
Enable authentication for IIS app in Powershell


I had the issue of dealing with locked sections, and the accepted answer proposes opening up a GUI to solve it, which I am trying to avoid with PowerShell in the first place.

Short Answer

Enable Windows Authentication and Disable Anonymous Authentication

$iisSiteName = "Default Web Site"
$iisAppName = "MyApp"

Write-Host "Disable anonymous authentication"
Set-WebConfigurationProperty -Filter '/system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled' -Value 'false' -PSPath 'IIS:\' -Location "$iisSiteName/$iisAppName"

Write-Host "Enable windows authentication"
Set-WebConfigurationProperty -Filter '/system.webServer/security/authentication/windowsAuthentication' -Name 'enabled' -Value 'true' -PSPath 'IIS:\' -Location "$iisSiteName/$iisAppName"

Dealing with Locked Sections

As noted in the IIS documentation:

Authentication sections are usually locked, i.e. they can't be written to a web.config file but have to be written to the central applicationhost.config file instead.

We have to use -PSPath and -Location parameters.

Set-WebConfigurationProperty -filter /system.webServer/security/authentication/windowsAuthentication -name enabled -value true -PSPath IIS:\ -location DemoSite/DemoApp
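
The -PSPath 'IIS:\' plus -Location approach from the answer above, wrapped as an added example (not code from this page) that also reads the values back so a deployment script fails if anonymous access is still on. The function name Set-IisAppWindowsAuthOnly is hypothetical; the example assumes the WebAdministration module and an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example: the function name and structure are illustrative assumptions.
Import-Module WebAdministration

function Set-IisAppWindowsAuthOnly {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SiteName,   # e.g. "Default Web Site"
        [Parameter(Mandatory)] [string] $AppName     # e.g. "MyApp"
    )

    $location = "$SiteName/$AppName"
    if (-not (Test-Path "IIS:\Sites\$SiteName\$AppName")) {
        throw "IIS application '$location' was not found."
    }

    # Desired end state: anonymous off, Windows authentication on.
    $desired = [ordered]@{
        anonymousAuthentication = $false
        windowsAuthentication   = $true
    }
    $base = '/system.webServer/security/authentication'

    foreach ($section in $desired.Keys) {
        # Writing at 'IIS:\' with -Location puts a <location> entry in
        # applicationHost.config, so the locked section does not need unlocking.
        Set-WebConfigurationProperty -Filter "$base/$section" -Name 'enabled' `
            -Value $desired[$section] -PSPath 'IIS:\' -Location $location
    }

    foreach ($section in $desired.Keys) {
        # Read the setting back from the same location and compare.
        $actual = (Get-WebConfigurationProperty -Filter "$base/$section" `
            -Name 'enabled' -PSPath 'IIS:\' -Location $location).Value
        if ($actual -ne $desired[$section]) {
            throw "$section is enabled=$actual at '$location'; expected $($desired[$section])."
        }
        [pscustomobject]@{ Location = $location; Section = $section; Enabled = $actual }
    }
}

# Sample values taken from the answer above.
Set-IisAppWindowsAuthOnly -SiteName 'Default Web Site' -AppName 'MyApp'
```

Because the setting is written centrally, individual web.config files still cannot re-enable anonymous authentication for the application.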


You don't need separate -PSPath and -Location parameters. You can combine them like this:

-PSPath "IIS:\Sites\$SiteName\$AppName"

So the actual command will look like this:

Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/windowsAuthentication" -Name Enabled -Value True -PSPath "IIS:\Sites\$SiteName\$AppName"

Note that you may run into this error:

Set-WebConfigurationProperty : This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

Tomfanning over at ServerFault provided the solution here. I have repeated his steps here:

  1. Open IIS Manager
  2. Click the server name in the tree on the left
  3. Right hand pane, Management section, double click Configuration Editor
  4. At the top, choose the section system.webServer/security/authentication/anonymousAuthentication
  5. Right hand pane, click Unlock Section
  6. At the top, choose the section system.webServer/security/authentication/windowsAuthentication
  7. Right hand pane, click Unlock Section