IIS 7.5 - How can I set IIS Windows Auth Providers with PowerShell?
Is there a way to add/remove/reorder Windows authentication providers using PowerShell in IIS 7.5?
I was told, and have found no evidence to the contrary, that the NTLM provider is faster than Negotiate when used for Windows auth. This may or may not be in combination with Silverlight 4, .NET 3.5, Windows 2003 Active Directory and IIS 6.
Since that statement was made to me, we have upgraded to IIS 7.5 (Server 2008 R2), Silverlight 5 and .NET 4.5; AD is still running at the 2003 function level.
My goal is to ensure the NTLM provider is listed first in the list of enabled providers in IIS 7.5.
Thanks
You can enable and disable the authentication methods available under the following section. This is because system.webServer/authentication is not a collection and does not support add and remove config elements. Have a look in the IIS configuration schema file in:
C:\Windows\System32\inetsrv\config\schema\IIS_schema.xml
Search for system.webServer/security/authentication and you will see that each child element of the section is explicitly defined, and there is no definition for system.webServer/security/authentication itself.
With regard to ordering, it makes no difference trying to change the authentication method order. For example, in the following order (Basic before Windows Authentication):
    <system.webServer>
      <security>
        <authentication>
          <basicAuthentication enabled="true" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
...and when swapping the order:
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true" />
          <basicAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
...will cause IIS to send the following headers to the browser in the 401 challenge (captured using Fiddler):
    HTTP/1.1 401 Unauthorized
    Server: Microsoft-IIS/7.5
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
    WWW-Authenticate: Basic realm="172.16.3.87"
In the above, IIS is indicating to the browser that it supports the Kerberos, NTLM or Basic authentication methods. Out of the box these authentication methods are in this order, regardless of browser vendor (I tried IE and Chrome).
From observations using Fiddler, both IE and Chrome attempt negotiation using the first available method supported by the browser, i.e. in this case both IE and Chrome negotiated Kerberos authentication:
    GET http://172.16.3.87:81/ HTTP/1.1
    Host: 172.16.3.87:81
    Connection: keep-alive
    Authorization: Negotiate tlrmtvntuaabaaaal4ii4gaaaaaaaaaaaaaaaaaaaaagabedaaaadw==
If you base64 decode the Negotiate value it says:
    NTLMSSP
It is possible to remove the Kerberos (Negotiate) method by doing:
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true">
            <providers>
              <remove value="Negotiate" />
            </providers>
          </windowsAuthentication>
          <basicAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
However, trying to change the order of these by doing the following has no effect:
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true">
            <providers>
              <remove value="Negotiate" />
              <remove value="NTLM" />
              <add value="NTLM" />
              <add value="Negotiate" />
            </providers>
          </windowsAuthentication>
          <basicAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
You are still sent the WWW-Authenticate: headers in the order of:
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
    WWW-Authenticate: Basic realm="172.16.3.87"
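The same list/remove/re-add steps driven from PowerShell with the WebAdministration module, as an added example that is not part of the question or the answer above. It assumes an elevated session on the IIS 7.5 host and a site named 'Default Web Site'; the site name and the location-based editing of applicationHost.config are assumptions, the cmdlets and the configuration paths are the real ones.

```powershell
# Added example: manage windowsAuthentication providers for one site on IIS 7.5.
# Assumptions: run elevated on the IIS host; the site is 'Default Web Site'.
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'     # edit applicationHost.config ...
$site    = 'Default Web Site'            # ... inside a <location> for this site (assumed name)
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'
$provs   = "$winAuth/providers"

function Get-WinAuthProviders {
    # Returns the provider names in the order IIS stores them in the collection.
    Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$provs/add" |
        ForEach-Object { $_.value }
}

# Make sure Windows Authentication is enabled for the site (Basic is left untouched).
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $winAuth `
    -Name enabled -Value $true

Write-Host ('Before:       ' + ((Get-WinAuthProviders) -join ', '))

# Remove the Negotiate provider. IIS then stops offering Kerberos and the client
# can only fall back to NTLM (and Basic, if enabled), which is a weaker protocol;
# treat this as a deliberate trade-off, not a performance tweak.
Remove-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $provs `
    -Name '.' -AtElement @{ value = 'Negotiate' }

Write-Host ('After remove: ' + ((Get-WinAuthProviders) -join ', '))

# Re-adding Negotiate appends it to the collection. As the answer shows, the
# order of <add> elements does not change the order of the WWW-Authenticate
# headers in the 401 challenge, so re-adding is only useful to restore Kerberos.
Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $provs `
    -Name '.' -Value @{ value = 'Negotiate' }

Write-Host ('After add:    ' + ((Get-WinAuthProviders) -join ', '))
```

If the windowsAuthentication section is still locked at the server level (the default on a fresh install), the site-level Set/Remove/Add calls fail with a lock violation until the section is unlocked for delegation.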