14

I just added this to my web.config:

<security>
  <ipSecurity allowUnlisted="false">
    <!-- The following IP addresses are granted access, all else denied -->
    <add allowed="true" ipAddress="123.123.105.0" subnetMask="255.255.255.0" />
    <add allowed="true" ipAddress="123.123.100.0" subnetMask="255.255.255.0" />
  </ipSecurity>
</security>

Works exactly as intended, only over that certain IP range. BUT, now when I go to test this in Visual Studio via iisExpress over localhost it of course gives me issues. Here is the 500.19 error I receive:

This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

I have setup IPSecurity on my localmachine in the services panel, so that is enabled, and I have monkeyed around with options in the ipSecurity block such as adding 'localhost' as a domainName value - but alas no luck. .... help me StackOverflow, you're my only hope! ;)

cardiac7
  • 491
  • 1
  • 9
  • 26

2 Answers2

17

I just ran into the same situation. I googled around and found that all you have to do is edit the applicationhost.config file for IIS Express found here:

%userprofile%\Documents\IISExpress\config\applicationhost.config

Open it up and look for the ipSecurity section that is inside the system.webServer section and change overrideModeDefault from "Deny" to "Allow". You do not need to add the IIS IP Security from Windows Features.

<sectionGroup name="system.webServer">
  <sectionGroup name="security">
    ...
    <section name="ipSecurity" overrideModeDefault="Allow" />
    ...
  </sectionGroup>
</sectionGroup>

Hope this helps!

NOTE: For Windows 10 and Visual Studio 2015 (or later version) please note that the ApplicationHost.config file has been relocated to the .vs\config folder in your project's folder hierarchy.

JeeShen Lee
  • 3,476
  • 5
  • 39
  • 59
AbeyMarquez
  • 625
  • 4
  • 13
  • Did that, and it seems to have gotten me a bit closer - now I receive the following error: HTTP Error 403.503 - Forbidden You do not have permission to view this directory or page. – cardiac7 May 12 '14 at 14:47
  • 2
    The 403.502 and 503 codes are related to the IP restriction module in IIS. I believe you may be blocking yourself out. (http://forums.iis.net/p/1210696/2075884.aspx?Re+IIS+8+IP+Restrictions+HTTP+403+503+Code) EDIT: Oh wait! You have to add localhost to your allow list. – AbeyMarquez May 21 '14 at 22:39
  • 4
    There must be something more to it. I've already tried this on two different PCs - and it doesn't work. I'm still getting the same error message "This configuration section cannot be used at this path. This happens when..." on both. – Gustin May 23 '16 at 10:30
  • 8
    See this answer - http://stackoverflow.com/a/33710459/261690 - under VS2015 the applicationhost.config is now in a project-specific location. – Matt Whitfield Aug 10 '16 at 23:00
  • look for this section in the file: sectionGroup name="system.webServer" – Rob Sedgwick Mar 06 '17 at 14:43
2

Add 127.0.0.1 to your allowed ips like so:

<add allowed="true" ipAddress="127.0.0.1" />

Thanks to @AbeyMarquez, I thought your comment warranted more attention as it solved my problem. Thanks!

patrickbadley
  • 2,510
  • 2
  • 29
  • 30