Create a new Microsoft IIS machine¶
Creating a new machine is the initial step in enabling TLS Protect Cloud to connect directly to application keystores for certificate management. Once you have created machines, you can move on to provisioning certificates to those machines.
Before you begin¶
Decide which authentication mechanism to use:
- Basic authentication over HTTPS is your only option for push installation to a Windows server that is not joined to a domain.
- Kerberos authentication over HTTP is your best option if the Windows Server is joined to a domain and you cannot initially bootstrap the server with a TLS Server Certificate. This requires you to set the WinRM configuration to allow unencrypted communication.
- Kerberos authentication over HTTPS is your best option if the Windows Server is joined to a domain and you already have a trusted TLS Server Certificate installed. Additional steps may be required to bind that certificate to the WinRM HTTPS Listener.
Follow the prerequisite configuration steps below:
- Ensure that you know the Windows Remote Management (WinRM) port you plan to use.
- Minimum required credentials on Microsoft IIS: choose between user credentials or shared credentials. Whichever account you use must have permissions to create, read, and write to the CAPI stores, and to update website bindings on the Microsoft IIS server. The easiest way is to use a service account with local or domain admin permissions, unless you have a delegated user with the permissions to update the CAPI store.
  - User credentials: The username and password you enter.
  - Shared credentials: Optionally, you can use shared credentials from your credential provider (CyberArk is the only credential provider currently supported by TLS Protect Cloud). To use this option, first set up the connection to CyberArk.
- If using Kerberos, you will also need:
  - Domain Name
  - Key distribution center address or hostname
  - Service Principal Name
- Supported Windows versions:
  - Windows Server 2019 and 2022
From the Authentication Type drop-down, select either Basic Authentication or Kerberos Authentication, then follow the steps below.
Note
For each of the methods outlined below, please follow these guidelines:
- If the UPN (UserPrincipalName) format fails for your username, try removing the domain name, leaving just the common name of the username, such as "jsmith".
- Windows Management Framework (WMF) 5.1 or higher is required.
Basic Authentication over HTTPS: Prerequisite configuration¶
To use Basic Authentication securely, you must do it over a TLS-encrypted connection. This means that your target Windows host must already have a valid TLS Server Certificate installed before you can use Basic Authentication to rotate the existing certificate or install new certificates. Because of this prerequisite, Basic Authentication and push installation may not be suitable for all use cases. See the VCert Readme for information on pull installation of certificates on Windows-based systems.
Note
The certificate must be installed in the LocalMachine\My CAPI store (Local Computer > Personal store if using the Certificates MMC snap-in) so WinRM can use it.
- A local (non-domain) user that is a member of the local “Administrators” group.
- Basic Authentication set to True:
    winrm set winrm/config/service/auth @{Basic="true"}
    winrm set winrm/config/service/auth '@{Basic="true"}'
- A certificate with “Server Authentication” Extended Key Usage:
    winrm set winrm/config/service @{CertificateThumbprint="ABC"}
    winrm set winrm/config/service '@{CertificateThumbprint="ABC"}'
  (replacing ABC with the actual thumbprint of the certificate referenced above)
- An HTTPS listener configured with that certificate:
    winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{CertificateThumbprint="ABC"}
    winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{CertificateThumbprint="ABC"}'
The first form of each command is for cmd.exe; the second, with the hashtable literal in single quotes, is for PowerShell.
- Enter the Microsoft IIS Hostname and the Windows Remote Management (WinRM) port.
- Enable Use TLS for WinRM to secure the username and password when TLS Protect Cloud communicates with the IIS server.
Warning
Disabling this option will send the username and password in plaintext over the network.
- (Optional) From the Credential Type drop-down, select either Enter Credentials or Select Credentials. Only users with the enabled "CyberArk shared credential" capability will see this option.
Important
Your view of credentials may be limited due to your role. System Administrators and PKI Administrators should be able to select any credential, but users with the Resource Owner role are limited to only using the credentials associated with their teams.
Note
- Enter Credentials - Is used to enter your admin credentials manually.
- Select Credentials - Is used to select your shared credentials from CyberArk.
- If you choose Enter Credentials, enter your Microsoft IIS admin credentials in the Username and Password fields.
- If you choose Select Credentials, select your shared credentials from the Credential drop-down.
- Enter your Microsoft IIS admin credentials in the Username and Password fields.
Warning
If you encounter an error message while using a username formatted as a User Principal Name (UPN), such as "jsmith@company.com", try using only the common name of the username, for example, "jsmith".
Warning
Remember to store your username and password securely when creating a new machine. For security reasons, you will not be able to modify the fields under the "Access" tab without these credentials. This ensures that only authorized individuals can modify these fields.
- Click Test Access, and then click Create. Note that Create is only enabled if the Test Access is successful.
Kerberos Authentication over HTTP: Prerequisite configuration¶
- An Active Directory domain user that is directly or indirectly a member of the local “Administrators” group.
- Kerberos Authentication set to True:
    winrm set winrm/config/service/auth @{Kerberos="true"}
    winrm set winrm/config/service/auth '@{Kerberos="true"}'
- Unencrypted traffic allowed so Kerberos authentication can be negotiated with WinRM:
    winrm set winrm/config/service @{AllowUnencrypted="true"}
    winrm set winrm/config/service '@{AllowUnencrypted="true"}'
The first form of each command is for cmd.exe; the second, with the hashtable literal in single quotes, is for PowerShell.
- Enter the Microsoft IIS Hostname and the WinRM Port.
- Leave Use TLS for WinRM disabled so TLS Protect Cloud communicates with the IIS server over HTTP.
Tip
Since Kerberos already has built-in encryption, this option isn't necessary to secure data sent over the network.
- Enter the Domain Name, Key Distribution Center Address/Hostname, and Service Principal Name.
Tip
Need to view your SPN? Run the setspn -L hostname command, where hostname is the actual hostname of the computer object that you want to query.
- (Optional) From the Credential Type drop-down, select either Enter Credentials or Select Credentials. Only users with the enabled "CyberArk shared credential" capability will see this option.
Important
Your view of credentials may be limited due to your role. System Administrators and PKI Administrators should be able to select any credential, but users with the Resource Owner role are limited to only using the credentials associated with their teams.
Note
- Enter Credentials - Is used to enter your admin credentials manually.
- Select Credentials - Is used to select your shared credentials from CyberArk.
- If you choose Enter Credentials, enter your Microsoft IIS admin credentials in the Username and Password fields.
- If you choose Select Credentials, select your shared credentials from the Credential drop-down.
- Enter your Microsoft IIS admin credentials in the Username and Password fields.
Warning
If you encounter an error message while using a username formatted as a User Principal Name (UPN), such as "jsmith@company.com", try using only the common name of the username, for example, "jsmith".
Warning
Remember to store your username and password securely when creating a new machine. For security reasons, you will not be able to modify the fields under the "Access" tab without these credentials. This ensures that only authorized individuals can modify these fields.
- Click Test Access, and then click Create. Note that Create is only enabled if the Test Access is successful.
Kerberos Authentication over HTTPS: Prerequisite configuration¶
If your organization requires Kerberos over HTTPS, your target Windows host must already have a valid TLS Server Certificate installed before you can use Kerberos Authentication to rotate the existing certificate or install new certificates. Because of this prerequisite, Kerberos Authentication and push installation may not be suitable for all use cases. See the VCert Readme for information on pull installation of certificates on Windows-based systems.
Note
The certificate must be installed in the LocalMachine\My CAPI store (Local Computer > Personal store if using the Certificates MMC snap-in) so WinRM can use it.
- An Active Directory domain user that is directly or indirectly a member of the local “Administrators” group.
- Kerberos Authentication set to True:
    winrm set winrm/config/service/auth @{Kerberos="true"}
    winrm set winrm/config/service/auth '@{Kerberos="true"}'
- A certificate with “Server Authentication” Extended Key Usage:
    winrm set winrm/config/service @{CertificateThumbprint="ABC"}
    winrm set winrm/config/service '@{CertificateThumbprint="ABC"}'
  (replacing ABC with the actual thumbprint of the certificate referenced above)
- An HTTPS listener configured with that certificate:
    winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{CertificateThumbprint="ABC"}
    winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{CertificateThumbprint="ABC"}'
The first form of each command is for cmd.exe; the second, with the hashtable literal in single quotes, is for PowerShell.
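Before clicking Test Access, it is worth confirming on the host itself that the settings from the three Prerequisite configuration lists (Basic over HTTPS, Kerberos over HTTP, Kerberos over HTTPS) really took effect. The following PowerShell check script is an added example, not part of the TLS Protect Cloud documentation or product; it assumes an elevated session on the IIS host, and the -Mode parameter name and the [PASS]/[FAIL] output format are my own choices.

```powershell
# Added check script (not from the TLS Protect Cloud docs). Run in an elevated
# PowerShell session on the IIS host; -Mode picks which configuration to verify.
param(
    [ValidateSet('BasicHttps', 'KerberosHttp', 'KerberosHttps')]
    [string]$Mode = 'BasicHttps'
)
$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # OID of the "Server Authentication" EKU
$script:allOk = $true
function Check([bool]$Cond, [string]$Msg) {
    if ($Cond) { Write-Host "[PASS] $Msg" } else { Write-Host "[FAIL] $Msg"; $script:allOk = $false }
}

# Service settings, read through the WSMan: drive (the same values 'winrm set' writes)
$basic       = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'true'
$kerberos    = (Get-Item WSMan:\localhost\Service\Auth\Kerberos).Value -eq 'true'
$unencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true'
$svcThumb    = (Get-Item WSMan:\localhost\Service\CertificateThumbprint).Value -replace '\s', ''
$listeners   = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate
$https       = $listeners | Where-Object { $_.Transport -eq 'HTTPS' } | Select-Object -First 1
$http        = $listeners | Where-Object { $_.Transport -eq 'HTTP' }  | Select-Object -First 1

switch ($Mode) {
    'BasicHttps'    { Check $basic "Basic authentication is enabled"
                      Check (-not $unencrypted) "AllowUnencrypted is false: credentials only travel inside TLS" }
    'KerberosHttp'  { Check $kerberos "Kerberos authentication is enabled"
                      Check $unencrypted "AllowUnencrypted is true (needed for WinRM over HTTP)"
                      Check ($null -ne $http) "An HTTP listener exists" }
    'KerberosHttps' { Check $kerberos "Kerberos authentication is enabled" }
}
if ($Mode -ne 'KerberosHttp') {
    # Both HTTPS modes need a listener bound to a usable Server Authentication certificate
    Check ($null -ne $https) "An HTTPS listener exists"
    if ($https) {
        $thumb = $https.CertificateThumbprint -replace '\s', ''
        Check ($thumb -eq $svcThumb) "Listener and service reference the same thumbprint ($thumb)"
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
        Check ($null -ne $cert) "Certificate is present in LocalMachine\My"
        if ($cert) {
            Check $cert.HasPrivateKey "Certificate has a private key"
            Check (@($cert.EnhancedKeyUsageList.ObjectId) -contains $serverAuthEku) "Certificate has the Server Authentication EKU"
            Check ($cert.NotAfter -gt (Get-Date)) "Certificate has not expired"
        }
    }
}
Write-Host ("Overall: " + $(if ($script:allOk) { 'READY' } else { 'NOT READY' }))
```

A [FAIL] on the thumbprint or EKU lines is the usual reason a Test Access over HTTPS fails even though the winrm commands above were run.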
- Enter the Microsoft IIS Hostname and the WinRM Port.
- Enable Use TLS for WinRM if you want TLS to be used when TLS Protect Cloud communicates with the IIS server.
Tip
Since Kerberos already has built-in encryption, this option isn't necessary to secure data sent over the network.
- Enter the Domain Name, Key Distribution Center Address/Hostname, and Service Principal Name.
Tip
Need to view your SPN? Run the setspn -L hostname command, where hostname is the actual hostname of the computer object that you want to query.
- (Optional) From the Credential Type drop-down, select either Enter Credentials or Select Credentials. Only users with the enabled "CyberArk shared credential" capability will see this option.
Important
Your view of credentials may be limited due to your role. System Administrators and PKI Administrators should be able to select any credential, but users with the Resource Owner role are limited to only using the credentials associated with their teams.
Note
- Enter Credentials - Is used to enter your admin credentials manually.
- Select Credentials - Is used to select your shared credentials from CyberArk.
- If you choose Enter Credentials, enter your Microsoft IIS admin credentials in the Username and Password fields.
- If you choose Select Credentials, select your shared credentials from the Credential drop-down.
- Enter your Microsoft IIS admin credentials in the Username and Password fields.
Warning
If you encounter an error message while using a username formatted as a User Principal Name (UPN), such as "jsmith@company.com", try using only the common name of the username, for example, "jsmith".
Warning
Remember to store your username and password securely when creating a new machine. For security reasons, you will not be able to modify the fields under the "Access" tab without these credentials. This ensures that only authorized individuals can modify these fields.
- Click Test Access, and then click Create. Note that Create is only enabled if the Test Access is successful.
What's next?¶
- Now that you have one or more machines created, you can provision certificates to those machines.
- You can also discover certificates on machines to enable easy tracking of certificates deployed to your machines.