Are there any special considerations that need to be made when upgrading websites from

Windows 2008 R2 / IIS 7.5

to

Windows 2012 / IIS 8.0 ?

Some information that might be pertinent, I don't know, but in my sites, I use Negotiate:Kerberos as my Windows Authentication Provider and that is combined with an SPN inside my Service Endpoint Identity.


Here's my error:

This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

Now, the error is complaining about this line under the <system.webServer> config section:

<windowsAuthentication enabled="true" authPersistNonNTLM="true" useKernelMode="false">

Here is a condensed version of the <system.webServer> config section :

<system.webServer>

    <security>
        <authentication>

            <anonymousAuthentication enabled="false" />
            <basicAuthentication enabled="false" />
            <clientCertificateMappingAuthentication enabled="false" />
            <digestAuthentication enabled="false" />
            <iisClientCertificateMappingAuthentication enabled="false" />

            <windowsAuthentication enabled="true" 
                                   authPersistNonNTLM="true" 
                                   useKernelMode="false">

                <extendedProtection tokenChecking="None" />

                <providers>

                    <clear />
                    <add value="Negotiate:Kerberos" />

                </providers>

            </windowsAuthentication>

        </authentication>
    </security>

    <!--required for impersonation-->
    <validation validateIntegratedModeConfiguration="false" />

</system.webServer>

Here is a condensed version of the <system.serviceModel> config section :

<system.serviceModel>
    <services>
        <service name="Deploy.Web.Services.Service" 
                 behaviorConfiguration="DeployServiceBehavior">

            <endpoint binding="basicHttpBinding" 
                      bindingConfiguration="DeployBasicHttpBinding" 
                      behaviorConfiguration="DeployEndpointBehavior" 
                      contract="Deploy.Web.Services.IService">

                <identity>

                    <dns value="" />
                    <servicePrincipalName value="HTTP/SERVERNAME" />

                </identity>

            </endpoint>

        </service>
    </services>
</system.serviceModel>
Code Maverick

1 Answer

We figured it out!

Inside of IIS 8.0 > Server Parent Node > Features View > Management Section > Feature Delegation :

Authentication - Windows was set to Read Only instead of Read/Write. Once we changed it to Read/Write, the sites started working again.

So lesson learned, that's one more area you need to check when upgrading!

Code Maverick
  • It might have helped if you actually posted the error – Erik Funkenbusch Dec 23 '14 at 19:16
  • @ErikFunkenbusch - I found and added the error message. It wasn't on my machine, so I couldn't screenshot it like I normally would. I'd appreciate an upvote for finding the solution on our own, if you wouldn't mind =D – Code Maverick Dec 23 '14 at 19:28
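
A pre-upgrade check for the locked-section error discussed in this thread, as an added example that is not code from either poster: it reads a server's applicationHost.config and a site's web.config and lists the sections the web.config sets that are still locked for that site (Feature Delegation "Read Only" corresponds to an override mode of Deny). The XML fragments, the site name and the function names are constructed for illustration, and `<location>` blocks inside web.config itself are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (not from the asker's server).
HOST = """<configuration>
 <configSections><sectionGroup name="system.webServer">
  <sectionGroup name="security"><sectionGroup name="authentication">
   <section name="anonymousAuthentication" overrideModeDefault="Deny" />
   <section name="windowsAuthentication" overrideModeDefault="Deny" />
  </sectionGroup></sectionGroup></sectionGroup></configSections>
 <location path="" overrideMode="Allow"><system.webServer><security><authentication>
  <anonymousAuthentication /></authentication></security></system.webServer></location>
</configuration>"""
# Constructed web.config, cut down from the one in the question.
WEB = """<configuration><system.webServer><security><authentication>
  <anonymousAuthentication enabled="false" />
  <windowsAuthentication enabled="true" useKernelMode="false" />
 </authentication></security></system.webServer></configuration>"""

def declared_modes(host):
    # Section path -> overrideModeDefault from <configSections> (absent = Allow).
    modes = {}
    def walk(node, prefix):
        for child in node:
            path = prefix + [child.get("name")]
            if child.tag == "sectionGroup":
                walk(child, path)
            elif child.tag == "section":
                modes["/".join(path)] = child.get("overrideModeDefault", "Allow")
    walk(host.find("configSections"), [])
    return modes

def effective_modes(host, site_path):
    # Apply <location> blocks covering site_path, broadest path first.
    modes, site = declared_modes(host), site_path.lower()
    for loc in sorted(host.findall("location"), key=lambda l: len(l.get("path", ""))):
        path = loc.get("path", "").lower()
        if path and site != path and not site.startswith(path + "/"):
            continue
        mode = "Deny" if loc.get("allowOverride") == "false" else loc.get("overrideMode", "Inherit")
        for section in (modes if mode != "Inherit" else ()):
            if loc.find(section) is not None:
                modes[section] = mode
    return modes

def locked_sections_used(host_xml, web_xml, site_path):
    # Sections present in web.config that the server config locks for this site.
    host, web = ET.fromstring(host_xml), ET.fromstring(web_xml)
    modes = effective_modes(host, site_path)
    return sorted(s for s, m in modes.items() if m == "Deny" and web.find(s) is not None)
```

A `<location path="Site Name" overrideMode="Allow">` block in applicationHost.config unlocks the section for that one site only, which is narrower than setting the feature to Read/Write for the whole server; the checker treats such a block as an unlock for that site and its child applications.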