I have been looking into the Microsoft.Web.Administration.dll and the ServerManager class, trying to control our Windows Server 2008 IIS 7 instance.
I have enabled remote administration and can connect via the IIS remote administration tool. However, when I try and use the following, I cannot connect:
ServerManager.OpenRemote(serverName);
This class does not allow me to specify a username and password on the remote IIS 7 server, as the IIS remote administrator tool does.
This is all being called via our build process using NAnt.
How do others control their remote IIS 7 server as part of their CI setup?
You will need to run the application under a domain user (Active Directory user) that has the right permissions to change the configuration files.
Windows authentication will do the rest.
As Oded says, you need Active Directory to be able to open a connection to a remote server using ServerManager.
Assuming you have administrator RDP access server there is an alternative which is to use WinRM and Remote PowerShell (works best with PowerShell 2.0 which comes with the latest version of WinRM) in your build scripts:
Windows Remote Management Command-Line Tool (Winrm.cmd)
To quickly configure WinRM for two machines that are not in a domain:
Client:
winrm quickconfig (just say yes)
winrm set winrm/config/Client/Auth '#{Basic="true"}'
:: Only do this next line if not using HTTPS
winrm set winrm/config/Client '#{AllowUnencrypted="true"}'
winrm set winrm/config/Client '#{TrustedHosts="hostname_or_ip"}'
Server:
winrm quickconfig (just say yes)
winrm set winrm/config/Service/Auth '#{Basic="true"}'
:: See: http://support.microsoft.com/kb/2019527 regarding https
winrm quickconfig -transport:https
:: Only do this if not using HTTPS AND you are happy about sending credentials
:: in clear text.
winrm set winrm/config/Service '#{AllowUnencrypted="true"}'
Now there are some caveats. WinRM will punch a hole in Windows Firewall for ports 5985 and 5986 for the listener (if running Windows Server 2003 it'll use port 80 and 443). This may not be to your liking and you'd probably best speak to your network admins about how to secure that.
Once you have WinRM configured you'll need user account configured on the remote server that is a member of the administrators group. Once done you can then test. On the build server:
# the following line will prompt for a username and password, enter the name of the account
# you just configured on the IIS box
$cred = Get-Credential
# next test the connection
Test-WSMan -ComputerName <server_name_or_ip> -Authentication default `
-Credential $cred
If all is good you should see the following response:
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.x
sd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 6.1.7600 SP: 0.0 Stack: 2.0
The next thing is to connect to a remote PowerShell session:
Enter-PSSession <server_name_or_ip_address> -Authentication default -Credential $cred
If this is successful you should have a PowerShell prompt on the remote machine.
Using Remote PowerShell you can then load the WebAdministration Provider for PowerShell and manipulate many aspects of IIS to your hearts content:
Web Administration (IIS) Provider for Windows PowerShell
To connect to the remote server you need to provide a PSCredential object. As mentioned above you would provide this using:
$cred = Get-Credential
However, this always demands some interaction from the keyboard to provide a username and password. Obviously this is no good for automated CI.
You can however store the password in a file. To do this run the following just once (or whenever the password changes):
read-host -assecurestring | convertfrom-securestring | out-file C:\securestring.txt
Then when you need to create your PSCredential to authenticate to the remote server:
$username = "deployment_user"
$password = cat C:\securestring.txt | convertto-securestring
$cred = new-object -typename System.Management.Automation.PSCredential `
-argumentlist $username, $password
$serverNameOrIp = "192.168.1.1"
Enter-PSSession $serverNameOrIp -Authentication default -Credential $cred
The above script was sourced from the following blog entry but I've duplicated to preserve here just in case that article goes dark:
Using PSCredentials without a prompt - GeeksWithBlogs (archive.org)
Anyway, so once you're connected to the remote server you can issue further commands such as:
Import-Module WebAdministration
CD IIS:\Sites
And so on.
Most of the above should be approached with caution if this machine is internet facing and the only way to access is via the internet. If this is the case consider restricting the WinRM ports to VPN only.
I wrote a WCF service in the end, which runs on the remote machine as a service. The service runs under a local account with administrator rights so that the local IIS instance on that machine can be changed.
From my NAnt script I have a series of custom tasks that communicate to the WCF service and change IIS settings as required.
As this is an internal dev environment I am not too concerned about security and the actual changes to IIS I am allowed are very basic.
Related
I have a ASP.NET C# application and I am able to run it locally on my machine. I see it is IIS Express is hosting my application.
I can access it using 'https://localhost:4374'.
But when I look up my ip address of my machine and then go
https://{my ip address}:4374'.
I get an error saying 'Bad Request - Invalid Host name'
Can you please tell me how can I configure ASP.NET C# application so that I can use it using https://{my ip address}:4374?
Thank you.
1st solution:
Steps:
Open command prompt as administrator
Type the following:
netsh http add iplisten ipaddress (YourIPAddress)
That's it. You should get:
IP address successfully added
2nd solution:
Steps:
Search for IISExpress on your computer
Open config/applicationhost.config file
Search for localhost and replace with (YourIPAddress)
I am trying to integrate Jenkins and Web deploy v3.5 over "HTTP" connection. The server has IIS 10 and Windows Server 2016. The build is getting failed with an error,
Web deployment task failed. (Could not complete the request to remote agent URL 'http://IPAddress:8172/MSDeploy.axd?site=WebSite'.)
