Install the IIS Management Service (assuming IIS is already installed)
- Open an elevated PowerShell session
- Run: Install-WindowsFeature -Name Web-Mgmt-Service
- Run: sc.exe config WMSVC start= auto
- Run Regedit.exe and navigate to HKLM\Software\Microsoft\WebManagement\Server
- Change the binary value of EnableRemoteManagement from 0 to 1
- Run: Start-Service WMSVC
Optional: Enrol a certificate from an internal AD CA
- Open an elevated PowerShell session
- Launch Notepad
- Add the following lines to the new file:
[NewRequest]
Subject="cn=yourServer.yourDomain.com"
Exportable=TRUE
[RequestAttributes]
CertificateTemplate="WebServer"
- Save the file as something ending in .inf, for example iis.inf
- Run: certreq -new d:\temp\iis.inf d:\temp\request.txt
- Run: certreq -submit d:\temp\request.txt d:\temp\iiscert.cer
- Run: certreq -accept d:\temp\iiscert.cer
Optional: Changing the listener certificate
- Open an elevated PowerShell session
- Run: Get-ChildItem -Path "cert:\localmachine\my"
- Copy the thumbprint for the certificate you enrolled above
- Run the following:
netsh
http
delete sslcert ipport=0.0.0.0:8172
For the next command, replace yourCert with the thumbprint copied from step 3:
add sslcert ipport=0.0.0.0:8172 certhash=yourCert appid={00000000-0000-0000-0000-000000000000} certstorename=MY verifyrevocationwithcachedclientcertonly=disable usagecheck=enable dsmapperusage=disable clientcertnegotiation=disable
- Run: show sslcert, just to check the binding was successfully applied with the nominated settings (even if the output from the above command was successful)
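To confirm the end state of all three procedures in one pass, the following read-only check can be run from the same elevated session. It is an added example, not part of the original post; it assumes Windows PowerShell 5.1 and English-language netsh output, and the function name Test-WmsvcSetup and the $Subject value are placeholders.

```powershell
# Added example: read-only verification of the state the steps above should produce.
# Assumptions: English netsh output; $Subject is the placeholder name from the .inf file.
$Port    = 8172
$Subject = 'yourServer.yourDomain.com'

function Test-WmsvcSetup {
    param([int]$Port, [string]$Subject)
    $r = [ordered]@{}

    # Service is installed, running, and set to start automatically
    $svc = Get-Service -Name WMSVC -ErrorAction SilentlyContinue
    $r.ServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')
    $r.ServiceAuto    = ($null -ne $svc -and $svc.StartType -eq 'Automatic')

    # Remote management is switched on in the registry
    $reg = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\WebManagement\Server' -ErrorAction SilentlyContinue
    $r.RemoteEnabled = ($null -ne $reg -and $reg.EnableRemoteManagement -eq 1)

    # Thumbprint currently bound to the listener, parsed from netsh output
    $ipport = "ipport=0.0.0.0:$Port"
    $hit = netsh http show sslcert $ipport |
        Select-String -Pattern 'Certificate Hash\s*:\s*([0-9a-fA-F]+)' |
        Select-Object -First 1
    $bound = if ($hit) { $hit.Matches[0].Groups[1].Value.ToUpper() } else { $null }
    $r.BoundThumbprint = $bound

    # The bound certificate must be in the machine store and usable for TLS
    $cert = if ($bound) { Get-Item -Path "Cert:\LocalMachine\My\$bound" -ErrorAction SilentlyContinue }
    $now  = Get-Date
    $r.CertInStore   = ($null -ne $cert)
    $r.HasPrivateKey = ($null -ne $cert -and $cert.HasPrivateKey)
    $r.InValidity    = ($null -ne $cert -and $cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
    # 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU
    $r.ServerAuthEku = ($null -ne $cert -and $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    $r.SubjectMatch  = ($null -ne $cert -and $cert.Subject -match [regex]::Escape("CN=$Subject"))

    [pscustomobject]$r
}

Test-WmsvcSetup -Port $Port -Subject $Subject | Format-List
```

Any False value points at the step to revisit; a False CertInStore or HasPrivateKey with a thumbprint present means the binding references a certificate the listener cannot actually use.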
Assuming you completed the optional steps, you can now bind to the IIS Management Service without receiving the certificate trust warning.
If you elected to skip the optional procedures, you will still be able to connect; you’ll just have to put up with the warnings.
Cheers,
Lain
