To be able to unencrypt the sytem.web/identity section you must have this entry as the last line of your section.
<validation validateIntegratedModeConfiguration="false"/>
Example:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
</modules>
<handlers>
<remove name="UrlRoutingHandler" />
</handlers>
<validation validateIntegratedModeConfiguration="false"/>
</system.webServer>