IIS 7: But why do I get a 500.19 – Cannot add duplicate collection entry- with 0x800700b7 !?

(Because I’m sure that was your exact exclamation when you hit it!)

Also applies to IIS 7.5 (Windows Server 2008 R2), IIS 8.0 (Windows Server 2012), IIS 8.5 (Windows Server 2012 R2) and IIS 10 (Windows Server 2016).

The Background

This week, I was out at a customer site performing an IIS Health Check, and got pulled into a side meeting to look at an app problem on a different box.

The customer was migrating a bunch of apps from older servers onto some shiny new IIS 7.5 servers, and had hit a snag while testing one of these with their new Windows 7 build.

To work around that, they were going to use IE in compatibility mode (via X-UA-Compatible), but adding HTTP response headers caused the app to fail completely and instantly with a 500.19 configuration error.

We tested with a different header (“X-UA-Preposterous”) and it had the same problem, so we know it’s not the header itself.

“Now that’s interesting!”

At first I thought it was app failure, but as it turns out…

The Site Layout

This becomes important – remember I noted that the app was being migrated from an old box to a new one?

Well, on the old box, it was probably one app of many. But the new model is one app per site, so a site was being created for each app.

The old location for the app was (say) http://oldserver/myapp/, but the contents were copied to the root of http://newsite/ on the new server.

To allow the app to run without modification to all its paths, a virtual directory was created for /myapp/ (to mimic the old path) which also pointed to the root of newsite.


So myApp above points to c:\inetpub\wwwroot , and so does Default Web Site.

Setting up the problem

So, using the GUI, I set the X-UA-Compatible header to IE=EmulateIE7. The GUI wrote this to the web.config file, as you can see in the status bar at the bottom:


Browsing to a file in the root of the website works absolutely fine. No problem at all.

Browsing to anything in the /myApp/ vdir, though, is instantly fatal:


If you try to open HTTP Response Headers in the /myApp/ virtual directory, you also get a configuration error:


What does that tell us? It tells us that the configuration isn’t valid… interesting… because it’s trying to add a unique key for X-UA-Compatible twice.

Why twice? Where’s it set? We’re at the site level, so we checked the Server level HTTP Response Headers… blank.

But… it’s set in a web.config file, as we can see above. And the web.config file is in the same location as the path.

Lightbulb moment

Ah. So we’re probably processing the same web.config twice, once for each segment of the url!

So, when the user requests something in the root of the site, like http://website/something.asp:

1. IIS (well, the W3WP configuration reader) opens the site’s web.config file, and creates a customheaders collection with a key of X-UA-Compatible

2. IIS Serves the file

And it works. But when the user requests something from the virtual directory as well – like http://website/myApp/something.asp

1. IIS opens the site web.config file, and creates a customheaders collection with a key of X-UA-Compatible

2. IIS opens the virtual directory web.config file (which is the same web.config file) and tries to create the key again, but can’t, because it’s not unique

3. IIS can’t logically resolve the configuration, so responds with an error

Options for Fixing It

1. Don’t use a virtual directory

(or rather, don’t point the virtual directory to the root of the website)

This problem exclusively affects a “looped” configuration file, so if you move the site contents into a physical directory in that path, it’ll just work.

There will be one configuration file per level, the GUI won’t get confused, and nor will the configuration system.

Then you just use a redirecting default.asp or redirect rules to bounce requests from the root to /myApp/ .

2. Clear the collection

You can add a <clear /> element to the web.config file, and that’ll fix it for any individual collection, as shown here:

      <clear />
<add name=”X-UA-Compatible” value=”IE=EmulateIE7″ />

The clear element tells IIS to forget what it thinks it knows already, and just go with it. (When you break inheritance of a collection in the GUI, this is what it does under the covers).

The problem with this approach is that you need to do it manually, and you need to do it for every collection.

In our case, we had Failed Request Tracing rules as well which failed with the same type of error, promptly after fixing the above problem, confirming the diagnosis.

3. Move the configuration

And this splits into two possible approaches:

3a. Editing Applicationhost.config by hand

You can remove the web.config and use a <location path=”New Site/myApp”> tag in applicationhost.config to store configuration, and that’ll work until someone uses web.config again.

3b. Using Feature Delegation

If you do want to prevent web.config being used, you can use the Feature Delegation option to make all properties you don’t want people to set in web.config files Read-Only. (aka “lock” those sections). “Not Delegated” would also work.


This can be done per-Site using Custom Site Delegation, or globally.

