Here's my scenario:
* I have a certificate installed on my server (Windows Server 2008 R2, with IIS 7.5)
* I create a new HTTPS binding via PowerShell command (New-WebBinding), but I have no way here to associate this to the certificate I have (for which I do have the Thumbprint)
Any ideas on how I can go about making this association. In the attached screenshot, this can be done in the GUI simply by editing the HTTPS binding and selecting it from the drop-down, though haven't seen a good example to do this via PowerShell or Command Line.
Use the Get-WebBinding cmdlet to retrieve the binding of your website and set the certificate using the AddSslCertificate method:
$httpsBinding = Get-WebBinding -Name "YourWebSiteName" -Protocol "https"
$httpsBinding.AddSslCertificate('SSL_HASH_STRING', "my")
Related
I am trying to access a Filezilla Server using FtpWebRequest in Powershell, like this:
$ftprequest = [System.Net.FtpWebRequest]::Create($sourceuri)
$ftprequest.Method = ([System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails + " -a")
$ftprequest.Credentials = New-Object System.Net.NetworkCredential($username,$password)
$ftprequest.EnableSsl = $true
In Filezilla Server there is a "Generate New Certificate" which is what I used to create the certificate. This created a .crt file that Filezilla is pointing to for both the private key and certificate file.
The server is also configured with the options "Enable FTPS" and "Allow explicit FTP over TLS".
I am able to happily access the server using the Filezilla Client (although it warns that the server's certificate is unknown).
To access the server from a Powershell client, without getting complaints about the certificate, my understanding is the best thing to do is import the certificate on the client machine. I managed to do this by downloading the .crt file, manually stripping out the private key portion using Notepad, and then running:
Import-Certificate -FilePath .\filezillaCertificate.crt -CertStoreLocation cert:\CurrentUser\My
However, trying to connect using FtpWebRequest I still receive the error "The remote certificate is invalid according to the validation procedure."
Can anyone point me in the right direction?
This is not a PoSH issue. It is a pure PKI 101 (cert implementation) issue.
Self-signed certificates will always be considered untrusted in most cases, because there is no way to validate it, no public registered body for it and no public CRL (Certificate Revocation List / Authority) associated with it.
You cannot create a PKI cert for a remote location on your local machine. You must create the cert on the remote location, or buy a public cert and install it on the remote location certificate store. The public and private key must reside on the remote server / site. For any server / site, the certificate must be registered / issued to that server then manually assigned to a site (FTP/s, HTTP/s).
Then, you download the public cert from the destination and install that on your local machine. Normally installed to the local machine store. If you cannot download that public certificate and certificate chain using a browser, by clicking on the lock, after visiting the site, then you must request that the destination server/site owner send you the public cert for you to install locally. Again, normally installed to the local machine store.
I know your post is about a Filezilla server (Full Disclosure: I've never seen on used one), but the approach as shown in the articles below on setting up FTP over SSL on IIS should be similar.
FTP over SSL
The element specifies the FTP over Secure Sockets Layer (SSL)
settings for the FTP service; FTP over SSL was first introduced for
IIS 7 in FTP 7.0.
Unlike using HTTP over SSL, which requires a separate port and
connection for secure (HTTPS) communication, secure FTP communication
occurs on the same port as non-secure communication. FTP 7 supports
two different forms of FTP over SSL:
https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/ftpserver/security/ssl
https://learn.microsoft.com/en-us/iis/publish/using-the-ftp-service/using-ftp-over-ssl-in-iis-7
Update to find the FileZilla SSL guidance
Install a SSL certificate on FileZilla FTP Server
https://www.tbs-certificates.co.uk/FAQ/en/FileZilla_FTP_Server.html
Installing a certificate on an OpenSSL-based server is really similar
than doing so on Apache: Install an Apache certificate, except that
the instructions indicating the path to th files are not the same!
for FTP FileZilla server, via the interface: FileZilla Server
Option -> SSL/TLS settings:
•import the private key (.key file generated along with the CSR) in
"Private key file".
•import the certificate and the certification chain in the same file:
1) on your certificate status page, download the "file.cer" file and
the certification chain "chain-xxx.txt" 2) concatenate those two
files into one 3) import the file in "Certificate file"
How to connect FTP over SSL/TLS in FileZilla?
Create Site
Go to File >> Site Manager >> New Site.
Following are the required details to fill up.
• Host: Enter Hostname(i.e. ftp.yourdomain.com) or IP address which we
have sent in Welcome e-mail. • Port: 21 (Default FTP port is 21, you
can also keep it blank). • Protocol: FTP - File Transfer Protocol. •
Encryption: Select Required explicit FTP over TLS from dropdown list.
• Logon Type: Select Normal from the dropdown list. • User: Your FTP
username. • Password: Your FTP Password.
https://manage.accuwebhosting.com/knowledgebase/761/How-to-connect-FTP-over-SSLorTLS-in-FileZilla.html
The FileZilla wiki also talks to how to do the SSL implementation.
