I recently learned about the CAO title replacing the more commonly known CIO title. I hereby declare myself a Chief Automation Officer.
The future of Windows Server GUI management, Project Honolulu (Windows Admin Center) was just released and presented at Ignite 2017. Check this link to watch two deep dive presentations about Project Honolulu. All I can say, IT IS AMAZING.
In this post I’m going to show you how to automatically deploy and install Project Honolulu using an internal wildcard certificate to secure the deployment.
If you don’t already have an internal wildcard certificate you can use the following script, created by CTA Martin Therkelsen, to create one automatically. I have customized it on Line 62 to also write the Thumbprint to a text file, so the later import and install scripts can pick it up. Check his blog post for more.
```powershell
<#
.Synopsis
   Automate the creation of wildcard certificates
.DESCRIPTION
   This script can automate the creation of wildcard certificates from an internal PKI infrastructure.
   The output PFX file will not have a password and it will be placed in the folder the PS1 script is located.
   You will need to have the SSL.INI file in the same folder as this script and you will need to run the script as a domain user.
   Use the function within this script by editing the line at the bottom.
.PARAMETER Path
   Path to where temporary files are stored
.PARAMETER PFXPath
   Path to where the PFX file is exported
.PARAMETER CAName
   Name of the Certificate authority
.EXAMPLE
   New-WildcardCertificate
.EXAMPLE
   New-WildcardCertificate -Path C:\Temp -PFXPath "\\FILE01\Certificates"
.EXAMPLE
   New-WildcardCertificate -Path C:\Temp -PFXPath "\\FILE01\Certificates" -CAName "DC01.Domain.Com\Domain-DC01-CA"
#>
Function New-WildcardCertificate {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$False,Position=1)]
        [string]$Path = "C:\Windows\Temp",
        [Parameter(Mandatory=$False,Position=2)]
        [string]$PFXPath = ".",
        [Parameter(Mandatory=$False,Position=3)]
        [string]$CAName,
        [Parameter(Mandatory=$False,Position=4)]
        [string]$Password
    )
    Begin {
        # The wildcard is built from the machine's own domain suffix
        $Domain = (Get-ItemProperty -Path hklm:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -Name Domain).Domain
        If (!(Test-Path -Path $PSScriptRoot\ssl.ini)) {
            Write-Host "You don't have the SSL.INI file that is required to run this script" -ForegroundColor Red
            Break;
        }
        If (!(Test-Path -Path $Path)) {
            New-Item -Path $Path -ItemType Directory
        }
        # Replace the ServerFQDN placeholder in the template with *.<domain>
        (Get-Content $PSScriptRoot\ssl.ini) | Foreach-Object {$_ -replace 'ServerFQDN',"*.$Domain"} | Out-File .\Wildcard.ini
    }
    Process {
        If ($CAName -eq "") {
            Write-Verbose "Finding certificate authority"
            $CA = New-Object -ComObject CertificateAuthority.Config
            $CAName = $CA.GetConfig(0)
        }
        Write-Verbose "Requesting certificate"
        & c:\windows\system32\certreq.exe -new "Wildcard.ini" "$Path\wildcard.req"
        & c:\windows\system32\certreq.exe -config "$CAName" -submit "$Path\wildcard.req" "$Path\wildcard.cer"
        Write-Verbose "Installing certificate"
        & c:\windows\system32\certreq.exe -accept "$Path\wildcard.cer"
        Write-Verbose "Exporting certificate and private key"
        $PFXPassword = ConvertTo-SecureString -String $Password -Force -AsPlainText
        $cert = New-Object security.cryptography.x509certificates.x509certificate2 -arg "$Path\wildcard.cer"
        Get-Item cert:\localmachine\my\$($cert.Thumbprint) | Export-PfxCertificate -FilePath "$PFXPath\Wildcard.pfx" -Password $PFXPassword
        # Customization: write the thumbprint to a text file for the import/bind and install scripts
        $cert.Thumbprint | Out-File -FilePath "\\dc-01.ctxlab.local\xa\Certificates\wildcard.txt"
        Write-Verbose "Certificate successfully exported to wildcard.pfx"
    }
    End {
        Write-Verbose "Deleting exported certificate from computer store"
        Remove-Item -Path cert:\localmachine\my\$($Cert.Thumbprint) -DeleteKey
        Remove-Item -Path $Path\wildcard.cer -Force
        Remove-Item -Path $Path\wildcard.req -Force
        Remove-Item -Path $Path\wildcard.rsp -Force
    }
}
New-WildcardCertificate -Path C:\Install -PFXPath "\\dc-01.ctxlab.local\xa\Certificates\" -Password "P@ssw0rd" -Verbose
```
With a wildcard certificate at hand, you’ll need to import it into the gateway’s machine store and bind it to port 443 before running the Project Honolulu installation.
```powershell
Write-Verbose "Setting Arguments" -Verbose
$StartDTM = (Get-Date)
$PackageName = "Import and Bind Certificate"
$LogPS = "${env:SystemRoot}" + "\Temp\$PackageName PS Wrapper.log"

Start-Transcript $LogPS

# IIS is needed for the SslBindings provider used below
Install-WindowsFeature -Name Web-Server -IncludeManagementTools

# Fetch the PFX and the thumbprint written by the wildcard script
Copy-Item "\\dc-01.ctxlab.local\xa\Certificates\Wildcard.pfx" -Destination C:\Windows\Temp\wildcard.pfx
Copy-Item "\\dc-01.ctxlab.local\xa\Certificates\Wildcard.txt" -Destination C:\Windows\Temp\wildcard.txt

Import-Module WebAdministration
$PFXPath = "C:\Windows\Temp\wildcard.pfx"
$PFXPassword = "P@ssw0rd"
$strThumb = Get-Content C:\Windows\Temp\wildcard.txt

# Import the certificate and private key into LocalMachine\My
certutil -f -importpfx -p $PFXPassword $PFXPath
Remove-Item C:\Windows\Temp\wildcard.txt -Force

# Create the HTTPS binding and attach the imported certificate to 0.0.0.0:443
Push-Location IIS:
cd SslBindings
New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
Get-Item cert:\LocalMachine\MY\$strThumb | New-Item 0.0.0.0!443
Pop-Location

Write-Verbose "Stop logging" -Verbose
$EndDTM = (Get-Date)
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalSeconds) Seconds" -Verbose
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalMinutes) Minutes" -Verbose
Stop-Transcript
```
The final part is to automatically download and install Project Honolulu, passing the wildcard certificate’s thumbprint to the MSI so the gateway listens on 443 with that certificate, and then to configure Kerberos resource-based delegation from the managed nodes to the gateway.
```powershell
# PowerShell Wrapper for MDT, Standalone and Chocolatey Installation - (C)2015 xenappblog.com
# Example 1: Start-Process "XenDesktopServerSetup.exe" -ArgumentList $unattendedArgs -Wait -Passthru
# Example 2 Powershell: Start-Process powershell.exe -ExecutionPolicy bypass -file $Destination
# Example 3 EXE (Always use ' '):
# $UnattendedArgs='/qn'
# (Start-Process "$PackageName.$InstallerType" $UnattendedArgs -Wait -Passthru).ExitCode
# Example 4 MSI (Always use " "):
# $UnattendedArgs = "/i $PackageName.$InstallerType ALLUSERS=1 /qn /liewa $LogApp"
# (Start-Process msiexec.exe -ArgumentList $UnattendedArgs -Wait -Passthru).ExitCode

Write-Verbose "Setting Arguments" -Verbose
$StartDTM = (Get-Date)

$Vendor = "Microsoft"
$Product = "Admin Center"
$Version = "1804"
$PackageName = "AdminCenter"
$InstallerType = "msi"
$Source = "$PackageName" + "." + "$InstallerType"
$LogPS = "${env:SystemRoot}" + "\Temp\$Vendor $Product $Version PS Wrapper.log"
$LogApp = "${env:SystemRoot}" + "\Temp\$PackageName.log"
$Destination = "${env:ChocoRepository}" + "\$Vendor\$Product\$Version\$packageName.$installerType"
# Thumbprint written by the wildcard script; tells the MSI which installed certificate to use on 443
$strThumb = Get-Content "\\dc-01.ctxlab.local\xa\Certificates\Wildcard.txt"
$UnattendedArgs = "/i $PackageName.$InstallerType ALLUSERS=1 /qn /liewa $LogApp SME_PORT=443 SME_THUMBPRINT=$strThumb SSL_CERTIFICATE_OPTION=installed"
$url = "http://aka.ms/WACDownload"

Start-Transcript $LogPS

if( -Not (Test-Path -Path $Version ) ) {
    New-Item -ItemType directory -Path $Version
}

CD $Version

Write-Verbose "Downloading $Vendor $Product $Version" -Verbose
If (!(Test-Path -Path $Source)) {
    Invoke-WebRequest -Uri $url -OutFile $Source
}
Else {
    Write-Verbose "File exists. Skipping Download." -Verbose
}

Write-Verbose "Starting Installation of $Vendor $Product $Version" -Verbose
(Start-Process msiexec.exe -ArgumentList $UnattendedArgs -Wait -Passthru).ExitCode

Write-Verbose "Customization" -Verbose
# Allow this gateway to delegate to every computer in the Deployment OU (resource-based constrained delegation)
$gateway = "${env:ComputerName}"
$nodes = Get-ADComputer -Filter * -SearchBase "OU=Deployment, DC=ctxlab, DC=local"
$list = Get-ADComputer -Filter * -SearchBase "OU=Deployment, DC=ctxlab, DC=local" | Select-Object Name | Export-CSV AllWindows.txt -NoTypeInformation -Encoding UTF8
ForEach ($node in $nodes) {
    $gatewayObject = Get-ADComputer -Identity $gateway
    $nodeObject = Get-ADComputer -Identity $node
    Set-ADComputer -Identity $nodeObject.Name -PrincipalsAllowedToDelegateToAccount $gatewayObject
    Write-Host "Set Kerberos Resource Delegation to $gateway for" $nodeObject.Name
}

Write-Verbose "Stop logging" -Verbose
$EndDTM = (Get-Date)
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalSeconds) Seconds" -Verbose
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalMinutes) Minutes" -Verbose
Stop-Transcript
```
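Once the three scripts have run, the following PowerShell check is a useful sanity pass on the gateway (an added example, not code from this post or from Windows Admin Center): it confirms that the 443 binding carries the exported thumbprint, that the certificate has its private key, covers the gateway FQDN by CN or SAN and chains to a trusted root, and that every computer in the Deployment OU lists the gateway as an allowed delegating principal. It assumes the thumbprint file, OU and gateway naming used in the scripts above.

```powershell
# Added post-deployment check; not from the original post or from Windows Admin Center itself.
# Assumptions: thumbprint file, OU and gateway naming are the ones used in the scripts above.
Import-Module WebAdministration
Import-Module ActiveDirectory
$ThumbFile  = "\\dc-01.ctxlab.local\xa\Certificates\Wildcard.txt"
$SearchBase = "OU=Deployment,DC=ctxlab,DC=local"
$Gateway    = $env:ComputerName
$Fqdn       = [System.Net.Dns]::GetHostEntry($Gateway).HostName
$Expected   = (Get-Content $ThumbFile -Raw).Trim().ToUpper()
$Problems   = @()

# A certificate name covers the host if it matches exactly, or if it is a wildcard whose
# single '*' stands for exactly one left-most label (the way browsers evaluate it).
function Test-NameCovers([string]$Name, [string]$HostName) {
    if ($Name -ieq $HostName) { return $true }
    if ($Name.StartsWith('*.')) {
        $Suffix = [regex]::Escape($Name.Substring(1))          # e.g. "\.ctxlab\.local"
        return [bool]($HostName -imatch ('^[^.]+' + $Suffix + '$'))
    }
    return $false
}

# 1. The HTTPS binding on 0.0.0.0:443 must carry exactly the exported thumbprint.
$Binding = Get-Item 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction SilentlyContinue
if (-not $Binding) { $Problems += 'No SSL binding on 0.0.0.0:443' }
elseif ($Binding.Thumbprint.ToUpper() -ne $Expected) {
    $Problems += "Binding uses $($Binding.Thumbprint), expected $Expected"
}

# 2. The certificate must exist with its private key, cover this gateway's FQDN and chain
#    to a root this host trusts; otherwise browsers and the gateway itself will reject it.
$Cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Expected }
if (-not $Cert) { $Problems += "Thumbprint $Expected not found in LocalMachine\My" }
else {
    $Names = @($Cert.DnsNameList.Unicode) + @($Cert.GetNameInfo('SimpleName', $false))
    if (-not ($Names | Where-Object { Test-NameCovers $_ $Fqdn })) {
        $Problems += "Neither CN nor SAN covers ${Fqdn}: $($Names -join ', ')"
    }
    if (-not $Cert.HasPrivateKey) { $Problems += 'Certificate has no private key on this host' }
    if (-not $Cert.Verify())      { $Problems += 'Certificate chain does not validate on this host' }
}

# 3. Every node in the Deployment OU must list this gateway for resource-based delegation.
$GatewayDN = (Get-ADComputer -Identity $Gateway).DistinguishedName
Get-ADComputer -Filter * -SearchBase $SearchBase -Properties PrincipalsAllowedToDelegateToAccount |
    Where-Object { $_.PrincipalsAllowedToDelegateToAccount -notcontains $GatewayDN } |
    ForEach-Object { $Problems += "$($_.Name) does not allow delegation to $Gateway" }

if ($Problems) { $Problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "Gateway ${Fqdn}: binding, certificate and delegation checks passed"
```

Run it elevated on the gateway itself, since the binding and store checks are local; a non-zero exit with warnings pinpoints which of the three steps needs redoing.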
Hi Eric, I did this Honolulu setup today. I am not always a friend of wildcard certificates; I like SAN certificates much more. So for people who want to do it with a named certificate, and to be sure that Google Chrome likes your certificate, you need to add a Subject Alternative Name in the ssl.ini. So I tried some parameters today, and in the end, when you want to make a SAN certificate that is also trusted by Chrome, I created this ssl.ini:
```ini
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=test.example.com,OU=IT,O=test,L=seatle,S=US,C=US" ; For a wildcard use "CN=*.CONTOSO.COM" for example
; For an empty subject use the following line instead or remove the Subject line entirely
; Subject =
Exportable = TRUE ; Private key is exportable (required for the PFX export)
KeyLength = 4096 ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
KeySpec = 1 ; AT_KEYEXCHANGE
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True ; The key belongs to the local computer account
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = PKCS10
HashAlgorithm=Sha256

; At least certreq.exe shipping with Windows Vista/Server 2008 is required to interpret the [Strings] and [Extensions] sections below
[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

[RequestAttributes]
CertificateTemplate= Your Template
SAN="dns=test.example.com&dns=test2.example.com&IP=192.168.1.1"
```
There were some typos in that ssl.ini; here is the tested ini:
```ini
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=test.yourcompany.int,OU=IT,O=yourcompany,L=yourlocation,S=yourstate,C=yourcountry"
; For a wildcard use "CN=*.CONTOSO.COM" for example
; For an empty subject use the following line instead or remove the Subject line entirely
; Subject =
Exportable = TRUE ; Private key is exportable (required for the PFX export)
KeyLength = 4096 ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
KeySpec = 1 ; AT_KEYEXCHANGE
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True ; The key belongs to the local computer account
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = PKCS10
HashAlgorithm=Sha256

; At least certreq.exe shipping with Windows Vista/Server 2008 is required to interpret the [Strings] and [Extensions] sections below
[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

[RequestAttributes]
CertificateTemplate= WebServerSAN5Years
SAN="dns=test.yourcompany.com&dns=honululu.yourcompany.com&dns=localhost&ipaddress=192.1.1.4"
```
Thanks, Franco