The ASP.

NET configuration system features an extensible infrastructure that enables you to

define configuration settings at the time your ASP.NET applications are first deployed so that you can
add or revise configuration settings at any time with minimal impact on operational Web applications and
servers.

BENEFITS:
The ASP.NET configuration system provides the following benefits:

• Configuration information is stored in XML-based text files. You can use any standard text editor
or XML parser to create and edit ASP.NET configuration files.
• Multiple configuration files, all named Web.config, can appear in multiple directories on an
ASP.NET Web application server. Each Web.config file applies configuration settings to its own
directory and all child directories below it. Configuration files in child directories can supply
configuration information in addition to that inherited from parent directories, and the child
directory configuration settings can override or modify settings defined in parent directories. The
root configuration file named
systemroot\Microsoft.NET\Framework\versionNumber\CONFIG\Machine.config provides
ASP.NET configuration settings for the entire Web server.
• At run time, ASP.NET uses the configuration information provided by the Web.config files in a
hierarchical virtual directory structure to compute a collection of configuration settings for each
unique URL resource. The resulting configuration settings are then cached for all subsequent
requests to a resource. Note that inheritance is defined by the incoming request path (the URL),
not the file system paths to the resources on disk (the physical paths).
• ASP.NET detects changes to configuration files and automatically applies new configuration
settings to Web resources affected by the changes. The server does not have to be rebooted for the
changes to take effect. Hierarchical configuration settings are automatically recalculated and
recached whenever a configuration file in the hierarchy is changed. The <processModel> section
is an exception.
• The ASP.NET configuration system is extensible. You can define new configuration parameters
and write configuration section handlers to process them.
• ASP.NET help protect configuration files from outside access by configuring Internet
Information Services (IIS) to prevent direct browser access to configuration files. HTTP access
error 403 (forbidden) is returned to any browser attempting to request a configuration file
directly.

1
Format of ASP.NET Configuration Files
Configuration information for ASP.NET resources is contained in a collection of configuration files,
each named Web.config. Each configuration file contains a nested hierarchy of XML tags and subtags
with attributes that specify the configuration settings. Because the tags must be well-formed XML, the
tags, subtags, and attributes are case-sensitive. Tag names and attribute names are camel-cased, which
means that the first character of a tag name is lowercase and the first letter of any subsequent
concatenated words is uppercase. Attribute values are Pascal-case, which means that the first character is
uppercase and the first letter of any subsequent concatenated words is uppercase. Exceptions are true and
false, which are always lowercase.
• All configuration information resides between the <configuration> and </configuration> root
XML tags. Configuration information between the tags is grouped into two main areas: the
configuration section handler declaration area and the configuration section settings area.
• Configuration section handler declarations appear at the top of the configuration file between
<configSections> and </configSections> tags. Each declaration contained in a <section> tag
specifies the name of a section that provides a specific set of configuration data and the name of
the .NET Framework class that processes configuration data in that section.
• The configuration section settings area follows the <configSections> area and contains the actual
configuration settings. There is one configuration section for each declaration in the
<configSections> area. Each configuration section contains subtags with attributes that contain
the settings for that section.
• The following Web.config file example declares two configuration <section> handlers. One
manages application settings and the other manages session state.]

<configuration>
<configSections>
<section name="appSettings"
type="System.Configuration.NameValueFileSectionHandler,
System, Version=1.0.3300.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<section name="sessionState"
type="System.Web.SessionState.SessionStateSectionHandler,
System.Web, Version=1.0.3300.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
allowDefinition="MachineToApplication"/>
</configSections>

<appSettings>
<add key="dsn" value="localhost;uid=MyUserName;pwd=;"/>
<add key="msmqserver" value="server\myqueue"/>
</appSettings>

<sessionState cookieless="true" timeout="10"/>

</configuration>

2
• We need to declare a configuration section handler only once. We can place it in the server's root
Machine.config file or in a Web.config file in the virtual directory containing the Web application
files. Configuration files in subdirectories automatically inherit configuration handlers declared in
parent directories.
• Configuration settings are often nested together under section grouping tags. These top-level
section tags typically represent the namespace to which the configuration settings apply. For
example, the top-level <system.net> tag represents the settings for network classes, and the
<system.web> tag represents the settings for the ASP.NET classes.
The following example shows tag nesting.
<configuration>
<configSections>
<sectionGroup name="system.net">
<section name="authenticationModules"
type="System.Net.Configuration.NetAuthenticationModuleHandler,
System, Version=1.0.3300.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"/>
<section name="webRequestModules"
type="System.Net.Configuration.WebRequestModuleHandler,
System, Version=1.0.3300.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"/>
</sectionGroup>

<sectionGroup name="system.web">
<section name="authorization"
type="System.Web.Configuration.AuthorizationConfigHandler,
System.Web, Version=1.0.3300.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"/>
<section name="sessionState"
type="System.Web.SessionState.SessionStateSectionHandler,
System.Web, Version=1.0.3300.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
allowDefinition="MachineToApplication"/>
</sectionGroup>
</configSections>

<system.net>
<! — Net Class Settings would go here. -->
</system.net>
<system.web>
<authorization>
<allow users="*"/> <!-- Allow all users -->
<!-- Allow or deny specific users.
allow users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
<deny users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
-->
</authorization>

3
 <sessionState
sqlConnectionString="data source=localhost;
Integrated Security=SSPI;
Initial Catalog=northwind"
cookieless="false"
timeout="10"/></system.web>
</configuration>

The ASP.NET configuration infrastructure makes no assumptions about the types of

configuration data that the infrastructure supports. Configuration section handler classes process all
Web.config data. You can use the predefined configuration section handlers that are supplied with the
.NET Framework or you can create your own handlers to process your own custom configuration data.

Hierarchical Configuration Architecture

ASP.NET applies configuration settings to resources in a hierarchical manner. Web.config files

supply configuration information to the directories in which they are located and to all child directories.
The configuration settings for a Web resource are supplied by the configuration file located in the same
directory as the resource and by all configuration files in all parent directories.
Configuration Inheritance
When the server receives a request for a particular Web resource, ASP.NET computes the
configuration settings for that resource hierarchically, using all the configuration files located in the
virtual directory path for the requested URL. For example, you could have a Web site with the following
file structure, where the application root directory is the application virtual directory (Vdir).

Normally, the last configuration setting overwrites settings for the same section provided in
parent directories, but the section handler might implement a different inheritance scheme.
For example, as the administrator, you could configure the application settings to allow all users
access to the ASP.NET resources in the application root directory (the physical directory mapped by the
application virtual directory) but allow only selected users access to the ASP.NET resources in the two
subdirectories.
Assume that there is a Web.config file in the SubDir1 directory and none in the application root
or SubDir2 directories. In this case, ASP.NET is using two configuration files. The highest-level file is
the one located in the systemroot\Microsoft .NET \Framework\versionNumber\CONFIG directory. This
file, named Machine.config, is at the machine level, and all ASP.NET directories and subdirectories
inherit its settings. Machine.config is shipped with the.NET Framework and contains many default
ASP.NET settings. The default setting for the security configuration section of this file allows all users to
access all URL resources. There is no configuration file in the example's application root directory that
modifies security, so all users have access to the ASP.NET resources in it (because that directory inherits
from the machine-level configuration file). If the Web.config file in the SubDir1 directory contains a
security configuration section that allows access only to certain users, then SubDir2 inherits that setting.
So, all users have access to the ASP.NET resources in the application root directory, but only certain
users have access to the ASP.NET resources in SubDir1 and SubDir2.