I have an Azure VM running Windows Server 2016 (64-bit, 14393.1593).
It has some WinRM listeners on it, one for HTTP and one for HTTPS.
When I restart the machine, the HTTPS listener resets itself to an old configuration (hostname and thumbprint). With this, it also re-creates the corresponding server certificate.
I delete the certificate and the HTTPS listener. Using PowerShell, I recreate the listener with the desired hostname and thumbprint. The thumbprint corresponds to a certificate on the server that behaves as expected (the desired certificate isn't deleted on machine restart).
Everything works until the next machine restart, where I find that the old HTTPS listener is back, with the old hostname and thumbprint. The old thumbprint corresponds to the old certificate that I had deleted, but the old certificate came back from the grave.
Why is my HTTPS listener resetting itself?
Steps for Configuring WinRM
In Powershell, I execute the following commands.
winrm e winrm/config/listener; - Enumerates the listeners.
winrm delete winrm/config/listener?Address=*+Transport=HTTPS; - Deletes the HTTPS listener.
I then manually delete the old server certificate using either the MMC or IIS manager. I also get the thumbprint for the correct certificate.
I then execute the following PowerShell.
winrm create winrm/config/listener?Address=*+Transport=HTTPS '#{Hostname="MyIPAddress";CertificateThumbprint="MyThumbprint";port="5986"}'; - Creates a new HTTPS listener.
I am developing a PowerShell script that uses HTTP to access REST services. For debugging purposes I want to redirect all HTTP traffic created by that script through a local proxy (Fiddler).
What I don't want to is to set Fiddler as system wide proxy in IE/ Windows internet settings as this would redirect the traffic of my whole system through Fiddler (especially because Fiddler decrypts SSL/TLS traffic).
How do I set a proxy that affects only one WebClient instance or only the PowerShell?
Use the WebProxy class and instantiate it with the address to Fiddler (listens on port 8888 by default):
$FiddlerWP = New-Object System.Net.WebProxy "http://127.0.0.1:8888"
$WebClient = New-Object System.Net.WebClient
$WebClient.Proxy = $FiddlerWP
# This request will now get proxied through Fiddler
$WebClient.DownloadString("https://test.site.example")
I have a system in which I use Kerberos with simple delegation to have an AD user's credentials forwarded from a website to a downstream HTTP REST service using integrated Windows authentication. All servers are Windows Server 2012 R2.
This works great.
The issue comes when I started doing Powershell remoting to the same servers that my backend HTTP service runs on. Enter-PSSession makes a Kerberos auth request for the WSMan service on the target machine. AD sees this request, and encrypts the requested ticket with the identity that my custom HTTP service runs as, which the WSMan service obviously cannot use, and remoting fails.
I know it's possible to force IE to do port-specific SPN requests (via KB908209), but I have not been able to have the 2nd hop (i.e. the IIS-brokered request) to do a port-specific request. Nor have I been able to get powershell to make a port-specific request on 5985 for WSMan.
To make things more concrete:
Client browser makes a request to ServerA. Browser makes a Kerberos ticket request to AD for HTTP/ServerA, which is granted and then sent to ServerA.
ServerA wants to make a delegated request to http://ServerB:15200.
ServerA makes a request to AD for a Kerberos ticket for SPN HTTP/ServerB. It does not make a request for SPN HTTP/ServerB:15200. I want it to.
If I have my SPN set up as HTTP/ServerB:15200, simple delegation in IIS fails, but powershell remoting works. If I have my SPN set up as HTTP/ServerB, simple delegation works but powershell remoting fails. If I have my SPN set up as HTTP/ServerB:5985, nothing works.
I am totally stumped at this point -- doesn't seem like delegation and per-port SPNs play nicely together?
You can workaround this by setting up an alias for ServerB, give the HTTP/ServerBAlias SPN to the IIS account and HTTP/ServerB to the PS account, and then make ServerA send its requests to ServerBAlias. Or use the FQDN (e.g. ServerB.domain.local) in one SPN and the NETBIOS in the other (e.g. ServerB).
Or, you can look at how this person hosted WinRM in IIS with a custom account.
Do you have ms-DS-Allowed-to-Delegate-to attribute for HTTP/ServerA set to the list of HTTP/ServerB and HTTP/ServerB:15200?
I'm new to Windows azure. I've browsed the web but stuck at the moment. Here is my problem.
I've deployed a web role and uploaded a certificate. I also configured the domain name.
In the control panel certificate name is *.mydomain.com. My website responds to mysubdomain.mydomain.com. In the properties of my azure project, in certificates tab I added a certificate with name Mydomain and copy pased the Thumbprint of my certificate from the control panel.
Then in the Endpoints tab I added an endpoint
Name: Endpoint2
Type: Input
Public port: 8080
Certificate: Mydomain (the one I recently added)
Then I published the project via Visual Studio.
But it doesn't open via https. What I'm missing?
I've solved the Issue. I had to change the public port from 8080 to 443 and everything worked fine.