76022 iis orchestrator 3.0.0 Ready for release #178
base: release-3.0
Completed adding Integration Tests
…r SNI retrieval. - Enhanced `New-KFIISSiteBinding` to robustly handle SSL flags, including checks for managed API range and updating extended flags via `appcmd.exe`. - Improved comments and verbose logging for better clarity and debugging.
…rrectly 76938 sni flag not reporting correctly
…N_Entry_Parameter 76023 eliminate but support san entry parameter
…ocal and remote sessions.
… additional "housekeeping" for ADFS.
…tor/iis-orchestrator into 60764_Adding_ADFS_Support
60764 adding adfs support
Updated SAN handling in integration-manifest.json and clarified support for previous versions. Added new features and improvements.
Updated changelog to reflect changes in version 3.0.0, including SAN handling and new WinADFS Store Type.
Added SSL Flag validation details and improved messaging.
Updated SSL Flag descriptions for clarity and accuracy.
…ng_Issues Fixed SSH Formatting issue
…Using_SSH Update generated docs
…e automatically added via Command.
…paring for release.
Pull request overview
This PR releases version 3.0.0 of the IIS orchestrator extension with significant changes to SAN handling, a new WinADFS store type for ADFS certificate rotation, integration tests, and various bug fixes related to SSL flags and error messaging.
Changes:
- SANs are now handled through ODKG Enrollment in Command rather than the SAN Entry Parameter (backward compatibility maintained in 3.0)
- Added WinADFS store type for automated ADFS service-communications certificate rotation across farm nodes
- Fixed SNI/SSL flag handling in IIS bindings with validation for correct bit flag combinations
Reviewed changes
Copilot reviewed 39 out of 52 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
| integration-manifest.json | Removed SAN entry parameters from WinCert, IISU, and WinSql store types; added new WinAdfs store type configuration |
| docsource/winadfs.md | Added documentation for the new WinADFS store type |
| WindowsCertStore.sln | Added integration and unit test projects to solution |
| WindowsCertStore.UnitTests/* | Added unit test project and tests for SANs, PowerShell helpers, certificates, and ADFS |
| WindowsCertStore.IntegrationTests/* | Added integration test project with end-to-end tests for WinSQL and WinIIS |
| IISU/SANBuilder.cs | New class for building SAN strings from dictionary input |
| IISU/PowerShellScripts/WinCertScripts.ps1 | Updated version to 1.5.0 with SSL flag fixes and certificate retrieval improvements |
| IISU/PowerShellScripts/WinADFSScripts.ps1 | New PowerShell script with ADFS management functions |
| IISU/PSHelper.cs | Enhanced to support multiple script loading, ADFS module import, and improved error handling |
| IISU/ImplementedStoreTypes/WinIIS/* | Added SSL flag validation and improved error messaging |
| IISU/ImplementedStoreTypes/WinAdfs/* | New implementation for ADFS certificate rotation manager |
| IISU/ClientPSCertStoreReEnrollment.cs | Updated to support new SAN handling with backward compatibility |
| README.md | Updated documentation to include WinADFS store type |
…of Windows Server and IIS.
Pull request overview
Copilot reviewed 39 out of 52 changed files in this pull request and generated 2 comments.
Pull request overview
Copilot reviewed 40 out of 53 changed files in this pull request and generated 4 comments.
| When binding certificates to IIS sites, certain SSL flags can be configured to modify the behavior of the SSL bindings. Depending on what version of Windows Server and IIS, these are the following flags are available: | ||
|
|
||
| #### Windows Server 2016 (IIS 10.0): #### Windows Server 2016 (IIS 10.0) |
Copilot
AI
Jan 21, 2026
Duplicate heading found - remove the repeated text
| #### Windows Server 2016 (IIS 10.0): #### Windows Server 2016 (IIS 10.0) | |
| #### Windows Server 2016 (IIS 10.0): |
| new { Machine = "{IPAddressToClient}", Username = "{username}", Password = "{path_to_.ssh\\my_rsa}" }, | ||
| new { Machine = "{IPAddressToClient}", Username = "{username}", Password = "{path_to_.ssh\\my_rsa}" } |
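Review bot: The `Password` field in these test-case entries holds a path to an SSH private key (`{path_to_.ssh\\my_rsa}`) rather than a password, which misnames what the value is and invites someone to drop a real key path or secret into the fixture; suggest naming the field for what it actually carries (for example a key-file path) and reading the value from an environment variable or a secret store so the checked-in test data never contains credentials.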
Copilot
AI
Jan 21, 2026
Duplicate test case entries should be removed or differentiated with unique values to avoid redundant test execution.
| new { Machine = "{IPAddressToClient}", Username = "{username}", Password = "{path_to_.ssh\\my_rsa}" }, | |
| new { Machine = "{IPAddressToClient}", Username = "{username}", Password = "{path_to_.ssh\\my_rsa}" } | |
| new { Machine = "{IPAddressToClient}", Username = "{username}", Password = "{path_to_.ssh\\my_rsa}" }, | |
| new { Machine = "{IPAddressToClient2}", Username = "{username2}", Password = "{path_to_.ssh\\my_rsa2}" } |
| using System.Collections.ObjectModel; | ||
| using System.Diagnostics; | ||
| using System.IO; | ||
| using System.IO.Ports; |
Copilot
AI
Jan 21, 2026
The System.IO.Ports namespace is imported but does not appear to be used anywhere in the file. Consider removing this unused import.
| using System.IO.Ports; |
| } | ||
| catch (KeyNotFoundException ex) | ||
| { | ||
| throw new ArgumentException($"An Entry Parameter was missing. Please check the Cert Store Type Definition, note that entry parameters are case sensitive. Message: {ex.Message}"); |
Copilot
AI
Jan 21, 2026
The error message structure is unclear - it states 'Message: {ex.Message}' at the end which could be confusing. Consider rephrasing to 'Missing required Entry Parameter. Please verify the Certificate Store Type Definition. Note that entry parameters are case-sensitive. Details: {ex.Message}'
| throw new ArgumentException($"An Entry Parameter was missing. Please check the Cert Store Type Definition, note that entry parameters are case sensitive. Message: {ex.Message}"); | |
| throw new ArgumentException($"Missing required Entry Parameter. Please verify the Certificate Store Type Definition. Note that entry parameters are case-sensitive. Details: {ex.Message}"); |
3.0.0
As of this version of the extension, SANs are handled through the ODKG Enrollment page in Command and no longer use the SAN Entry Parameter. In this version we remove the Entry Parameter "SAN" from the integration-manifest.json but still support previous versions of Command in the event the SAN Entry Parameter is passed. The next major version (4.0) will remove all support for the SAN Entry Parameter.
Added WinADFS Store Type for rotating certificates in ADFS environments. Please note that only the service-communications certificate is rotated throughout your farm.
Internal only: Added Integration Tests to aid in future development and testing.
Improved messaging in the event an Entry Parameter is missing (or does not meet the casing requirements).
Fixed the SNI/SSL flag returned during inventory; extended SSL flags are now returned.
Fixed the SNI/SSL flag when binding the certificate to allow for extended SSL flags.
Added SSL Flag validation to make sure the bit flag is correct. These are the valid bit flags for each version of Windows:
Windows Server 2012 R2 / Windows 8.1 and earlier (IIS 8.5):
Windows Server 2016 (IIS 10.0):
Windows Server 2019 (IIS 10.0.17763):
Windows Server 2022+ (IIS 10.0.20348+):
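As an added example, not code from the iis-orchestrator project, the following PowerShell function validates an IIS `sslFlags` value the way the changelog describes: it rejects any bit the target Windows Server version does not define and reports whether the value falls outside the range the Microsoft.Web.Administration `SslFlags` enum can set (Sni and CentralCertStore), in which case the extended flags have to be applied through `appcmd.exe`. The function name `Test-KFSslFlags`, the OS version labels, and the per-version bit sets are my assumptions drawn from the IIS binding schema, not values taken from this page; check them against the flags documented for your own hosts.

```powershell
# Added example (not part of the iis-orchestrator project): validate an IIS
# sslFlags value against the bits a given Windows Server version understands.
# The flag names and per-version sets below are assumptions from the IIS
# applicationHost.config binding schema, not from the changelog above.

$script:SslFlagNames = [ordered]@{
    1  = 'Sni'
    2  = 'CentralCertStore'
    4  = 'DisableHTTP2'
    8  = 'DisableOCSPStp'
    16 = 'DisableQUIC'
    32 = 'DisableTLS13'
    64 = 'DisableLegacyTLS'
}

# Mask of all bits assumed valid per OS build.
$script:AllowedSslFlagMask = @{
    '2012R2' = 3    # Sni | CentralCertStore
    '2016'   = 3
    '2019'   = 15   # adds DisableHTTP2, DisableOCSPStp
    '2022'   = 127  # adds DisableQUIC, DisableTLS13, DisableLegacyTLS
}

# Bits settable through the managed Microsoft.Web.Administration SslFlags enum;
# anything above this mask is an "extended" flag that needs appcmd.exe.
$script:ManagedApiMask = 3

function Test-KFSslFlags {
    param(
        [Parameter(Mandatory)][int]$SslFlags,
        [Parameter(Mandatory)][ValidateSet('2012R2', '2016', '2019', '2022')][string]$OsVersion
    )

    if ($SslFlags -lt 0) {
        throw "sslFlags must be non-negative, got $SslFlags"
    }

    # Any bit outside the allowed mask is unknown to this OS build.
    $allowed = $script:AllowedSslFlagMask[$OsVersion]
    $unknown = $SslFlags -band (-bnot $allowed)
    if ($unknown -ne 0) {
        throw "sslFlags $SslFlags sets bit(s) $unknown that Windows Server $OsVersion does not define"
    }

    # Decompose the value into named flags for logging.
    $names = foreach ($bit in $script:SslFlagNames.Keys) {
        if ($SslFlags -band $bit) { $script:SslFlagNames[$bit] }
    }

    [pscustomobject]@{
        SslFlags       = $SslFlags
        Flags          = @($names)
        RequiresAppCmd = (($SslFlags -band (-bnot $script:ManagedApiMask)) -ne 0)
    }
}

# Constructed sample inputs.
Test-KFSslFlags -SslFlags 1 -OsVersion '2016'   # Sni only; managed API is enough
Test-KFSslFlags -SslFlags 9 -OsVersion '2022'   # Sni + DisableOCSPStp; needs appcmd.exe
try {
    Test-KFSslFlags -SslFlags 4 -OsVersion '2016' # DisableHTTP2 is not defined on 2016
} catch {
    Write-Warning $_
}
```

The check runs before any binding is touched, so a wrong value fails fast instead of leaving a site bound with flags IIS silently ignores; the `RequiresAppCmd` result is what a caller would use to decide between the managed API and the `appcmd.exe` path the commit messages mention.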