2

On IIS, I have a site on which I wish to edit the SslFlags.

I want these flags to be set in the web.config at the site level instead of in applicationHost.config.

I managed to get the IIS UI to behave as expected by declaring the access section in the web.config, and by allowing the override of the access section by editing applicationHost.config with the following element:

```xml
<section name="access" overrideModeDefault="Allow" />
```

Editing the SslFlags through the UI will edit the web.config file as expected. The section is not locked and the overridden value is considered.

However, when using the Microsoft.Web.Administration assembly to read and edit these flags by using the following code, the values which are considered are the ones of applicationHost.config, both when reading and editing.

In that first example, I used GetWebConfiguration to get the Configuration.

```csharp
var serverManager = ServerManager.OpenRemote(serverName);
// Try with GetWebConfiguration
Configuration config = serverManager.GetWebConfiguration(sitename);
ConfigurationSection accessSection = config.GetSection(
    "system.webServer/security/access",
    sitename);
```

Also, the same applies if I retrieve the configuration with GetApplicationHostConfiguration:

```csharp
config = serverManager.GetApplicationHostConfiguration();
accessSection = config.GetSection(
    "system.webServer/security/access",
    sitename);
```

I feel like I'm missing something obvious here, but I can't seem to access the values of the SslFlags in Web.config. How can I achieve that?

sharptooth
Fabio Salvalai

1 Answer

3

The first thing I would recommend is to only unlock sections for the specific web site or application where you want to allow overriding the values. You can do that quite easily using AppCmd.exe, for example:

```
C:\Windows\System32\inetsrv\appcmd.exe unlock config "Default Web Site/" /section:system.webServer/security/access -commit:apphost
```

Once you do that, then you can use the following code:

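```csharp
// Requires a reference to Microsoft.Web.Administration.
using (ServerManager serverManager = new ServerManager())
{
    // Open the site's web.config (not applicationHost.config).
    Configuration config = serverManager.GetWebConfiguration("Default Web Site");

    // No locationPath argument: the section is read from the web.config itself.
    ConfigurationSection accessSection = config.GetSection("system.webServer/security/access");
    accessSection["sslFlags"] = @"SslRequireCert";

    // Write the change back to the site's web.config.
    serverManager.CommitChanges();
}
```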
Carlos Aguilar Mares
  • Regarding the first part of your answer, with appcmd.exe, that's precisely what I did, only manually in the .config files. (and IIS behaves accordingly). I also tried, as you mentioned in your answer, to call `GetSection` without specifying a `locationPath`, but the behavior is still the same: the overridden values are considered by IIS, yet not by the retrieved `ConfigurationSection`. – Fabio Salvalai Sep 18 '15 at 09:42
  • 1
    If you do as specified above, that should work; just make sure that you are using the same site name. IIS should work as expected. Not sure what you mean without a location path; you should NOT be using GetApplicationHostConfiguration(), you should be using GetWebConfiguration as my answer specifies. Explicitly calling GetApplicat... will specifically only read that file and not web.config – Carlos Aguilar Mares Sep 21 '15 at 21:01
  • Thank you @Carlos for your comment, however, if you pay close attention to my initial question, you will see that - unless I misunderstood you - what you advise me to do is exactly what I tried and that failed, so there must be a catch here, not sure what, though. – Fabio Salvalai Sep 22 '15 at 06:04
  • That should work (using GetWebConfiguration(siteName)). The only thing that caught my attention is that you are using OpenRemote; are you sure you are looking at the right machine? Another thing to try, to make sure you are looking at the right thing, is to use Configuration Editor: go to the site and navigate to the section. You'll see a drop-down where you can choose to read it from AppHost with location path, or from web.config. That uses ServerManager in the exact same way as above. – Carlos Aguilar Mares Sep 22 '15 at 17:58
  • Holy Macaroni! I just realized that in the middle of my desperate attempts, I deleted one crucial part of my code. It now works, with `GetWebConfiguration`. Thank you very much for your help, Carlos! – Fabio Salvalai Sep 23 '15 at 08:12
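
Added example, not part of the original thread: a small diagnostic that reads the `access` section through each of the configuration paths discussed above and prints the `sslFlags` value together with the section's lock state, so you can see which file a given call is actually reading. The class and method names and the default site name are assumptions; it needs a reference to Microsoft.Web.Administration and an elevated process on the IIS host.

```csharp
using System;
using Microsoft.Web.Administration;

// Hypothetical helper: compares what each configuration path reports.
static class SslFlagsCheck
{
    const string SectionPath = "system.webServer/security/access";

    static void Describe(string label, ConfigurationSection section)
    {
        ConfigurationAttribute flags = section.GetAttribute("sslFlags");
        // Value is printed exactly as the API returns it.
        Console.WriteLine(
            "{0}: sslFlags={1} overrideModeEffective={2} locked={3} default={4}",
            label,
            flags.Value,
            section.OverrideModeEffective,   // Allow means web.config may override
            section.IsLocked,                // true means the section cannot be edited here
            flags.IsInheritedFromDefaultValue);
    }

    static void Main(string[] args)
    {
        // Assumption: site name given as first argument, else the IIS default site.
        string siteName = args.Length > 0 ? args[0] : "Default Web Site";

        using (ServerManager serverManager = new ServerManager())
        {
            // 1. The site's root web.config, no locationPath argument.
            Configuration webConfig = serverManager.GetWebConfiguration(siteName);
            Describe("web.config", webConfig.GetSection(SectionPath));

            // 2. applicationHost.config, <location path="siteName"> entry.
            Configuration appHost = serverManager.GetApplicationHostConfiguration();
            Describe("applicationHost (location)",
                     appHost.GetSection(SectionPath, siteName));

            // 3. applicationHost.config, server-wide value.
            Describe("applicationHost (server)", appHost.GetSection(SectionPath));
        }
    }
}
```

If line 1 reports a locked section or an effective override mode of Deny, the section has not been unlocked for that site, and a value written to web.config will not be honored.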