
IIS and Server Name Indication (SNI)

Posted: Sat Nov 21, 2020 7:36 pm
by msandford
Hi All,

Is there any way when creating bindings in IIS to tick the option 'Require Server Name Indication' (screenshot below)? I cannot seem to find a way to do this in the UI of InstallAware.

[Attachment: bindings.png]


I thought I would try and work around this by instead using a PowerShell script (see below), but for reasons I cannot figure out, the script will not work - it creates the SSL certificate fine, but will not create the binding and assign the certificate. If I run this same script manually in PowerShell ISE, it works perfectly.

Would anyone have any ideas how to do this in the InstallAware UI, or why the PowerShell script will not execute properly?

#Variables for user to set
$PortNumber = "443"
$HostName = "testserver01.mydomain.com"

$HostName = $HostName.ToLower()
$OS = Get-WMIObject Win32_OperatingSystem | select-object Caption

# Import Module
Import-Module WebAdministration

# Remove Certificate if one already exists of the same name
Get-ChildItem Cert:\LocalMachine\My -DnsName $HostName | remove-item -force -erroraction silentlycontinue
Remove-Item -path "IIS:\SslBindings\*!$PortNumber!$Hostname" -force -erroraction silentlycontinue
Get-WebBinding -Port $PortNumber -Name "passwordstate" | Remove-WebBinding

# Create the SSL Certificate, using different commands depending on which version of Operating System is installed.
if ($OS -like '*8*' -or $OS -like '*2012*')
{
    $cert = New-SelfSignedCertificate -DnsName $HostName -CertStoreLocation Cert:\LocalMachine\My
}
else
{
    $StartDate = '01/01/' + (Get-Date).Year
    $EndDate = '01/01/' + (Get-Date).AddYears(5).Year
    $cert = New-SelfSignedCertificate -DnsName $HostName -CertStoreLocation Cert:\LocalMachine\My -FriendlyName $HostName -NotBefore $StartDate -NotAfter $EndDate
}

$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList Root, LocalMachine
$rootStore.Open("MaxAllowed")
$rootStore.Add($cert)
$rootStore.Close()

Start-Sleep -s 1

# Create a new web binding in IIS
New-WebBinding -Name 'passwordstate' -HostHeader $Hostname -IPAddress * -Port $PortNumber -Protocol https -SslFlags 1

# Assign the certificate to the binding
New-Item -Path "IIS:\SslBindings\*!$PortNumber!$Hostname" -Value $cert -SSLFlags 1

Regards
Mark

Re: IIS and Server Name Indication (SNI)

Posted: Mon Nov 23, 2020 1:06 pm
by FrancescoT
How did you run your PS script from the IA script? Did you use the "Run Program" command?

Re: IIS and Server Name Indication (SNI)

Posted: Mon Nov 23, 2020 3:41 pm
by msandford
Hello Francesco,

Yes, I used the Run Program syntax below. I know the script is running, as it's creating the self-signed certificate. It's just not executing the other New-WebBinding and New-Item commands.

Thanks very much for your help so far.

[Attachment: runprogram.png]


Regards
Mark

Re: IIS and Server Name Indication (SNI)

Posted: Tue Nov 24, 2020 1:17 pm
by FrancescoT
Mmm... very strange indeed.

Can you try omitting the "Hide Program Window" flag?
This should leave the PowerShell console window visible while executing the "Run Program" command.
Probably, the console window will also report some more details about the nature of the problem.

Re: IIS and Server Name Indication (SNI)

Posted: Tue Nov 24, 2020 6:35 pm
by msandford
Hi Francesco,

Thanks for the suggestion, and it helped me figure out what the issue was.

I was getting errors like "New-Item : Cannot retrieve the dynamic parameters for the cmdlet", which ended up being related to the version of PowerShell being executed - as InstallAware is a 32-bit app, it was executing the 32-bit version of PowerShell.

So I had to change my Run Command to the following, so it would execute the 64-bit version.

$WINDIR$\\Sysnative\\WindowsPowerShell\\v1.0\\powershell.exe

Thanks again for your help.

Regards
Mark
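
The fix described above can also be built into the script itself, so it does not depend on how the installer launches it. The following is an added example, not code from the thread or from InstallAware: it relaunches under 64-bit PowerShell when started by a 32-bit parent, then checks that the https binding really has the SNI flag set. It assumes PowerShell 3.0 or later and IIS 8 or later; the parameter names are hypothetical and their defaults mirror the values in the original script.

```powershell
# Added example: bitness guard plus SNI binding check.
# Parameter names are hypothetical; defaults copy the values used in the thread's script.
param(
    [string]$SiteName = 'passwordstate',
    [string]$HostName = 'testserver01.mydomain.com',
    [int]$Port = 443
)

# Fail loudly: a hidden console window otherwise swallows non-terminating errors.
$ErrorActionPreference = 'Stop'

# A 32-bit parent on 64-bit Windows is redirected from System32 to SysWOW64,
# so it starts 32-bit PowerShell. The Sysnative alias exists only for 32-bit
# processes and points at the real 64-bit System32.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    $native = Join-Path $env:WINDIR 'Sysnative\WindowsPowerShell\v1.0\powershell.exe'
    if (-not (Test-Path $native)) { throw "64-bit PowerShell not found at $native" }
    & $native -NoProfile -File $PSCommandPath -SiteName $SiteName -HostName $HostName -Port $Port
    exit $LASTEXITCODE   # hand the 64-bit run's result back to the installer
}

Import-Module WebAdministration

# IIS stores a binding as "ip:port:hostheader"; "*" is the wildcard IP used in the thread.
$info = "*:${Port}:$HostName"
$binding = Get-WebBinding -Name $SiteName -Protocol https |
    Where-Object { $_.bindingInformation -eq $info }

if (-not $binding) {
    throw "No https binding '$info' found on site '$SiteName'"
}

# Bit 0 of sslFlags is what the IIS UI shows as 'Require Server Name Indication'.
if (($binding.sslFlags -band 1) -ne 1) {
    throw "Binding '$info' exists but 'Require Server Name Indication' is not set"
}

Write-Output "OK: '$info' on '$SiteName' has sslFlags=$($binding.sslFlags); 64-bit process: $([Environment]::Is64BitProcess)"
```

An uncaught `throw` makes `powershell.exe -File` return a non-zero exit code, so the installer can detect a failed or missing binding instead of finishing silently.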

Re: IIS and Server Name Indication (SNI)

Posted: Wed Nov 25, 2020 1:57 pm
by FrancescoT
Happy you solved it!