+1, this is an issue for us.

+1

+1
I would like to help but I am not sure how this additional options should be provided. Currently all information about authentication are defined as follows

AuthenticationInfo = `
            MSFT_xWebApplicationAuthenticationInformation
            {
                Anonymous = $true
                Basic     = $false
                Digest    = $false
                Windows   = $false
            }

Where can I find definition of MSFT_xWebApplicationAuthenticationInformation? Does it contain other properties which could be used to provide user/password information? Or should I introduce another parameter for this functionality, something like that:

AuthenticationInfo =   MSFT_xWebApplicationAuthenticationInformation
            {
                Anonymous = $true
                Basic     = $false
                Digest    = $false
                Windows   = $false
            };
AnonymousAuthenticationInfo = @{
               User="TestUser";
               Password = "secret"
}

Necessary configuration sections are described here:
https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/anonymousauthentication

@cezarypiatek Sorry that nobody answered you for so long. I think you need a new property AnonymousCredential that provides the username and password to use when Anonymous = $true. Also, if that new property AnonymousCredential is not provided, then maybe it can blank out username and password which means Application Pool is used (as per @PlagueHO comment above). Let me know if you want to work on this, then I label this as 'in progress'.

I can take it.

Awesome! I have labeled this as 'In progress'. Thanks!

Is this a thing yet ? I really need this feature

I've started to implement it on my fork https://github.com/cezarypiatek/xWebAdministration but I haven't had time to manage the UT. Btw I think that xWebApplication and xWebSite require refactoring because there is a massive code duplication which make those modules hard to extend.

In the meantime I've found xIISApplicationPoolIdentityType resource which probably is the missing part.

@cezarypiatek Agree with that those should be refactored to use helper functions, same goes for the *Defaults resource(s) too.

I've got stuck with weird error related to CIM objects. The issue is described in related PR
#408

Can somebody help me with that?

@johlju @kwirkykat could you help me?

@cezarypiatek Thanks for submitting the PR for this issue. Sorry for the delay. I'll take a look at the error you're running into later tonight and reproduce in my environment.

@regedit32 Any progress on the PR yet?

Still waiting for a help, no response from @regedit32 so far.

@cezarypiatek I see you have some recent commits, are you close to having a working solution?

@twerthi I'm in the middle of adding tests for this feature in xWebSite module. After that I need to repeat everything forxWebApplication because there is a code duplication between this two modules (or find a way to reuse current solution) I'm probably going to split this into two PR.

Any progress to report on?

Would be great to have this. Currently using some idempotent powershell to accomplish this.

Thanks for the reminder. I will try to get back to this on Saturday.

I think I've finished with UT for xWebsite module. I need to only complete non-development task, such as doc update etc.

Two things:

1. I think I've got stuck again with integration tests. Some of them are failing and there is no useful error message. Details in Feature: #241 Anonymous authentication #408. Help needed.

2. Instead of adding custom CIM type for credentials maybe I should use MSFT_Credential ? What is the proper way of handling passwords in DSC?

@cezarypiatek I think for item 2 you should have MSFT_Credential for the property Password in MSFT_xWebAnonymousAuthenticationCredentials, otherwise the password will not be encrypted.

Looking at item 1 now.

For item 1. Could it be that it does not return the correct object on this line AnonymousCredentials = $anonymousCredentials. That this line is $null but should always be the CIM instance MSFT_xWebAnonymousAuthenticationCredentials. For example if the website returns false for this $anonymousAuthentication.enabled then Get-AnonymousCredentials will not return the correct CIM instance.

Could this be the problem?

@johlju so CIM fields cannot be null?

Honestly not sure, but Get-DscConfiguration that is failing in the integration test usually fails if the return value has the wrong type. So I’m guessing it tries to access the object, but there are no objects.
If that is the case, maybe you can return a CIM instance but the properties are null.

To test it, I would hard code an object in the code and manually run Get-DscConfiguration to see what the value can and cannot contain. 🤔

thanks, I will try this.

