IIS 7.0 : Managing Configuration - Delegating Configuration (part 1)

4/21/2011 4:18:07 PM
The new configuration system in IIS 7.0 was designed to provide rich support for feature delegation. This term has a special meaning in IIS 7.0—the ability to designate features that Web site administrators or application managers can control at the site or application level—without making them administrators on the server. As you will see, feature delegation works hand in hand with remote administration and is built into the IIS Manager, which allows you to configure delegation and at the same time respects delegation settings, limiting access to locked or limited features.

Feature delegation is implemented in two ways. First, the configuration hierarchy itself allows configuration to be specified in distributed web.config files, which are typically under control of the site administrator or application developer who do not have to be server administrators to set or change configuration therein. The server administrator has control over what configuration can be set in the delegated manner in web.config files, versus what configuration can only be set by a server administrator in applicationHost.config. This control is accomplished through configuration locking, which can be done at the section level by locking the section in applicationHost.config or at the granular level by locking specific configuration settings in a particular configuration section.

The second way is implemented by IIS Manager, which subsumes the configuration section locking mechanism and provides a way to manage the delegation of the underlying configuration and the corresponding IIS Manager UI features for seamless integration with remote administration through the tool. Managing feature delegation through the IIS Manager has the advantage of ensuring correctly configured delegation. The IIS Manager will respect delegation settings so that a remote user cannot see features that are hidden (marked as Not Delegated in the IIS Manager), and cannot make changes to features that are marked as Read Only in the IIS Manager.


Any user that can upload a web.config can overwrite IIS 7.0 and ASP.NET settings in web.config. If you use the IIS Manager to write configuration, these settings will be properly maintained and users will only be allowed to change configuration for which they have access. If a web.config file is created outside of using the IIS Manager and then uploaded to the site, it may contain configuration settings that are not permitted by the delegation settings. In this event, IIS 7.0 will present a configuration locking error, and the previous, correct, web.config details may be lost, since the original web.config has been overwritten.

When you delegate control to others, there will be a strong incentive for them to control their site or application configuration using the IIS Manager, as it will show only features that the user has the right to see or control.

Delegation Settings in the IIS Manager

Let’s examine the various settings in the IIS Manager related to delegation. Figure 1 shows the results you’ll see if you select the server node in the tree view and then Feature Delegation from the features pane.

Figure 1. Feature Delegation in the IIS Manager.

The Delegation column lists the current delegation setting for each feature. The names for these various states for delegation may not be as clear as they might be to describe what’s going on, so you should not try to infer a great deal from the terms:

  • Not Delegated When a feature is marked as Not Delegated, the corresponding configuration section will be locked in applicationHost.config by placing it inside a <location> tag with the overrideMode value set to Deny. When a feature is marked as Not Delegated, any changes you make to this feature at server level (that is, with the server icon selected in the tree view) will be recorded in applicationHost.config. Changes at the site or application level can only be made by the server administrator and will be recorded in applicationHost.config using <location> tags to apply them to the required path. When using the IIS Manager to connect to the site or application, remote users will not be able to see the corresponding feature icon or change its settings. If a web.config file is uploaded that contains settings for a Not Delegated feature, a configuration error occurs.

  • Read Only This is the same as Not Delegated, except that remote users will be able to see this feature; however, they cannot change any values. This is a useful setting when you want users to know, for example, what authentication methods are available to them, but you don’t want them to be able to turn them on or off.

  • Read/Write When a feature is marked as Read/Write, the configuration section will be unlocked for distributed web.config files. This is accomplished by placing the configuration section in a <location> tag with the overrideMode value set to Allow. Any changes you make to this at feature at server level will be recorded in applicationHost.config. Changes to this feature at the site or application level will be recorded in the appropriate web.config. (A reference to site level designates the web.config in the site root. The application level refers to the web.config file that resides in a folder within the site that has been designated as an application.) When using the IIS Manager to connect to the site or application, remote users will be able to see and change the settings.

Additional delegation values may be provided by third-party extensions to the tool that have extension-specific meaning.

Default Settings for Delegated Configuration

As mentioned, certain settings in IIS 7.0 are delegated by default, whereas others are specifically locked down. Table 1 is from a prerelease version of the IIS 7.0 Hosting Deployment Guide, which can be located on The information in the table details which features are delegated and why. You may want to make different decisions than the IIS team regarding these default settings, but a great deal of thought has gone into these settings, so we would advise not making changes to the global settings without good reason.

