Setup-WinRMHttps.ps1
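#############################################################
## Get machine certificate info ##
#############################################################
# Locate the certificate the WinRM HTTPS listener will be bound to: it must be
# issued by this domain's enterprise CA, its subject CN must name this host
# (COMPUTERNAME.domain) and it must not be expired.
$domain = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
$domainDN = ("DC=" + $domain) -replace '\.', ", DC="
$CA = [ADSI]"LDAP://CN=Enrollment Services, CN=Public Key Services, CN=Services, CN=Configuration, $domainDN"
$caDN = $CA.psbase.children.cacertificatedn
$hostFqdn = "$($env:COMPUTERNAME).$((Get-WmiObject Win32_ComputerSystem).Domain)"
# Anchor the CN match: a trailing wildcard ("*host.domain") would also accept a
# certificate issued to another machine whose name merely ends with ours
# (e.g. "myhost.domain"), binding the wrong identity to the listener.
$cnPattern = "^CN=$([regex]::Escape($hostFqdn))(,|$)"
# Renewals leave several matching certificates in the store; skip expired ones
# and keep the longest-lived so a single object is selected, not an array.
$machineCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $cnPattern -and $_.Issuer -eq "$caDN" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
If (!$machineCert) {
    Write-Host "Unable to find a machine certificate for HTTPS binding...exiting..."
    # Non-zero exit so deployment tooling can tell the listener was not configured.
    exit 1
    #Get-Certificate -Template SslWebServer -DnsName www.contoso.com,www.fabrikam.com -Url https://www.contoso.com/Policy/service.svc -Credential $up -CertStoreLocation cert:\LocalMachine\My
}
#############################################################
## Add/Configure the HTTPs WinRM listener ##
#############################################################
# Get-WSManInstance reports an error when no HTTPS listener exists; treat that
# as "absent" instead of letting the error reach the console.
try {
    $httpsWinRMInstance = Get-WSManInstance -ResourceURI winrm/config/listener -SelectorSet @{Address = "*"; Transport = "https" } -ErrorAction Stop
}
catch {
    $httpsWinRMInstance = $null
}
If ($httpsWinRMInstance) {
    Write-Host "A listener for HTTPs already exists"
    # The stored thumbprint may contain whitespace; strip it before comparing.
    If (($httpsWinRMInstance.CertificateThumbprint -replace "\s", "") -ne $machineCert.Thumbprint) {
        Write-Host "The thumbprint currently configured is different than that of the machine certificate. Updating it now..."
        #Set the certificate on the HTTPs WinRM listener
        Set-WSManInstance -ResourceURI winrm/config/listener -SelectorSet @{Address = "*"; Transport = "https" } -ValueSet @{CertificateThumbprint = "$($machineCert.Thumbprint)" }
    }
    Else {
        Write-Host "The thumbprint currently configured matches the machine certificate. Nothing to do here..."
    }
}
Else {
    Write-Host "A listener for HTTPs doesn't exist. Creating one now..."
    #Create the HTTPs WinRM listener. The Hostname is the FQDN the certificate's
    #CN was matched against above; splitting the Subject on "=" would break when
    #the subject carries additional RDNs (e.g. "CN=host, OU=Servers").
    New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{Address = "*"; Transport = "HTTPS" } -ValueSet @{Hostname = "$hostFqdn"; CertificateThumbprint = "$($machineCert.Thumbprint)" }
}
#############################################################
## Add the WinRM HTTPs firewall rule if it's missing ##
#############################################################
# netsh prints a multi-line rule block when the rule exists and a short
# "no rules match" message otherwise; the line-count threshold of 5 is the
# heuristic used to tell the two apart.
$fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS"
$fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any
If ($fwtest1.count -lt 5) {
    Write-Host "Adding firewall rule to allow WinRM HTTPS."
    # NOTE(review): this rule has no remoteip= scope, so TCP/5986 is reachable
    # from any address on every profile; restrict it to management subnets
    # where the environment allows.
    netsh advfirewall firewall add rule profile=any name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP action=allow
}
ElseIf (($fwtest1.count -ge 5) -and ($fwtest2.count -lt 5)) {
    Write-Host "Updating firewall rule to allow WinRM HTTPS for any profile."
    netsh advfirewall firewall set rule name="Allow WinRM HTTPS" new profile=any
}
Else {
    Write-Host "Firewall rule already exists to allow WinRM HTTPS."
}
#############################################################
## Enable Basic Authentication if it isn't already ##
#############################################################
# Check for basic authentication. Basic sends the credential in the HTTP
# Authorization header; it is protected only by the TLS listener configured
# above, so do not also leave an HTTP (5985) listener reachable if this is on.
$basicAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where-Object { $_.Name -eq "Basic" }
If (($basicAuthSetting.Value) -eq $false) {
    Write-Host "Enabling basic auth support."
    Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true
}
Else {
    Write-Host "Basic auth is already enabled."
}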