4
 Configuration settings for virtual directories are independent of physical directory structure, and
virtual directories must be organized carefully to avoid configuration problems. For example, you could
have an application named MyResource.aspx with the following physical directory structure.
C:\Subdir1\Subdir2\MyResource.aspx
Assume a configuration file is located in Subdir1 and a virtual directory named Vdir1 is mapped
to c:\Subdir1 and a virtual directory named Vdir2 is mapped to c:\Subdir1\Subdir2. If a client accesses the
resource physically located at c:\Subdir1\Subdir2\MyResource.aspx using the URL
http://localhost/vdir1/subdir2/MyResource.aspx, the resource inherits configuration settings from Vdir1.
However, if the client accesses the same resource using the URL http://localhost/vdir2/MyResource.aspx,
it does not inherit settings from Vdir1. Therefore, creating virtual directories in this manner could cause
unexpected results or even an application failure and is not recommended.
Configuration <location> Settings
Configuration settings can be applied to specific resources by using a <location> tag with an
appropriate path attribute. The path attribute can be used to identify a specific file or child directory to
which unique configuration settings apply.
For example, the following configuration file specifies settings at three levels:

• Settings that apply to the current directory and all child directories (everything contained within
the top <configuration> tag).
• Settings that apply to the Sub1 child directory (everything contained within the <location> tag
with a path attribute set to Sub1).
• Settings that apply to the Sub2 child directory (everything contained within the <location> tag
with a path attribute set to Sub2).

<configuration>
<system.web>
<sessionState cookieless="true" timeout="10"/>
</system.web>

<!— Configuration for the "Sub1" subdirectory. -->

<location path="sub1">
<system.web>
<httpHandlers>
<add verb="*" path="Sub1.Scott" type="Sub1.Scott"/>
<add verb="*" path="Sub1.David" type="Sub1.David"/>
</httpHandlers>
</system.web>
</location>

<!— Configuration for the "Sub2" subdirectory. -->

<location path="sub2">
<system.web>
<httpHandlers>
<add verb="*" path="Sub2.Scott" type="Sub2.Scott"/>

5
 <add verb="*" path="Sub2.David" type="Sub2.David"/>
</httpHandlers>
</system.web>
</location>
</configuration>

Creating New Configuration Sections

You can extend the standard set of ASP.NET configuration settings with XML configuration tags
of your own. To do this, you must create your own configuration section handler. The handler must be
a .NET Framework class that implements the IConfigurationSectionHandler interface. The section
handler interprets and processes the settings defined in XML tags within a specific portion of a
Web.config file and returns an appropriate configuration object based on the configuration settings. The
configuration object that the handler class returns can be any data structure; it is not limited to any base
configuration class or configuration format.
The following example defines an IConfigurationSectionHandler interface.
[C#]
namespace System.Web.Configuration
{
public interface IConfigurationSectionHandler
{
public Object Create(Object parent, Object input,
XmlNode node);
}
}

We can also define your own section that uses the same configuration handler as the
<appSettings> section. For example:

<configuration>
<configSections>
<sectionGroup name="myGroup">
<sectionGroup name="nestedGroup">
<section name="mySection" type=
"System.Configuration.NameValueSectionHandler,System"/>
</sectionGroup>
</sectionGroup>
</configSections>

<myGroup>
<nestedGroup>
<mySection>
<add key="key_one" value="1"/>
<add key="key_two" value="2"/>

6
 </mySection>
</nestedGroup>
</myGroup>
</configuration>

We can read the value of the new configuration section defined in the preceding example as follows:
[C#]
NameValueCollection config = (NameValueCollection)
ConfigurationSettings.GetConfig("myGroup/nestedGroup/mySection");
Response.Write("The value of key_one is " + Server.HtmlEncode(config["key_one"]) + "<br>");
Response.Write("The value of key_two is " + Server.HtmlEncode(config["key_two"]) + "<br>");

ASP.NET Settings Schema

The ASP.NET configuration section schema contains elements that control how ASP.NET Web
applications behave. Where a default value is specified for an attribute, the default value is set in the
Machine.config file that is located at
systemroot\Microsoft.NET\Framework\versionNumber\CONFIG\Machine.config.
<configuration>
<location>
<system.web>
<authentication>
<forms>
<credentials>
<passport>
<authorization>
<allow>
<deny>
<browserCaps>
<result>
<use>
<filter>
<case>
<clientTarget>
<add>
<remove>
<clear>
<compilation>
<compilers>
<compiler>
<assemblies>
<add>
<remove>
<clear>
<customErrors>
<error>
<globalization>

7
 <httpHandlers>
<add>
<remove>
<clear>
<httpModules>
<add>
<remove>
<clear>
<httpRuntime>
<identity>
<machineKey>
<pages>
<processModel>
<securityPolicy>
<trustLevel>
<sessionState>
<trace>
<trust>
<webServices>
<protocols>
<add>
<remove>
<clear>
<serviceDescriptionFormatExtensionTypes>
<add>
<remove>
<clear>
<soapExtensionTypes>
<add>
<clear>
<soapExtensionReflectorTypes>
<add>
<clear>
<soapExtensionImporterTypes>
<add>
<clear>
<WsdlHelpGenerator>
</webServices>
</system.web>
</location>
</configuration>

Element Description
<system.web> Specifies the root element for the ASP.NET configuration
section.
<add> for <assemblies> Adds an assembly reference to use during compilation of
a dynamic resource.

8
<add> for <clientTarget> Adds an alias for a specific user agent to an internal
collection of user agent aliases.
<add> for <httpHandlers> Adds a reference to an assembly to use during
compilation of a dynamic resource.
<add> for <httpModules> Adds a reference to an assembly to use during
compilation of a dynamic resource.
<add> for <protocols> Adds a transmission protocol that the .NET Framework
can use to decrypt data sent from a client browser in the
HTTP request.
<add> for Adds a service description format extension to run within
<serviceDescriptionFormatExtensionTypes> the scope of the configuration file.
<add> for <soapExtensionTypes>, Adds a SOAP extension to run with all XML Web
<soapExtensionImporterTypes>, and services within the scope of the configuration file.
<soapExtensionReflectorTypes>
<allow> Allows access to a resource.
<assemblies> Specifies ASP.NET compilation processing directives.
<authentication> Configures ASP.NET authentication support.
<authorization> Configures ASP.NET authorization support.
<browserCaps> Configures the settings for the browser capabilities
component.
<case> Allows pattern matching to stop after processing the first
successful match out of a number of alternatives.
<clear> Removes all references to items appropriate to the parent
tag.
<clientTarget> Adds aliases for specific user agents to an internal
collection of user agent aliases.
<compilation> Contains all the compilation settings used by ASP.NET.
<compiler> Defines a new compiler option.
<compilers> Specifies the compilers that the ASP.NET application
supports.
<credentials> Allows optional definition of name and password
credentials within the configuration file.
<customErrors> Defines custom error messages for an ASP.NET
application and the pages that a browser is redirected to
when errors occur.
<deny> Specifies that access to a resource is denied.
<error> Defines one custom error condition that will be handled

