
How can I set IIS Windows Auth Providers with PowerShell?

Is there a way that I can Add/Remove/Reorder Windows authentication providers using PowerShell in IIS 7.5?

I am told, and have found no evidence to the contrary, that the NTLM provider is faster than Negotiate when used with Windows Auth. This may or may not be in combination with Silverlight 4, .NET 3.5, a Windows 2003 Active Directory and IIS 6.

Since this statement was told to me, we have upgraded to IIS 7.5 (Server 2008 R2), Silverlight 5 and .NET 4.5, but AD is still running at 2003 function level.

My goal is to always ensure that the NTLM provider is listed first in the list of enabled providers in IIS 7.5.

Thanks

Russ asked Aug 19 '13 17:08


1 Answer

It is possible to do this with PowerShell. For the scenario I was working with, I wanted to configure a specific site rather than changing the default setting. This isn't possible in a web.config by default, as all of the authentication settings are set to overrideModeDefault="Deny". This means that the changes need to be made to applicationhost.config directly.

The end result of what I was looking for was:

<location path="MySite">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="true">
                    <providers>
                        <clear />
                        <add value="NTLM" />
                        <add value="Negotiate" />
                    </providers>
                </windowsAuthentication>
            </authentication>
        </security>
    </system.webServer>
</location>

By doing a clear before adding the providers back in, the order of their priority is changed.

To first of all disable anonymous authentication and enable Windows authentication I use the following:

# The IIS:\ drive and the *-WebConfiguration cmdlets come from this module
Import-Module WebAdministration
Set-WebConfiguration system.webServer/security/authentication/anonymousAuthentication -PSPath IIS:\ -Location MySite -Value @{enabled="False"}
Set-WebConfiguration system.webServer/security/authentication/windowsAuthentication -PSPath IIS:\ -Location MySite -Value @{enabled="True"}

Then to add the <clear /> tag:

Remove-WebConfigurationProperty -PSPath IIS:\ -Location MySite -filter system.webServer/security/authentication/windowsAuthentication/providers -name "."

Finally, to add the providers in order:

Add-WebConfiguration -Filter system.webServer/security/authentication/windowsAuthentication/providers -PSPath IIS:\ -Location MySite -Value NTLM
Add-WebConfiguration -Filter system.webServer/security/authentication/windowsAuthentication/providers -PSPath IIS:\ -Location MySite -Value Negotiate
Perrin255 answered Sep 23 '22 19:09
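
The clear-and-re-add steps from the answer above, wrapped into one function that reads the site's current provider order first, rewrites it only when it differs, and reads it back to confirm the result. This is an added example, not part of the original answer; the function name `Set-WindowsAuthProviderOrder` and its parameters are hypothetical, and it assumes an elevated session on a server with the WebAdministration module.

```powershell
# Added example, not from the original answer. Function and parameter names are hypothetical.
# Assumes IIS 7.5 with the WebAdministration module and an elevated PowerShell session.
Import-Module WebAdministration

function Set-WindowsAuthProviderOrder {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]   $Site,
        [Parameter(Mandatory = $true)][string[]] $Providers
    )

    $filter = 'system.webServer/security/authentication/windowsAuthentication/providers'

    # Helper: the site's effective provider list, in priority order.
    $getOrder = {
        @((Get-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Location $Site).Collection |
            ForEach-Object { $_.value })
    }

    $current = & $getOrder
    Write-Verbose "Current order for '$Site': $($current -join ', ')"

    # Idempotence: do not touch applicationHost.config when nothing would change.
    if (($current -join ',') -eq ($Providers -join ',')) {
        Write-Verbose 'Order already matches; no change written.'
        return $current
    }

    if ($PSCmdlet.ShouldProcess($Site, "Set provider order to $($Providers -join ', ')")) {
        # Same steps as the answer: clear the collection, then add in priority order.
        Remove-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter $filter -Name '.'
        foreach ($p in $Providers) {
            Add-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Location $Site -Value $p
        }

        # Read back and fail loudly if the stored order is not the requested one.
        $after = & $getOrder
        if (($after -join ',') -ne ($Providers -join ',')) {
            throw "Provider order for '$Site' is '$($after -join ', ')', expected '$($Providers -join ', ')'."
        }
        return $after
    }
}

# 'MySite' is the site name used in the answer above.
Set-WindowsAuthProviderOrder -Site 'MySite' -Providers 'NTLM', 'Negotiate' -Verbose
```

Running it with `-WhatIf` reports the intended change without writing to applicationHost.config.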