5

I need to automate the configuration of a new IIS server with PowerShell, and I need to change the Feature Delegation setting for the Forms Authentication feature (its overrideMode).

I'm basically looking to change the overrideMode seen when I use this command:

Get-WebConfiguration -Filter //system.web/authentication -PSPath 'MACHINE/WEBROOT/APPHOST' | fl *

I'm able to set it with Set-WebConfiguration for other types of authentication methods, e.g. for Windows Authentication I'd do:

Set-WebConfiguration -Filter //System.webServer/Security/Authentication/windowsAuthentication -PSPath 'MACHINE/WEBROOT/APPHOST' -Metadata overrideMode -Value Allow

But I can't do the same for //system.web/authentication for some reason and I don't understand why. When I try I get this error:

PS H:\> Set-WebConfiguration -Filter //System.web/Authentication -PSPath 'MACHINE/WEBROOT/APPHOST' -Metadata overrideMode -Value Allow
Set-WebConfiguration : Filename: \\?\C:\Windows\system32\inetsrv\config\applicationHost.config
Line number: 974
Error: This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default 
(overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
At line:1 char:1
+ Set-WebConfiguration -Filter //System.web/Authentication -PSPath 'MAC ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-WebConfiguration], FileLoadException
    + FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.IIs.PowerShell.Provider.SetConfigurationCommand

What am I doing wrong and how can I change this value? There are a few other delegated features that seem to be the same too.

This is for IIS 10 on Windows Server 2016

Edit: I noticed that when I change the delegation setting to read only using the IIS Manager (and not PowerShell), it "locks" the feature by adding it to a location with overrideMode="Deny" in the applicationHost.config file. Once this is done, I get an error if I try to change it back to Allow using PowerShell. This is the problem. If I only use PowerShell to set it to Allow or Deny, it doesn't give an error, but the change is not reflected in the IIS Manager. It seems that for some delegation rights, the IIS Manager uses a different method than what PowerShell does to change the overrideMode and once it's locked using the UI, you can't unlock it using PowerShell.

Yanick Girouard

1 Answer

0

You can check to make sure these Windows Features are all enabled from this post as this resolved the same error for some there:

Config Error: This configuration section cannot be used at this path

Are you able to set the attribute on the file so that it is not read only?

# You may need to use the -Credential parameter for this to work on a remote machine
# The \\?\ prefix is dropped because -Path treats '?' as a wildcard character
Set-ItemProperty -Path 'C:\Windows\system32\inetsrv\config\applicationHost.config' -Name IsReadOnly -Value $false

Then try to rerun your Set-WebConfiguration command.

You could also try to load that config file into PowerShell as XML and then modify the overrideMode attribute and save it back out to the IIS path.

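# Load applicationHost.config as XML (run elevated; back the file up first)
$ConfigPath = 'C:\Windows\system32\inetsrv\config\applicationHost.config'
[xml]$XmlDoc = Get-Content -LiteralPath $ConfigPath -Raw
# XPath is case-sensitive, so the section is system.web/authentication; the
# overrideMode attribute sits on the <location> element that wraps it
$LocationNode = $XmlDoc.SelectSingleNode('//location[system.web/authentication]')
if ($LocationNode) { $LocationNode.SetAttribute('overrideMode', 'Allow') }
$XmlDoc.Save($ConfigPath)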

I don't have IIS set up on this machine, but assuming that is a valid XPath in the XML, you should be able to change the flag like that, assuming nothing is using the file when you try to update it.

  • The applicationHost.config file is not read-only and I'm able to set other properties and values just fine. The issue only occurs after I manually set the delegation permission of Forms Authentication to "Read Only" in the IIS Manager. Then I'm no longer able to change it using PowerShell. Please read the "edit" part of the original post. – Yanick Girouard Sep 30 '18 at 16:10
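
The lock described in the question's edit, as an added PowerShell example that is not part of the original question or answer: it finds the location element whose overrideMode governs a section and changes it, skipping any location that also wraps other sections. The XML is a constructed stand-in for applicationHost.config that follows the layout the edit describes, and the function names Get-SectionLock and Set-SectionOverrideMode are hypothetical.

```powershell
# Constructed sample standing in for applicationHost.config (not from a real server).
# Assumption: on a server, load a backed-up copy of the real file with Get-Content -Raw.
[xml]$config = @'
<configuration>
  <location path="" overrideMode="Deny">
    <system.web>
      <authentication />
    </system.web>
  </location>
  <location path="" overrideMode="Deny">
    <system.web>
      <machineKey />
      <membership />
    </system.web>
  </location>
</configuration>
'@
# Hypothetical helper: list the <location> elements that set overrideMode for a section.
function Get-SectionLock {
    param([xml]$Xml, [string]$SectionPath)   # e.g. 'system.web/authentication'
    # XPath is case-sensitive; section names are lower-case in the file.
    $Xml.SelectNodes("/configuration/location[@overrideMode][$SectionPath]") |
        ForEach-Object {
            [pscustomobject]@{
                Location     = $_.GetAttribute('path')
                OverrideMode = $_.GetAttribute('overrideMode')
                Node         = $_
            }
        }
}

# Hypothetical helper: change the mode only where the location wraps this one section.
function Set-SectionOverrideMode {
    param([xml]$Xml, [string]$SectionPath, [ValidateSet('Allow', 'Deny')][string]$Mode)
    foreach ($lock in Get-SectionLock -Xml $Xml -SectionPath $SectionPath) {
        # '*/*' counts group/section pairs; more than one means the mode is shared.
        if ($lock.Node.SelectNodes('*/*').Count -gt 1) {
            Write-Warning "location '$($lock.Location)' wraps other sections too; skipped"
            continue
        }
        $lock.Node.SetAttribute('overrideMode', $Mode)
    }
}

Set-SectionOverrideMode -Xml $config -SectionPath 'system.web/authentication' -Mode Allow
# The machineKey location also holds membership, so it is left as it is.
Set-SectionOverrideMode -Xml $config -SectionPath 'system.web/machineKey' -Mode Allow
'system.web/authentication', 'system.web/machineKey' | ForEach-Object {
    Get-SectionLock -Xml $config -SectionPath $_ | Select-Object Location, OverrideMode
}
```

Setting the mode to Allow lets site and application web.config files override that section, so apply it only where delegation is intended.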