WebConfigPropertyCollection: This configuration section cannot be used at this path. This happens when the section is locked at a parent level.

[ChristophHannappel]

Problem description

I'm trying to set the Authentication Providers for the Windows Authentication to ensure that Negotiate and NTLM is present. The resource fails because the config section is locked.
If i use the PowerShell command generated from the IIS Console it works.

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -Location 'MySite' -filter "system.webServer/security/authentication/windowsAuthentication/providers" -name "." -value @{value='NTLM'}

Verbose logs

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = Resourceset,'className' = MSFT_DSCLocalConfiguration
Manager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer ComputerName with user sid S-1-5-21-....
VERBOSE: [ComputerName]: LCM:  [ Start  Set      ]  [[WebConfigPropertyCollection]DirectResourceAccess]
VERBOSE: [ComputerName]:                            [[WebConfigPropertyCollection]DirectResourceAccess] Checking for the existence of property 
"value" in collection item "providers/add" with key "*=NTLM" using filter "system.webServer/security/authentication/windowsAuthentication" lo
cated at "MACHINE/WEBROOT/APPHOST/MySite".
VERBOSE: [ComputerName]:                            [[WebConfigPropertyCollection]DirectResourceAccess] Collection item "providers/add" with ke
y "*=NTLM" does not exist, adding with property "value".
Filename: 
Error: This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either 
by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
    + CategoryInfo          : NotSpecified: (:) [], CimException
    + FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.IIs.PowerShell.Provider.AddConfigurationPropertyCommand
    + PSComputerName        : localhost
 
VERBOSE: [ComputerName]: LCM:  [ End    Set      ]  [[WebConfigPropertyCollection]DirectResourceAccess]  in 0.2670 seconds.
The PowerShell DSC resource '[WebConfigPropertyCollection]DirectResourceAccess' with SourceInfo '' threw one or more non-terminating errors 
while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. 
Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost
 
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 1.26 seconds

DSC configuration

Invoke-DscResource -Name WebConfigPropertyCollection -Method set -ModuleName WebAdministrationDSC -Property @{
        Ensure            = 'Present'
        WebsitePath       = "MACHINE/WEBROOT/APPHOST/MySite"
        Filter = 'system.webServer/security/authentication/windowsAuthentication'
        CollectionName    = 'providers'
        ItemName          = 'add'
        ItemKeyName       = '*'
        ItemKeyValue      = 'NTLM'
        ItemPropertyName  = 'value'
        ItemPropertyValue = 'NTLM'
} -Verbose

Suggested solution

The CMDlets Add-WebConfigurationProperty and Set-WebConfigurationProperty support the `-Location' Parameter which makes this change possible.

Extend the Resource Parameters with an optional 'Location' Parameter.
Convert the *-WebConfigurationProperty CMDlet Calls to be based on Splatting to reduce the code.

Operating system the target node is running

OsName               : Microsoft Windows Server 2022 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

PowerShell version and build the target node is running

Name                           Value                                                                                                        
----                           -----                                                                                                        
PSVersion                      5.1.20348.2849                                                                                               
PSEdition                      Desktop                                                                                                      
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                      
BuildVersion                   10.0.20348.2849                                                                                              
CLRVersion                     4.0.30319.42000                                                                                              
WSManStackVersion              3.0                                                                                                          
PSRemotingProtocolVersion      2.3                                                                                                          
SerializationVersion           1.1.0.1

WebAdministrationDsc version

Name                 Version Path                                                                                           
----                 ------- ----                                                                                           
WebAdministrationDsc 4.2.1   C:\Program Files\WindowsPowerShell\Modules\WebAdministrationDsc\4.2.1\WebAdministrationDsc.psd1

[ChristophHannappel]

@johlju if you agree with the suggested solution, i'll create the necessary PR