Friday, April 17, 2009

ASP.NET Web.config

The ASP.NET Web.config file is used to define the configuration settings for an ASP.NET application. ASP.NET and the .NET Framework use .config files to define all configuration options. The .config files, including the ASP.NET Web.config file, are XML files.

Server-wide configuration settings for the .NET Framework are defined in a file called Machine.config. The settings in the Machine.config file can be changed and those settings affect all .NET applications on the server.

Different ASP.NET applications might need different application settings, which is why defining those settings in the Machine.config file is usually not practical. The solution to this problem is the ASP.NET Web.config file.

The ASP.NET application configuration settings can be changed by creating a file called Web.config and saving it in the root folder of the application. But what if the Machine.config file defines different settings than the ones defined in your Web.config file? The good news is that the settings in the Web.config file override the settings in the Machine.config file.

This is what a minimal Web.config file looks like:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="sConnectionString" value="Provider=SQLOLEDB;Data Source=Your_Server_Name;Initial Catalog=Your_Database_Name;User Id=Your_Username;Password=Your_Password;" />
  </appSettings>
  <system.web />
</configuration>

As you can see, we have added a new section in our Web.config called <appSettings>.

The <appSettings> section defines custom ASP.NET application settings. The <add> child element of <appSettings> adds a key/value pair, which is accessible from your application with the following code:

<customErrors> Web.config section

The <customErrors> section of the Web.config file defines the settings for handling web application errors. Below is the general syntax of this section:

<customErrors defaultRedirect="YourDefaultURL" mode="On|Off|RemoteOnly">
  <error statusCode="ErrorStatusCode" redirect="YourRedirectURL"/>
</customErrors>

The attribute mode defines how custom error handling works and can be one of the following 3 options:
On: Enabled
Off: Disabled
RemoteOnly: Enabled only for remote clients (requests coming from the local machine are not handled by these custom error settings).

You can use the <customErrors> Web.config section to define how to handle particular error codes. Here is an example of custom handling of a 404 error (File Not Found):

<customErrors mode="On">
  <error statusCode="404" redirect="Nice-FileNotFound-Page.aspx"/>
</customErrors>

<identity> Web.config section

The <identity> Web.config section defines what identity (Windows account) to use when accessing the ASP.NET application. Here is the generic syntax of the <identity> section of the Web.config:

<identity impersonate="true|false" userName="username" password="password"/>

Impersonation is the concept whereby an application executes under the context of the identity of the client that is accessing the application. This is achieved by using the access token provided by IIS.

By default, the ASPNET Windows account is used to access ASP.NET resources through the Aspnet_wp.exe process. This account is less powerful compared to the IUSR_machinename guest Internet account used by classic ASP, for example. In certain situations you might want to use the anonymous IUSR_machinename account as the account accessing your ASP.NET application, and you can do that by using the following code in your Web.config file:

<identity impersonate="true" />

In this case we use impersonation. In short, impersonation is the act of ASP.NET executing code in the context of an authenticated client (Windows account).

If you want, you can specify a particular Windows account to be used instead of the ASPNET Windows account. You can do it like this:

<identity impersonate="true" userName="WindowsDomain\YourUserName" password="YourPassword" />
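
The three sections covered above are also the ones to check when reviewing a deployed Web.config: <customErrors> with mode="Off", an <identity> element carrying a clear-text password, and an <appSettings> value with a password inside a connection string. The Python script below is an added example, not part of the original post. Its rule names, function names and sample file are constructed for illustration, and the "registry:" exemption assumes credentials stored with Aspnet_setreg.exe.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's snippets combined into one file, with mode="Off".
SAMPLE_WEB_CONFIG = r"""<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="sConnectionString" value="Provider=SQLOLEDB;Data Source=Your_Server_Name;Initial Catalog=Your_Database_Name;User Id=Your_Username;Password=Your_Password;" />
  </appSettings>
  <system.web>
    <customErrors mode="Off" />
    <identity impersonate="true" userName="WindowsDomain\YourUserName" password="YourPassword" />
  </system.web>
</configuration>"""


def has_inline_password(value):
    """True if a connection-string style value carries a non-empty Password/Pwd field."""
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep and key.strip().lower() in ("password", "pwd") and val.strip():
            return True
    return False


def audit_web_config(xml_text):
    """Return (rule, detail) findings; rule names are made up for this example."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for el in root.iter():  # iter() also reaches sections nested under <location>
        tag = el.tag.rsplit("}", 1)[-1]  # ignore an xmlns on <configuration>
        if tag == "customErrors" and el.get("mode", "RemoteOnly").lower() == "off":
            findings.append(("customErrors-off", "remote clients receive detailed error pages"))
        elif tag == "identity":
            pw = el.get("password", "")
            # Assumption: "registry:" values point at credentials stored by Aspnet_setreg.exe.
            if pw and not pw.lower().startswith("registry:"):
                findings.append(("identity-password", "clear-text password for " + el.get("userName", "?")))
        elif tag == "appSettings":
            for add in el:
                if has_inline_password(add.get("value", "")):
                    findings.append(("appSettings-credential", "password inside key " + add.get("key", "?")))
    return findings


if __name__ == "__main__":
    for rule, detail in audit_web_config(SAMPLE_WEB_CONFIG):
        print(rule + ": " + detail)
```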