Keywords: HTTP Error 500.19 | Error Code 0x80070021 | IIS Configuration Locking | ASP.NET Web API | Configuration Section Locking
Abstract: This technical article provides an in-depth analysis of HTTP Error 500.19 with error code 0x80070021 encountered when deploying ASP.NET Web API applications in IIS. The error typically results from configuration sections being locked at parent levels. Based on practical case studies, the article explains the root causes and offers comprehensive solutions through enabling necessary IIS roles and features, while comparing strategies for different error codes to help developers quickly identify and resolve similar configuration issues.
Problem Background and Error Analysis
When deploying simple Web API projects developed in Visual Studio 2013 to local IIS, many developers encounter HTTP Error 500.19 accompanied by error code 0x80070021. The error message clearly states: "This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false"."
From the error details, the issue occurs in the handlers section of the system.webServer configuration, specifically when attempting to remove the ExtensionlessUrlHandler-Integrated-4.0 handler, triggering configuration locking restrictions. This locking mechanism is an IIS security feature that prevents lower-level configurations from accidentally overriding important higher-level settings.
Deep Analysis of Error Code 0x80070021
Error code 0x80070021 has specific meaning in IIS configuration errors. According to Microsoft official documentation, this HRESULT code indicates that a configuration section is locked at a higher level in the configuration hierarchy. IIS configuration system employs a hierarchical structure, from machine-level ApplicationHost.config to site-level Web.config, with locking mechanisms ensuring critical configurations aren't accidentally modified.
In practical cases, when transitioning from development environment (Visual Studio IIS Express) to production environment (full IIS), certain configuration sections available in development may be locked in full IIS installations. Particularly, configuration sections related to URL rewriting and handler mappings are often restricted at application pool or site levels.
Solution: Enabling Necessary IIS Features
Based on best practices in Windows Server 2012 and IIS 8.5 environments, resolving this issue requires ensuring all necessary IIS roles and features are properly installed:
// Add roles and features via Server Manager
// 1. In Roles section select: Web Server
// - Under Security subsection select all relevant features
// - Under Application Development select: .NET Extensibility 4.5, ASP.NET 4.5, and both ISAPI entries
// 2. In Features section select: .NET 3.5, .NET 4.5, ASP.NET 4.5
// 3. In Web Server section select: Web Server (all), Management Tools, Windows Authentication (if used)The core of this solution lies in ensuring IIS has all components required to handle ASP.NET 4.5 applications. Missing .NET Extensibility or specific ISAPI support often leads to configuration section locking, as IIS cannot recognize or process these configuration directives.
How Configuration Locking Works
IIS configuration locking is implemented through the overrideMode attribute, which can be set to Allow or Deny. When a configuration section is set to overrideMode="Deny" in ApplicationHost.config, any attempt to modify that section in Web.config triggers error 0x80070021.
Configuration locking status can be checked through:
<!-- Look for similar configurations in ApplicationHost.config -->
<location path="" overrideMode="Deny">
<system.webServer>
<handlers>
<!-- Handler configurations -->
</handlers>
</system.webServer>
</location>Alternative Solutions and Considerations
Beyond enabling necessary IIS features, several other resolution approaches exist:
For WCF service hosting scenarios, HTTP activation might need enabling. Through "Turn Windows Features on or off," navigate to WCF section under .NET Framework 4.5 Advanced Services, and check HTTP Activation option. This approach is particularly suitable for applications involving web service communications.
Regarding permission configuration, ensure the IIS_IUSRS group has read permissions for relevant configuration files. Use Windows Explorer to locate folders containing ApplicationHost.config or Web.config, add <computername>\IIS_IUSRS in Security tab, and grant read permissions.
Comparative Analysis of Error Codes
Understanding differences between error codes facilitates rapid problem diagnosis:
- 0x8007000d: Configuration file contains malformed or unrecognized XML elements
- 0x80070021: Configuration section locked at parent level (main issue discussed herein)
- 0x80070005: Insufficient permissions to access configuration files
- 0x800700b7: Duplicate entries exist for configuration section
- 0x8007007e: References to invalid or non-existent modules/DLLs
Preventive Measures and Best Practices
To avoid similar configuration issues, the following preventive measures are recommended:
Before deployment, use IIS Manager to verify application pool .NET version and hosting pipeline mode settings. Ensure development and production environment IIS configurations are as consistent as possible. Regularly backup IIS configuration files, particularly creating virtual machine snapshots before Windows updates.
For team development environments, establish standard IIS feature installation checklists, ensuring all developers and servers have identical feature configurations. Use configuration transformation tools to manage configuration differences between environments, avoiding errors from manual configuration file modifications.
By adopting systematic approaches to handle IIS configuration issues, deployment obstacles can be significantly reduced, enhancing application reliability and maintainability.