PowerShell IIS Set-WebConfigurationProperty - Locked ApplicationHost.config section

Scott picture Scott · Oct 29, 2014 · Viewed 7.5k times · Source

I am writing a PowerShell 3.0 installer for our web applications and web services and am getting tripped up when attempting to set physical path credentials.

My code looks like this:

# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# >>>>>> Path credentials
# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

# Set the physical path credentials of the web application (on Basic Settings screen) to Connect As...
$filter="/system.applicationHost/sites/site[@name='{0}' and    @id='1']/application[@path='/{1}']/VirtualDirectory[@path='/']" -f $script:WebSiteName,$appName
Set-WebConfiguration $filter -Value @{userName="$physicalPathCredentialUserID";password="$physicalPathCredentialPassword"} 

When executing, I get an error in PowerShell stating "This configuration section cannot be used at this path. This happens when the section is locked at a parent level". I tried the PSPath and location tags that work when Authentication sections are locked, but those don't seem to have any effect. I thought maybe the -Force option would work, but although no error was thrown, the physical path credentials didn't seem to take.

Without the -Force option, the error is thrown but PowerShell cuts off the message so I can't tell exactly what section it is complaining about, or what parent level is locked. I have to assume it is the Sites section since I am attempting to configure: /configuration/system.applicationHost/sites/application/virtualDirectory

I'm a bit confused about the difference between unlocking and allowing override to get the values to stick. PowerShell WebAdministration is pretty confusing in this area. I don't know why it has to be so confusing to set the values that are corollaries to what can be set in the IIS adminstration UI. Some values use Set-WebConfiguration with an ugly string as shown above, others use Set-WebConfigurationProperty. If locking is a known issue, why isn't unlocking better documented?

I don't want to unlock all sites or all applications. I just want to unlock what I have to in order to set the configuration values on each web application I am installing under Default Web Site.

What is the definitive solution to unlocking or overriding configuration sections as of 2014 and PowerShell 3.0? And which settings accept PSPath and location?

By the way, I have tried variants of the following:

$filter="/system.applicationHost/sites/site[@name='{0}' and    @id='1']/application[@path='/{1}']/VirtualDirectory[@path='/']" -f $script:WebSiteName,$appName
Set-WebConfiguration $filter machine/webroot/appHost -metadata overrideMode -value Allow

but continued to get the locked section message until the filter was backed off to the sites level.

I also tried setting the virtualDirectoryDefaults.userName and virtualDirectoryDefaults.password, which didn't seem to take initially, but after an IISReset I noticed they were indeed added at the bottom of the applicationHost.config file. I don't really want them set as defaults because our apps shouldn't affect other apps on the server.

I appreciate any assistance you can provide. I must be missing something because it shouldn't be so difficult to set these and other web application configuration values.

Regards

Answer

briantist picture briantist · Oct 29, 2014

The sections you are trying to change are set in the IIS machine config. You have to unlock the sections in order to set them per-site.

See: Programmatically unlocking IIS configuration sections in Powershell