I am using the following command,
/property:configuration=Dev /p:DeployOnBuild=True /p:DeployTarget=MsDeployPublish /p:CreatePackageOnPublish=False /p:AllowUntrusted=True /p:MsDeployPublishMethod=WMSvc /p:MsDeployServiceUrl="http://IpAddress:8172/MSDeploy.axd" /p:DeployIisAppPath="WebSite" /p:AllowUntrustedCertificate=True /p:Username=SomeUsername /p:Password=SomePassword
Troubleshooting:
8172 port is allowed for Jenkins.
Web deployment services are running.
Users have been given with sufficient rights to the directory.
WebDeploy user is added to administrator group.
I am suspecting if Web deploy tool doesn't work over HTTP connection, is that true?
Web Deploy is actually just a way of deploying. The services are running on a server and listening on the port 8172. I do not get why you are using a whole web adress, when all you need is the connection to the server (ip or domain only!).
Example: 0.00.000.000 or example.org
Check if you installed the handler too. You need the web deploy service and handler running.
Regards,
Maheshvara
I encountered the problem by taking following steps,
Ms web deploy works under the secure connection. it should be called by https://
Configured three rules as mentioned under Management Service Delegation Rule
2.1 ---- createApp with WDeployConfigWriter User
2.2 ---- setAcl
2.3 ---- contentPath_intiApp
Reference: https://learn.microsoft.com/en-us/iis/publish/using-web-deploy/configure-the-web-deployment-handler
In 2.1 step, WDeployConfigWriter user needs to be created manually. Web deploy tool use two users WDeployAdmin and WDeployConfigWriter
Reference: https://blog.richardszalay.com/2013/08/02/manually-creating-wdeployadmin-and-wdeployconfigwriter/
Is there a way to use WinRM to map a drive on a remote machine with the credentials of the session logged in on that remote machine, WITHOUT prompting the user to input their credentials.
Edit: This machine is on an AD domain, so ideally using the existing auth ticket would be nice.
See How to Run PowerShell Commands on Remote Computers on how to run PS commands remotely, then Powershell: how to map a network drive with a different username/password on the specific command you need.
Could you please advise me, how to configure a DSN entry for SQL Azure on UNix AIX box with DataDirect 6.1 to connect from PowerCenter 9.1.0.
Aix Server: 10.10.10.10 : 2222
On this Port, ABCXYZ9PQR(Database Server name) Database is configured.
Database name: TestDatabase
Telent is working from application server. Telnet 10.10.10.10 2222 --> Connected
Able to connect to the SQL server from Windows.
Please advise me what are the tests do I need to perform, and configure the DSN entry in ODBC.ini.
Thanks,
Sarat
Below steps are necessary for configuring odbc:
Ensure that the env variables ODBCHOME & ODBCINI are set. These has to be set before Informatica Services are started. Else they wont get picked up.
configure DNS in obdc.ini file for the DB server.
Use ssgbodbc utility (download from mysupport site) to test if the odbc connection goes through
Copy the DNS name from the entry in odbc.ini variable and paste it in the Connection String section of the ODBC connection in Workflow Manager.
I'm not clear from your description though:
Can you clarify if the Informatica Services is installed on AIX box (10.10.10.10)? how did you configure the connection to azure on windows box?
-Sadagopan
I'm trying to connect and getting an error like:
Login failed. The login cannot be used with Windows Authentication
I'm using mirrored local accounts on SQL Server and web server because I'm simply trying to use a trusted connection between machines not on the same domain. It seems like something that would be fairly common, but after days of trying to find an answer that applied to my situation, I do not recognize that any of the answers were applicable... that or the fact that I'm only a .NET developer and not a sysadmin or DBA means I have it and just don't know it.
Here's what I can say:
CMS web server: ASP.NET 4.0 web app running on Windows Server 2008, IIS7, on corporate DMZ
CMS database server: SQL Server 2008 R2 on a domain server
For various reasons that I won't go in to, encrypting the credentials is not sufficient.
The database port that the application needs to connect on is not the standard port and is set up to listen on a different port.
Setting up DB mirroring isn't an option and doesn't really address the requirements (in my way of thinking)
Also, FYI if this is helpful to know:
Content entry happens on internal web server which publishes content to same DB that is accessed by the DMZ web server.
Content server is set up to have the website run the app pool in integrated mode with a windows domain user that has been set as a service account using the -ga switch and given all the appropriate rights and everything runs perfect.
External web server, without domain access, using mirrored accounts (same username and password set up on the SQL Server machine and web machine).
Local account on the web server set as a service account using -ga switch and running as the app pool identity for my app.
On the SQL Server box, created local user with identical creds and given same permissions that the domain user identity has
Connecting to SQL Server via MGMT studio installed on web server with the SQL Server user creds works fine.
Now, if I put in the username in to the connection strings, everything is perfect. As soon as I put the trusted_connection=yes in the connection string like I did with the domain server connection strings, I get the trust error.
So if my connection string is like this, it works fine:
Server=myServerAddress;Database=myDataBase;Username=MyUser; Password=MyPassword;
If I change my connection string to either of these, it fails:
Server=myServerAddress;Database=myDataBase;Trusted_Connection=True;
or
Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;
I'm working with one of the client's network admins and he's not necessarily a DBA and doesn't have experience with configuring web apps. So it's possible that we're missing something and any advice or ideas would help. What am I missing?
If using SQL credentials are not an option, then you should use Active Directory and create a one-way trust (have DMZ server domain trust your internal domain), create a service account in your internal domain which your DMZ application can use, and grant that account access to the database. Then it will be able to generate SSPI context.