Resolving IIS Configuration Error: This Configuration Section Cannot Be Used at This Path

Abstract: This paper provides an in-depth analysis of the common IIS configuration section locking error 0x80070021, explaining the root causes stemming from parent-level locking mechanisms. Through systematic solutions including unlocking the system.webServer/handlers section using IIS Configuration Editor, modifying overrideModeDefault settings in applicationHost.config, and utilizing command-line tools to unlock configuration sections. The article combines practical case studies to offer comprehensive guidance from diagnosis to resolution, while comparing configuration differences across environments to help developers completely resolve configuration locking issues in production environments.

Problem Background and Error Analysis

When deploying websites in Windows Server 2012 R2 IIS 8 environments, a common configuration error occurs: This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false". The error code is 0x80070021, specifically pointing to the handlers configuration section in the web.config file.

The core mechanism of this error lies in IIS's hierarchical configuration system. applicationHost.config serves as the server-level root configuration file, defining default locking behaviors for various configuration sections. When a section is set to overrideModeDefault="Deny" in applicationHost.config, all subordinate configuration files (including web.config) cannot override that section's settings.

Detailed Explanation of Configuration Locking Mechanism

IIS configuration system employs an inheritance model where applicationHost.config resides at the top of the configuration hierarchy. Each configuration section can control its override capability through the following methods:

overrideModeDefault attribute: Set in the section definition within applicationHost.config with values of "Allow" or "Deny"
location tags: Set override mode for specific paths
Legacy allowOverride attribute: Compatibility settings for older IIS versions

When the handlers section's overrideModeDefault is set to "Deny", any attempt to modify handlers configuration in web.config triggers the 0x80070021 error. This design ensures server-level security and stability by preventing applications from accidentally modifying critical configurations.

Implementation of Solution Steps

Method 1: Using IIS Manager Graphical Interface

Unlocking configuration sections through IIS Management Console is the most intuitive approach:

Navigate to the server node in the connections tree and select the target website
Find and double-click "Configuration Editor" under Management in the right panel
Select system.webServer/handlers from the section dropdown at the top
Choose "ApplicationHost.Config" from the dropdown on the right side
Click the "Unlock Section" button under the "Section" heading in the rightmost pane
After successful unlocking, the website should run normally

Method 2: Direct Modification of applicationHost.config File

For users familiar with configuration file structures, directly edit %windir%\system32\inetsrv\config\applicationHost.config:

<sectionGroup name="system.webServer">
  <sectionGroup name="handlers">
    <section name="handlers" overrideModeDefault="Allow" />
  </sectionGroup>
</sectionGroup>

After changing overrideModeDefault from "Deny" to "Allow", save the file and restart IIS services for changes to take effect.

Method 3: Using Command Line Tools

The appcmd command-line tool provides quick unlocking of configuration sections:

%windir%\system32\inetsrv\appcmd.exe unlock config -section:system.webServer/handlers

This command directly modifies the corresponding settings in applicationHost.config without manual file editing.

Environment Difference Analysis and Best Practices

Configuration differences between development, testing, and production environments are common causes of such issues. Development environments typically have more relaxed permission settings, while production environments enforce stricter locking policies for security reasons.

Recommended best practices include:

Environment Consistency Management: Ensure IIS configurations remain synchronized across all environments
Configuration Version Control: Include applicationHost.config in version control systems
Principle of Least Privilege: Only unlock necessary configuration sections, avoid excessive permission relaxation
Change Review Process: Establish strict review mechanisms for production environment configuration modifications

Troubleshooting and Deep Diagnostics

When standard solutions prove ineffective, deeper diagnostics are required:

Check for conflicting location tag settings
Verify completeness of IIS feature installation, ensuring all necessary application development features are enabled
Use IIS configuration log analysis tools to trace configuration inheritance paths
Compare applicationHost.config differences between working and non-working environments

Through systematic approaches, IIS configuration section locking issues can be completely resolved, ensuring stable website operation across various environments.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.