PowerShell - Managing Feature Delegation in IIS7

Perhaps you've read my earlier post on advanced feature delegation using PowerShell and the IIS 7.0 PowerShell Provider. This could actually be called Part II.

The previous post was based on a quick question from a premier customer. He is a never-ending source of intriguing questions and I always enjoy his "just one thing"-type of inquiries. They often force you to think a little extra. Anyway, the other day he came to me with a question, which (as always) seemed simple enough at first glance. The goal was to set Feature Delegation for SMTP E-mail and Forms Authentication to "Read Only".

Now, most basic configuration topics have been covered in countless posts, and at first I thought that this shouldn't be so hard. There is, however, a major difference: the SMTP E-mail and Forms Authentication settings are stored in the root web.config, not in applicationhost.config.

If we compare web.config before and after changing the setting in IIS Manager, we'll see that IIS Manager adds the following to the root <configuration> block:

<location path="" overrideMode="Deny">
    <system.net>
        <mailSettings>
            <smtp>
                <network />
                <specifiedPickupDirectory />
            </smtp>
        </mailSettings>
    </system.net>
    <system.web>
        <authentication>
            <forms>
                <credentials />
            </forms>
            <passport />
        </authentication>
    </system.web>
</location>

Okay, so using what we already know from the old post we should put together a call that looks something like this:

Set-WebConfiguration "/System.Net/mailSettings/smtp"  -value @{<something... overrideMode="Deny", maybe?>} -PSPath IIS:\

Please note that this is NOT the correct syntax. It is close, but no cigar. What we need to do is:

  1. Correctly set the overrideMode. The above sample is not the way to do it.
  2. Make sure the changes are saved to web.config.

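So the final (and correct) call to the Set-WebConfiguration cmdlet looks like this. The -metadata overrideMode parameter sets the lock, and -PSPath MACHINE/WEBROOT makes the change land in the root web.config: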

Set-WebConfiguration //System.Net/mailSettings/smtp -metadata overrideMode -value Deny -PSPath MACHINE/WEBROOT

The Forms Authentication call would look like this:

Set-WebConfiguration //System.Web/authentication -metadata overrideMode -value Deny -PSPath MACHINE/WEBROOT
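
To confirm the result, the following added example (not from the original post) parses a root web.config and reports whether each section sits inside a root-level <location> block with overrideMode="Deny", the pattern IIS Manager writes. The helper name Test-DelegationLocked and the sample XML are constructed for illustration, and the check covers only that pattern, not inherited or default override modes.

```powershell
# Added example: audit a root web.config for the <location overrideMode="Deny"> lock.
# Test-DelegationLocked is a hypothetical helper name, not part of the IIS module.
function Test-DelegationLocked {
    param(
        [Parameter(Mandatory)] [xml]    $Config,
        [Parameter(Mandatory)] [string] $SectionPath   # e.g. 'system.net/mailSettings/smtp'
    )
    # Only root-level <location> blocks (path="" or no path attribute) apply server-wide.
    $locations = $Config.SelectNodes('/configuration/location') |
        Where-Object { [string]::IsNullOrEmpty($_.GetAttribute('path')) }

    foreach ($loc in $locations) {
        if ($null -ne $loc.SelectSingleNode($SectionPath)) {
            # The section is declared inside this block, so its overrideMode governs it.
            return ($loc.GetAttribute('overrideMode') -eq 'Deny')
        }
    }
    return $false   # no root-level <location> block mentions the section
}

# Constructed sample: smtp is locked, authentication is still delegated read/write.
$sample = [xml]@'
<configuration>
  <location path="" overrideMode="Deny">
    <system.net><mailSettings><smtp><network /></smtp></mailSettings></system.net>
  </location>
  <location path="" overrideMode="Allow">
    <system.web><authentication><forms /></authentication></system.web>
  </location>
</configuration>
'@

# Report one row per section the post sets to "Read Only".
'system.net/mailSettings/smtp', 'system.web/authentication' | ForEach-Object {
    [pscustomobject]@{
        Section  = $_
        ReadOnly = Test-DelegationLocked -Config $sample -SectionPath $_
    }
}
```

To audit a real server, load the file with [xml](Get-Content <path to root web.config>) and pass it as -Config; XPath matching is case-sensitive, so give the section path in the lowercase form used in the file.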

I've searched quite extensively for samples on this and so far I've found none. So I thought someone should write it down. :)

 

Happy Holidays! / Johan