9
 by a custom error page.
<filter> Allows multiple rules to be applied in sequence.
<forms> Configures an ASP.NET application for custom forms-
based authentication.
<globalization> Configures the globalization settings of an application.
<httpHandlers> Maps incoming URL requests to IHttpHandler classes.
<httpModules> Adds, removes, or clears HTTP modules within an
application.
<httpRuntime> Configures ASP.NET HTTP runtime settings. This
section can be declared at the machine, site, application,
or subdirectory level.
<identity> Controls the application identity of the Web application.
<location> Specifies the resource that configuration settings apply to.
<machineKey> Configures keys to use for encryption and decryption of
forms authentication cookie data. This section allows
developers to configure a validation key that performs
message authentication checks on view state data and
forms authentication tickets. It can be declared at the
machine, site, or application levels, but not at the
subdirectory level.
<pages> Identifies page-specific configuration settings.
<passport> Specifies the page to redirect to if the page requires
authentication and the user has not signed on with
Microsoft Passport authentication.
<processModel> Configures the ASP.NET process model settings on
Microsoft Internet Information Services (IIS) Web server
systems.
<protocols> Specifies the transmission protocols that ASP.NET can
use to decrypt data sent from a client browser in the
HTTP request.
<remove> for <assemblies> Removes a reference to an assembly.
<remove> for <clientTarget> Removes an alias for a specific user agent from an
internal collection of user agent aliases.
<remove> for <httpHandlers> Removes a verb/path mapping to an HttpHandler class.
<remove> for <httpModules> Removes a reference to an HttpModule class. The value
of <remove> must exactly match that of a previous
<add> directive.
<remove> for <protocols> Removes a single protocol from a specific application's
list of supported HTML encoding protocols.

10
<remove> for Removes a single service description format extension
<serviceDescriptionFormatExtensionTypes> type from within the scope of the configuration file.
<result> The HttpCapabilitiesBase-derived class used to hold the
results (key-value string pairs) from parsing this section.
This string is used at run time to create the return type.
<securityPolicy> Defines valid mappings of named security levels to policy
files. This section can be declared at the machine, site, or
application levels.
<serviceDescriptionFormatExtensionTypes> Specifies the service description format extensions to run
within the scope of the configuration file.
<sessionState> Configures some session-state settings for the current
application.
<soapExtensionImporterTypes> Specifies the SOAP extensions to run when a service
description for an XML Web service within the scope of
the configuration file is accessed.
<soapExtensionReflectorTypes> Specifies the SOAP extensions to run when a service
description is generated for all XML Web services within
the scope of the configuration file.
<soapExtensionTypes> Specifies the SOAP extensions to run with all XML Web
services within the scope of the configuration file.
<trace> Configures the ASP.NET trace service.
<trust> Configures the code access security permission set used to
run a particular application. This section can be declared
at the machine, site, and application levels.
<trustLevel> Defines the mapping of specific security levels to named
policy files.
<use> Specifies the HTTP request strings sent to this parser.
<user> Allows definition of user name and password credentials
within the configuration file.
<webServices> Controls the settings of XML Web services created using
ASP.NET.
<WsdlHelpGenerator> Specifies the .aspx Help page for an XML Web service.

Syntax of some important elements:

<configuration> Element
The root element in every configuration file used by the common language runtime and .NET Framework
applications.

11
<configuration>
<configuration>
<!-- configuration settings -->
</configuration>

Child Elements

Element
Startup Settings Schema
Runtime Settings Schema
Remoting Settings Schema
Network Settings Schema
Cryptography Settings Schema
Configuration Sections Schema
Trace and Debug Settings All elements in the trace and debug settings schema.
Schema
ASP.NET Settings Schema
Description
All elements in the startup settings schema.
All elements in the runtime settings schema.
All elements in the remoting settings schema.
All elements in the network settings schema.
All elements in the crypto settings schema.
All elements in the configuration section settings schema.
All elements in the ASP.NET configuration schema.

Remarks
Each configuration file must contain exactly one <configuration> element.

<authentication> Element

Configures ASP.NET authentication support. This element can be declared only at the machine,
site, or application level. Any attempt to declare it in a configuration file at the subdirectory or page level
will result in a parser error message.
<configuration>
<system.web>
<authentication>

<authentication mode="Windows|Forms|Passport|None">
<forms name="name"
loginUrl="url"
protection="All|None|Encryption|Validation"
timeout="30" path="/" >
requireSSL="true|false"
slidingExpiration="true|false">
<credentials passwordFormat="Clear|SHA1|MD5">
<user name="username" password="password"/>
</credentials>
</forms>
<passport redirectUrl="internal"/>
</authentication>

12
Required Attribute

Attribute Option Description

Mode Controls the default authentication mode for an application.
Windows Specifies Windows authentication as the default authentication
mode. Use this mode when using any form of Microsoft Internet
Information Services (IIS) authentication: Basic, Digest, Integrated
Windows authentication (NTLM/Kerberos), or certificates.
Forms Specifies ASP.NET forms-based authentication as the default
authentication mode.
Passport Specifies Microsoft Passport authentication as the default
authentication mode.
None Specifies no authentication. Only anonymous users are expected or
applications can handle events to provide their own authentication.

Subtags

Subtag Description
<forms> Configures an ASP.NET application for custom forms-based authentication.
<passport> Specifies the page to redirect to if the page requires authentication and the user has
not signed on with Passport.

Example

The following example configures a site for forms-based authentication, specifies the name of the
cookie that transmits logon information from the client, and specifies the name of the logon page to use if
initial authentication fails. You need to include an <authorization> section to require forms authentication
by all users and to deny anonymous users access to the site.

<configuration>
<system.web>
<authentication mode="Forms">
<forms name="401kApp" loginUrl="/login.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>

Requirements
Contained Within: <system.web>
Web Platform: IIS 5.0, IIS 5.1, IIS 6.0
Configuration File: Machine.config, Web.config

13
Configuration Section Handler: System.Web.Configuration.AuthenticationConfigHandler

<authorization> Element
Configures ASP.NET authorization support. The <authorization> tag controls client access to
URL resources. This element can be declared at any level (machine, site, application, subdirectory, or
page).
<configuration>
<system.web>
<authorization>

<authorization>
<allow users="comma-separated list of users"
roles="comma-separated list of roles"
verbs="comma-separated list of verbs"/>

<deny users="comma-separated list of users"

roles="comma-separated list of roles"
verbs="comma-separated list of verbs"/>
</authorization>

Subtags

Subtag Description
<allow> Allows access to a resource based on the following:
users: A comma-separated list of user names that are granted access to the resource. A
question mark (?) allows anonymous users; an asterisk (*) allows all users.
roles: A comma-separated list of roles that are granted access to the resource.
verbs: A comma-separated list of HTTP transmission methods that are granted access to the
resource. Verbs registered to ASP.NET are GET, HEAD, POST, and DEBUG.
<deny> Denies access to a resource based on the following:
users: A comma-separated list of user names that are denied access to the resource. A
question mark (?) indicates that anonymous users are denied access; an asterisk (*) indicates
that all users are denied access.
roles: A comma-separated list of roles that are denied access to the resource.
verbs: A comma-separated list of HTTP transmission methods that are denied access to the
resource. Verbs registered to ASP.NET are GET, HEAD, POST, and DEBUG.

Remarks

At run time, the authorization module iterates through the <allow> and <deny> tags until it finds the first
access rule that fits a particular user. It then grants or denies access to a URL resource depending on
whether the first access rule found is an <allow> or a <deny> rule. The default authorization rule in the
Machine.config file is <allow users="*"/> so, by default, access is allowed unless configured otherwise.
Example
The following example allows access to all members of the Admins role and denies access to all users.
<configuration>
<system.web>

14
 <authorization>
<allow roles="Admins"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>

Requirements
Contained Within: <system.web>
Web Platform: IIS 5.0, IIS 5.1, IIS 6.0
Configuration File: Machine.config, Web.config
Configuration Section Handler: System.Web.Configuration.AuthorizationConfigHandler

<compilation> Element
Configures all the compilation settings that ASP.NET uses.

<configuration>
<system.web>
<compilation>

<compilation debug="true|false"
batch="true|false"
batchTimeout="number of seconds"
defaultLanguage="language"
explicit="true|false"
maxBatchSize="maximim number of pages per
batched compilation"
maxBatchGeneratedFileSize="maximum combined size (in KB) of the generated source file per
batched compilation"
numRecompilesBeforeAppRestart="number"
strict="true|false"
tempDirectory="directory under which the ASP.NET temporary
files are created">
<compilers>
<compiler language="language"
extension="ext"
type=".NET Type"
warningLevel="number"
compilerOptions="options"/>
</compilers>

<assemblies>
<add assembly="assembly"/>
<remove assembly="assembly"/>
<clear/>
</assemblies>
</compilation>

Optional Attributes

15
Attribute Option Description
debug Specifies whether to compile retail binaries or debug
binaries. The default is false.
true Specifies compilation of debug binaries.
false Specifies compilation of retail binaries.
defaultLanguage Specifies the default programming language, such as "C#"
or "PERL", to use in dynamic compilation files. Language
names are defined using the <compiler> subtag. The default
is vb.
explicit Indicates the setting of the Microsoft Visual Basic explicit
compile option. The default is true.
true Indicates that the Visual Basic explicit compile option is
enabled and that all variables must be declared using a Dim,
Private, Public, or ReDim statement.
false Indicates that the Visual Basic explicit compile option is
disabled.
batch Indicates whether batching is supported.
true Indicates that batching is supported.
false Indicates that batching is not supported.
batchTimeout Indicates the time-out period, in seconds, for batch
compilation. If compilation cannot be completed within the
time-out period, the compiler reverts to single compilation
mode for the current page.
maxBatchGeneratedFileSize Specifies the maximum size (in KB) of the generated source
files per batched compilation.
maxBatchFileSize Specifies the maximum number of pages per batched
compilation.
numRecompilesBeforeApprestart Indicates the number of dynamic recompiles of resources
that can occur before the application restarts. This attribute
is supported at the global and application level but not at the
directory level.
strict Indicates the setting of the Visual Basic strict compile
option.
true Indicates that the Visual Basic strict compile option is
enabled.
false Indicates that the Visual Basic strict compile option is
disabled.
tempDirectory Specifies the directory to use for temporary file storage
during compilation.

16
Subtags

Subtag Description
<compilers> Defines a new compiler option.
<assemblies> Specifies ASP.NET compilation processing directives.

Example

The following example configures compilation settings for an application.

<configuration>
<system.web>
<compilation defaultLanguage="VB"
debug="true"
numRecompilesBeforeAppRestart="15">
<compilers>
<compiler language="VB;VBScript"
extension=".cls"
type="Microsoft.VisualBasic.VBCodeProvider,system,
Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"/>
<compiler language="C#;Csharp"
extension=".cs"
type="Microsoft.CSharp.CSharpCodeProvider,system,
Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"/>
</compilers>

<assemblies>
<add assembly="ADODB"/>
<add assembly="*"/>
</assemblies>
</compilation>
</system.web>
</configuration>

Requirements
Contained Within: <system.web>
Web Platform: IIS 5.0, IIS 5.1, IIS 6.0
Configuration File: Machine.config, Web.config
Configuration Section Handler: System.Web.Configuration.CompilationConfigHandler

<customErrors> Element
Provides information about custom error messages for an ASP.NET application.

17
<configuration>
<system.web>
<customErrors>
<customErrors defaultRedirect="url"
mode="On|Off|RemoteOnly">
<error statusCode="statuscode"
redirect="url"/>
</customErrors>

Required Attribute

Attribute Option Description

Mode Specifies whether custom errors are enabled, disabled, or shown
only to remote clients.
On Specifies that custom errors are enabled. If no defaultRedirect is
specified, users see a generic error.
Off Specifies that custom errors are disabled. This allows display of
detailed errors.
RemoteOnly Specifies that custom errors are shown only to remote clients and
ASP.NET errors are shown to the local host. This is the default.

Optional Attribute

Attribute Description
defaultRedirect Specifies the default URL to direct a browser to if an error occurs. When
defaultRedirect is not specified, a generic error is displayed instead. The URL may
be absolute (for instance, http://www.contoso.com/ErrorPage.htm) or it may be
relative. A relative URL such as /ErrorPage.htm is relative to the Web.config file
that specified the defaultRedirect URL, not to the Web page in which the error
occurred. A URL starting with a tilde (~),such as ~/ErrorPage.htm, means that the
specified URL is relative to the root path of the application.

Subtag

Subtag Description
<error> The error subtag can appear multiple times. Each appearance defines one custom
error condition.

Remarks

The <customErrors> element does not apply to errors that occur in XML Web services.

Example

18
The following example specifies the error handling pages to use for an ASP.NET application.
<configuration>
<system.web>
<customErrors defaultRedirect="GenericError.htm"
mode="RemoteOnly">
<error statusCode="500"
redirect="InternalError.htm"/>
</customErrors>
</system.web>
</configuration>

Requirements
Contained Within: <system.web>
Web Platform: IIS 5.0, IIS 5.1, IIS 6.0
Configuration File: Machine.config, Web.config
Configuration Section Handler: System.Web.Configuration.CustomErrorsConfigHandler

<globalization> Element
Configures the globalization settings of an application.
<configuration>
<system.web>
<globalization>

<globalization requestEncoding="any valid encoding string"

responseEncoding="any valid encoding string"
fileEncoding="any valid encoding string"
culture="any valid culture string"
uiCulture="any valid culture string"/>

