How to enable/disable/get status for extended protection for authentication in IIS using WMI/ADSI and C#?

StackOverflow https://stackoverflow.com/questions/13144657

  •  21-07-2021

Question

Can someone provide a code sample or resource which can help me programmatically get status, enable and disable extended protection for authentication in IIS 7/IIS 7.5 using C#?

C# with WMI/ADSI is preferred.

i.e., I am asked to use System.Management API or Microsoft.Web.Administration API using C# and I need to determine if EAP is enabled or not on a web server level (as web server default for all future websites).

Any other solution using C# is also welcome.

Looking forward to helpful answers. Thanks

Steve


Solution

Microsoft graciously provided a web page that not only explains this new concept (i.e., Extended Protection for Authentication, flag=extendedProtection), but provides sample code (copied below) in several languages. Here's their C# code to enable EAP in IIS7/7.5.

Implementing this over WMI will need to use explicit credentials and set impersonationLevel=Impersonate. An alternate method was recently created by Frank White on SO, and I detailed a fully fleshed code for it here: https://stackoverflow.com/a/11948096/1569434

using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
{
   private static void Main()
   {
      // Requires an elevated process: ServerManager edits applicationHost.config.
      using (ServerManager serverManager = new ServerManager())
      {
         Configuration config = serverManager.GetApplicationHostConfiguration();

         // The second argument is the location path, so this changes only "Default Web Site".
         ConfigurationSection windowsAuthenticationSection = config.GetSection("system.webServer/security/authentication/windowsAuthentication", "Default Web Site");
         windowsAuthenticationSection["enabled"] = true;

         // tokenChecking: None (extended protection off), Allow (on, not required) or Require (on, required).
         ConfigurationElement extendedProtectionElement = windowsAuthenticationSection.GetChildElement("extendedProtection");
         extendedProtectionElement["tokenChecking"] = @"Allow";
         extendedProtectionElement["flags"] = @"None";

         // The element's collection holds the SPNs accepted during the service binding check.
         ConfigurationElementCollection extendedProtectionCollection = extendedProtectionElement.GetCollection();

         ConfigurationElement spnElement = extendedProtectionCollection.CreateElement("spn");
         spnElement["name"] = @"HTTP/www.contoso.com";
         extendedProtectionCollection.Add(spnElement);

         ConfigurationElement spnElement1 = extendedProtectionCollection.CreateElement("spn");
         spnElement1["name"] = @"HTTP/contoso.com";
         extendedProtectionCollection.Add(spnElement1);

         // Nothing is written to disk until CommitChanges() is called.
         serverManager.CommitChanges();
      }
   }
}
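The sample above only enables the setting for one site. The following is an added example, not part of the original answer or of Microsoft's sample, that covers the get status / enable / disable cases from the question at the web server level by calling GetSection without a location path. The class name, the TokenChecking enum and its numeric values, and the status/enable/disable command-line arguments are assumptions made for illustration.

```csharp
using System;
using Microsoft.Web.Administration;

internal static class ExtendedProtectionStatus
{
    // Assumed to mirror the tokenChecking enum of the IIS schema.
    private enum TokenChecking { None = 0, Allow = 1, Require = 2 }

    private const string SectionPath =
        "system.webServer/security/authentication/windowsAuthentication";

    // locationPath == null addresses the server-wide default in applicationHost.config;
    // a site name such as "Default Web Site" addresses that site only.
    private static ConfigurationElement GetElement(ServerManager sm, string locationPath)
    {
        Configuration config = sm.GetApplicationHostConfiguration();
        ConfigurationSection section = locationPath == null
            ? config.GetSection(SectionPath)
            : config.GetSection(SectionPath, locationPath);
        return section.GetChildElement("extendedProtection");
    }

    private static TokenChecking GetStatus(string locationPath)
    {
        using (ServerManager sm = new ServerManager())
        {
            // Enum.Parse accepts both the name and the numeric form of the value.
            object raw = GetElement(sm, locationPath)["tokenChecking"];
            return (TokenChecking)Enum.Parse(typeof(TokenChecking), Convert.ToString(raw), true);
        }
    }

    private static void SetStatus(string locationPath, TokenChecking mode)
    {
        using (ServerManager sm = new ServerManager())
        {
            GetElement(sm, locationPath)["tokenChecking"] = mode.ToString();
            sm.CommitChanges();
        }
    }

    // Usage (elevated prompt): ExtendedProtectionStatus.exe [status|enable|disable]
    private static void Main(string[] args)
    {
        string action = args.Length > 0 ? args[0].ToLowerInvariant() : "status";
        if (action == "enable") SetStatus(null, TokenChecking.Require);   // reject clients without a binding token
        else if (action == "disable") SetStatus(null, TokenChecking.None);
        Console.WriteLine("tokenChecking (server default): " + GetStatus(null));
    }
}
```

A status of Allow means extended protection is on but not enforced for clients that do not support it; only Require rejects those clients.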
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow