What Lex Li said is one way, but there are more ways to achieve this:
First of all run the commands in the order you want the providers to be set. The first authentication method added will be on top. So if you run your command lines after creating the site and no providers have been set, change the current mentioned run order of the appcmd's.
Secondly you can only remove the authentication provider that you want to be second and then re-add that provider, because by removing and re-adding it, it will become second automatically:
C:\Windows\SysWOW64\inetsrv\appcmd set config "Default Web Site/LIT/My.Site" -section:system.webServer/security/authentication/windowsAuthentication /-providers.[value='Negotiate'] /commit:apphost
C:\Windows\SysWOW64\inetsrv\appcmd set config "Default Web Site/LIT/My.Site" -section:system.webServer/security/authentication/windowsAuthentication /+providers.[value='Negotiate'] /commit:apphost
Thirdly you can do what Lex Li says:
Remove all the providers:
C:\Windows\SysWOW64\inetsrv\appcmd set config "Default Web Site/LIT/My.Site" -section:system.webServer/security/authentication/windowsAuthentication /-providers.[value='Negotiate'] /commit:apphost
C:\Windows\SysWOW64\inetsrv\appcmd set config "Default Web Site/LIT/My.Site" -section:system.webServer/security/authentication/windowsAuthentication /-providers.[value='NTLM'] /commit:apphost
Add in correct order:
C:\Windows\SysWOW64\inetsrv\appcmd set config "Default Web Site/LIT/My.Site" -section:system.webServer/security/authentication/windowsAuthentication /+providers.[value='NTLM'] /commit:apphost
C:\Windows\SysWOW64\inetsrv\appcmd set config "Default Web Site/LIT/My.Site" -section:system.webServer/security/authentication/windowsAuthentication /+providers.[value='Negotiate'] /commit:apphost
The choice is yours.
