PowerShell - Managing Feature Delegation in IIS7
Perhaps you've read my earlier post on advanced feature delegation using PowerShell and the IIS 7.0 PowerShell Provider. This could actually be called Part II.
The previous post was based on a quick question from a premier customer. He is a never-ending source of intriguing questions and I always enjoy his "just one thing"-type of inquiries. They often force you to think a little extra. Anyway, the other day he came with a question, which (as always) seemed simple enough at a first glance. The goal was to set Feature Delegation for SMTP E-mail And Forms Authentication to "Read Only".
Now, most basic configuration topics have been covered in countless posts, and at first I thought that this shouldn't be so hard. There is, however, a major difference. The SMTP E-mail and Forms Authentication settings are set in the root web.config. Not in applicationhost.config.
If we open up and compare web.config before, and after we change the setting, we'll notice that the change made by the IIS Manager is adding the following into the root <configuration>-block:
<location path="" overrideMode="Deny">
<system.net>
<mailSettings>
<smtp>
<network />
<specifiedPickupDirectory />
</smtp>
</mailSettings>
</system.net>
<system.web>
<authentication>
<forms>
<credentials />
</forms>
<passport />
</authentication>
</system.web>
</location>
Okay, so using what we already know from the old post we should put together a call that looks something like this:
Set-WebConfiguration "/System.Net/mailSettings/smtp" -value @{<something... overrideMode="Deny", maybe?>} -PSPath IIS:\
Please note that this is NOT the correct syntax. It is close, but no cigar. What we need to do is:
- Correctly set the overrideMode. The above sample is not the way to do it.
- Make sure the changes are saved to web.config
So, the final, (and correct,) call to the Set-WebConfiguration cmdlet would look like this:
Set-WebConfiguration //System.Net/mailSettings/smtp -metadata overrideMode -value Deny -PSPath MACHINE/WEBROOT
The Forms Authentication call would look like this:
Set-WebConfiguration //System.Web/authentication -metadata overrideMode -value Deny -PSPath MACHINE/WEBROOT
I've searched quite extensively for samples on this and so far I've found none. So I thought someone should write it down. :)
Happy Holidays! / Johan
Comments
Anonymous
March 08, 2011
Thanks you so much for this - you just saved us a LOT of time in our Windows Azure onboarding efforts!Anonymous
November 13, 2012
Great post, I've only been able to get this working for .net 2.0, what about 4.0 settings?