2
votes

Before anyone gets confused, this is for IIS Express, not IIS.

We have an MVC5 app that requires SSL Client Certificate authentication. In development, this runs within the Azure Emulator, in VS2013 which runs under Admin privileges (for port 80/443).

When we launch the App inside VS2013 (F5) it runs it within the Azure Emulator but it immediately throws an HTTP Error 500.19 - Internal Server Error with details

This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

And the config source is our MVC5 app's web.config, at the following line:

    <security>
        <access sslFlags="SslNegotiateCert" />
    </security>

Interestingly, I have already set up c:\users\<my_username>\Documents\IISExpress\Config\applicationhost.config to have

    <section name="access" overrideModeDefault="Allow" />

There isn't much documentation on this but whatever we can glean off Google indicates that for regular IIS Express, that should be sufficient. I suspect running IIS Express within the Azure Emulator+Admin privileges breaks something but can't diagnose this.

Does anyone have an idea how to get this working?

1 Answer

4
votes

Ok, so this question and its answer helped a lot. As suspected, the c:\users\<my_username>\Documents\IISExpress\Config\applicationhost.config doesn't seem to matter, since the Azure Emulator seems to spawn another instance of IIS Express which doesn't care about that file.

The proper way seems to be to "unlock" that setting via AppCmd.exe, so the solution is as follows:

  1. Add a startup task inside your Azure Cloud Service.

    • Edit ServiceDefinition.csdef
    • Add the following to your Role (for me this went inside <WebRole> ... </WebRole>):
    <Startup>
      <Task commandLine="UnlockSslSettingsSection.cmd" executionContext="elevated" taskType="simple" />
    </Startup>
    
  2. Add a UnlockSslSettingsSection.cmd file to your solution's project and then add the following two lines (both lines are critical, don't refactor).

    IF NOT DEFINED APPCMD SET APPCMD=%SystemRoot%\system32\inetsrv\AppCmd.exe 
    %APPCMD% unlock config /section:system.webServer/security/access
    
  3. Inside solution explorer, go to project, right click the UnlockSslSettingsSection.cmd => properties => set 'Copy to Output Directory' as 'Copy always'
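To confirm which applicationhost.config actually locks the section named in the 500.19 message, the following added example (not part of the original question or answer) reads a config file and reports the `overrideModeDefault` declared for `system.webServer/security/access` plus any `<location>` tags that carry it. The sample XML and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SECTION = "system.webServer/security/access"

# Constructed sample of an applicationhost.config, trimmed to the relevant parts.
SAMPLE = """<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <sectionGroup name="security">
        <section name="access" overrideModeDefault="Deny" />
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <location path="Site A" overrideMode="Allow">
    <system.webServer><security><access sslFlags="None" /></security></system.webServer>
  </location>
</configuration>"""

def declared_default(root, section=SECTION):
    """overrideModeDefault from <configSections>; None if the section is not declared."""
    *groups, name = section.split("/")
    node = root.find("configSections")
    for tag, wanted in [("sectionGroup", g) for g in groups] + [("section", name)]:
        if node is None:
            return None
        node = next((c for c in node.findall(tag) if c.get("name") == wanted), None)
    # IIS treats a missing overrideModeDefault attribute as Allow.
    return None if node is None else node.get("overrideModeDefault", "Allow")

def location_modes(root, section=SECTION):
    """(path, mode) for every <location> tag that carries the section."""
    found = []
    for loc in root.findall("location"):
        if loc.find(section) is None:
            continue
        mode = loc.get("overrideMode")
        if mode is None and loc.get("allowOverride", "").lower() == "false":
            mode = "Deny"  # legacy spelling named in the 500.19 message
        found.append((loc.get("path", ""), mode or "Inherit"))
    return found

def report(xml_text, section=SECTION):
    root = ET.fromstring(xml_text)
    return {"default": declared_default(root, section),
            "locations": location_modes(root, section)}

if __name__ == "__main__":
    print(report(SAMPLE))
```

Run `report()` on the contents of the config file that the emulator's IIS Express instance loads, before and after the startup task, to see whether the unlock took effect there rather than in the per-user file.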