And! This has the added happy side-benefit of making the GUI target applicationhost.config, rather than creating or modifying web.config files for that site.


Hope that helps you if you hit it…

IE8 and IE9 Taskbar Icons


I’ve been working on my tablet for the last week, and found myself really really missing IE9, even though I swore I wouldn’t install it on this, in the interests of production-readiness. So, with the work done, I’m installing it. Gimme my tearoff tabs back. It’s enough to make me consider reverting the taskbar to default non-full button-ness.

Wanted: New Tablet. Thin, light, quickish, immortal battery.


  • Multitouch
  • Active Digitizer (Pen support, preferably pressure-sensitive)
  • Thin (Don’t need a DVD drive, and small bulk is important for travelling)
  • Light (again, travelling)
  • SSD-capable (for a later upgrade)
  • 8ish hour battery life
  • 4GB+
  • Integrated 3G
  • TPM (this teeny little thing is really a license to demand wads of cash, isn’t it?)

Plus, if at all possible, cheap. For the above, I’d stretch to $AUD2000, but I’m loath to spend more than that.

I was waiting patiently to see an Acer 1820PTZ in the flesh, but it looks like the 1825PTZ has just been announced and the 1820PTZ seems rare (to say the least) right now. In favour of Acer: I really like my Acer 23” touch LCD screen, but I’m concerned that while it uses USB, it doesn’t have a hub built into it. Oversight, or pure madness? I don’t know. I’ve been eyeing an 1810PT in Dick Smith – it’s only $900, claims an 8-hour (widely substantiated) battery life, and is light and has a multi-track pad… but no touch, no pen, and little real need if I’m not taking it on the road and just using it on the couch.

My Dell XT is a reasonable laptop, but its battery life is suboptimal, and Dell politely didn’t respond to my inquiry as to getting a larger battery pack for it a while back. Their model range seems to have undergone a battery-life-less refresh recently (the V13/Latitude 13 looks very nice, but I want more than 6 hours from a charge, and touch). Plus, the dearth of customization options for most of them on the AU website doesn’t make me happy.

HP don’t seem to do thin and light and tablet (or if they do, I haven’t seen one). Love my touchsmart, was blown away by the newer model in JB Hi Fi the other day, but it’s expensive. And notably for this discussion, not a tablet.

The Lenovo X201T seems to have been refreshed with Core i5/7 processors, but the cost is prohibitive if I’m buying one myself – not to mention that their AU website doesn’t mention that yet.

My Fujitsu P1610 with 6-cell is still my personal travel laptop of choice, but it cost $3000 a few years back and performs about as well as your average netbook, plus the touch screen got “bubbly” (when drawing, not physically) near the start button, making it hard to use in that area. The other Fuj tablets don’t seem to share the AWESOME function key layout of the P1610 (Fn-left for Home, Fn-right for End, Fn-Up/Dn for PgUp/Dn – the efficiency is incredible, and it has to be experienced to be believed), and they tend to look vertically chunky. Did I mention they were generally expensive?

I’d accept a really thin clamshell with touch, but I’d miss the pen support, which I tend to use a lot when trying to explain concepts to people. So ideally, it’s still a tablet for me, for the road.

(Or do I just jam a small Wacom in my travel bag? I can’t say I’ve ever seen anyone use a graphics tablet in a technical meeting before, and imagining it, I’m pretty sure I can imagine why not).

So – anyone got a tip for a small, thin, light, fastish laptop with immortal battery life and tablet capabilities?

MicroUSB – a quick “yay!”

The Kindle 2 I bought recently used a new and strange USB cable – one I hadn’t seen before.

Then, the HTC HD2 I bought turned out to use exactly the same plug, which I now know is MicroUSB!

So now, I travel with one cable to charge the phone (nightly) and the Kindle (hardly ever).

Yay MicroUSB. Let the proliferation commence.

ISA Server 2006 TCP Retransmits

Health Checks

I perform ISA Server Health Checks for Premier Support (via Premier Field Engineering) as part of my role.

I’ve seen something a few times recently that I thought it might be helpful to call out, while poking around in the Performance Monitor TCPv4 counter area.

The Problem

In short: Lots of TCP retransmissions per second.

Like, lots. More than 1% is annoying; any more than 5% and you pretty surely have a problem.

Recently, I’ve been seeing 20%.

That’s right, kids, according to Perfmon’s statistics, one in five TCP packets requires retransmission. But! That doesn’t necessarily jive with what’s seen on the wire, suggesting it might be an internal driver or hardware problem.

