In ASP.NET, configuration information is stored in one of two files: machine.config or web.config. While an application can have as many web.config files as it has directories and subdirectories (subject to scope limitations of some elements), there is only one machine.config file per machine; it contains the default configuration information for every web application, as well as other application types, on the machine. This information includes Windows Forms applications, security settings, remoting settings, and other network settings. You should use extreme caution when editing machine.config to avoid accidentally making changes that break other applications. It's probably a good idea to back up the machine.config file before editing it, in case you need to restore the original settings.
web.config is an optional configuration file that is stored with each web application. If an application contains a web.config file, the file takes precedence over machine.config (i.e., the settings in web.config override those in machine.config). If a web application does not contain a web.config file, it inherits its settings from machine.config. An application may have multiple web.config files, but each must reside in its own directory or subdirectory.
The web.config files in an application are hierarchical. Just as the settings in a web.config file in the application root will override the settings in machine.config, the settings in a web.config file in a subdirectory will override those in a web.config file in the parent directory.
The syntax of the machine.config and web.config files is based on XML. Each configuration section consists of a parent element that may in turn contain attributes or child elements. In the following snippet, the <configuration> and <system.web> elements are standard elements that are required in each web.config file. The <authentication> and <authorization> elements are parent configuration elements, while the <deny> element is a child element of the <authorization> element:
<configuration> <system.web> <authentication mode="Windows"/> <authorization> <deny users="?"/> </authorization> </system.web> <configuration>
The configuration of an ASP.NET application depends on which elements you include in your web.config file and on the values of their attributes (and any attributes of their child elements), as well as the defaults established in the machine.config file for that machine. Chapter 20 documents the configuration elements in detail. Most of this chapter looks at practical examples of how to set common configuration settings.
Related IIS Settings
It is very important to understand that ASP.NET configuration is distinct from IIS configuration. In most cases, configuring an ASP.NET application requires no changes to the configuration of IIS. One exception is that the settings for IIS may still need to be configured to make certain authentication modes, such as Windows authentication, work (although in many cases, the defaults will work fine).
The reason why most configuration settings do not require changes to IIS configuration is that when a request is made for a resource that is handled by ASP.NET, IIS is only involved long enough to hand that request over to the ASP.NET worker process, which is completely separate from IIS. In fact, you can host ASP.NET applications without even using IIS with the classes in the System.Web.Hosting namespace. The operation of the ASP.NET worker process is configured by machine.config and web.config, while IIS configuration settings remain in the IIS metabase.