1
votes

From end-to-end, how does one go about setting Windows Authentication on an ASP.NET app in Windows Server 2012?

In earlier versions of IIS, you could just set <authentication>, <identity>, and <authorization> settings in the Web.Config and be done with it.

<!-- Web.Config -->
<system.web>
  ...
  <authentication mode="Windows" />
  <identity impersonate="false" />
  <authorization>
    <allow users="DOMAIN\user1" />
    <allow users="DOMAIN\user2" />
    <deny users="*" />
  </authorization>
</system.web>

Now there is an extra security component that requires you to enable authentication on the IIS site/webapp itself.

I'm scripting a bootstrap for our Windows Server 2012 webserver; how do I go about completing the configuration for IIS in PowerShell?

NOTE: I'll be providing a self answer.


1 Answers

3
votes

The Web.Config stated above won't need to change; those settings are still valid. The problem is, IIS itself will not obey these settings since Windows Authentication has been turned off by default at the server level.

First, ensure you have installed the Windows Authentication feature Web-Windows-Auth, and the Server Management tools -IncludeManagementTools.

Install-WindowsFeature "Web-Windows-Auth" -IncludeManagementTools ; 

Next, let's assume you have already created your site, named "AuthSite", and now I want to disable anonymous authentication and enable Windows authentication.

Import-Module WebAdministration ;

# disable anonymous
Set-WebConfigurationProperty `
  -filter "/system.webserver/security/authentication/anonymousAuthentication" `
  -PSPath "IIS:\" `
  -location "AuthSite" `
  -name "enabled" `
  -value "False" ;

# enable Windows authentication
Set-WebConfigurationProperty `
  -filter "/system.webserver/security/authentication/windowsAuthentication" `
  -PSPath "IIS:\" `
  -location "AuthSite" `
  -name "enabled" `
  -value "True" ;

NOTE: -PSPath and -Location must be used (not just the full path on -PSPath), otherwise you will encounter a locked section issue: https://stackoverflow.com/a/31416581/740575

VARIATION: Suppose you are just creating a webapp "AuthWebApp" on the "Default" site: just replace with -location "Default/AuthWebApp"; -PSPath can stay the same.
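
A bootstrap script can read the two settings back and stop if the site would still accept anonymous requests. The following is an added example, not part of the original answer; the function name Test-WindowsAuthOnly is hypothetical, and it assumes the "AuthSite" site from the answer already exists.

```powershell
# Added example: post-bootstrap check that the site ended up in the intended state.
Import-Module WebAdministration
Import-Module ServerManager

function Test-WindowsAuthOnly {
    param(
        # Same value passed to -location above, e.g. "AuthSite" or "Default/AuthWebApp"
        [Parameter(Mandatory)] [string] $Location
    )

    $problems = @()

    # The answer installs this feature first; confirm it is actually present.
    if (-not (Get-WindowsFeature -Name 'Web-Windows-Auth').Installed) {
        $problems += 'Feature Web-Windows-Auth is not installed'
    }

    # Expected end state: anonymous off, Windows authentication on.
    $expected = [ordered]@{
        anonymousAuthentication = $false
        windowsAuthentication   = $true
    }

    foreach ($section in $expected.Keys) {
        # Read with -PSPath plus -Location, mirroring how the values were written.
        $actual = (Get-WebConfigurationProperty `
            -Filter "/system.webServer/security/authentication/$section" `
            -PSPath 'IIS:\' `
            -Location $Location `
            -Name 'enabled').Value

        if ($actual -ne $expected[$section]) {
            $problems += "$section enabled=$actual, expected $($expected[$section])"
        }
    }

    return $problems
}

# Fail the bootstrap rather than leave a site that silently allows anonymous access.
$problems = @(Test-WindowsAuthOnly -Location 'AuthSite')
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "IIS authentication for 'AuthSite' is not in the expected state"
}
Write-Output 'AuthSite: anonymous disabled, Windows authentication enabled'
```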