Optional Attributes

Attribute Description
requestEncoding Specifies the assumed encoding of each incoming request, including posted
data and the query string. If the request comes with a request header containing
an Accept-Charset attribute, it overrides the requestEncoding in
configuration. The default encoding is UTF-8, specified in the <globalization>
tag included in the Machine.config file created when the .NET Framework is
installed. If request encoding is not specified in a Machine.config or
Web.config file, encoding defaults to the computer's Regional Options locale
setting. In single-server applications, requestEncoding and responseEncoding
should be the same. For the less common case (multiple-server applications
where the default server encodings are different), you can vary the request and
response encoding using local Web.config files.
responseEncoding Specifies the content encoding of responses. The default encoding is UTF-8,
specified in the <globalization> tag included in the Machine.config file created
when the .NET Framework is installed. If response encoding is not specified in
a Machine.config or Web.config file, encoding defaults to the computer's
Regional Options locale setting. In single-server applications,

19
 requestEncoding and responseEncoding should be the same. For the less
common case (multiple-server applications where the default server encodings
are different), you can vary the request and response encoding using local
Web.config files.
fileEncoding Specifies the default encoding for .aspx, .asmx, and .asax file parsing. Unicode
and UTF-8 files saved with the byte order mark prefix will be automatically
recognized regardless of the value of fileEncoding.
Culture Specifies the default culture for processing incoming Web requests. For valid
culture strings, see System.Globalization.CultureInfo Class.
uiCulture Specifies the default culture for processing locale-dependent resource searches.
For valid culture strings, see System.Globalization.CultureInfo Class.

Remarks

If the server or application fileEncoding attribute setting is configured to use UTF-16 and UTF-
16 is not the encoding used for an .aspx page in the scope of the configuration file, the output sent to the
client browser will be corrupted and might possibly display the source code of the page. Please ensure
that the configured fileEncoding value matches the encoding being used in the page.

Example

The following example specifies the default request and response encoding for an ASP.NET
application.
<configuration>
<system.web>
<globalization
requestEncoding="iso-8859-1"
responseEncoding="iso-8859-1"/>
</system.web>
</configuration>

Requirements
Contained Within: <system.web>
Web Platform: IIS 5.0, IIS 5.1, IIS 6.0
Configuration File: Machine.config, Web.config
Configuration Section Handler: System.Web.Configuration.GlobalizationConfigHandler

<httpHandlers> Element
Maps incoming requests to the appropriate IHttpHandler or IHttpHandlerFactory class, according
to the URL and the HTTP verb specified in the request.
<configuration>
<system.web>
<httpHandlers>

20
<httpHandlers>
<add verb="verb list"
path="path/wildcard"
type="type,assemblyname"
validate="true|false"/>
<remove verb="verb list"
path="path/wildcard"/>
<clear/>
</httpHandlers>

Subtags

Subtag Description
<add> Specifies verb/path mapping to an IHttpHandler or IHttpHandlerFactory class.
<remove> Removes a verb/path mapping to an IHttpHandler class. The <remove> directive must
exactly match the verb/path combination of a previous <add> directive. Wildcard
characters are not supported.
<clear> Removes all IHttpHandler mappings currently configured or inherited by the specified
Web.config file.

Remarks

The <httpHandlers> settings are inherited by subdirectories.

The <add> directives are processed in top-down sequential order. If two or more <add>
subelements specify the same verb/path combination, the final <add> overrides all others.
It should be noted that Microsoft Internet Information Services (IIS) has its own concept of
mapping extensions to ISAPIs. For the settings for a given extension in this section to take effect, the
extension must be mapped in IIS to ASP.NET ISAPI. For nonstandard extensions (something other
than .aspx, .asmx, .asax, and so on), the user must configure IIS.

Example

The following example maps all HTTP requests for files with file name extension .New to the
class MyHandler.New and for HTTP GET and HTTP HEAD requests for files with file name
extension .MyNewFileExtension to the class MyHandler.MNFEHandler. Both classes are in the assembly
MyHandler that is in the file MyHandler.dll.

<configuration>
<system.web>
<httpHandlers>
<add verb="*"
path="*.New"
type="MyHandler.New,MyHandler"/>
<add verb="GET,HEAD"
path="*.MyNewFileExtension"

21
 type="MyHandler.MNFEHandler,MyHandler.dll"/>
</httpHandlers>
<system.web>
</configuration>

Requirements
Contained Within: <system.web>
Web Platform: IIS 5.0, IIS 5.1, IIS 6.0
Configuration File: Machine.config, Web.config
Configuration Section Handler: System.Web.Configuration.HttpHandlersConfigHandler.

<httpModules> Element
Configures the HTTP modules within an application.
<configuration>
<system.web>
<httpModules>
<httpModules>
<add type="classname,assemblyname" name="modulename"/>
<remove name="modulename"/>
<clear/>
</httpModules>

Subtags

Subtag Description
<add> Adds an HttpModule class to an application.
Note that if an identical verb/path combination has been specified earlier (for example in a
Web.config file in a parent directory), the second call to <add> overrides the previous
setting.
<remove> Removes an HttpModule class from an application.
<clear> Removes all HttpModule mappings from an application.

Example

The following example adds three HttpModule references to the ASP.NET application.
<configuration>
<system.web>
<httpModules>
<add type="System.Web.Caching.OutputCacheModule"
name="OutputCache"/>
<add type="System.Web.SessionState.SessionStateModule"
name="Session"/>
<add type=Selector, selector.dll"
name="Selector"/>
</httpModules>

22
 </system.web>
</configuration>

Requirements
Contained Within: <system.web>
Web Platform: IIS 5.0, IIS 5.1, IIS 6.0
Configuration File: Machine.config, Web.config
Configuration Section Handler: System.Web.Configuration.HttpModulesConfigHandler

<httpRuntime> Element
Configures ASP.NET HTTP runtime settings. This section can be declared at the machine, site,
application, and subdirectory levels.
<configuration>
<system.web>
<httpRuntime>
<httpRuntime useFullyQualifiedRedirectUrl="true|false"
maxRequestLength="size in kbytes"
executionTimeout="seconds"
minFreeThreads="number of threads"
minFreeLocalRequestFreeThreads="number of threads"
appRequestQueueLimit="number of requests"
versionHeader="version string"/>

Optional Attributes

Attribute Option Description

appRequestQueueLimit The maximum number of requests that ASP.NET will
queue for the application. When there are not enough free
threads to process a request, the requests are queued.
Incoming requests will be rejected with a "503 - Server
Too Busy" error when the queue exceeds the limit
specified in this setting.
executionTimeout Indicates the maximum number of seconds that a request
is allowed to execute before being automatically shut
down by ASP.NET.
Enable Specifies whether the App Domain is enabled. at the
current node and at the child node level. The default value
is true.
true Specifies that the App Domain be enabled.
false Specifies that the App Domain be disabled. The
application is not loaded in memory and any client request
will cause a 404 error to be issued.
idleTimeOut Specifies the App Domain idle time before it is shut down.
The default value is 20 minutes.

23
enableKernelModeCache Specifies whether output caching is enabled. At this time,
this attribute is only relevant when IIS version 6.0 or later
is installed. The output caching configuration and type of
request determines whether content can be cached.
In order to cache a response, the following criteria need to
be met:

• Caching must be explicitly enabled by a page

directive or by the use of the caching API.
• Caching must have an expiration policy so that
the kernel knows when to discard it.
• Caching cannot have any variable headers or
parameters.

