Internal Server Error with web.config ipSecurity

This is my web.config which has some tags for blocking Ipaddress

        <ipSecurity allowUnlisted="false"> 
             <add ipAddress="" allowed="true"/>
             <add ipAddress="" allowed="true"/> 

My intention is to block any other IP except the above. The above is the only Ip address I want the website to be accessible from . But with “ipSecurity” tag I am always getting
500 – Internal server error and the site runs fine without it.

I have made sure that “IP and Domains Restrictions” are installed on the server.
Please let me know if I am missing anything.
Thank you.


Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

For others that run into this issue. The cause of the issue is that Feature Delegation doesn’t allow the feature to be managed by web.config.

To Fix:

Verify that the Feature is enabled for web.config management

  • In IIS 7, click on the root server
  • Double click Feature Delegation (under management)
  • Scroll down to IPv4 Address and Domain Restrictions
    • Change the delegation to Read/Write (in my case it was Read Only, which was the issue)

Hope this helps someone else.

Method 2

For Windows 10 and Visual Studio 2015 note that the ApplicationHost.config file has been relocated to the .vsconfig folder in your project’s folder hierarchy. You will need to edit the project specific version of the ApplicationHost.config file found there with…

<section name="ipSecurity" overrideModeDefault="Allow" />

If you only edit the ApplicationHost.config located in your DocumentsIISExpress folder this will not affect your existing application (MVC5 appl in my case).

Method 3

Open the applicationHost.config file (located at %windir%system32inetsrvconfigapplicationHost.config) and edit the ipSecurity section.

Change this line:

<section name="ipSecurity" overrideModeDefault="Deny" />

<section name="ipSecurity" overrideModeDefault="Allow" />

Method 4

Are you editing the config by hand or through IIS manager?

See this post about that error message as you may not have that feature delegation enabled

Method 5

Try this outside System.Webserver tag

<location path="Default WebSite">
            <ipSecurity allowUnlisted="false">
               <add ipAddress="" allowed="true"/>
             <add ipAddress="" allowed="true"/> 

Method 6

Hopefully this will help someone…

I am running IIS express on Windows 7 locally and did the following – Control panel > Programs > Programs and features > Turn Windows features on or off

In the Windows Features dialog ensure the IP Security option is checked:

enter image description here

I also had to open up my applicationhost.config (under %userprofile%DocumentsIISExpressconfig) file and change the following:

<section name="ipSecurity" overrideModeDefault="Deny" />

<section name="ipSecurity" overrideModeDefault="Allow" />

Method 7

Don’t forget custom site delegation. This allows you to only allow delegation to sites you intend.

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x