Shared configuration and password expiration.

Most of you have probably heard of shared configuration.  It is a simple and convenient way to centralize IIS configuration among multiple IIS instances.  (More info on shared configuration can be found here.)

A step in setting up shared configuration is to provide a user credential that can be used to access the shared configuration.  Now, what happens when the password changes for the user?   Naturally, the IIS instances that are using the shared configuration will no longer be able to access the shared configuration on a file share and, therefore, they won't work properly.  So, in order to fix this problem, you may be thinking that all you need to do is to open the IIS Manager and just update the password.  You may be right, except that you have a chicken and an egg problem.

Although IIS Manager launches successfully, when you try to connect to the server,  you will see the following error:

You guessed it.  The IIS Manager is unable to read the configuration because it no longer has the access to the file share where the configuration file is located, hence the chicken and the egg problem.

Before we discuss how you can workaround this problem, we will first need to understand how the shared configuration works.  Before the IIS config system loads applicationHost.config, it relies on redirection.config to see if shared configuration is enabled or not.  Below is an example of redirection.config (which is located at %windir%\system32\inetsrv\config\):


        <section name="configurationRedirection" />
            <add name="IISRsaProvider" type="" description="Uses RsaCryptoServiceProvider to encrypt and decrypt" keyContainerName="iisConfigurationKey" cspProviderName="" useMachineContainer="true" useOAEP="false" />
    <configurationRedirection enabled="true" path="\\server\folder" userName="removed" password="[removed]" />

The IIS config system looks at the redirection.config file first.

If configurationRedirection is enabled, then it will try to read the applicationHost.config file from the path using the userName and password.

If configurationRedirection is disabled, it will try to read the applicationHost.config from the local file system. So, in order to temporarily get around the chicken and the egg problem, open the redirection.config in the notepad and set enabled="false". Doing so will effectively take this IIS instance out of shared configuration. More importantly, it will now allow you to launch the IIS manager and connect to the server successfully.

After launching the IIS manager, navigate to Shared Configuration page and enable shared configuration. Once enabled, update the password fields with the new password and Apply:

Now repeat the same steps in remaining IIS instances that are using the shared configuration.


  • Great post!

    I was having a slightly different problem - when I entered the path to the shared config configuration GUI, I accidentlly included a space at the end (I was cut and pasting from a file). That extra space broke the path, and rendered me unable to start inetmgr with the same symptoms as mentioned in the post. Editing redirection.config to remove the space fixed the problem.

    For the search engines, the exact message I was getting was
    c:\windows\system32>c:\Windows\System32\inetsrv\appcmd list config -section:system.webServer/rewrite/globalRules
    ERROR ( message:Configuration error
    Filename: \\?\UNC\machinename\arr \applicationHost.config
    Line Number: 0
    Description: Cannot read configuration file
    . )

    there was an error when trying to connect. Do you want to retype your credentials and try again?
    Error: Cannot read configuration file

  • Not sure how this a "Great Post" when it doesn't work. It doesn't say where to look for the redirection.config file so I've had to sewarch my entire hard drive, I changed them all but the same credentials error exists.

Comments have been disabled for this content.