• The request must not require any authentication.

true Specifies that caching be enabled.

false Specifies that caching be disabled.
maxRequestLength Indicates the maximum file upload size supported by
ASP.NET. This limit can be used to prevent denial of
service attacks caused by users posting large files to the
server. The size specified is in kilobytes. The default is
4096 KB (4 MB).
minFreeLocalRequestFreeThreads The minimum number of free threads that ASP.NET keeps
available to allow execution of new local requests. This
number of threads is kept reserved for requests coming
from the local host, in case some requests issue child
requests to the local host during their processing. This
avoids a possible deadlock with recursive reentry into the
Web server.
minFreeThreads The minimum number of free threads to allow execution
of new requests. ASP.NET keeps this many threads free
for requests that require additional threads to complete
their processing.
useFullyQualifiedRedirectUrl Indicates whether client-side redirects are fully qualified
(in {HYPERLINK "http://server/path" } form, which is
necessary for some mobile controls) or whether relative
redirects are instead sent to the client.
true Specifies that client-side redirects need to be sent fully
qualified. This is achieved by automatically converting all
redirects that are not fully qualified to fully qualified form.
false Specifies that client-side redirects do not need to be
automatically converted to the fully qualified form. false is

24
 the default.
versionHeader Specifies the value of a version header that ASP.NET
sends with every response. This attribute is used by
Microsoft Visual Studio .NET to determine which version
of ASP.NET is in use. It is not necessary for production
sites and can be disabled either by removing the attribute
from Web.config or Machine.config, or setting the
attribute to an empty string (versionHeader="").

Example

The following example specifies HTTP runtime parameters for an ASP.NET application.
<configuration>
<system.web>
<httpRuntime maxRequestLength="4000"
useFullyQualifiedRedirectUrl="true"
executionTimeout="45"
versionHeader="1.1.4128"/>
</system.web>
</configuration>

Requirements

Contained Within: <system.web>

Web Platform: IIS 5.0, IIS 5.1, IIS 6.0
Configuration File: Machine.config, Web.config
Configuration Section Handler: System.Web.Configuration.HttpRuntimeConfigurationHandler

<processModel> Element
Configures the ASP.NET process model settings on a Microsoft Internet Information Services
(IIS) Web server. The <processModel> section can be set only within the Machine.config file and affects
all ASP.NET applications running on the server.
<configuration>
<system.web>
<processModel>
<processModel enable="true|false"
timeout="hrs:mins:secs|Infinite"
idleTimeout="hrs:mins:secs|Infinite"
shutdownTimeout="hrs:mins:secs|Infinite"
requestLimit="hrs:mins:secs|Infinite"

25
 requestQueueLimit="num|Infinite"
restartQueueLimit="num|Infinite"
memoryLimit="percent"
cpuMask="num"
webGarden="true|false"
userName="username"
password="password"
logLevel="All|None|Errors"
clientConnectedCheck="hrs:mins:secs|Infinite"
responseDeadlockInterval="hrs:mins:secs|Infinite"
responseRestartDeadlockInterval="hrs:mins:secs|Infinite"
comAuthenticationLevel="Default|None|Connect|Call|
Pkt|PktIntegrity|PktPrivacy"
comImpersonationLevel="Default|Anonymous|Identify|
Impersonate|Delegate"
maxWorkerThreads="num"
maxIoThreads="num"/>

Optional Attributes

Attribute Option Description

clientConnectedCheck Specifies how long a request is left in the queue
before ASP.NET does a client connected check.
comAuthenticationLevel Specifies the level of authentication for DCOM
security. The default is Connect.
Default Specifies that DCOM determines the authentication
level using its normal security negotiation algorithm.
None Specifies no authentication.
Connect Specifies that DCOM authenticates the credentials of
the client only when the client establishes a
relationship with the server.
Call Specifies that DCOM authenticates the credentials of
the client when the server receives the request at the
beginning of each remote procedure call.
Pkt Specifies that DCOM authenticates that all data
received is from the expected client. Datagram
transports always use Pkt authentication.
PktIntegrity Specifies that DCOM authenticates and verifies that
none of the data transferred between the client and the
server has been modified.
PktPrivacy Specifies that DCOM authenticates all previous levels
and encrypts the argument value of each remote
procedure call.
comImpersonationLevel Specifies the authentication level for COM security.

26
 Default Specifies that DCOM determines the impersonation
level using its normal security negotiation algorithm.
Anonymous Specifies that the client is anonymous to the server.
The server can impersonate the client, but the
impersonation token will not contain any information.
Anonymous is not supported in version 1.1.
Identify Specifies that the server can obtain the client's
identity. The server can impersonate the client for
access control list (ACL) checking, but it cannot
access system objects as the client.
Impersonate Specifies that the server process can impersonate the
client's security context while acting on behalf of the
client. This level of impersonation can be used to
access local resources such as files. When
impersonating at this level, the impersonation token
can be passed across only one machine boundary.
Delegate Specifies that the server process can impersonate the
client's security context while acting on behalf of the
client. The server process can also make outgoing
calls to other servers while acting on behalf of the
client, using cloaking. The server can use the client's
security context on other computers to access local
and remote resources as the client. When
impersonating at this level, the impersonation token
can be passed across any number of machine
boundaries.
cpuMask Specifies which processors on a multiprocessor server
are eligible to run ASP.NET processes. The cpuMask
value specifies a bit pattern that indicates the CPUs
eligible to run ASP.NET threads. For example, the
cpuMask hexadecimal value 0x0d represents the bit
pattern 1101. On a computer with four CPUs, this
indicates that ASP.NET processes can be scheduled
on CPUs 0, 2, and 3, but not on CPU 1. ASP.NET
launches one worker process for each eligible CPU. If
the webGarden attribute (see below) is set to true,
the cpuMask limits worker processes to the number
of eligible CPUs. (The maximum allowed number of
worker processes is equal to the number of CPUs.) By
default, all CPUs are enabled and ASP.NET launches
one process for each CPU. If webGarden is set to
false, the cpuMask attribute is ignored and only one
worker process will run.
Enable Specifies whether the process model is enabled.
true Indicates that the process model is enabled.

27
 false Indicates that the process model is not enabled.
idleTimeout Specifies the period of inactivity, in hr:min:sec string
format, after which ASP.NET automatically ends the
worker process. The default is Infinite.
logLevel Specifies event types to be logged to the event log.
All Specifies that all process events are logged.
None Specifies that no events are logged.
Errors Specifies that only unexpected shutdowns, memory
limit shutdowns, and deadlock shutdowns are logged.
Errors is the default.
maxWorkerThreads 5 to 100 Configures the maximum amount of worker threads
to be used for the process on a per-CPU basis. For
example, if this value is 25 on a single-processor
server, ASP.NET uses the runtime APIs to set the
process limit to 25. On a two-processor server, the
limit is set to 50. The default is 20. The value of
maxWorkerThreads must be equal to or greater than
the minFreeThread attribute setting in the
<httpRuntime> configuration section.
maxIoThreads 5 to 100 Configures the maximum number of I/O threads to be
used for the process on a per-CPU basis. For example,
if this value is 25 on a single-processor server,
ASP.NET uses the runtime APIs to set the process
limit to 25. On a two-processor server, the limit is set
to 50. The default is 20. The value of maxIoThreads
must be equal to or greater than the minFreeThread
attribute setting in the <httpRuntime> configuration
section.
memoryLimit Specifies the maximum allowed memory size, as a
percentage of total system memory, that the worker
process can consume before ASP.NET launches a
new process and reassigns existing requests. The
default is 60 percent.
Password If present (and in conjunction with a userName), this
attribute causes the worker process to run with the
configured Windows identity. The default value is
AutoGenerate. See userName for more details on
the special names System and Machine, which do not
require a password, and for information about storing
encrypted worker process credentials in the registry.
pingFrequency Specifies the time interval, in standard process model
format (hr:min:sec), at which the ISAPI extension
pings the worker process to see if it is running. If it is
not running for the pingTimeout interval, the worker

