prod for prod). Long-term best practice: remove connection strings from web.config entirely and use environment-specific injection: On IIS, set Environment Variables on the app pool (IIS Manager → App Pool → Advanced Settings → Environment Variables). In ASP.NET Core, use IConfiguration which automatically reads environment variables — these override web.config settings without file changes. In Azure App Service, Application Settings override web.config at runtime. In Windows on-prem enterprise: use Web.config transforms in the pipeline with the actual secrets coming from a secret manager (HashiCorp Vault, CyberArk, or Azure Key Vault) — never commit environment-specific secrets to source control.

Recovery steps in order: (1) Check appcmd backups: dir %windir%\System32\inetsrv\backup\. If backups exist: appcmd restore backup "BackupName". IIS should start after restore. (2) If no backup: check if there is a redirection.config at the same path — it redirects to a shared config location (web farms), which may be intact. (3) Roll back to the file that was present before the corruption from your change management backup (filesystem backup, shadow copies: vssadmin list shadows). (4) If no backups: copy applicationHost.config from another identical server in the farm (same IIS version, same features installed) — you will need to re-add your site and pool configurations but IIS will start. (5) Last resort: reinstall IIS. Use Get-WindowsFeature Web-* output (saved beforehand ideally) to reinstall the exact same feature set and then reconfigure from scratch. Lesson: create automated appcmd backups before every IIS configuration change in your runbooks.