
IIS HTTP Error 500.19: Cannot read configuration file / config section locked

IIS can't apply web.config because a section is locked at a parent level or the file references a module that isn't installed.

What you see

HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration
data for the page is invalid.
Config Error: This configuration section cannot be used at this path.
Error Code: 0x80070021

What’s actually happening

The site returns a yellow 500.19 page and names the offending config line. The error page is unusually helpful here — it shows the exact <section> and the physical path to the web.config it choked on. 0x80070021 specifically means the section is locked (delegation denied) at machine or applicationHost level; other codes under 500.19 point at malformed XML or a missing handler module instead.

Common causes

  • A config section (commonly <system.webServer> children like <handlers>, <modules>, or <rewrite>) is locked with overrideModeDefault="Deny" in applicationHost.config, so the app-level web.config can't override it (this is the 0x80070021 case).
  • A required module isn't installed — the classic one is URL Rewrite: web.config has a <rewrite> section but the URL Rewrite module was never added, so IIS doesn't recognize the section.
  • ASP.NET / the right .NET hosting bundle isn't registered, so <system.web> or <aspNetCore> sections are unknown.
  • Malformed web.config — a stray tag, duplicate element, or bad encoding (BOM) — which throws a different 500.19 code like 0x8007000d.
  • NTFS permissions: the IIS app-pool identity (IIS AppPool\YourPool) can't read web.config (rarer, but produces 500.19 with an access error).

How to fix it

  1. Read the Config Source block on the error page. 500.19 prints the exact lines of web.config it failed on, with the bad line highlighted, plus the Error Code. Match the code first: 0x80070021 = locked section, 0x8007000d = malformed XML, 0x80070005 = permissions. That tells you which of the fixes below applies before you change anything.
  2. For 0x80070021, unlock the section. The section is locked at a parent level. Unlock it for that path: appcmd unlock config /section:handlers (or modules, or the specific section named). Or in IIS Manager open Feature Delegation and set the feature to Read/Write. Editing applicationHost.config directly, set overrideModeDefault="Allow" on that <section>. Only unlock the specific section the error names.
  3. Install the missing module. If the named section is <rewrite>, install URL Rewrite from the Web Platform Installer or the standalone MSI, then iisreset. For <aspNetCore>, install the .NET Hosting Bundle (not just the runtime) and restart. IIS rejects sections it has no module to handle, so the fix is adding the module, not editing the config.
  4. Validate the XML if the code is 0x8007000d. Open web.config in an editor that flags XML errors, or run it through any XML validator. Look for unclosed tags, duplicate <add> keys, and a UTF-8 BOM that some editors inject. Save as UTF-8 without BOM.
  5. Check app-pool read access for 0x80070005. Grant the pool identity read on the file: icacls "C:\inetpub\wwwroot\site\web.config" /grant "IIS AppPool\YourAppPool:R". Confirm the app pool's identity in Advanced Settings matches what you granted.
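The five steps above, collected into one PowerShell triage script. This is an added example, not code from the original article: it takes the hex code and section name copied from the error page and applies only the fix that matches that code, refusing to unlock anything broader than the single section named. The site path C:\inetpub\wwwroot\site, the pool name YourAppPool and the default section system.webServer/handlers are placeholders, and the module check assumes the WebAdministration PowerShell module (shipped with the IIS management tools) is present. Run it from an elevated prompt on the IIS host.

```powershell
<#
  Added example (not part of the original article): map a 500.19 hex code to the
  matching fix. Placeholders: site path, pool name, section name. Requires an
  elevated prompt; the module check assumes the WebAdministration module is installed.
#>
param(
    [Parameter(Mandatory)] [string] $ErrorCode,                    # copied from the error page, e.g. 0x80070021
    [string] $WebConfig = 'C:\inetpub\wwwroot\site\web.config',    # physical path printed on the error page
    [string] $AppPool   = 'YourAppPool',                           # identity shown in the pool's Advanced Settings
    [string] $Section   = 'system.webServer/handlers'              # the <section> the error page names
)

$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

function Test-RequiredModules {
    # Step 3: a section IIS has no module for cannot be fixed in web.config.
    # Report whether the global module behind each such section is registered.
    Import-Module WebAdministration
    $registered = (Get-WebGlobalModule).Name
    $needed = @{
        'system.webServer/rewrite'    = 'RewriteModule'       # URL Rewrite
        'system.webServer/aspNetCore' = 'AspNetCoreModuleV2'  # .NET Hosting Bundle
    }
    foreach ($entry in $needed.GetEnumerator()) {
        if ($registered -contains $entry.Value) {
            Write-Host "$($entry.Key): $($entry.Value) is registered."
        } else {
            Write-Warning "$($entry.Key): $($entry.Value) is NOT registered; install the module, then iisreset."
        }
    }
}

switch ($ErrorCode.Trim().ToLower()) {

    '0x80070021' {
        # Step 2: locked section. Unlock only the one section the error page printed;
        # unlocking all of system.webServer widens what every site's web.config may change.
        if ($Section -notmatch '^system\.(webServer|web)/[A-Za-z0-9/]+$') {
            throw "Refusing to unlock '$Section': pass the single section path from the error page."
        }
        & $appcmd unlock config "/section:$Section"
    }

    '0x8007000d' {
        # Step 4: malformed XML. Check for a UTF-8 BOM, then let the XML parser report
        # the first unclosed or duplicate element (the [xml] cast throws with line/column).
        $bytes  = [System.IO.File]::ReadAllBytes($WebConfig)
        $hasBom = $bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF
        if ($hasBom) { Write-Warning "$WebConfig starts with a UTF-8 BOM; re-save as UTF-8 without BOM." }
        try {
            [xml](Get-Content -Raw -Path $WebConfig) | Out-Null
            Write-Host 'web.config is well-formed XML; if IIS still rejects it, check the named section''s module.'
            Test-RequiredModules
        } catch {
            Write-Warning "web.config is not well-formed: $($_.Exception.Message)"
        }
    }

    '0x80070005' {
        # Step 5: access denied. Grant the pool identity read (R) on the file and nothing more.
        & icacls $WebConfig /grant "IIS AppPool\${AppPool}:R"
    }

    default {
        # Any other 500.19 code: report registered modules so the missing bundle is obvious.
        Write-Host "Unhandled code $ErrorCode; checking required modules."
        Test-RequiredModules
    }
}
```

The section-name guard is the point of step 2's "only unlock the specific section" advice in code form: the script will not accept a wildcard or a bare system.webServer, so a hurried fix cannot hand every application on the server the right to rewrite handlers or modules.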

Stop it recurring

Match the error's hex code to its cause before touching anything, and bake required modules (URL Rewrite, .NET Hosting Bundle) into your server image so configs never reference a section IIS can't parse.

Related errors