How to detect IIS Windows Authentication Provider Search Order NTLM or Negotiate

Article ID: 261039

Products

IT Management Suite

Issue/Introduction

Because of the problem described in "January Cumulative Security updates prevent endpoints from registering to task server", task servers keep reverting their IIS Windows Authentication provider search order, causing a loss of productivity.  Is there any way to detect when the search order has changed, and to be alerted when it has?

Environment

Release: 8.6

Cause

Task servers, not SMP servers, will revert their provider search order upon reboot or restart of the SMA agent.

Resolution

The proper resolution is to implement the point fix listed in "January Cumulative Security updates prevent endpoints from registering to task server", which stops task servers from changing the provider search order.  In some situations, you may not be able to implement the point fix or upgrade the product.  In that case, you can implement a PowerShell script that checks the setting and alerts you by email if the setting is incorrect.  This approach must use email rather than a custom inventory, because when the search order has changed, task services are not working correctly and therefore cannot be relied on to deliver the inventory.

You can use a Copy File task, while things are still working, to copy the PowerShell script and the exported Windows Task Scheduler XML to a directory on all your site servers.  Once they are there, you can run another command script to import the task on your site servers.

The following is the PowerShell script, which should be saved as a .PS1 file.

<#
.SYNOPSIS
Checks the provider values of IIS:\Sites\Default Web Site\Altiris\ClientTaskServer and sends an e-mail depending on the result.
.DESCRIPTION
Reads the provider values of IIS:\Sites\Default Web Site\Altiris\ClientTaskServer, then checks the first value.  If the first value is Negotiate, an e-mail is generated.
This utilizes the Send-MailMessage cmdlet.  You may need to adjust the values accordingly. See https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.3
-SmtpServer should be set to your SMTP server
-To should be set to the person or group receiving the email.
-From is required and should be entered
Author - Derek Engel
#>

# Get-WebConfigurationProperty is provided by the WebAdministration module.
Import-Module WebAdministration

# Read the provider list in its configured order and keep only the first entry.
$GetIISProviderValue = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\Altiris\ClientTaskServer' -Filter "system.webServer/security/authentication/windowsAuthentication/providers/*" -Name "value" | Select-Object value -First 1

# -eq is case-insensitive for strings, so "Negotiate" also matches.
if ($GetIISProviderValue.Value -eq "negotiate")
{
    Send-MailMessage -To "<youremail>@<yourdomain>.com" -From "AltirisNotificationServer_<yoursmpservername>@do-not-reply.com" -SmtpServer "<yoursmpserver>.<yourdomain>.com" -Subject "Incorrect Windows Authentication Provider Order Detected" -Body "The first value of the windows authentication provider search order has been detected to be negotiate.  Please investigate"
}

The script above checks the value and, if Negotiate is found first, alerts you by email.  You must modify the script to match your email servers.

Change the following parameters:

-To: a single email address or a group email distribution list.

-From: whatever sender address you want to use.

-SmtpServer: the SMTP server you use in your organization.  You can get this from the SMP server under Settings > Notification Server > Notification Server Settings > E-mail.

-Subject: can be anything you want.

-Body: can be anything you want.

For testing purposes only, you can change "negotiate" to "NTLM" and run the script to make sure you receive an email.  Then don't forget to change it back to "negotiate".
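As an added example that is not part of the original article, the following variant checks the whole provider list against an expected order rather than only the first value, and appends each result to a local log file so a history survives even when mail delivery fails.  The expected order (NTLM then Negotiate), the log path and the mail addresses are assumptions to replace with your own values.

```powershell
# Added example (not from the original article): compares the full provider
# list against an expected order and records the result before alerting.
# Assumed values: the expected order, the log file path and the mail
# parameters are placeholders to adjust for your environment.
Import-Module WebAdministration

$SitePath      = 'IIS:\Sites\Default Web Site\Altiris\ClientTaskServer'
$ExpectedOrder = @('NTLM', 'Negotiate')    # assumption: the order the point fix restores
$LogFile       = 'C:\temp\IISValidate.log'  # assumption: adjust to your directory

function Get-ProviderOrder {
    # Returns the provider values in the order IIS evaluates them.
    Get-WebConfigurationProperty -PSPath $SitePath `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/providers/*' `
        -Name 'value' | Select-Object -ExpandProperty Value
}

function Test-ProviderOrder {
    param([string[]]$Actual, [string[]]$Expected)
    # Position-by-position comparison; -ne on strings is case-insensitive.
    if ($Actual.Count -ne $Expected.Count) { return $false }
    for ($i = 0; $i -lt $Expected.Count; $i++) {
        if ($Actual[$i] -ne $Expected[$i]) { return $false }
    }
    return $true
}

$actual = @(Get-ProviderOrder)
$ok     = Test-ProviderOrder -Actual $actual -Expected $ExpectedOrder
$stamp  = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
$line   = "$stamp $env:COMPUTERNAME order=[$($actual -join ',')] ok=$ok"
Add-Content -Path $LogFile -Value $line    # keeps a local history even if mail fails

if (-not $ok) {
    Send-MailMessage -To 'ops-team@example.com' `
        -From "IISValidate_$env:COMPUTERNAME@example.com" `
        -SmtpServer 'smtp.example.com' `
        -Subject "Provider order changed on $env:COMPUTERNAME" `
        -Body "Expected [$($ExpectedOrder -join ',')] but found [$($actual -join ',')]."
}
```

Because every run writes a line whether or not the order is correct, a missing line in the log also tells you the scheduled task itself stopped running.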

You can now create a Windows scheduled task that runs the PowerShell script every hour.

Once you have created and tested the scheduled task, you can export it.  Then copy both the exported XML file for the scheduled task and the PowerShell .PS1 file to a server.  You can import the task through the GUI or from the command line.  An example command line might look like the following:

schtasks /create /xml "c:\temp\Execute IISValidate Powershell Script.xml" /tn "Execute IISValidate Powershell Script" /ru "domain\admin" /rp "MySuperPassword"

The scheduled task above looks in c:\temp.  If you copy your PowerShell .PS1 script and the exported scheduled task to c:\temp, the command line above can be used as is, except that you must change the /ru and /rp values.  Note that /rp passes the account password on the command line in clear text, so clear it from any command history afterwards.  If you use another directory on the site servers, change c:\temp to that directory.