28
votes

I know how to set this for an IIS web site with the following command:

Set-WebConfigurationProperty -filter "/system.webServer/security/authentication/windowsAuthentication" -name enabled -value true -PSPath "IIS:\" -location $siteName

But I want to set it for the applications inside that website. For example, I have an IIS website named "MySite" and inside that, there are two applications. I want to enable Windows authentication for one and not for the other. Enabling it at the site level would enable it for both, and that is what I don't want.

2 Answers

52
votes

I had the issue of dealing with locked sections, and the accepted answer proposes opening up a GUI to solve it, which I am trying to avoid with PowerShell in the first place.

Short Answer

Enable Windows Authentication and Disable Anonymous Authentication

$iisSiteName = "Default Web Site"
$iisAppName = "MyApp"

Write-Host 'Disable anonymous authentication'
Set-WebConfigurationProperty -Filter '/system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled' -Value 'false' -PSPath 'IIS:\' -Location "$iisSiteName/$iisAppName"

Write-Host 'Enable windows authentication'
Set-WebConfigurationProperty -Filter '/system.webServer/security/authentication/windowsAuthentication' -Name 'enabled' -Value 'true' -PSPath 'IIS:\' -Location "$iisSiteName/$iisAppName"

Dealing with Locked Sections

As noted in the IIS documentation:

Authentication sections are usually locked, i.e. they can't be written to a web.config file but have to be written to the central applicationhost.config file instead.

We have to use -PSPath and -Location parameters.

Set-WebConfigurationProperty -filter /system.webServer/security/authentication/windowsAuthentication -name enabled -value true -PSPath IIS:\ -location DemoSite/DemoApp

26
votes

You don't need separate -PSPath and -Location parameters. You can combine them like this:

-PSPath "IIS:\Sites\$SiteName\$AppName"

So the actual command will look like this:

Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/windowsAuthentication" -Name Enabled -Value True -PSPath "IIS:\Sites\$SiteName\$AppName"

Note that you may run into this error:

Set-WebConfigurationProperty : This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

Tomfanning over at ServerFault provided the solution here. I have repeated his steps here:

  1. Open IIS Manager
  2. Click the server name in the tree on the left
  3. Right hand pane, Management section, double click Configuration Editor
  4. At the top, choose the section system.webServer/security/authentication/anonymousAuthentication
  5. Right hand pane, click Unlock Section
  6. At the top, choose the section system.webServer/security/authentication/windowsAuthentication
  7. Right hand pane, click Unlock Section
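
An added example, not part of either answer: it applies the -PSPath 'IIS:\' plus -Location approach from the first answer to one application, reports whether the two authentication sections are still locked (the condition behind the error quoted in the second answer), and confirms that the sibling application was not changed. The application names App1 and App2 are hypothetical; it assumes an elevated session with the WebAdministration module available.

```powershell
Import-Module WebAdministration

$site     = 'MySite'   # site name from the question
$authApp  = 'App1'     # hypothetical: application that should use Windows authentication
$otherApp = 'App2'     # hypothetical: application that must keep its current settings
$base     = '/system.webServer/security/authentication'
$sections = 'anonymousAuthentication', 'windowsAuthentication'

function Get-AuthState {
    param([string]$Location)
    # Read the values stored in applicationHost.config for one site/application path.
    $state = [ordered]@{ Location = $Location }
    foreach ($section in $sections) {
        $state[$section] = (Get-WebConfigurationProperty -Filter "$base/$section" `
            -Name 'enabled' -PSPath 'IIS:\' -Location $Location).Value
    }
    [pscustomobject]$state
}

# Report the lock state at server level. 'Deny' means web.config files cannot
# override the section, so the write below has to target applicationHost.config.
foreach ($section in $sections) {
    $cfg = Get-WebConfiguration -Filter "$base/$section" -PSPath 'IIS:\'
    '{0}: overrideModeEffective = {1}' -f $section, $cfg.OverrideModeEffective
}

# Snapshot the application that must not change.
$before = Get-AuthState -Location "$site/$otherApp"

# Write a <location> entry for the one application only; the sections stay locked.
Set-WebConfigurationProperty -Filter "$base/anonymousAuthentication" -Name 'enabled' `
    -Value $false -PSPath 'IIS:\' -Location "$site/$authApp"
Set-WebConfigurationProperty -Filter "$base/windowsAuthentication" -Name 'enabled' `
    -Value $true -PSPath 'IIS:\' -Location "$site/$authApp"

# Show the result for both applications.
$after = Get-AuthState -Location "$site/$otherApp"
Get-AuthState -Location "$site/$authApp"
$after

# Flag any drift on the sibling application.
foreach ($section in $sections) {
    if ($before.$section -ne $after.$section) {
        Write-Warning "$section changed on $site/$otherApp"
    }
}
```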