2

Can someone provide a code sample or resource which can help me programmatically get status, enable and disable extended protection for authentication in IIS 7/IIS 7.5 using C#?

C# with WMI/ADSI is preferred.

i.e., I am asked to use the System.Management API or the Microsoft.Web.Administration API using C#, and I need to determine if EAP is enabled or not on a web server level (as web server default for all future websites).

Any other solution using C# is also welcome.

Looking forward to helpful answers. Thanks

Steve

Steve Johnson

1 Answer

1

Microsoft graciously provided a web page that not only explains this new concept (i.e., Extended Protection for Authentication, flag=extendedProtection), but provides sample code (copied below) in several languages. Here's their C# code to enable EAP in IIS7/7.5.

Implementing this over WMI will need to use explicit credentials and set impersonationLevel=Impersonate. An alternate method was recently created by Frank White on SO, and I detailed a fully fleshed code for it here: https://stackoverflow.com/a/11948096/1569434

using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
{
   private static void Main()
   {
      using (ServerManager serverManager = new ServerManager())
      {
         Configuration config = serverManager.GetApplicationHostConfiguration();

         // Windows authentication section scoped to the "Default Web Site" location
         ConfigurationSection windowsAuthenticationSection = config.GetSection("system.webServer/security/authentication/windowsAuthentication", "Default Web Site");
         windowsAuthenticationSection["enabled"] = true;

         // Allow = extended protection is enabled but not required
         ConfigurationElement extendedProtectionElement = windowsAuthenticationSection.GetChildElement("extendedProtection");
         extendedProtectionElement["tokenChecking"] = @"Allow";
         extendedProtectionElement["flags"] = @"None";

         // Service principal names accepted for this site
         ConfigurationElementCollection extendedProtectionCollection = extendedProtectionElement.GetCollection();

         ConfigurationElement spnElement = extendedProtectionCollection.CreateElement("spn");
         spnElement["name"] = @"HTTP/www.contoso.com";
         extendedProtectionCollection.Add(spnElement);

         ConfigurationElement spnElement1 = extendedProtectionCollection.CreateElement("spn");
         spnElement1["name"] = @"HTTP/contoso.com";
         extendedProtectionCollection.Add(spnElement1);

         // Persist the changes to applicationHost.config
         serverManager.CommitChanges();
      }
   }
}
Lizz
  • Thank you Lizz for the code and the reference. I did encounter this code on MS Support; however, I need to determine EAP status on a server level and not for the specific website. I am, at the moment, not looking to modify EAP status on the server (which may be needed at a later stage). With that said, could you please help me create a method to get EAP status from Web Server (IIS 7/7.5)? Any response is highly appreciated. Thank you. – Steve Johnson Nov 06 '12 at 02:30
  • Also, by WMI I actually meant WMI and C# together. I need to use WMI (System.Management API) or MWA (Microsoft.Web.Administration) with C# to accomplish this for IIS 7.0 and get EAP status on a server level. Thank you for your help. – Steve Johnson Nov 06 '12 at 02:31
  • Ok. Sorry for providing the wrong answer, Steve. I don't know how to do what you're asking. I'll delete it in two days unless you want it to stay here for some reason... – Lizz Nov 06 '12 at 03:12
  • The answer may prove useful. +1 for the useful code. But it does not help solve the problem. Please do not remove it; maybe it can help anyone else too. – Steve Johnson Nov 06 '12 at 16:27
  • Ok Steve you're too kind, and you talked me into keeping it - but I'll still try and "officially" answer your question. :) One thought is to enumerate all your sites using WMI (http://learn.iis.net/page.aspx/162/managing-sites-with-iis-7s-wmi-provider/#05) and use the above code to set the Extended Protection for Authentication (extendedProtection flag) on all sites. Then you'll want to change the default site (siteDefaults) here: http://www.iis.net/configreference/system.applicationhost/sites/sitedefaults. Can't yet find an all-in-one solution.. :( – Lizz Nov 06 '12 at 23:38
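
For the server-level status the comments ask about, a read-only check is sketched below. It is an added example, not part of the original answer or Microsoft's sample. It assumes a reference to Microsoft.Web.Administration and an elevated process on the IIS host; the names `ExtendedProtectionAudit` and `Describe` are illustrative.

```csharp
using System;
using Microsoft.Web.Administration;

internal static class ExtendedProtectionAudit
{
    private const string SectionPath =
        "system.webServer/security/authentication/windowsAuthentication";

    // Summarises windowsAuthentication/extendedProtection at one scope.
    // locationPath == null reads the server-level section of applicationHost.config,
    // which sites inherit unless a <location> block overrides it.
    private static string Describe(Configuration config, string locationPath)
    {
        ConfigurationSection section = locationPath == null
            ? config.GetSection(SectionPath)
            : config.GetSection(SectionPath, locationPath);

        ConfigurationElement ep = section.GetChildElement("extendedProtection");
        ConfigurationAttribute token = ep.GetAttribute("tokenChecking");

        // Enum attributes are returned as numbers; ask the schema for the name
        // (None, Allow or Require) instead of hard-coding the mapping.
        string mode = token.Schema.GetEnumValues().GetName(Convert.ToInt64(token.Value));

        // flags is reported as its raw numeric value; spns is the SPN entry count.
        return string.Format("enabled={0} tokenChecking={1} flags={2} spns={3}",
            section["enabled"], mode, ep["flags"], ep.GetCollection().Count);
    }

    private static void Main()
    {
        using (ServerManager serverManager = new ServerManager())
        {
            Configuration config = serverManager.GetApplicationHostConfiguration();

            string serverLevel = Describe(config, null);
            Console.WriteLine("Server default: " + serverLevel);

            // Flag every site whose effective settings differ from the server default.
            foreach (Site site in serverManager.Sites)
            {
                string siteLevel = Describe(config, site.Name);
                Console.WriteLine("{0}: {1}{2}", site.Name, siteLevel,
                    siteLevel == serverLevel ? "" : "  <-- differs from server default");
            }
        }
    }
}
```

Nothing is written back: `CommitChanges()` is never called, so the check can run as a routine audit without touching the configuration.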