I've been trying to add an additional site to one ...
# adobe
h
I've been trying to add an additional site to one of our CF2021 / IIS10 webservers without success. This server has the auto lockdown applied and I went through the lockdown guide a few years ago. I ran wsconfig and added the additional site but even a simple "default.htm" or "index.htm" file results in 500 internal server error. I checked the eventlog and see "The HTTP Filter DLL D:\CF2021\config\wsconfig\1\isapi_redirect.dll failed to load. The data is the error." When I look at the permissions for the wsconfig\1 folder, I see "groups" for each of the existing sites with read/list/read permissions, but the new site is absent. What's interesting is I don't remember creating these groups and they don't exist in Local Users and Groups so I'm assuming the wsconfig or auto lockdown tool created these, but how do I get a group for the new site added? I've tried adding the user I'm using for the IIS AppPool to the folder permissions but without any success.
e
Make sure the dll_filter is installed correctly in the application pool.
h
The ISAPI filter dll is installed identically to the other sites
I finally got it working. Some of the files within wsconfig\1 didn't inherit the permissions from the folder. Adding the IIS app pool identity to all the files in that folder with read/list/read perms fixed it.
j
Still odd if it was working for another site and then not with the same wsconfig. Did you have your virtual directories added in IIS? You should only need one wsconfig.
h
I believe the Auto-Lockdown tool is the culprit. wsconfig did not create the virtual directories for jakarta or the randomly named cfscripts. I had to create those manually. Since I believe the Auto-Lockdown tool creates groups for each site's IIS app pool and then grants permissions for those to the wsconfig\1\ folder, the user account that the new site's app pool is running under wasn't included in those. The wsconfig\1\ folder has permission inheritance disabled, so after I realized that and granted the new site's app pool user read access to the dll and properties files, the site started working. I'll probably revert this machine back before I started changing the setup and try everything again before attempting this on the production server.