IIS7 remote administration via c#

Question

I have been looking into the Microsoft.Web.Administration.dll and the ServerManager class, trying to control our Windows Server 2008 IIS7 instance.

I have enabled remote administration and can connect via the IIS remote administration tool, however when I try and use the following I cannot connect:

ServerManager.OpenRemote(serverName);

This class does not allow me to specify a username and password on the remote IIS7 server, as the IIS remote admin tool does.

This is all being called via our build process using NAnt.

How do others control their remote IIS7 server as part of their CI setup?

Answer 1

I wrote a WCF service in the end, which runs on the remote machine as a service. The service runs under a local account with administrator rights so that the local IIS instance on that machine can be changed.

From my NAnt script I have a series of custom tasks that communicate to the WCF service and change IIS settings as required.

As this is an internal dev environment I am not too concerned about security and the actual changes to IIS I am allowed are very basic.

Answer 2

You will need to run the application under a domain user (Active Directory user) that has the right permissions to change the configuration files.

Windows authentication will do the rest.

Answer 3

As Oded says, you need Active Directory to be able to open a connection to a remote server using ServerManager.

Assuming you have administrator RDP access server there is an alternative which is to use WinRM and Remote PowerShell (works best with PowerShell 2.0 which comes with the latest version of WinRM) in your build scripts:

Windows Remote Management Command-Line Tool (Winrm.cmd)

To quickly configure WinRM for two machines that are not in a domain:

Client:

winrm quickconfig  (just say yes)
winrm set winrm/config/Client/Auth '@{Basic="true"}'
:: Only do this next line if not using HTTPS
winrm set winrm/config/Client '@{AllowUnencrypted="true"}'
winrm set winrm/config/Client '@{TrustedHosts="hostname_or_ip"}'

Server:

winrm quickconfig (just say yes)
winrm set winrm/config/Service/Auth '@{Basic="true"}'

:: See: http://support.microsoft.com/kb/2019527 regarding https
winrm quickconfig -transport:https

:: Only do this if not using HTTPS AND you are happy about sending credentials
:: in clear text.
winrm set winrm/config/Service '@{AllowUnencrypted="true"}'

Now there are some caveats. WinRM will punch a hole in Windows Firewall for ports 5985 and 5986 for the listener (if running Windows 2003 it'll use port 80 and 443). This may not be to your liking and you'd probably best speak to your network admins about how to secure that.

Once you have WinRM configured you'll need user account configured on the remote server that is a member of the administrators group. Once done you can then test. On the build server:

# the following line will prompt for a username and password, enter the name of the account
# you just configured on the IIS box
$cred = Get-Credential

# next test the connection
Test-WSMan -ComputerName <server_name_or_ip> -Authentication default `
           -Credential $cred

If all is good you should see the following response:

wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.x
                  sd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 6.1.7600 SP: 0.0 Stack: 2.0

The next thing is to connect to a remote PowerShell session:

Enter-PSSession <server_name_or_ip> -Authentication default -Credential $cred

If this is successful you should have a PowerShell prompt on the remote machine.

Using Remote PowerShell you can then load the WebAdministration Provider for PowerShell and manipulate many aspects of IIS to your hearts content:

Web Administration (IIS) Provider for Windows PowerShell

To connect to the remote server you need to provide a PSCredential object. As mentioned above you would provide this using:

$cred = Get-Credential

However this always demands some interaction from the keyboard to provide a username and password. Obviously this is no good for automated CI.

You can however store the password in a file. To do this run the following just once (or whenever the password changes):

read-host -assecurestring | convertfrom-securestring | out-file C:\securestring.txt

Then when you need to create your PSCredential to authenticate to the remote server:

$username = "deployment_user"
$password = cat C:\securestring.txt | convertto-securestring
$cred = new-object -typename System.Management.Automation.PSCredential `
         -argumentlist $username, $password

$serverNameOrIp = "192.168.1.1"
Enter-PSSession $serverNameOrIp -Authentication default -Credential $cred

The above script was sourced from the following blog entry but I've duplicated to preserve here just in case that article goes dark:

Using PSCredentials without a prompt - GeeksWithBlogs

Anyway so once you're connected to the remote server you can issue further commands such as:

Import-Module WebAdministration
CD IIS:\Sites

And so on.

Most of the above should be approached with caution if this machine is internet facing and the only way to access is via the internet. If this is the case consider restricting the WinRM ports to VPN only.