If your ISA Server seems like it might be a bit slow, and you haven’t looked yet, go look. I’ll wait. You’re interested in the TCPv4 object, specifically the Segments/sec and Segments Retransmitted/sec counters.

What I’ve seen looks like this:


The green area is TCPv4\Segments/sec. The red area is TCPv4\Segments Retransmitted/sec. They’re using the same scale.

Notice that the retransmission figures track with the overall volume.

This 20% figure has been seen across HP and Broadcom (and possibly Intel) server NICs, so I don’t think it’s specific to either vendor.

Fixing It

In at least one of the places I found this, a simple driver upgrade to the latest version available looked like it fixed the problem.

Otherwise, it could indicate a NIC issue, or a hardware issue with the switch.

If you find yourself in this situation, and do resolve it, please do post details in the comments section below.

My new roadmouse

They wanted me to post about Windows phones.

Well, I’m going to fight the power. Buck the trend. Talk about my new favourite travelling companion.

It is the surprisingly-catchily-titled Microsoft Mobile Memory Mouse 8000.


First cool feature: Magnets everywhere!

The wireless transceiver doubles as a 1GB USB stick, and has a magnetic doohickie on the end that the charge cable happily snuggles up to.

The same cable has another magnetic dock on the underside of the mouse.

Next cool feature: Use it like a wired one!

With the mouse power switch in the “off” position, I’m still happily mousing away with the cable connected.

Next cool almost-hidden feature: It does Bluetooth too!

You can select between the 2.4Ghz Wireless thingy supplied by the dongle, or regular Bluetooth connectivity with a switch under the battery cover. And since I got bluetooth fixed on my laptop, that actually makes some sense, and means that – as long as it’s charged already – I can use the mouse for a fair while without having to find the memory stick slash dongle slash cord thing.

I have no idea how I came into possession of this one, but it’s quickly replaced the (fleet of) Notebook Optical Mouse (s) that I’ve loved – yes, loved – over the years for its size, lightness and plucky go-anywhere courage.

It is, however, heavier: there’s a nice metal finish, and obviously a rechargeable battery in there, but I don’t find myself minding that much.

From the wish-it-didn’t department: 4-way scroll wheel that I’d have happily substituted for a fatter non-side-scrolling regular wheel (middle clicks are a bit sharp and rolly), and thumb buttons discreetly out of thumb’s reach on the left. I hate thumb buttons (unlike Jeff), but these are unobtrusive enough that you’re unlikely to hit them accidentally.

So perhaps I’m just getting old – and I certainly don’t play as many first person shooters as I used to, especially not on this 1.2Ghz-and-PATA-toting Dell XT – but this mouse seems to do just fine for the moment. Recommended!

Brought to you by the number 8000, and the word “shill”. 🙂

PL15W2SP.DLL vs Firewall Client

As I possibly misspelled or misremembered it, the PL15ws2p.dll (possible sic) file was installed as a Winsock Layered Service Provider on a couple of boxes at a customer site.

Coincidentally, these machines were Windows Server 2008 machines where we couldn’t get the Firewall Client to work properly.

We found that there was a third party LSP using:

NETSH WINSOCK SH CA > catalog.txt

And then opening catalog.txt in notepad. The properties of the Pl15ws2p.dll indicated that it was a signed DLL from American Power Corporation or similar (APC or ACP; one of those no-notes half-hours), and that it was used in some sort of management capacity.

But only one of the machines had this APC software installed on it, and the other didn’t… perhaps it got left behind when it was being uninstalled? The search engines didn’t seem to know much about it.

Either way, next step was clear:


To return the Windows Sockets provider list to its shiny defaults, and reboot the computer.

After that, the Firewall Client wasn’t working (which we expected).

A Repair from Not-Called-Add-Remove-Programs-Any-More-Now-It’s-Programs-And-Features-Silly fixed that up.

Cool, huh? Remember: when nothing makes sense and the configuration looks good, perhaps LSPs are to blame?

Now if only I could get my stupid Huawei 3G modem working on my Win7 laptop again (“Device attached to the system is not functioning”… thaaanks).

Vista-Stylez File Management in Windows 7 Beta

If you’re finding file management frustrating because the folder pane seems strangely inactive in the Windows 7 beta, it’s probably because it is. It’s perfect for light filing use, but not so good for folder-stuffing and navigational acrobatics. Which I seem to do.

I filed a bug using Send Feedback on that just now, complaining it was harder to organize files en masse with the new system, especially with an extensive folder hierarchy, cos I had to use two windows, and while I love the Snap Left and Snap Right feature to a point, blah, blah blah, whine. (Hey, does anyone know how to tile vertically?)

