When configuring Panel Service to handle password synchronization for the first time, or replacing certificates used for server authentication it may be necessary to manually manage certificates and the http listener.
Installation
The PanelSetup wizard downloaded from https://{{identitypanelhost}}/settings/tools provides an option to configure Password Synchronization. The following sections explain the process and provide sample commands if any of the installation steps need to be performed manually.
ServicePrincipalName (SPN)
SPNs must be added to each service account running a Panel Service that will be a Password Sync target. Each available hostname should be added to the service account.
# List existing SPNs for service account setspn -L myAD\idmServiceAccount1 # Set SPN for FQDN setspn -S HTTP/svr-idmagent1.myad.net myAD\idmServiceAccount1 # Set SPN for DNS alias setspn -S HTTP/idmpasswordsync1.myad.net myAD\idmServiceAccount1 # Verify SPNs created for service account setspn -L myAD\idmServiceAccount1
Create URL bindings
Accepted URLs must be reserved for non-Administrator users.
# List existing URLs
netsh http show urlacl
# Register URL
$passwordSyncUrl = Read-Host -Prompt "Enter Password Sync target name"
netsh http add urlacl=$passwordSyncUrl user=myAD\idmServiceAccount1
## repeat for additional hostnames available for this server, e.g. DNS aliases or load balanced target
## entries should match "PasswordSync": {} section in Panel Service config.json
## E.g. "PasswordSync": { "svr-idmagent1.myad.net": "https://svr-idmagent1.myad.net:443/" }
# Verify URL reserved
netsh http show urlaclCertificate Installation
Certificates can be installed in the certificate store of the Local Computer or the Service Account running panel service. These examples reference the Local Computer certificate store.
# List existing certificates
Get-ChildItem cert:\LocalMachine\My | Select-Object Subject,FriendlyName,Thumbprint,DnsNameList | Format-List
# Install certificate to cert store
$params = @{
FilePath = 'c:\path\mycert.cert'
CertStoreLocation = 'Cert:\LocalMachine\My
}
Import-Certificate @params
# Verify certificate installed
Get-ChildItem cert:\LocalMachine\My | Select-Object Subject,FriendlyName,Thumbprint,DnsNameList | Format-ListRegister Certificate
Once installed in a suitable certificate store, the certificate must be registered with the http listener configured to receive passwords.
# Get thumbprint for Password Sync certificate
$myCertificateName = Read-Host -Prompt "Enter certificate subject name"
$myCert = (Get-ChildItem cert:\LocalMachine\My | Where-Object -FilterScript { $_.Subject -match $myCertificateName }).Thumbprint
$myCert
# Check certificates already in use by http listener
netsh http show sslcert
# Register certificate [thumbprint] with http listener
netsh http add sslcert ipport=0.0.0.0:443 appid="{3C28323F-408A-41AE-B805-9FA51C2CAA5B}" certhash=$myCert
netsh http add sslcert ipport=[::]:443 appid="{3C28323F-408A-41AE-B805-9FA51C2CAA5B}" certhash=$myCert
# Verify certificates registered with http listener
netsh http show sslcert
# Reload Panel Service
paneltool --restartservice
Replace Certificate
Expired, or simply superseded, certificates must be added to the relevant certificate store and registered with the http listener. Certificates bound to address/port combinations can be updated or removed and replaced.
# Check certificates already in use by http listener
netsh http show sslcert
# Get thumbprint for Password Sync certificate
# Get thumbprint for Password Sync certificate
$myCertificateName = Read-Host -Prompt "Enter certificate subject name"
$myCert = (Get-ChildItem cert:\LocalMachine\My | Where-Object -FilterScript { $_.Subject -match $myCertificateName }).Thumbprint
$myCert
# Update certificates in use
netsh http update sslcert ipport=0.0.0.0:443 appid="{3C28323F-408A-41AE-B805-9FA51C2CAA5B}" certhash=$myCert
netsh http update sslcert ipport=[::]:443 appid="{3C28323F-408A-41AE-B805-9FA51C2CAA5B}" certhash=$myCert
# Optionally replace certificates in use
netsh http delete sslcert ipport=0.0.0.0:443
netsh http delete sslcert ipport=[::]:443
netsh http add sslcert ipport=0.0.0.0:443 appid="{3C28323F-408A-41AE-B805-9FA51C2CAA5B}" certhash=$myCert
netsh http add sslcert ipport=[::]:443 appid="{3C28323F-408A-41AE-B805-9FA51C2CAA5B}" certhash=$myCert
# Verify certificates registered with http listener
netsh http show sslcert
# Reload Panel Service
paneltool --restartserviceTest Password Sync
When installing Password Sync, replacing certificates or during troubleshooting it may be necessary to test the Password Sync component of Panel Service is running and using the expected certificate.
An issue with certificates may be raised in the Event Log (System).
Source: HttpEvent Event ID: 15021 Message: An error occurred while using SSL configuration for endpoint 0.0.0.0:443. The error status code is contained within the returned data.
Connecting to the Password Sync Test endpoint
$passwordSyncUrl = Read-Host -Prompt "Enter Password Sync target name" Invoke-WebRequest -Uri "https://$passwordSyncUrl/test" -UseDefaultCredentials -UseBasicParsing
Comments
0 comments
Article is closed for comments.