That's by design. The <modules> section of system.webServer essentially defines IIS itself. If you <clear /> it, you won't be left with anything. In applicationHost.config, you should have something like this:
<modules>
<add name="HttpCacheModule" lockItem="true" />
<add name="DynamicCompressionModule" lockItem="true" />
<add name="StaticCompressionModule" lockItem="true" />
<add name="DefaultDocumentModule" lockItem="true" />
<add name="DirectoryListingModule" lockItem="true" />
<add name="IsapiFilterModule" lockItem="true" />
<add name="ProtocolSupportModule" lockItem="true" />
<add name="HttpRedirectionModule" lockItem="true" />
<add name="StaticFileModule" lockItem="true" />
...
Notice the lockItem properties. Because there are 1 or more locked items, <clear /> will throw a lock violation.
So you either need to specifically remove just the items that you don't want from web.config, or, if you really need to clear them all and add back your own, remove the lockItem="true" on each of those elements in applicationHost.config and make sure to add enough of them back so that your web server will actually work.
Edit
(Appended further information from Daniel, per his request. (Scott))
Here is what I did based on what Scott said:
Opened applicationHost.config in %windir%\system32\inetsrv\config. Note that in 64 bit Windows Server 2008, you'll need to edit the file with a 64 bit editor (the native Notepad will do, but Notepad++ won't be able to find the file). See here for more information about this.
In the <system.webServer> element, change the lockItem attribute on all modules to false.
In my web application's web.config file, I was then able to do the following:
<system.webServer>
<modules>
<clear />
</modules>
</system.webServer>
Of course, as Scott points out, this means there's no web server left, so here is the minimum set of modules I needed to get my stuff running again (YMMV):
<add name="HttpRedirectionModule" lockItem="false" />
<add name="StaticFileModule" lockItem="false" />
<add name="CustomLoggingModule" lockItem="false" />
<add name="CustomErrorModule" lockItem="false" />
<add name="IsapiModule" lockItem="false" />
<add name="AnonymousAuthenticationModule" lockItem="false" />
Also, for anyone interested, here's the backstory as to why I'm doing this.
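The procedure Scott and Daniel describe (unlock every module entry in applicationHost.config, then <clear /> in the application's web.config and add back a minimal set), written out as a PowerShell script. This is an added example, not code from either answer; it assumes an elevated 64-bit PowerShell session on the server, and the site directory $SitePath is a placeholder you must change.

```powershell
# Added example (not from the original answers). Assumes an elevated 64-bit
# PowerShell session on the IIS 7 box; $SitePath is a placeholder path.
$ConfigPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$SitePath   = 'C:\inetpub\wwwroot\MyApp'   # placeholder: your web application's folder

# A 32-bit process gets System32 redirected to SysWOW64 and will not see the
# real applicationHost.config (the Notepad++ problem Daniel mentions).
if ([IntPtr]::Size -ne 8) {
    throw 'Run this from 64-bit PowerShell so that System32\inetsrv is not redirected.'
}

# 1. Back up applicationHost.config before touching it.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.$stamp.bak"

# 2. Unlock every <add> under <modules> so that web.config may <clear /> them.
#    The XPath works whether or not the section sits inside a <location> wrapper.
[xml]$config = Get-Content -Path $ConfigPath
$locked = $config.SelectNodes("//system.webServer/modules/add[@lockItem='true']")
foreach ($node in $locked) {
    $node.SetAttribute('lockItem', 'false')
}
$config.Save($ConfigPath)
Write-Host "Unlocked $($locked.Count) module entries in $ConfigPath"

# 3. Write the application's web.config: clear everything, then add back the
#    minimal module set from Daniel's answer.
$webConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <modules>
      <clear />
      <add name="HttpRedirectionModule" lockItem="false" />
      <add name="StaticFileModule" lockItem="false" />
      <add name="CustomLoggingModule" lockItem="false" />
      <add name="CustomErrorModule" lockItem="false" />
      <add name="IsapiModule" lockItem="false" />
      <add name="AnonymousAuthenticationModule" lockItem="false" />
    </modules>
  </system.webServer>
</configuration>
'@
Set-Content -Path (Join-Path $SitePath 'web.config') -Value $webConfig -Encoding UTF8

# 4. Verify: if any module entry is still locked, <clear /> will throw a lock violation.
[xml]$check = Get-Content -Path $ConfigPath
$still = $check.SelectNodes("//system.webServer/modules/add[@lockItem='true']").Count
if ($still -ne 0) { throw "$still module entries are still locked" }
Write-Host 'No locked module entries remain; web.config may now <clear /> the list.'
```

Two caveats for anyone copying the minimal list: it keeps only AnonymousAuthenticationModule, so Windows, Basic and Forms authentication and URL authorization are gone for that application, and it omits RequestFilteringModule, so request filtering (extension, segment and query-string limits) no longer applies to it. Add those back if the application relies on them. Unlocking the entries in applicationHost.config also means any web.config on the box can now clear the server's module list, so keep the backup and restrict who can write web.config files.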
Best Answer
Which keystore did you install the certificate into? If you right-clicked on the PFX file and selected 'install' then the answer is your user account's personal store.
Certificates for IIS should be installed in the local computer keystore. The best way to do this is by using the Certificates MMC snap-in.
I've never received the error you posted, but there's a good chance IIS 7 is smart enough to export the certificate from your User account to the Computer account where it belongs.
Does Event Viewer provide any additional information about which logon it's trying to access?