18

This is my web.config, which has some tags for blocking IP addresses:

<configuration>
  <connectionStrings>
    ...
  </connectionStrings>
  <appSettings>
    ....
  </appSettings>
  <runtime>
    ....
  </runtime>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="127.0.0.1" allowed="true"/>
        <add ipAddress="83.116.19.53" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>

My intention is to block any other IP except the above. The above is the only IP address I want the website to be accessible from. But with the "ipSecurity" tag I am always getting 500 - Internal server error, and the site runs fine without it.

I have made sure that "IP and Domains Restrictions" are installed on the server. Please let me know if I am missing anything. Thank you.

Sruthi
  • Also add `::1` for IPv6 localhost, check your access logs for the site to see what IP address is being blocked if it is still not working after that. If you're on a remote location verify your public IP via something like ipchicken.com – Brock Hensley Apr 25 '13 at 19:22
  • Thanks, I tried IPv6 localhost but it did not help. From the IIS when I try to click the "IP & Domain Restrictions" it throws me an error "locking is either by default (overridemodedefault= deny )". – Sruthi Apr 26 '13 at 08:59

7 Answers

42

For others that run into this issue. The cause of the issue is that Feature Delegation doesn't allow the feature to be managed by web.config.

To Fix:

Verify that the Feature is enabled for web.config management

  • In IIS 7, click on the root server
  • Double click Feature Delegation (under management)
  • Scroll down to IPv4 Address and Domain Restrictions
    • Change the delegation to Read/Write (in my case it was Read Only, which was the issue)

Hope this helps someone else.

Summit
  • This solved my issue, but I couldn't see "IPv4 Address and Domain Restrictions" until I installed Win7 -> Programs and Features -> World Wide Web Services -> Application Development Features -> ASP and also in World Wide Web Services -> Application Development Features -> Security -> IP Security. – Ricardo stands with Ukraine Feb 10 '15 at 13:41
  • Thanks! This exactly solved my issue after I had fixed the issues in the applicationHost.config – juvchan Oct 22 '15 at 08:25
  • Absolute legend. I'm sure Brock's answer is also correct, but this is much more succinct. – Matt Canty Nov 17 '15 at 16:50
  • This answer helped me in 2014, and again in 2020. – Larry Flewwelling Dec 29 '20 at 20:22
22

For Windows 10 and Visual Studio 2015 note that the ApplicationHost.config file has been relocated to the .vs\config folder in your project's folder hierarchy. You will need to edit the project specific version of the ApplicationHost.config file found there with...

<section name="ipSecurity" overrideModeDefault="Allow" />

If you only edit the ApplicationHost.config located in your Documents\IISExpress folder this will not affect your existing application (MVC5 app in my case).

Greg Terrell
  • In my case there was no ApplicationHost.config file in the .vs\config folder. In fact there was no config folder under .vs. I had to edit the one on Documents\IISExpress to solve the problem. This is on Win 10 using VS 2019. – Steve Hiner Jul 25 '19 at 22:11
  • To clarify: "Project-specific" means there is a directory set up specifically for that project. Once I identified the right `applicationhost.config` file, then it worked: `.vs\{project_folder}\config\applicationhost.config`. There may also be one in the main `.vs/config` folder AND in the user `Documents\IISExpress\config` folder. The most specific designation will be used. – Neil Monroe Nov 15 '22 at 21:05
11

Open the applicationHost.config file (located at %windir%\system32\inetsrv\config\applicationHost.config) and edit the ipSecurity section.

Change this line:

<section name="ipSecurity" overrideModeDefault="Deny" />

To:

<section name="ipSecurity" overrideModeDefault="Allow" />
spongebob
Carlos Silva
  • If you are working on a 64-bit system, make sure to edit and save it with a program that is 64-bit (like Notepad)! – Jo VdB Jun 08 '15 at 09:52
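An offline check for the condition the answers above describe, a web.config that sets a section the server has not delegated (added example, not code from any of the answers). The sample XML is constructed, the site name "Default Web Site" and all function names are assumptions, and `<location>` handling is simplified to exact path matches with the last match winning.

```python
import xml.etree.ElementTree as ET

# Constructed sample: section declarations as found in applicationHost.config.
APPHOST = """<configuration><configSections>
 <sectionGroup name="system.webServer"><sectionGroup name="security">
  <section name="ipSecurity" overrideModeDefault="Deny" />
  <section name="requestFiltering" overrideModeDefault="Allow" />
 </sectionGroup></sectionGroup>
</configSections>{location}</configuration>"""

# Constructed: a per-site unlock entry (assumed form of a delegated section).
UNLOCK = """<location path="Default Web Site" overrideMode="Allow">
 <system.webServer><security><ipSecurity /></security></system.webServer></location>"""

# The question's web.config, reduced to the section under discussion.
WEB_CONFIG = """<configuration><system.webServer><security>
 <ipSecurity allowUnlisted="false"><clear/>
  <add ipAddress="127.0.0.1" allowed="true"/>
  <add ipAddress="83.116.19.53" allowed="true"/>
 </ipSecurity>
</security></system.webServer></configuration>"""

def paths(node, seg, prefix=""):
    """Yield (path, element) for each descendant; seg(el) names one path step."""
    for child in node:
        path = f"{prefix}/{seg(child)}" if prefix else seg(child)
        yield path, child
        yield from paths(child, seg, path)

def section_modes(apphost, site):
    """Effective override mode per declared section for `site` (simplified)."""
    decl = apphost.find("configSections")
    modes = {p: el.get("overrideModeDefault", "Allow")
             for p, el in paths(decl, lambda e: e.get("name")) if el.tag == "section"}
    for loc in apphost.findall("location"):  # document order, last match wins
        mode = loc.get("overrideMode")
        if loc.get("path", "") in ("", site) and mode in ("Allow", "Deny"):
            for p, _ in paths(loc, lambda e: e.tag):
                if p in modes:
                    modes[p] = mode
    return modes

def locked_sections(apphost_xml, web_config_xml, site):
    """Sections the web.config sets although the server locks them (-> HTTP 500)."""
    modes = section_modes(ET.fromstring(apphost_xml), site)
    used = {p for p, _ in paths(ET.fromstring(web_config_xml), lambda e: e.tag)}
    return sorted(p for p in used if modes.get(p) == "Deny")

print(locked_sections(APPHOST.format(location=""), WEB_CONFIG, "Default Web Site"))
```

On a real server the first argument would be the text of %windir%\system32\inetsrv\config\applicationHost.config and the second the site's web.config.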
7

Are you editing the config by hand or through IIS manager?

See this post about that error message, as you may not have that feature delegation enabled:

http://forums.asp.net/t/1220987.aspx

Brock Hensley
6

Try this outside the system.webServer tag:

<location path="Default WebSite">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="127.0.0.1" allowed="true"/>
        <add ipAddress="83.116.19.53" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</location>
Mohit Dharmadhikari
  • Isn't this setting allowing connection from all sources, because allowUnlisted is set to true? https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/ipsecurity/ – Panu Oksala Aug 11 '17 at 09:39
  • @Mino Good Catch! Updated my answer. – Mohit Dharmadhikari Aug 11 '17 at 09:59
  • This is a better solution because it affects only 1 website; all other proposed solutions affect all websites on the server, and maybe you cannot use them in hosting environments. – Javier Cañon Nov 26 '20 at 22:12
2

Hopefully this will help someone...

I am running IIS express on Windows 7 locally and did the following - Control panel > Programs > Programs and features > Turn Windows features on or off

In the Windows Features dialog ensure the IP Security option is checked:

I also had to open up my applicationhost.config (under %userprofile%\Documents\IISExpress\config) file and change the following:

<section name="ipSecurity" overrideModeDefault="Deny" />

To

<section name="ipSecurity" overrideModeDefault="Allow" />
garryp
1

Don't forget custom site delegation. This allows you to only allow delegation to sites you intend.

mcfea