How can I set IIS Windows Auth Providers with powershell?

Tagged: powershell


It is possible to do this with PowerShell. For the scenario I was working with I wanted to configure a specific site rather than changing the default setting. This isn't possible in a web.config by default as all of the authentication settings are set to overrideModeDefault="Deny". This means that the changes need to be made to applicationhost.config directly.

The end result of what I was looking for was:

<location path="MySite">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="true">
                    <providers>
                        <clear />
                        <add value="NTLM" />
                        <add value="Negotiate" />
                    </providers>
                </windowsAuthentication>
            </authentication>
        </security>
    </system.webServer>
</location>

By doing a clear before adding the providers back in the order of their priority is changed.

To first of all disable anonymous authentication and enable windows authentication I use the following:

Set-WebConfiguration system.webServer/security/authentication/anonymousAuthentication -PSPath IIS:\ -Location MySite -Value @{enabled="False"}
Set-WebConfiguration system.webServer/security/authentication/windowsAuthentication -PSPath IIS:\ -Location MySite -Value @{enabled="True"}

Then to add the <clear /> tag:

Remove-WebConfigurationProperty -PSPath IIS:\ -Location MySite -filter system.webServer/security/authentication/windowsAuthentication/providers -name "."

Finally, to add the providers in order:

Add-WebConfiguration -Filter system.webServer/security/authentication/windowsAuthentication/providers -PSPath IIS:\ -Location MySite -Value NTLM
Add-WebConfiguration -Filter system.webServer/security/authentication/windowsAuthentication/providers -PSPath IIS:\ -Location MySite -Value Negotiate
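The four steps above as one script, added here as an example rather than taken from the answer. It targets the site name "MySite" from the answer, runs the steps in order and then reads the provider list back for the site; the read-back assumes the Collection property that Get-WebConfiguration exposes on IIS collection elements.

```powershell
# Added example (not from the original answer): apply the per-site Windows auth
# settings described above and confirm the provider order afterwards.
# Assumptions: site is named "MySite"; the read-back relies on the .Collection
# property of the ConfigurationElement returned by Get-WebConfiguration.
Import-Module WebAdministration

$site  = 'MySite'
$auth  = 'system.webServer/security/authentication'
$provs = "$auth/windowsAuthentication/providers"
$order = @('NTLM', 'Negotiate')   # desired priority: first entry is tried first

# 1. Anonymous off, Windows auth on, scoped to this site only.
#    Because the section is locked (overrideModeDefault="Deny"), -Location writes a
#    <location path="MySite"> element into applicationHost.config rather than web.config.
Set-WebConfiguration "$auth/anonymousAuthentication" -PSPath 'IIS:\' -Location $site -Value @{enabled = 'False'}
Set-WebConfiguration "$auth/windowsAuthentication"   -PSPath 'IIS:\' -Location $site -Value @{enabled = 'True'}

# 2. Drop the inherited provider list for this site; this is what emits <clear />.
Remove-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $provs -Name '.'

# 3. Re-add the providers in the order they should be offered.
foreach ($p in $order) {
    Add-WebConfiguration -Filter $provs -PSPath 'IIS:\' -Location $site -Value $p
}

# 4. Read the effective provider list back for the site (assumed .Collection usage).
function Get-SiteWindowsAuthProviders {
    param([string]$Name)
    (Get-WebConfiguration -Filter $provs -PSPath 'IIS:\' -Location $Name).Collection |
        ForEach-Object { $_.value }
}

$actual = @(Get-SiteWindowsAuthProviders -Name $site)
if (($actual -join ',') -eq ($order -join ',')) {
    Write-Host "Provider order for $site is now: $($actual -join ', ')"
} else {
    Write-Warning "Unexpected provider order for $site: $($actual -join ', ')"
}
```

Run it from an elevated PowerShell session on the IIS host; the final comparison is the check that the <clear /> plus re-add sequence actually produced the order you asked for.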


You can only enable and disable the authentication methods available under the following section:

system.webServer/authentication

This is because system.webServer/authentication is not a collection and does not support the add and remove config elements. Have a look in the IIS configuration schema file in:

C:\Windows\System32\inetsrv\config\schema\IIS_schema.xml

Search for system.webServer/security/authentication and you will see that each child element of that section is explicitly defined and there is no definition for system.webServer/security/authentication itself.

With regards to ordering, it makes no difference trying to change the authentication method order. For example in the following order (Basic is before Windows Authentication):

<system.webServer>
    <security>
        <authentication>
            <basicAuthentication enabled="true" />
            <windowsAuthentication enabled="true" />
        </authentication>
    </security>
</system.webServer>

and when I swap the order:

<system.webServer>
    <security>
        <authentication>
            <windowsAuthentication enabled="true" />
            <basicAuthentication enabled="true" />
        </authentication>
    </security>
</system.webServer>

...will always cause IIS to send the following headers to the browser in the 401 challenge (captured using Fiddler):

HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="172.16.3.87"

In the above, IIS is indicating to the browser that it supports Kerberos, NTLM or Basic authentication methods. Out of the box these authentication methods are always in this order, regardless of browser vendor (I tried IE and Chrome).

From my observations using Fiddler, both IE and Chrome attempt negotiation using the first available supported method by that browser. i.e. in this case both IE and Chrome negotiated Kerberos authentication:

GET http://172.16.3.87:81/ HTTP/1.1
Host: 172.16.3.87:81
Connection: keep-alive
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

If you base64 decode the Negotiate value it says:

NTLMSSP

It is possible to remove the Kerberos (Negotiate) method by doing:

<system.webServer>
    <security>
        <authentication>
            <windowsAuthentication enabled="true">
                <providers>
                    <remove value="Negotiate" />
                </providers>
            </windowsAuthentication>
            <basicAuthentication enabled="true" />
        </authentication>
    </security>
</system.webServer>

However trying to change the order of these by doing the following will have no effect:

<system.webServer>
    <security>
        <authentication>
            <windowsAuthentication enabled="true">
                <providers>
                    <remove value="Negotiate" />
                    <remove value="NTLM" />
                    <add value="NTLM" />
                    <add value="Negotiate" />
                </providers>
            </windowsAuthentication>
            <basicAuthentication enabled="true" />
        </authentication>
    </security>
</system.webServer>

You will still be sent the WWW-Authenticate: headers in the order of:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="172.16.3.87"
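The challenge and the client request quoted in this answer, parsed by an added example that is not part of the answer. It lists the schemes the server offered in the order sent and decodes the client's Negotiate token the same way the answer does, then classifies it: a token that starts with the "NTLMSSP\0" signature is NTLM carried under the Negotiate scheme, whereas a Kerberos/SPNEGO token is DER-encoded and starts with the 0x60 GSS-API tag. The header text is constructed from the captures above.

```powershell
# Added example (not from the original answer): inspect a 401 challenge and the
# follow-up request to see which schemes were offered and what the Negotiate token
# really contains. Both captures below are constructed from the answer's text.
$challenge = @'
HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="172.16.3.87"
'@

$request = @'
GET http://172.16.3.87:81/ HTTP/1.1
Host: 172.16.3.87:81
Connection: keep-alive
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
'@

# Schemes the server offered, in the order the headers were sent.
function Get-OfferedSchemes([string]$Raw) {
    foreach ($line in $Raw -split "`r?`n") {
        if ($line -match '^WWW-Authenticate:\s*(\S+)') { $Matches[1] }
    }
}

# Classify the token behind "Authorization: Negotiate".
function Get-NegotiateTokenKind([string]$Raw) {
    $token = $null
    foreach ($line in $Raw -split "`r?`n") {
        if ($line -match '^Authorization:\s*Negotiate\s+(\S+)') { $token = $Matches[1] }
    }
    if (-not $token) { return 'none' }
    $bytes = [Convert]::FromBase64String($token)
    # Raw NTLM messages begin with the 8-byte signature "NTLMSSP\0";
    # bytes 8..11 hold the little-endian message type (1 = Negotiate, 3 = Authenticate).
    if ($bytes.Length -ge 12 -and [Text.Encoding]::ASCII.GetString($bytes, 0, 7) -eq 'NTLMSSP' -and $bytes[7] -eq 0) {
        return "NTLMSSP message type $([BitConverter]::ToUInt32($bytes, 8))"
    }
    # SPNEGO / Kerberos tokens are DER InitialContextTokens tagged [APPLICATION 0] = 0x60.
    if ($bytes[0] -eq 0x60) { return 'SPNEGO/Kerberos (GSS-API InitialContextToken)' }
    return 'unknown'
}

"Server offered: $((Get-OfferedSchemes $challenge) -join ' > ')"
"Client sent:    $(Get-NegotiateTokenKind $request)"
```

For the captured request the second line reports an NTLMSSP message of type 1, which is the kind of evidence to look for when checking whether clients on a network are actually obtaining Kerberos tickets or are falling back to NTLM.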