Ok, I'm trying now to implement it using MSFT_Credential. I model myself on xWebAppPool and application pool credentials. The Get-TargetResource method is returning Credential field with username and password values. Doesn't it violate security? It looks like a way to retrieve credentials from the system.

https://github.com/PowerShell/xWebAdministration/blob/2e1778f42c782e98583368612f692f2af7072b7c/DSCResources/MSFT_xWebAppPool/MSFT_xWebAppPool.psm1#L135

cc: @johlju

What I meant it should return an CIM Instance of the instance MSFT_xWebAnonymousAuthenticationCredentials, not MSFT_Credential. The instance of MSFT_xWebAnonymousAuthenticationCredentials that is returned could just contain the user name, and not the password. Or both values in that instance could probably be $null.

We are talking about this line in the schema, right?

https://github.com/PowerShell/xWebAdministration/blob/e665489a92fa64b8e50f31d7f529f39efe504bfd/DSCResources/MSFT_xWebsite/MSFT_xWebsite.schema.mof#L52

I think that introducing MSFT_xWebAnonymousAuthenticationCredentials is a bad idea and I want to implement this feature in the same way as MSFT_xWebAppPool is handling application pool identity credentials (It uses MSFT_Credential) but I'm not sure if that existing implementation of MSFT_xWebAppPool is secure. Please review Get-TargetResource from MSFT_xWebAppPool and tell me if it's secure or not.

Using MSFT_Credential means the credentials (password) get encrypted when the configuration is compile. This is the default, that compiling a configuration containing a MSFT_Credential requires a certificate to protect the password.

Using the other instance would not be secure. So changing the property AnonymousCredentials to a MSFT_Credential would probably be the easiest.
Although, you could probably use a MSFT_Credential instance for the property Password in the MSFT_xWebAnonymousAuthenticationCredentials instance. Though, I have not tested this myself. You can easily see if the password is encrypted by opening the compiled mof-file in a text editor. The file should be readable, but the password property should have been replaced by the encrypted string.

Is there any progress on this issue?

This was been worked on in Pr #408. If anyone want to send in a new PR to continue this work then please do.

After the discussion about security, I was forced to start everything from the begging. Unfortunately, I haven't had time to finish it. My current work is available on my fork. If anyone has a resource to continue it, feel free to use my work,

@cezarypiatek Thank you for the update! 🙂

Not a solution to this issue, but a workaround for some: The CIS documentation suggests that the passAnonymousToken = $true setting on every application pool has the same effect. And that is a setting supported by the WebAdministrationDSC WebAppPool. That doesn't change the (appearance of the) Anonymous authentication setting but maybe silently bypasses that?

DSC workarounds for setting the default Anonymous Authentication Credentials username to blank. The WebConfigProperty approach could be a workaround for this issue you since you can set the username/password to any desired values.

Option 1 with WebAdministrationDSC

#
# Set anonymous authentication to use Application Pool Identity
# (Can also set 'passAnonymousToken = $true' on app application pools which has the same effect)
#
# IIS Security: 1.6 (L1) Ensure 'application pool identity' is configured for anonymous user identity (Scored)
#

WebConfigProperty UseApplicationPoolIdentityForAnonymousUserByDefault
{
    Ensure       = 'Present'
    WebsitePath  = 'MACHINE/WEBROOT/APPHOST'
    Filter       = 'System.WebServer/Security/Authentication/anonymousAuthentication'
    PropertyName = 'userName'
    Value        = ''
}

Option 2 with Script/xScript

#
# Set anonymous authentication to use Application Pool Identity
# (Can also set 'passAnonymousToken = $true' on app application pools which has the same effect)
#
# IIS Security: 1.6 (L1) Ensure 'application pool identity' is configured for anonymous user identity (Scored)
#

xScript UseApplicationPoolIdentityForAnonymousUserByDefault {
    SetScript  = {
        &($env:SystemRoot + '\system32\inetsrv\appcmd') set config -section:anonymousAuthentication /username:"" --password
    }
    TestScript = {
        $userName = &($env:SystemRoot + '\system32\inetsrv\appcmd') list config -section:anonymousAuthentication /text:userName
        return ($userName -eq "")
    }
    GetScript  = {
        $userName = &($env:SystemRoot + '\system32\inetsrv\appcmd') list config -section:anonymousAuthentication /text:userName
        return @{
            Result = $userName
        }
    }
}