Table 1. Features and Delegated Settings
FeatureDelegated SettingReason
.NET CompilationRead Only (changed from Read/Write)Specifies settings for ASP.NET compilation processing directives like the temporary compilation directory. Prevents users from setting the temporary compilation directory manually.
.NET GlobalizationRead/WriteSpecifies settings for default culture and globalization properties for Web requests.
.NET ProfileRead/WriteSpecifies settings for user-selected options in ASP.NET applications.
.NET RolesRead/WriteSpecifies settings for groups for use with .NET users and forms authentication.
.NET Trust LevelsRead Only (changed from Read/Write)Specifies the trust level. By locking down the trust level when you follow the ASP.NET guidance in this document, you will be setting this to Read Only and locking it for the server. Prevents Web site owners from setting the trust level to a higher level than set by the server administrator. For example, if a custom trust level is set by the administrator, this setting should be set to Read Only so it cannot be overridden.
.Net UsersConfiguration Read/WriteSpecifies settings for management of users who belong to roles and use forms authentication.
Application SettingsRead/WriteSpecifies settings for storing data (name and value pairs) that managed code applications can use at run time.
ASPRead OnlySpecifies Classic ASP settings.
ASP.NET ImpersonationRead/WriteSpecifies impersonation settings. Site owners can use this to run their site under a different security context.
Authentication—AnonymousRead OnlySpecifies anonymous authentication settings.
Authentication—FormsRead/WriteSpecifies forms authentication settings.
Authentication—WindowsRead OnlySpecifies Windows authentication settings.
Authorization RulesRead/WriteSpecifies the list of Allow or Deny rules that control access to content.
CGIRead OnlySpecifies properties for CGI applications. Should be left set to Read Only to prevent users from changing settings.
CompressionRead/WriteSpecifies settings to configure compression.
Connection StringsRead/WriteSpecifies connection strings that applications can use.
Default DocumentRead/WriteSpecifies default documents for the Web site. By leaving this Read/Write, users will be able to specify a custom default document for their site without contacting the server administrator.
Directory BrowsingRead/WriteSpecifies directory browsing settings.
Error PagesRead OnlySpecifies what HTTP error responses are returned.
Failed Request Tracing RulesRead/WriteSpecifies settings for failed request tracing rules. Enables users to create rules for tracing requests based on parameters like time taken or status code and to diagnose problems with their site.
Feature DelegationRemove Delegation (changed from Read/Write)Specifies settings for delegating features to applications. It can be turned off unless server administrators want to enable this feature for site owners.
Handler MappingsRead/Write 
HTTP Response HeadersRead/WriteSpecifies HTTP headers that are added to responses from the Web server.
ISAPI FiltersRead OnlySpecifies ISAPI filters that process requests made to the site or server, such as ASP.NET.
LoggingRemove Delegation 
Machine KeyRead/WriteSpecifies hashing and encryption settings for applications services, such as view state, forms authentication, and membership and roles.
MIME TypesRead OnlySpecifies what file types can be served as static files.
ModulesRead/WriteSpecifies native and managed code modules that process requests made to the site or server.
Output CachingRead/WriteSpecifies rules for caching output.
Pages and ControlsRead/WriteSpecifies page and control settings for applications.
Redirect RulesRead/WriteSpecifies settings for redirecting requests to another file or URL.
Session StateRead/WriteSpecifies session state and forms authentication cookie settings.
SMTP E-mailRead/WriteSpecifies e-mail address and delivery options for e-mail sent from the site.
SSL SettingsRead OnlySpecifies settings for SSL.
Video tutorials
- How To Install Windows 8 On VMware Workstation 9

- How To Install Windows 8

- How To Install Windows Server 2012

- How To Disable Windows 8 Metro UI

- How To Change Account Picture In Windows 8

- How To Unlock Administrator Account in Windows 8

- How To Restart, Log Off And Shutdown Windows 8

- How To Login To Skype Using A Microsoft Account

- How To Enable Aero Glass Effect In Windows 8

- How To Disable Windows Update in Windows 8

- How To Disable Windows 8 Metro UI

- How To Add Widgets To Windows 8 Lock Screen
programming4us programming4us
Top 10
Free Mobile And Desktop Apps For Accessing Restricted Websites
TOYOTA CAMRY 2; 2.5 : Camry now more comely
KIA SORENTO 2.2CRDi : Fuel-sipping slugger
How To Setup, Password Protect & Encrypt Wireless Internet Connection
Emulate And Run iPad Apps On Windows, Mac OS X & Linux With iPadian
Backup & Restore Game Progress From Any Game With SaveGameProgress
Generate A Facebook Timeline Cover Using A Free App
New App for Women ‘Remix’ Offers Fashion Advice & Style Tips
SG50 Ferrari F12berlinetta : Prancing Horse for Lion City's 50th