76022 iis orchestrator 3.0.0 #165
Merged
rcpokorny (Collaborator) commented Dec 10, 2025
- As of this version of the extension, SANs will be handled through the ODKG Enrollment page in Command, and will no longer use the SAN Entry Parameter. This version, we are removing the Entry Parameter "SAN" from the integration-manifest.json, but will still support previous versions of Command in the event the SAN Entry Parameter is passed. The next major version (4.0) will remove all support for the SAN Entry Parameter.
- Added WinADFS Store Type for rotating certificates in ADFS environments. Please note, only the service-communications certificate is rotated throughout your farm.
- Internal only: Added Integration Tests to aid in future development and testing.
- Improved messaging in the event an Entry Parameter is missing (or does not meet the casing requirements)
- Fixed the SNI/SSL flag being returned during inventory, now returns extended SSL flags
- Fixed the SNI/SSL flag when binding the certificate to allow for extended SSL flags
- Added SSL Flag validation to make sure the bit flag is correct. These are the current SSL Flags (NOTE: Values greater than 4 are only supported in IIS 10 version 1809 and higher. The default value is 0):
  - 0 No SNI
  - 1 Use SNI
  - 2 Use Centralized SSL certificate store.
  - 4 Disable HTTP/2.
  - 8 Disable OCSP Stapling.
  - 16 Disable QUIC.
  - 32 Disable TLS 1.3 over TCP.
  - 64 Disable Legacy TLS.
Completed adding Integration Tests
…r SNI retrieval. - Enhanced `New-KFIISSiteBinding` to robustly handle SSL flags, including checks for managed API range and updating extended flags via `appcmd.exe`. - Improved comments and verbose logging for better clarity and debugging.
…rrectly 76938 sni flag not reporting correctly
…N_Entry_Parameter 76023 eliminate but support san entry parameter
…ocal and remote sessions.
… additional "housekeeping" for ADFS.
…tor/iis-orchestrator into 60764_Adding_ADFS_Support
60764 adding adfs support
Updated SAN handling in integration-manifest.json and clarified support for previous versions. Added new features and improvements.
Updated changelog to reflect changes in version 3.0.0, including SAN handling and new WinADFS Store Type.
Added SSL Flag validation details and improved messaging.
Updated SSL Flag descriptions for clarity and accuracy.
Fixed an issue with SSL flags
…he Windows Server.
…ng_Issues Fixed SSH Formatting issue
…Using_SSH Update generated docs
…e automatically added via Command.
indrora approved these changes Dec 10, 2025
indrora pushed a commit that referenced this pull request Dec 10, 2025
* As of this version of the extension, SANs will be handled through the ODKG Enrollment page in Command, and will no longer use the SAN Entry Parameter. This version, we are removing the Entry Parameter "SAN" from the integration-manifest.json, but will still support previous versions of Command in the event the SAN Entry Parameter is passed. The next major version (4.0) will remove all support for the SAN Entry Parameter.
* Added WinADFS Store Type for rotating certificates in ADFS environments. Please note, only the service-communications certificate is rotated throughout your farm.
* Internal only: Added Integration Tests to aid in future development and testing.
* Improved messaging in the event an Entry Parameter is missing (or does not meet the casing requirements)
* Fixed the SNI/SSL flag being returned during inventory, now returns extended SSL flags
* Fixed the SNI/SSL flag when binding the certificate to allow for extended SSL flags
* Added SSL Flag validation to make sure the bit flag is correct. These are the current SSL Flags (NOTE: Values greater than 4 are only supported in IIS 10 version 1809 and higher. The default value is 0):
  * 0 No SNI
  * 1 Use SNI
  * 2 Use Centralized SSL certificate store.
  * 4 Disable HTTP/2.
  * 8 Disable OCSP Stapling.
  * 16 Disable QUIC.
  * 32 Disable TLS 1.3 over TCP.
  * 64 Disable Legacy TLS.

---------

Co-authored-by: Bob Pokorny <[email protected]>
Co-authored-by: Keyfactor <[email protected]>
Signed-off-by: Morgan Gangwere <[email protected]>
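The SSL flag bit-mask validation described in the change list above, as an added PowerShell example; it is not the extension's own code. The function name `Test-SslFlagValue`, the `-OsBuild` parameter, reading "values greater than 4" as flag bits 8 and above, and treating OS build 17763 as IIS 10 version 1809 are assumptions of this example.

```powershell
# Added example, not the extension's code. Bits and names come from the flag list above.
$SslFlagTable = @(
    @{ Bit = 1;  Name = 'Use SNI' }
    @{ Bit = 2;  Name = 'Use Centralized SSL certificate store' }
    @{ Bit = 4;  Name = 'Disable HTTP/2' }
    @{ Bit = 8;  Name = 'Disable OCSP Stapling' }
    @{ Bit = 16; Name = 'Disable QUIC' }
    @{ Bit = 32; Name = 'Disable TLS 1.3 over TCP' }
    @{ Bit = 64; Name = 'Disable Legacy TLS' }
)

function Test-SslFlagValue {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][int]$SslFlags,
        # Assumption: OS build 17763 or later means IIS 10 version 1809 or higher.
        [int]$OsBuild = [Environment]::OSVersion.Version.Build
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $names    = [System.Collections.Generic.List[string]]::new()
    $knownMask = 0
    foreach ($f in $SslFlagTable) { $knownMask = $knownMask -bor $f.Bit }   # all defined bits

    if ($SslFlags -lt 0) {
        $problems.Add("SSL flag value $SslFlags is negative.")
    } else {
        $unknown = $SslFlags -band (-bnot $knownMask)   # bits not in the documented list
        if ($unknown -ne 0) { $problems.Add("Undefined SSL flag bit(s) set: $unknown.") }
        foreach ($f in $SslFlagTable) {
            if ($SslFlags -band $f.Bit) { $names.Add($f.Name) }
        }
        if ($SslFlags -eq 0) { $names.Add('No SNI') }   # 0 is the default
        # Assumption: "values greater than 4" means any bit of 8 or above is set.
        if (($SslFlags -band (-bnot 7)) -ne 0 -and $OsBuild -lt 17763) {
            $problems.Add("Flags above 4 need IIS 10 version 1809 or higher (build $OsBuild).")
        }
    }
    [pscustomobject]@{
        Value    = $SslFlags
        IsValid  = ($problems.Count -eq 0)
        Flags    = $names.ToArray()
        Problems = $problems.ToArray()
    }
}

# Constructed sample inputs: a valid combination, an extended flag on an older build,
# and a value with a bit outside the documented list.
Test-SslFlagValue -SslFlags 3   -OsBuild 17763
Test-SslFlagValue -SslFlags 9   -OsBuild 14393
Test-SslFlagValue -SslFlags 128 -OsBuild 17763
```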