Of course, seconds after filing the bug, I experimentally right-clicked in the folder area of the Win7 Explorer interface, and there are precisely the options to restore Vista-like behaviour:


It’s also in Folder Options. (oops). The trick to finding it in the Explorer pane is to right-click a blank area, not one of the items.

My bad. Sorry, Win7 team. I take it all back, and I’ll pay for any damage*.

Home Hyper-V Networking Gotchas

Before the holidays, I bought myself an early present: a new quad-core box with 4GB RAM, which I was going to use for a home Hyper-V lab, so that I could run a bunch of 64-bit VMs as well as the 32-bit staples I’ve been using for years (SBS 2003, and a separate ISA Server box).

I’d had Windows Server 2008 installed on my Virtual Server host for a while, and use it with Routing and Remote Access (RRAS)’ NAT to provide a simple internet gateway for a segment of my internal network.

Lesson #1: Core Quad Q8200s don’t support VT (that’s Hyper-V, kids)

There was a 1300Mhz FSB Q8200 available for the same price as a Q6600, and I figured that I couldn’t go wrong with that. Surely, I thought, all Intel CPUs since the Core2 Duos support Hyper-V?

Well, no, said Intel, and thanks for your money (stupidty tax, I seem to pay a lot of it). The one Quad core chip that doesn’t support Hyper-V is the one I bought. Q8200 is being phased out (I read somewhere), so this mistake should be easily avoidable in the future. Or now, by how-you-say smarter people.

Lesson #2: When you Hyper-V-ify a Parent Partition, It’s Sort Of A Client Too (aka “You may need to set stuff like RRAS up again with the new virtualized network adapters”)

What I mean by this is that when I got the Right CPU and installed Hyper-V, I was without Internets.

To cut a long and boring troubleshooting story short: the physical network adapters I’d configured in RRAS were no longer the Right Network Adapters.

I set up new virtual networks for each physical adapter (one Internet, one Local), and then had to set up RRAS again, because it didn’t think there were any new interfaces to set up – it was quite happy only seeing the old ones, thank you very much.

After checking both virtual adapters were visible in the Network Connections interface, and that they had the right IPs assigned, I rechecked my Windows Firewall settings and ran a port probe to confirm only ports I knew I wanted open were open (RRAS Basic Firewall doesn’t exist any more in 2008, so be careful with dual-homing where the Internet is attached to one of your adapters).

The disconnect here was that I was assuming the parent partition would see the physical hardware – it does, it just doesn’t use it directly any more, it looks like it uses the virtualized setup instead, at least to some extent.

Lesson #3: Hyper-V and DHCP didn’t like each other when the physical host became the parent partition

My RRAS server had (to this point) been my DHCP server for the internal network. This was all fine, and seemed to be working okay (or had my lease durations just not expired yet?), except for the new virtual hosts I created today.

There’s some lore floating around on the forums that worked for me – the bit that worked was manually adding a REG_MULTI_SZ called IPAddress to the likeliest-looking adapter interface in the registry, because Hyper-V setup for whatever reason doesn’t do that.

The DHCP server wouldn’t bind to the physical adapters (or even show them in the Bindings interface), presumably because IPv4 and IPv6 was unbound from them (interesting, hey?) and also wouldn’t show me either of the virtual adapters, which I guess is due to the lack of a static IP address on either of them.

Now, though, my setup’s working nicely, everything more or less as it was before, only virtualized. And thus, you know, more sexy.

Back With A Semblance

It’s a new year, I have a new job, and I have new stories to tell*!

I had a lovely Christmas break, thanks for asking, and now I’m back, I’ve moved into my new role as a Premier Field Engineer. PFEngineering is the part of the organization tasked with helping customers optimize and healthify their deployments of our software.

In my new role, I spend more time on fewer things, and more time actually in customer environments. I’m a professional poker, prodder and proofreader.

My focus has expanded, from IIS alone out to IIS, ISA Server, PKI and Security, and I’m likely to be expanding those a little further too.

It’s good to be back in the field. I enjoy working in real (and, um, virtualized) environments, with real (and virtualized) people, fixing things quickly, demonstrating my suddenly-wonderful touch-enabled Dell XT Tablet PC (Mary Jo might hate touch, but I’ve been sold since I used it with Teh Vistar, and Win7 is even better… more on that some other time).

* I lied about having new stories to tell right now. But soon. Sooooon.