6

Is there a way that I can Add/Remove/Reorder Windows authentication providers using powershell in IIS 7.5?

I am told, and have found no evidence to the contrary, that the NTLM provider is faster than Negotiate when used with Windows Auth. This may or may not be in combination with Silverlight 4, .NET 3.5, a Windows 2003 Active directory and IIS6.

Since this statement was told to me, we have upgraded to IIS7.5 ( Server 2008R2 ), SilverLight 5 and .NET 4.5, but AD is still running at 2003 function level.

My goal is to always ensure that the NTLM provider is listed first in the list of enabled providers in IIS 7.5.

Thanks

Russ
  • 12,312
  • 20
  • 59
  • 78

2 Answers2

21

It is possible to do this with powershell. For the scenario I was working with I wanted to configure a specific site rather than changing the default setting. This isn't possible in a web.config by default as all of the authentication settings are set to overrideModeDefault="Deny". This means that the changes need to be made to applicationhost.config directly.

The end result of what I was looking for was:

<location path="MySite">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="true">
                    <providers>
                        <clear />
                        <add value="NTLM" />
                        <add value="Negotiate" />
                    </providers>
                </windowsAuthentication>
            </authentication>
        </security>
    </system.webServer>
</location>

By doing a clear before adding the providers back in the order of their priority is changed.

To first of all disable anonymous authentication and enable windows authentication I use the following:

Set-WebConfiguration system.webServer/security/authentication/anonymousAuthentication -PSPath IIS:\ -Location MySite -Value @{enabled="False"}
Set-WebConfiguration system.webServer/security/authentication/windowsAuthentication -PSPath IIS:\ -Location MySite -Value @{enabled="True"}

Then to add the <clear /> tag:

Remove-WebConfigurationProperty -PSPath IIS:\ -Location MySite -filter system.webServer/security/authentication/windowsAuthentication/providers -name "."

Finally, to add the providers in order:

Add-WebConfiguration -Filter system.webServer/security/authentication/windowsAuthentication/providers -PSPath IIS:\ -Location MySite -Value NTLM
Add-WebConfiguration -Filter system.webServer/security/authentication/windowsAuthentication/providers -PSPath IIS:\ -Location MySite -Value Negotiate
Perrin255
  • 479
  • 6
  • 9
3

You can only enable and disable the authentication methods available under the following section:

system.webServer/authentication

This is because system.webServer/authentication is not a collection and does not support the add and remove config elements. Have a look in the IIS configuration schema file in:

C:\Windows\System32\inetsrv\config\schema\IIS_schema.xml

Search for system.webServer/security/authentication and you will see that each child element of that section is explicitly defined and there is no definition for system.webServer/security/authentication itself.

With regards to ordering, it makes no difference trying to change the authentication method order. For example in the following order (Basic is before Windows Authenticaton):

<system.webServer>
    <security>
        <authentication>
            <basicAuthentication enabled="true" />
            <windowsAuthentication enabled="true" />
        </authentication>
    </security>
</system.webServer>

and when I swap the order:

<system.webServer>
    <security>
        <authentication>
            <windowsAuthentication enabled="true" />
            <basicAuthentication enabled="true" />
        </authentication>
    </security>
</system.webServer>

...will always cause IIS to send the following headers to the browser in the 401 challenge (captured using Fiddler):

HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="172.16.3.87"

In the above, IIS is indicating to the browser that it supports Kerberos, NTLM or Basic authentication methods. Out of the box these authentication methods are always in this order, regardless of browser vendor (I tried IE and Chrome).

From my observations using Fiddler, both IE and Chrome attempt negotiation using the first available supported method by that browser. i.e. in this case both IE and Chrome negotiated Kerberos authentication:

GET http://172.16.3.87:81/ HTTP/1.1
Host: 172.16.3.87:81
Connection: keep-alive
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

If you base64 decode the Negotiate value it says:

NTLMSSP

It is possible to remove the Kerberos (Negotiate) method by doing:

<system.webServer>
    <security>
        <authentication>
            <windowsAuthentication enabled="true">
                <providers>
                    <remove value="Negotiate" />
                </providers>
            </windowsAuthentication>
            <basicAuthentication enabled="true" />
        </authentication>
    </security>
</system.webServer>

However trying to change the order of these by doing the following will have no effect:

<system.webServer>
    <security>
        <authentication>
            <windowsAuthentication enabled="true">
                <providers>
                    <remove value="Negotiate" />
                    <remove value="NTLM" />
                    <add value="NTLM" />
                    <add value="Negotiate" />
                </providers>
            </windowsAuthentication>
            <basicAuthentication enabled="true" />
        </authentication>
    </security>
</system.webServer>

You will still be sent the WWW-Authenticate: headers in the order of:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="172.16.3.87"
Kev
  • 118,037
  • 53
  • 300
  • 385