28
 process is restarted. The default is 30 seconds.
pingTimeout Specifies the time interval, in standard process model
format (hr:min:sec), after which a nonresponsive
worker process is restarted. The ISAPI extensions
ping the worker process at the pingFrequency
interval. If the worker process does not respond
within the pingTimeout interval, the process is
restarted. The default is 5 seconds.
requestLimit Specifies the number of requests allowed before
ASP.NET automatically launches a new worker
process to take the place of the current one. The
default is Infinite.
requestQueueLimit Specifies the number of requests allowed in the queue
before ASP.NET begins returning "503 – Server Too
Busy" errors to new requests. The default is 5000.
responseDeadlockInterval Specifies the time interval, in standard process model
format (hr:min:sec), after which the process will be
restarted if the following conditions are met:

• There are queued requests.

• There has not been a response during this
interval.

The default is 3 minutes.

responseRestartDeadlockInterval
serverErrorMessageFile
shutdownTimeout
Timeout
This attribute is no longer used by ASP.NET and is
provided for backward compatibility only. It will not
cause a configuration error if it is already present in a
configuration file. All recycling in the event of a
deadlock condition is now controlled by the
responseDeadlockInterval attribute.
If present, specifies the contents of a file to use
instead of the default "Server Unavailable" message
in the event of a fatal error. The file location is
relative to Machine.config or can be an absolute file
path. If this attribute is not present, the default "Server
Unavailable" message will be used.
Specifies the number of minutes allowed for the
worker process to shut itself down. When the timeout
expires, ASP.NET shuts down the worker process.
The time is expressed in hr:min:sec string format. The
default is 5 seconds, or 0:00:05.
Specifies the number of minutes until ASP.NET
launches a new worker process to take the place of the

29
 current one. The default is Infinite.
Username If present, the userName attribute runs the ASP.NET
worker process with a Windows identity different
from that of the default process identity. By default,
userName is set to the special value Machine, and
the process runs under a user account named
ASPNET that is created automatically when
ASP.NET is installed. The password for the ASPNET
account is cryptographically generated at the time of
installation. If valid credentials are presented in the
userName and password attributes, the process is
run with the given account. One other special value
for userName is System, with the password
AutoGenerate, which runs the process as an
administrative account and allows all ASP.NET user
code running under the process to have full
administrative privileges. See the Remarks section
below for information about using ASP.NET on a
server that is a domain controller.
userName and password are stored in clear text in
the configuration file. Although IIS will not
transmit .config files in response to a user agent
request, configuration files can be read by other
means, for instance by an authenticated user with
proper credentials on the domain that contains the
server. For security reasons, the processModel section
supports storage of encrypted userName and
password attributes in the registry. The credentials
must be in REG_BINARY format encrypted by the
Windows 2000 and Windows XP Data Protection API
(DPAPI) encryption functions. For more information,
see the Remarks and Example sections below.
webGarden Controls CPU affinity when used in conjunction with
the cpuMask attribute. (A multiprocessor Web server
is called a Web garden).
true Indicates that the cpuMask attribute is used to
specify which CPUs are eligible to run ASP.NET
processes.
false Indicates that CPU usage is scheduled by the
Windows operating system. The cpuMask attribute is
ignored and only one worker process will run. The
default is false.

Remarks

30
 The managed code configuration system does not read the <processModel> configuration
settings. Instead, they are read directly by the aspnet_isapi.dll unmanaged DLL. Changes to this section
are not applied until IIS is restarted.
If we install the .NET Framework version 1.1 on a domain controller, the installation does not
create the local ASPNET account. Instead, ASP.NET applications run under other identities. On
Windows 2000 domain controller servers, ASP.NET applications run under the IWAM_machinename
identity. On Windows 2003 domain controller servers, ASP.NET applications run under the NETWORK
SERVICE identity (regardless of the IIS isolation mode). Under some circumstances, running ASP.NET
on a domain controller requires that you take extra steps to make the installation work properly. For more
information about potential problems running version 1.1 on a domain controller, see article Q824308,
"IWAM Account is Not Granted the Impersonate Privilege for ASP.NET 1.1 on Windows 2000 Domain
Controller with SP4," in the Microsoft Knowledge Base at http://support.microsoft.com. For more
information about running version 1.0 of the .NET Framework on a domain controller, see article
Q315158, "ASP.NET Does Not Work with the Default ASPNET Account on a Domain Controller," in
the Microsoft Knowledge Base at http://support.microsoft.com.
When ASP.NET is running under IIS version 6 in native mode, the IIS 6 process model is used
and the settings in the <processModel> section are ignored. To configure the process identity, cycling, or
other process model values, use the Internet Services Manager user interface to configure the IIS worker
process for your application.
Time values are in the form "hours:minutes:seconds". If a single number with no colons is given,
the value is assumed to be minutes; thus timeout="4" is equivalent to timeout="00:04:00".
If an ASP.NET application is causing the ASP.NET worker process (aspnet_wp.exe on Windows
2000 and Windows XP Professional, w3wp.exe on Windows Server 2003 family) to restart with an error
message indicating that the restart was due to a suspected deadlock state, you should increase the
responseDeadlockInterval setting.
Storing a User Name and Password in the Registry
To encrypt the user name and password and store them in the registry, set the userName and password
as follows.
userName="registry:HKLM\Software\AspNetProcess,Name"
password="registry:HKLM\Software\AspNetProcess,Pwd"

The portion of the string after the keyword registry and before the comma indicates the name of
the registry key that ASP.NET opens. The portion after the comma contains a single string value name
from which ASP.NET will read the credentials. The comma is required, and the credentials must be
stored in the HKLM hive. If the configuration format is incorrect, ASP.NET will not launch the worker
process and the current account creation failure code path will be followed.
The credentials must be in REG_BINARY format, containing the output of a call to the Windows
API function CryptProtectData. You can create the encrypted credentials and store them in the registry
with the ASP.NET Set Registry console application (Aspnet_setreg.exe), which uses CryptProtectData
to accomplish the encryption. To download Aspnet_setreg.exe, along with the Visual C++ source code
and documentation, visit the Web site www.asp.net and search for "aspnet_setreg".
We should configure access to the key storing the encrypted credentials so that access is provided
only to Administrators and SYSTEM. Because the key will be read by the ASP.NET process running as
SYSTEM, you should set the following permissions:
Administrators:F

31
SYSTEM:F
CREATOR OWNER:F
ProcessAccount: R
This provides two lines of defense to help protect the data:

• The ACL permissions require the identity accessing the data to be an Administrator.
• An attacker must run code on the server (CryptUnprotectData) to recover the credentials for the
account.

