Create a new Microsoft IIS machine

Creating a new machine is the initial step in enabling TLS Protect Cloud to connect directly to application keystores for certificate management. Once you have created machines, you can move on to provisioning certificates to those machines.

Before you begin

Decide which authentication mechanism to use:

  • Basic Authentication over HTTPS is your only option for push installation to a Windows Server that is not joined to a domain.
  • Kerberos Authentication over HTTP is your best option if the Windows Server is joined to a domain and you are not able to bootstrap the Windows Server with a TLS Server Certificate initially. This requires you to set the WinRM configuration to allow unencrypted communication.
  • Kerberos Authentication over HTTPS is your best option if the Windows Server is joined to a domain and you already have a trusted TLS Server Certificate installed. Additional steps may be required to bind that certificate to the WinRM HTTPS listener.

Follow the prerequisite configuration steps below:

  • Ensure that you know the Windows Remote Management (WinRM) port you plan to use.
  • Credentials: Choose between user credentials or shared credentials.
    • User credentials: The account you use must have admin permission.
    • Shared credentials: Optionally, you can use shared credentials from your credential provider (CyberArk is the only credential provider currently supported by TLS Protect Cloud). To use this option, first set up the connection to CyberArk.
  • If using Kerberos, you will also need:

    • Domain Name
    • Key distribution center address or hostname
    • Service Principal Name
  • Supported Windows versions

    • Windows Server 2019 and 2022

From the Authentication Type drop-down, select either Basic Authentication or Kerberos Authentication, then follow the steps below.

Note

For each of the methods outlined below, please follow these guidelines:

  • If the UPN (UserPrincipalName) format fails for your username, try removing the domain name, leaving just the common name of the username, such as "jsmith".
  • Windows Management Framework (WMF) 5.1 or higher is required.

Basic Authentication over HTTPS

Prerequisite configuration

To do Basic Authentication securely, you must do it over a TLS-encrypted connection. This means that your target Windows host must already have a valid TLS Server Certificate installed before you can use Basic Authentication to rotate the existing certificate or install new certificates. Because of this prerequisite, Basic Authentication (push installation) may not be suitable for all use cases. See the VCert Readme for information on how to perform pull installations of certificates on Windows-based systems.

Note

The certificate must be installed in the LocalMachine\My CAPI store (Local Computer > Personal store if using the Certificates MMC snap-in) so WinRM can use it.

  • A local (non-domain) user that is a member of the local “Administrators” group.

  • Basic Authentication set to True (each command below is shown first in its Command Prompt form and then in its PowerShell form, which quotes the @{...} argument so that PowerShell does not parse it as a hash table)

    winrm set winrm/config/service/auth @{Basic="true"}
    
    winrm set winrm/config/service/auth '@{Basic="true"}'
    
  • A certificate with “Server Authentication” Extended Key Usage, bound to the WinRM service

    winrm set winrm/config/service @{CertificateThumbprint="ABC"}
    
    winrm set winrm/config/service '@{CertificateThumbprint="ABC"}'
    

    (replacing ABC with the actual thumbprint of the certificate referenced above)

  • An HTTPS listener configured with that certificate

    winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{CertificateThumbprint="ABC"}
    
    winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{CertificateThumbprint="ABC"}'
    
  1. Enter the Microsoft IIS Hostname and the Windows Remote Management (WinRM) port.
  2. Enable Use TLS for WinRM to secure the username and password when TLS Protect Cloud communicates with the IIS server.

    Warning

    Disabling this option will send the username and password in plaintext over the network.

  3. (Optional) From the Credential Type drop-down, select either Enter Credentials or Select Credentials. Only users with the enabled "CyberArk shared credential" capability will see this option.

    Important

    Your view of credentials may be limited due to your role. System Administrators and PKI Administrators should be able to select any credential, but users with the Resource Owner role are limited to only using the credentials associated with their teams.

    Note

    • Enter Credentials - Used to enter your admin credentials manually.
    • Select Credentials - Used to select your shared credentials from CyberArk.
    • If you choose Enter Credentials, enter your Microsoft IIS admin credentials in the Username and Password fields.
    • If you choose Select Credentials, select your shared credentials from the Credential drop-down.
  4. Enter your Microsoft IIS admin credentials in the Username and Password fields.

    Warning

    If you encounter an error message while using a username formatted as a User Principal Name (UPN), such as "jsmith@company.com", try using only the common name of the username, for example, "jsmith".

  5. Click Test Access, and then click Create. Note that Create is only enabled if the Test Access is successful.

Kerberos Authentication over HTTP

Prerequisite configuration

  • An Active Directory domain user that is directly or indirectly a member of the local “Administrators” group.

  • Kerberos Authentication set to True (each command below is shown first in its Command Prompt form and then in its PowerShell form, which quotes the @{...} argument so that PowerShell does not parse it as a hash table)

    winrm set winrm/config/service/auth @{Kerberos="true"}
    
    winrm set winrm/config/service/auth '@{Kerberos="true"}'
    
  • Unencrypted traffic allowed on the WinRM service, so that Kerberos authentication can be negotiated over the HTTP listener:

    winrm set winrm/config/service @{AllowUnencrypted="true"}
    
    winrm set winrm/config/service '@{AllowUnencrypted="true"}'
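
The Kerberos-over-HTTP prerequisites above can be audited from the target host with the following PowerShell. It is an added example, not part of this documentation or of TLS Protect Cloud. It assumes an elevated session on a domain-joined server where setspn.exe is available; the function name Get-WinRMKerberosPosture and the findings it reports are this example's own.

```powershell
# Added example (not from the TLS Protect Cloud documentation): audit the WinRM
# service settings that the Kerberos-over-HTTP option depends on, and flag the
# combination that would expose credentials. Run in an elevated PowerShell
# session on the target Windows Server.

function Get-WinRMKerberosPosture {
    [CmdletBinding()]
    param(
        # Computer whose SPNs are queried; defaults to the local machine.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Read the service-side settings through the WSMan: provider.
    $svc   = 'WSMan:\localhost\Service'
    $kerb  = [bool]::Parse((Get-Item "$svc\Auth\Kerberos").Value)
    $basic = [bool]::Parse((Get-Item "$svc\Auth\Basic").Value)
    $unenc = [bool]::Parse((Get-Item "$svc\AllowUnencrypted").Value)

    # Enumerate listeners so we know whether an HTTP listener actually exists.
    $listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $props = Get-ChildItem $_.PSPath
        [pscustomobject]@{
            Transport = ($props | Where-Object Name -eq 'Transport').Value
            Port      = ($props | Where-Object Name -eq 'Port').Value
            Address   = ($props | Where-Object Name -eq 'Address').Value
        }
    }

    # setspn -L prints every SPN registered on the computer account; keep the
    # HTTP/ and WSMAN/ entries, which are the ones a WinRM client requests.
    $spns = & setspn.exe -L $ComputerName 2>$null |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^(HTTP|WSMAN)/' }

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $kerb)  { $findings.Add('Kerberos auth is disabled on the WinRM service.') }
    if (-not $unenc) { $findings.Add('AllowUnencrypted is false; the HTTP listener will not accept this connection profile.') }
    if ($listeners.Transport -notcontains 'HTTP') { $findings.Add('No HTTP listener is configured.') }
    if ($spns.Count -eq 0) { $findings.Add("No HTTP/ or WSMAN/ SPNs found for $ComputerName; Kerberos cannot be negotiated.") }
    # Basic auth on a service that allows unencrypted traffic means any client
    # that picks Basic sends its password in the clear over HTTP.
    if ($basic -and $unenc) {
        $findings.Add('Basic auth is enabled alongside AllowUnencrypted: a Basic client over HTTP sends its password in plaintext. Keep Basic=false on this host unless it is needed over HTTPS.')
    }

    [pscustomobject]@{
        Kerberos         = $kerb
        Basic            = $basic
        AllowUnencrypted = $unenc
        Listeners        = $listeners
        SPNs             = $spns
        Findings         = $findings
    }
}

Get-WinRMKerberosPosture | Format-List
```

An empty Findings list means the host matches the profile on this tab. The Basic-plus-AllowUnencrypted finding is the one to act on before Test Access: the documentation's Warning about plaintext credentials applies to exactly that combination, and nothing in the Kerberos-over-HTTP profile requires Basic to be on.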
    
  1. Enter the Microsoft IIS Hostname and the WinRM Port.
  2. Leave Use TLS for WinRM disabled so TLS Protect Cloud communicates with the IIS server over HTTP.

    Tip

    Since Kerberos already has built-in encryption, this option isn't necessary to secure data sent over the network.

  3. Enter the Domain Name, Key Distribution Center Address/Hostname, and Service Principal Name.

    Tip

    Need to view your SPN? Run the setspn -L hostname command, where hostname is the actual hostname of the computer object that you want to query.

  4. (Optional) From the Credential Type drop-down, select either Enter Credentials or Select Credentials. Only users with the enabled "CyberArk shared credential" capability will see this option.

    Important

    Your view of credentials may be limited due to your role. System Administrators and PKI Administrators should be able to select any credential, but users with the Resource Owner role are limited to only using the credentials associated with their teams.

    Note

    • Enter Credentials - Used to enter your admin credentials manually.
    • Select Credentials - Used to select your shared credentials from CyberArk.
    • If you choose Enter Credentials, enter your Microsoft IIS admin credentials in the Username and Password fields.
    • If you choose Select Credentials, select your shared credentials from the Credential drop-down.
  5. Enter your Microsoft IIS admin credentials in the Username and Password fields.

    Warning

    If you encounter an error message while using a username formatted as a User Principal Name (UPN), such as "jsmith@company.com", try using only the common name of the username, for example, "jsmith".

  6. Click Test Access, then click Create. Note that Create is only enabled if the Test Access is successful.

Kerberos Authentication over HTTPS

Prerequisite configuration

If your organization requires Kerberos over HTTPS, your target Windows host must already have a valid TLS Server Certificate installed before you can use Kerberos Authentication to rotate the existing certificate or install new certificates. Because of this prerequisite, Kerberos Authentication over HTTPS (push installation) may not be suitable for all use cases. See the VCert Readme for information on how to perform pull installations of certificates on Windows-based systems.

Note

The certificate must be installed in the LocalMachine\My CAPI store (Local Computer > Personal store if using the Certificates MMC snap-in) so WinRM can use it.

  • An Active Directory domain user that is directly or indirectly a member of the local “Administrators” group.

  • Kerberos Authentication set to True (each command below is shown first in its Command Prompt form and then in its PowerShell form, which quotes the @{...} argument so that PowerShell does not parse it as a hash table)

    winrm set winrm/config/service/auth @{Kerberos="true"}
    
    winrm set winrm/config/service/auth '@{Kerberos="true"}'
    
  • A certificate with “Server Authentication” Extended Key Usage, bound to the WinRM service

    winrm set winrm/config/service @{CertificateThumbprint="ABC"}
    
    winrm set winrm/config/service '@{CertificateThumbprint="ABC"}'
    

    (replacing ABC with the actual thumbprint of the certificate referenced above)

  • An HTTPS listener configured with that certificate

    winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{CertificateThumbprint="ABC"}
    
    winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{CertificateThumbprint="ABC"}'
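
The certificate and listener prerequisites for Basic Authentication over HTTPS and for Kerberos Authentication over HTTPS are the same winrm commands with a different Auth setting. The following PowerShell, added here as an example and not taken from this documentation or from TLS Protect Cloud, performs them through the WSMan: provider and selects the certificate from LocalMachine\My by its properties instead of a hard-coded thumbprint. It assumes an elevated session on the target host; the function name Set-WinRMHttpsListener, the hostname-matching rule and turning AllowUnencrypted off are this example's own choices.

```powershell
# Added example (not from the TLS Protect Cloud documentation): pick a Server
# Authentication certificate from LocalMachine\My, point the WinRM service at
# it, create the HTTPS listener and enable the chosen authentication method.
# Run elevated on the target host.

function Set-WinRMHttpsListener {
    [CmdletBinding()]
    param(
        # Basic = the Basic-over-HTTPS profile, Kerberos = Kerberos-over-HTTPS.
        [Parameter(Mandatory = $true)]
        [ValidateSet('Basic', 'Kerberos')]
        [string]$Auth,

        # Name the client will put in the URL; the certificate must cover it.
        [string]$HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,

        # Supply a thumbprint to bypass the automatic selection below.
        [string]$Thumbprint
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

    if (-not $Thumbprint) {
        # Candidates: private key present, currently valid, Server
        # Authentication EKU, and a subject CN or SAN that names this host.
        $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            $_.NotBefore -lt (Get-Date) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
            (($_.DnsNameList.Unicode -contains $HostName) -or
             ($_.Subject -match "CN=$([regex]::Escape($HostName))(,|$)"))
        } | Sort-Object NotAfter -Descending

        if (-not $candidates) {
            throw "No usable Server Authentication certificate for $HostName in LocalMachine\My."
        }
        $Thumbprint = $candidates[0].Thumbprint
    }

    # Equivalent of: winrm set winrm/config/service '@{CertificateThumbprint="..."}'
    Set-Item -Path WSMan:\localhost\Service\CertificateThumbprint -Value $Thumbprint -Force

    # Equivalent of: winrm create winrm/config/Listener?Address=*+Transport=HTTPS ...
    # An existing HTTPS listener is replaced so the new certificate is the one served.
    $existing = Get-ChildItem WSMan:\localhost\Listener | Where-Object {
        (Get-ChildItem $_.PSPath | Where-Object Name -eq 'Transport').Value -eq 'HTTPS'
    }
    if ($existing) { Remove-Item -Path $existing.PSPath -Recurse -Force }
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address '*' `
        -CertificateThumbPrint $Thumbprint -HostName $HostName -Force | Out-Null

    # Equivalent of: winrm set winrm/config/service/auth '@{Basic="true"}' or '@{Kerberos="true"}'
    Set-Item -Path "WSMan:\localhost\Service\Auth\$Auth" -Value $true -Force

    # Example's own hardening: with an HTTPS listener there is no reason for
    # the service to accept cleartext sessions.
    Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false -Force

    [pscustomobject]@{
        HostName   = $HostName
        Thumbprint = $Thumbprint
        Auth       = $Auth
        Listeners  = (Get-ChildItem WSMan:\localhost\Listener | Select-Object -ExpandProperty Name)
    }
}

# Kerberos over HTTPS on this host, certificate chosen automatically:
Set-WinRMHttpsListener -Auth Kerberos
```

Use -Auth Basic for the Basic Authentication over HTTPS profile. The hostname check matters because TLS Protect Cloud validates the listener's certificate against the Microsoft IIS Hostname you enter; a certificate that passes the EKU test but names a different host will still fail Test Access.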
    
  1. Enter the Microsoft IIS Hostname and the WinRM Port.
  2. Enable Use TLS for WinRM if you want TLS to be used when TLS Protect Cloud communicates with the IIS server.

    Tip

    Since Kerberos already has built-in encryption, this option isn't necessary to secure data sent over the network.

  3. Enter the Domain Name, Key Distribution Center Address/Hostname, and Service Principal Name.

    Tip

    Need to view your SPN? Run the setspn -L hostname command, where hostname is the actual hostname of the computer object that you want to query.

  4. (Optional) From the Credential Type drop-down, select either Enter Credentials or Select Credentials. Only users with the enabled "CyberArk shared credential" capability will see this option.

    Important

    Your view of credentials may be limited due to your role. System Administrators and PKI Administrators should be able to select any credential, but users with the Resource Owner role are limited to only using the credentials associated with their teams.

    Note

    • Enter Credentials - Used to enter your admin credentials manually.
    • Select Credentials - Used to select your shared credentials from CyberArk.
    • If you choose Enter Credentials, enter your Microsoft IIS admin credentials in the Username and Password fields.
    • If you choose Select Credentials, select your shared credentials from the Credential drop-down.
  5. Enter your Microsoft IIS admin credentials in the Username and Password fields.

    Warning

    If you encounter an error message while using a username formatted as a User Principal Name (UPN), such as "jsmith@company.com", try using only the common name of the username, for example, "jsmith".

  6. Click Test Access, then click Create. Note that Create is only enabled if the Test Access is successful.
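
Before clicking Test Access for any of the three profiles, you can reproduce its checks from another Windows machine with the PowerShell below, an added example that is not taken from this documentation or from TLS Protect Cloud. It opens a TLS session to the WinRM HTTPS port to see which certificate the listener presents and whether this client trusts it, then runs Test-WSMan with the chosen authentication. It assumes the WinRM port is reachable from where it runs and that the hostname you pass is the one TLS Protect Cloud will use (for Kerberos it must match the SPN); the function name Test-WinRMTarget and its parameters are this example's own.

```powershell
# Added example (not from the TLS Protect Cloud documentation): client-side
# approximation of the "Test Access" button. Run from a Windows machine that
# can reach the target's WinRM port.

function Test-WinRMTarget {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 5986,
        [ValidateSet('Basic', 'Kerberos')][string]$Authentication = 'Kerberos',
        [switch]$UseSSL,
        [pscredential]$Credential
    )

    $result = [ordered]@{ HostName = $HostName; Port = $Port; Authentication = $Authentication }

    if ($UseSSL) {
        # Inspect the listener's certificate ourselves rather than letting the
        # handshake fail opaquely: accept it in the callback, then validate it.
        $tcp = New-Object System.Net.Sockets.TcpClient
        $ssl = $null
        try {
            $tcp.Connect($HostName, $Port)
            $ssl = New-Object System.Net.Security.SslStream(
                $tcp.GetStream(), $false,
                [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

            # Chain validation against this machine's trust store.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $trusted = $chain.Build($cert)

            $result.Certificate   = $cert.Subject
            $result.Thumbprint    = $cert.Thumbprint
            $result.NotAfter      = $cert.NotAfter
            $result.ChainTrusted  = $trusted
            $result.ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            $result.NameMatches   = (($cert.DnsNameList.Unicode -contains $HostName) -or
                                     ($cert.Subject -match "CN=$([regex]::Escape($HostName))(,|$)"))
            $result.ServerAuthEKU = ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
        } finally {
            if ($ssl) { $ssl.Close() }
            $tcp.Close()
        }
    }

    # The WS-Management Identify exchange, which is what Test Access relies on.
    $params = @{ ComputerName = $HostName; Port = $Port; Authentication = $Authentication; ErrorAction = 'Stop' }
    if ($UseSSL)     { $params.UseSSL = $true }
    if ($Credential) { $params.Credential = $Credential }
    try {
        $id = Test-WSMan @params
        $result.WSManReachable = $true
        $result.ProductVersion = $id.ProductVersion
    } catch {
        $result.WSManReachable = $false
        $result.Error = $_.Exception.Message
    }

    [pscustomobject]$result
}

# Basic over HTTPS (hostname and credentials are placeholders):
# Test-WinRMTarget -HostName iis01.example.com -UseSSL -Authentication Basic -Credential (Get-Credential)
# Kerberos over HTTP:
# Test-WinRMTarget -HostName iis01.example.com -Port 5985 -Authentication Kerberos
# Kerberos over HTTPS:
# Test-WinRMTarget -HostName iis01.example.com -UseSSL -Authentication Kerberos
```

Test-WSMan with -Authentication Basic needs -Credential; for Kerberos the current logon identity is used when none is given. ChainTrusted = False with NameMatches = True usually means the issuing CA is not trusted on the client, which is the case the documentation's "trusted TLS Server Certificate" requirement is about; NameMatches = False means the certificate is valid but was issued for a different name than the one you are entering as the Microsoft IIS Hostname.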

What's next?

Now that you have one or more machines created, you can provision certificates to those machines.