5

I'm managing a bunch of IIS 8.5 servers and I'm working on complying with security baselines.

My question is this: If I run a specific appcmd query on one of our IIS servers, I get the following:

    C:\>appcmd list config -section:system.web/authentication
    <system.web>
      <authentication mode="Forms">
        <forms requireSSL="true">
          <credentials>
          </credentials>
        </forms>
        <passport />
      </authentication>
    </system.web>

    C:\>

What I need to do is find the actual configuration file that appcmd is reading from here, so I can update the relevant section manually (updating using appcmd itself causes all kinds of problems). I can't find it. I've checked the following files so far:

  • %SYSTEMROOT%\System32\inetsrv\config\applicationHost.config
  • %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  • %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\Config\web.config
  • %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
  • %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
  • %WEBROOT%\web.config
  • %WEBROOT%\old application path\web.config
  • new application path\web.config

I can't think of any other places to look. Most of those files don't even have a <system.web> section and none of them have the word "credentials" in them anywhere.

Where is appcmd reading from to generate the output above?


Edit:

I'm still looking into this, and just found the following here, which might be the answer:

Default Configuration

The following default credentials element is not explicitly configured in the Machine.config or root Web.config file. However, it is the default configuration that is returned by the application.

    <credentials passwordFormat="SHA1" />
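
An added example, not part of the original post: one way to confirm which files in the hierarchy explicitly declare the `<credentials>` element, so that a value appcmd prints can be traced to a file or attributed to the default quoted above. The file list is the one from the question; `$AppPath` and its default value are assumptions standing in for the site's physical path.

```powershell
# Added example: report which files in the ASP.NET/IIS configuration hierarchy
# explicitly declare <credentials> under system.web/authentication/forms.
param(
    # Assumption: physical path of the site or application being audited.
    [string]$AppPath = 'C:\inetpub\wwwroot'
)

$candidates = @(
    "$env:SystemRoot\System32\inetsrv\config\applicationHost.config"
    "$env:SystemRoot\Microsoft.NET\Framework\v4.0.30319\Config\machine.config"
    "$env:SystemRoot\Microsoft.NET\Framework\v4.0.30319\Config\web.config"
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Config\web.config"
    (Join-Path $AppPath 'web.config')
)

# local-name() keeps the query working if a file declares an XML namespace;
# the leading // also matches sections wrapped in <location> elements.
$xpath = "//*[local-name()='system.web']/*[local-name()='authentication']" +
         "/*[local-name()='forms']/*[local-name()='credentials']"

$results = foreach ($file in $candidates) {
    if (-not (Test-Path -LiteralPath $file)) {
        [pscustomobject]@{ File = $file; Status = 'missing'; PasswordFormat = $null }
        continue
    }
    $hits = @(Select-Xml -LiteralPath $file -XPath $xpath)
    if ($hits.Count -eq 0) {
        [pscustomobject]@{ File = $file; Status = 'not declared'; PasswordFormat = $null }
    }
    foreach ($hit in $hits) {
        # An explicit declaration: record the hash format it sets, if any.
        [pscustomobject]@{
            File           = $file
            Status         = 'explicit'
            PasswordFormat = $hit.Node.GetAttribute('passwordFormat')
        }
    }
}

$results | Format-Table -AutoSize -Wrap
if (-not ($results | Where-Object Status -eq 'explicit')) {
    'No file declares <credentials>; the element appcmd prints is a default value.'
}
```

Run it from an elevated prompt so the files under `inetsrv\config` are readable.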

1 Answer

3

Check:

%SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config\web.config 

System.web is a .NET setting, so it should be in the global web.config file. It seems it is only in the 64-bit version, not the 32-bit framework.

5
  • Upvoted as a good place to check, not accepted as it isn't the right answer in this case. I added both the file you suggest and the machine.config in the same folder as places I've already checked. Commented Nov 17, 2017 at 17:09
  • When I change the system.web/authentication settings in the GUI, it changes the file I mentioned. Can you confirm that? Commented Nov 20, 2017 at 6:03
  • I'm looking for the <credentials> element specifically. Can you change that element in the GUI? If so, where? Commented Nov 20, 2017 at 20:07
  • Can you edit your question to state what you are actually trying to achieve? What settings do you want to change/add? Commented Nov 21, 2017 at 4:43
  • What I'm trying to achieve is an understanding of how this works so I can write an intelligent request for a waiver for the security and compliance team. They keep saying "just edit the file" and I'm like "just tell me what file to edit" and they don't know and I can't find it either. Commented Dec 4, 2017 at 20:27
