How to set up AD client certificate authentication with DSC


I want to use Desired State Configuration (DSC) to set Active Directory client certificate authentication for a web server to TRUE.

I want to use the xWebAdministration cmdlets for this.

The IIS configuration path for that value is: system.webServer/security/authentication/clientCertificateMappingAuthentication

I already have this script, but the value is not being set correctly:

# IIS Client Certificate Mapping Authentication (Web-Cert-Auth) should be present
        WindowsFeature ActiveDirectoryClientCertificateAuthentication
        {
            Name        = "Web-Cert-Auth"
            Ensure      = "Present"
            DependsOn   = "[WindowsFeature]IIS"
        }

        # Active Directory Client Certificate Mapping Authentication (Web-Client-Auth) should be present
        WindowsFeature Web-Client-Auth
        {
            Name        = "Web-Client-Auth"
            Ensure      = "Present"
            DependsOn   = "[WindowsFeature]IIS"
        }

How can I achieve this?

Answer 1

Two fixes to my script made it work.

I removed the Web-Cert-Auth feature from the installation, because Web-Cert-Auth is for IIS certificate mapping (which I don't need). The Windows feature Web-Client-Auth is for AD client certificate mapping, which is what I need.

Then I added this inline script:

# (Active Directory) Client Certificate Mapping Authentication should be enabled
        # at the server level (applicationHost.config), which is what PSPath IIS:\ targets.
        Script EnableClientCertificateAuthentication
        {
            GetScript = {
                Return @{
                    Result = [string]$((Get-WebConfiguration -PSPath 'IIS:\' -Filter /system.webServer/security/authentication/clientCertificateMappingAuthentication).enabled)
                }
            }

            TestScript = {
                If ((Get-WebConfiguration -PSPath 'IIS:\' -Filter /system.webServer/security/authentication/clientCertificateMappingAuthentication).enabled) {
                    Write-Verbose "ClientCertificateAuthentication is on"
                    Return $true
                } Else {
                    Write-Verbose "ClientCertificateAuthentication is off"
                    Return $false
                }
            }

            SetScript = {
                Write-Verbose "Enabling ClientCertificateAuthentication"
                Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter /system.webServer/security/authentication/clientCertificateMappingAuthentication -Name enabled -Value $true
            }

            DependsOn = "[WindowsFeature]Web-Client-Auth"
        }
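The answer above enables the server-level switch, but AD client certificate mapping only ever fires if the site forces the client to present a certificate over TLS. The configuration below is an added example (not code from the question or the answer) that puts the pieces together: it installs Web-Client-Auth (and not Web-Cert-Auth), installs the IIS scripting tools the WebAdministration cmdlets come from, enables clientCertificateMappingAuthentication at the server level, and then requires SSL plus a client certificate on one site. The site name 'Default Web Site', the configuration name AdClientCertAuth and the output path C:\DSC\AdClientCertAuth are assumptions; the site is also assumed to already have an HTTPS binding, and the host to be domain-joined, since AD mapping resolves the presented certificate to a domain account.

```powershell
# Added example; assumes 'Default Web Site' exists with an HTTPS binding and the host is domain-joined.
Configuration AdClientCertAuth
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node localhost
    {
        WindowsFeature IIS
        {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }

        # Provides the WebAdministration module (Get/Set-WebConfiguration) used by the Script resources below.
        WindowsFeature Web-Scripting-Tools
        {
            Name      = 'Web-Scripting-Tools'
            Ensure    = 'Present'
            DependsOn = '[WindowsFeature]IIS'
        }

        # Web-Client-Auth = Active Directory client certificate mapping.
        # Web-Cert-Auth (IIS one-to-one / many-to-one mapping) is deliberately not installed.
        WindowsFeature Web-Client-Auth
        {
            Name      = 'Web-Client-Auth'
            Ensure    = 'Present'
            DependsOn = '[WindowsFeature]IIS'
        }

        # Server-level switch in applicationHost.config:
        #   <clientCertificateMappingAuthentication enabled="true" />
        Script EnableAdClientCertMapping
        {
            GetScript = {
                $enabled = (Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
                    -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication').enabled
                return @{ Result = [string]$enabled }
            }
            TestScript = {
                [bool](Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
                    -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication').enabled
            }
            SetScript = {
                Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                    -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication' `
                    -Name 'enabled' -Value $true
            }
            DependsOn = '[WindowsFeature]Web-Client-Auth', '[WindowsFeature]Web-Scripting-Tools'
        }

        # The mapping is only exercised when the client presents a certificate over TLS,
        # so require SSL and a client certificate on the site (assumed name: 'Default Web Site').
        # Written as a <location> entry in applicationHost.config, which sidesteps the
        # section lock on system.webServer/security/access.
        Script RequireClientCertOnSite
        {
            GetScript = {
                $flags = (Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site' `
                    -Filter 'system.webServer/security/access').sslFlags
                return @{ Result = [string]$flags }
            }
            TestScript = {
                $flags = (Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site' `
                    -Filter 'system.webServer/security/access').sslFlags
                return ([string]$flags -match 'SslRequireCert')
            }
            SetScript = {
                Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site' `
                    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl,SslRequireCert'
            }
            DependsOn = '[Script]EnableAdClientCertMapping'
        }
    }
}

# Compile the MOF and apply it to the local node (run from an elevated session); output path is assumed.
AdClientCertAuth -OutputPath 'C:\DSC\AdClientCertAuth'
Start-DscConfiguration -Path 'C:\DSC\AdClientCertAuth' -Wait -Verbose -Force
Test-DscConfiguration -Detailed
```

Two caveats when applying this. Setting sslFlags to Ssl,SslRequireCert on a site that has no HTTPS binding makes IIS refuse every request to it, so check the binding first. And certificate mapping decides who the caller is, not whether an unauthenticated caller is allowed in: if anonymous authentication is still enabled on the site, requests can still be served without the mapped identity, so disable it on the site as well when the mapped account is meant to be authoritative.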