Examples

The following example specifies several <processModel> configuration settings.

<configuration>
<system.web>
<processModel
enable="true"
timeout="15"
idleTimeout="25"
shutdownTimeout="5"
requestLimit="1000"
requestQueueLimit="500"
responseDeadlockInterval="00:03:00"
responseRestartDeadlockInterval="Infinite"
memoryLimit="20"
webGarden="true"
maxWorkerThreads="25"
maxIoThreads="25"/>
</system.web>
</configuration>
The following example specifies that the encrypted username and password are stored in the registry
under the user-defined key AspNetProcess.
<configuration>
<system.web>
<processModel>
userName="registry:HKLM\Software\AspNetProcess,Name"
password="registry:HKLM\Software\AspNetProcess,Pwd"
</processModel>
</system.web>
</configuration>

Requirements
Contained Within: <system.web>
Web Platform: IIS 5.0, IIS 5.1, IIS 6.0
Configuration File: Machine.config
Configuration Section Handler: System.Web.Configuration.ProcessModelConfigurationHandler

32
<sessionState> Element
Configures session state settings for the current application.
<configuration>
<system.web>
<sessionState>

<sessionState mode="Off|InProc|StateServer|SQLServer"
cookieless="true|false"
timeout="number of minutes"
stateConnectionString="tcpip=server:port"
sqlConnectionString="sql connection string"
stateNetworkTimeout="number of seconds"/>

Required Attributes

Attribute Option Description

mode Specifies where to store the session state.
Off Indicates that session state is not enabled.
InProc Indicates that session state is stored locally.
StateServer Indicates that session state is stored on a remote server.
SQLServer Indicates that session state is stored on the SQL Server.

Optional Attributes

Attribute Option Description

cookieless Specifies whether sessions without cookies should be used to
identify client sessions.
True Indicates that sessions without cookies should be used.
False Indicates that sessions without cookies should not be used. The
default is false.
timeout Specifies the number of minutes a session can be idle before it is
abandoned. The default is 20.
stateConnectionString Specifies the server name and port where session state is stored
remotely. For example, "tcpip=127.0.0.1:42424". This attribute is
required when mode is StateServer.
sqlConnectionString Specifies the connection string for a SQL Server. For example, "data
source=localhost;Integrated Security=SSPI;Initial
Catalog=northwind". This attribute is required when mode is
SQLServer.
stateNetworkTimeout When using StateServer mode to store session state, specifies the
number of seconds the TCP/IP network connection between the

33
 Web server and the state server can be idle before the session is
abandoned. The default is 10.

Remarks

To use StateServer mode

1. Make sure ASP.NET state service is running on the remote server that will store session state
information. This service is installed with ASP.NET and is located by default at
<Drive>:\systemroot\Microsoft.NET\Framework\version\aspnet_state.exe.
2. In the application's Web.config file, set mode=StateServer and set the stateConnectionString
attribute. For example, stateConnectionString="tcpip=dataserver:42424".

To use SQLServer mode

1. Run InstallSqlState.sql (installed by default

in<Drive>:\systemroot\Microsoft.NET\Framework\version) on the computer running SQL
Server that will store the session state. This creates a database called ASPState with new stored
procedures and ASPStateTempApplications and ASPStateTempSessions tables in the TempDB
database.
2. In the application's Web.config file, set mode=SQLServer and set the sqlConnectionString
attribute. For example, sqlConnectionString="data source=localhost;Integrated
Security=SSPI;Initial Catalog=northwind".

Example

The following example specifies several session state configuration settings.

<configuration>
<system.web>
<sessionState mode="InProc"
cookieless="true"
timeout="20"/>
</sessionState>
</system.web>
</configuration>

Requirements
Contained Within: <system.web>
Web Platform: IIS 5.0, IIS 5.1, IIS 6.0
Configuration File: Machine.config, Web.config
Configuration Section Handler: System.Web.SessionState.SessionStateSectionHandler

<webServices> Element

34
Controls the settings of XML Web services created using ASP.NET.
<configuration>
<system.web>
<webServices>
<webServices>
<protocols>
<add name="protocol name"/>
</protocols>
<serviceDescriptionFormatExtensionTypes>
</serviceDescriptionFormatExtensionTypes>
<soapExtensionTypes>
<add type="type"/>
</soapExtensionTypes>
<soapExtensionReflectorTypes>
<add type="type"/>
</soapExtensionReflectorTypes>
<soapExtensionImporterTypes>
<add type="type"/>
</soapExtensionImporterTypes>
<wsdlHelpGenerator href="help generator file"/>
</webServices>

Subtags

Subtag Description
<protocols> Specifies the transmission protocols that ASP.NET can
use to decrypt data sent from a client browser in the
HTTP request. The data sent in an HTTP request to an
XML Web service can contain method calls and
parameters.
<serviceDescriptionFormatExtensionTypes> Specifies the service description format extension to run
within the scope of the configuration file.
<soapExtensionTypes> Specifies the SOAP extensions to run with all XML Web
services within the scope of the configuration file.
<soapExtensionReflectorTypes> Specifies the SOAP extensions to run when a service
description is generated for all XML Web services within
the scope of the configuration file.
<soapExtensionImporterTypes> Specifies the SOAP extensions to run when a service
description for an XML Web service within the scope of
the configuration file is accessed to create a proxy class.
<wsdlHelpGenerator> The XML Web service Help page (an .aspx file) that is
displayed to a browser when the browser navigates
directly to an ASMX page.

Example

35
The following example specifies XML Web service configuration settings.

<configuration>
<system.web>
<webServices>
<protocols>
<add name="HttpGet"/>
<add type="HttpPost"/>
<add type="Documentation"/>
</protocols>
<serviceDescriptionFormatExtensionTypes>
</serviceDescriptionFormatExtensionTypes>
<soapExtensionTypes>
</soapExtensionTypes>
<soapExtensionReflectorTypes>
</soapExtensionReflectorTypes>
<soapExtensionImporterTypes>
</soapExtensionImporterTypes>
<wsdlHelpGenerator href="DefaultSdlHelpGenerator.aspx"/>
</webServices>
<system.web>
</configuration>

Requirements

Contained Within: <system.web>

Web Platform: IIS 5.0, IIS 5.1, IIS 6.0
Configuration File: Machine.config, Web.config
Configuration Section Handler:
System.Web.Services.Configuration.WebServicesConfigurationSectionHandler

Conclusion:

After an application is designed and developed,it needs to be deplopyed on an application.The

application deployment process requires a rich and flexible configuration system.The configuration
system should enable developers to easily associate settings with an installable application without having
to embed values into code.The system should also enable administrators to easily adjust or customize
these values after the deployment of the application on the application web server.
ASP.NET is designed to to provide developers with rich support of designing,developing and
deploying web applications..For application deployment,ASP.NET provides a rich set of configuration
settings.These settings have been written in XML files and are named web.config.

36
***********************************

37