IIS complains about a locked section - how can I find out where it's locked?

Worked out these steps which fix the issue for me:

  1. Open IIS Manager
  2. Click the server name in the tree on the left
  3. Right hand pane, Management section, double click Configuration Editor
  4. At the top, choose the section system.webServer/security/authentication/anonymousAuthentication
  5. Right hand pane, click Unlock Section
  6. At the top, choose the section system.webServer/security/authentication/windowsAuthentication
  7. Right hand pane, click Unlock Section

This solved my error on Windows Server 2012, IIS 8.5. Should work for other versions too.

  1. Go to Server Manager, click Add Roles and Features
  2. In the roles section choose: Web Server
  3. Under Security sub-section choose everything (I excluded digest, IP restrictions and URL authorization as we don't use them)
  4. Under Application Development choose .NET Extensibility 4.5 and ASP.NET 4.5, both ISAPI entries
  5. In the Features section choose: .NET 3.5, .NET 4.5, ASP.NET 4.5
  6. In the Web server section choose: Web Server (all), Management Tools (IIS Management Console and Management Service), Windows

Configuration locking can happen at:

  1. Applicationhost.config (config string: MACHINE/WEBROOT/APPHOST)

  2. a Site Web.config file (MACHINE/WEBROOT/APPHOST/Web Site Name)

  3. Any App web.config file (MACHINE/WEBROOT/APPHOST/Site Name/App Name)

Locking a section (section: IIS configuration section, eg <asp>) lets you deny the ability to configure those settings to anyone at a lower level in the hierarchy than you.

Using the GUI's Feature Delegation thingo isn't wrong, and does a very similar thing to what AppCMD does, under the covers - sets OverrideMode for a given section in a <location> tag at whatever level of config you're focused on.

APPCMD can be used to unlock files, but pay attention to where it says it's doing it - it's not as smart as the GUI about this.

Adding -commit:apphost to the end of your APPCMD UNLOCK command targets Applicationhost.config, which is the key file for IIS operation (replaces the metabase from earlier versions; stores all centralized settings but allows overrides (if you do) in web.config files).

Without -commit:apphost, APPCMD will target the closest logical spot for a web.config file - whether at the site or app level, and indicate it's changed the setting using a configuration string like the above set. (Aside: you can still target just the settings in sub web sites, but commit to apphost - it uses location tags to accomplish that)

So if it said (memory paraphrase) "Changes committed to MACHINE/WEBROOT/APPHOST", that'd mean the top level of the IIS hierarchy.

If it says "committed to MACHINE/WEBROOT/APPHOST/Dodgy Web Site", that'd mean it looked up the physical path behind Dodgy Web Site, and wrote a web.config file (or updated it) in that location.
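An added example (not code from the answers here, and not an IIS tool): a read-only check that reports where a section's lock state is set in applicationHost.config, from the `overrideModeDefault` declaration or from a `<location>` tag's `overrideMode`. The function names and the sample XML are constructed for illustration, and the model is deliberately simplified: it ignores `lockAttributes`/`lockElements`, the legacy `allowOverride` attribute, and `<location>` tags inside web.config files.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like applicationHost.config (not from a real server).
SAMPLE = """<configuration>
  <configSections><sectionGroup name="system.webServer">
    <sectionGroup name="security"><sectionGroup name="authentication">
      <section name="anonymousAuthentication" overrideModeDefault="Deny" />
      <section name="windowsAuthentication" overrideModeDefault="Deny" />
    </sectionGroup></sectionGroup></sectionGroup></configSections>
  <location path="" overrideMode="Allow"><system.webServer><security>
    <authentication><anonymousAuthentication /></authentication>
  </security></system.webServer></location>
  <location path="Dodgy Web Site" overrideMode="Deny"><system.webServer><security>
    <authentication><anonymousAuthentication enabled="false" /></authentication>
  </security></system.webServer></location>
</configuration>"""

def declared_default(root, section):
    """overrideModeDefault from <configSections>; a missing attribute means Allow."""
    *groups, name = section.split("/")
    node = root.find("configSections")
    for tag, n in [("sectionGroup", g) for g in groups] + [("section", name)]:
        node = node.find(f"{tag}[@name='{n}']") if node is not None else None
    if node is None:
        raise KeyError(f"section not declared: {section}")
    return node.get("overrideModeDefault", "Allow")

def location_overrides(root, section):
    """(path, overrideMode) of every <location> tag that contains the section."""
    return [(loc.get("path", ""), loc.get("overrideMode", "Inherit"))
            for loc in root.iter("location") if loc.find(section) is not None]

def effective_mode(root, section, target):
    """Simplified model: (mode, where it was set) as seen by web.config at target."""
    mode, source = declared_default(root, section), "overrideModeDefault"
    t = target.lower()
    hits = [(p, m) for p, m in location_overrides(root, section)
            if p == "" or t == p.lower() or t.startswith(p.lower() + "/")]
    for p, m in sorted(hits, key=lambda h: len(h[0])):  # outermost path first
        if m != "Inherit":
            mode, source = m, f'location path="{p}"'
    return mode, source

if __name__ == "__main__":
    root = ET.fromstring(SAMPLE)  # on a server: ET.parse(<applicationHost.config>).getroot()
    sec = "system.webServer/security/authentication/anonymousAuthentication"
    for site in ("Default Web Site", "Dodgy Web Site/App"):
        print(site, "->", effective_mode(root, sec, site))
```

The same report doubles as a delegation audit: any authentication section that resolves to Allow can be reconfigured from a site or app web.config.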


If you are using IIS Express and Visual Studio 2015, the applicationHost.config is stored in $(solutionDir).vs\config\applicationhost.config (thanks to Nime Cloud's answer).

Just change overrideModeDefault="Allow" wherever appropriate.

<sectionGroup name="security">
    <section name="access" overrideModeDefault="Deny" />
    <section name="applicationDependencies" overrideModeDefault="Deny" />
    <sectionGroup name="authentication">
        <section name="anonymousAuthentication" overrideModeDefault="Allow" />
etc...

Try disabling 32-bit application support in your Application Pool: IIS Manager -> Application Pools -> select [Your AppPool] -> Advanced Settings -> Enable 32-Bit Applications - change it to 'False'