iis 7.5 - How can I set IIS Windows Auth Providers with powershell? -


is there way can add/remove/reorder windows authentication providers using powershell in iis 7.5?

i told, , have found no evidence contrary, ntlm provider faster negotiate when used windows auth. may or may not in combination silverlight 4, .net 3.5, windows 2003 active directory , iis6.

since statement told me, have upgraded iis7.5 ( server 2008r2 ), silverlight 5 , .net 4.5, ad still running @ 2003 function level.

my goal ensure ntlm provider listed first in list of enabled providers in iis 7.5.

thanks

you can enable , disable authentication methods available under following section:

system.webserver/authentication

this because system.webserver/authentication not collection , not support add , remove config elements. have in iis configuration schema file in:

c:\windows\system32\inetsrv\config\schema\iis_schema.xml

search system.webserver/security/authentication , see each child element of section explicitly defined , there no definition system.webserver/security/authentication itself.

with regards ordering, makes no difference trying change authentication method order. example in following order (basic before windows authenticaton):

<system.webserver>     <security>         <authentication>             <basicauthentication enabled="true" />             <windowsauthentication enabled="true" />         </authentication>     </security> </system.webserver> 

and when swap order:

<system.webserver>     <security>         <authentication>             <windowsauthentication enabled="true" />             <basicauthentication enabled="true" />         </authentication>     </security> </system.webserver> 

...will cause iis send following headers browser in 401 challenge (captured using fiddler):

http/1.1 401 unauthorized server: microsoft-iis/7.5 www-authenticate: negotiate www-authenticate: ntlm www-authenticate: basic realm="172.16.3.87" 

in above, iis indicating browser supports kerberos, ntlm or basic authentication methods. out of box these authentication methods in order, regardless of browser vendor (i tried ie , chrome).

from observations using fiddler, both ie , chrome attempt negotiation using first available supported method browser. i.e. in case both ie , chrome negotiated kerberos authentication:

get http://172.16.3.87:81/ http/1.1 host: 172.16.3.87:81 connection: keep-alive authorization: negotiate tlrmtvntuaabaaaal4ii4gaaaaaaaaaaaaaaaaaaaaagabedaaaadw== 

if base64 decode negotiate value says:

ntlmssp 

it possible remove kerberos (negotiate) method doing:

<system.webserver>     <security>         <authentication>             <windowsauthentication enabled="true">                 <providers>                     <remove value="negotiate" />                 </providers>             </windowsauthentication>             <basicauthentication enabled="true" />         </authentication>     </security> </system.webserver> 

however trying change order of these doing following have no effect:

<system.webserver>     <security>         <authentication>             <windowsauthentication enabled="true">                 <providers>                     <remove value="negotiate" />                     <remove value="ntlm" />                     <add value="ntlm" />                     <add value="negotiate" />                 </providers>             </windowsauthentication>             <basicauthentication enabled="true" />         </authentication>     </security> </system.webserver> 

you still sent www-authenticate: headers in order of:

www-authenticate: negotiate www-authenticate: ntlm www-authenticate: basic realm="172.16.3.87" 

Comments

Popular posts from this blog

Detect support for Shoutcast ICY MP3 without navigator.userAgent in Firefox? -

web - SVG not rendering properly in Firefox -

java - JavaFX 2 slider labelFormatter not being used -