Renew Certificate in Provider Hosted Apps Scenario

With a certain customer of mine I recently had an issue, where in the span of a month all of the certificates for the Provider Hosted Apps Domain (PHA) had to be renewed for four staging environments (including PROD).

I was lucky to be the successor of somebody who made the same mistake as the service provider a month later, so I was prepared and could save the day. In hopes of saving you the time it took for me to force the service provider’s hand (around 10 hours telco time) I want to give you a brief overview of how to tackle this, the full list of reference articles and a script to set the sharepoint part (trust).

First a short introduction.

Certificates. Certificates are often used to encrypt data communication between machines. This is done to make sure that two parties can communicate without a third party listening. Also this is done to verify the identity of somebody initiating communication.

In the scenario of SharePoint and PHA we have two parties. We have the PHA Server Farm and the SharePoint Server Farm. Usually each farm consists of at least 2 servers for redundancy/ high availability reasons.

When HTTP communication is done via SSL each WebSite in IIS has a binding on port 443, which uses a certificate for encrypting the data he site responds with to requests.

Any admin can swap the certificate in IIS. All you need to do is check the certificate that exists and request a new certificate either self-signed, internally trusted or externally trusted with the correct SAN (Subject Alternative Name).

As an example, let’s suggest the following setup:
SharePoint has a wildcard certificate, like * The PHA environment has a certificate corresponding to this in This may be the same certificate, if you request the big kahuna, i.e. a multi-san, wildcard certificate. Usually this is not the case, and is not necessary.

The PHA IIS will have the certificate, and SharePoint will have the wildcard certificate. However how does SharePoint make sure, that PHAs are not added to different server and this server has different code and pretends to be the PHA server? There is a trust between these servers on the SharePoint side. In essence this article has one message: “Don’t forget this trust!”

The underlying process of replacing the certificate is based on four easy steps, all of them are necessary:

  1. Replace the certificate in the IIS of each PHA server

    This is a no-brainer. Request the certificate, get the response, use certmgr.msc to import the certificate into the Personal Store of the Machine Account. Make sure to have a private key for the certificate. This can be self-signed, internally trusted or externally trusted (depending on your scenario, if you externalize your farm or not).

  2. Export the certificate as pfx (with private key)

    Export it with private key (and password) and put it into the location, where the web.config of each Provider Hosted App can access it. Usually this certificate is stored in a central location on each IIS PHA Server.

  3. Export the certificate as cer (without private key)

    Export it without private key and put it into a location on a SharePoint server, where you can access it from the SharePoint Powershell script in the next step.

  4. Replace the SharePoint trust via script

    The certificate (cer) is referenced in two locations in SharePoint (SPTrustedRootAuthority, STSTrustedSecurityTokenIssuer). You can set it in the SPTrustedRootAuthority by updating the object and by deleting the STSTrustedSecurityTokenIssuer object and recreating this with the correct IssuerName and RegisteredIssuerName ([Issuer GUID]@[Realm]). See Script below.

EDIT: This image differs from the code below. A crucial parameter is missing. line 29 must have the flag “-IsTrustBroker” as seen below. I wrote a specific article on this topic here

param (
[string] $CertificateSubjectAlternativeName = ""
, [string] $CertificatePathLocation = "[MyDrive]:\[MyPath]\"

asnp microsoft.sharepoint.powershell -ea 0

$certificate = $null;
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificatePathLocation);

if($certificate -ne $null) {
$tra = $null;
$tra = Get-SPTrustedRootAuthority | ? { $_.Certificate.Subject.Contains(${CertificateSubjectAlternativeName}) }

if( $tra -ne $null ) {
$tra.Certificate = $certificate;
} else {
Write-Host -ForegroundColor Red “Error: No Certificate with SAN ‘${CertificateSubjectAlternativeName}’ found in Root Authority Store.”;

$sci = $null;
$sci = Get-SPTrustedSecurityTokenIssuer | ? { $_.SigningCertificate.Subject.Contains(${CertificateSubjectAlternativeName}) }

if( $sci -ne $null ) {
$regIssuerName = $sci.RegisteredIssuerName;
$issuerName = $sci.DisplayName;
New-SPTrustedSecurityTokenIssuer -Name “${issuerName}” -RegisteredIssuerName “${regIssuerName}” -Certificate $certificate -IsTrustBroker;
} else {
Write-Host -ForegroundColor Red “Error: No Certificate with SAN ‘${CertificateSubjectAlternativeName}’ found in Trusted Security Token Issuer Store.”;
} else {
Write-Host -ForegroundColor Red “Error: Certificate not found at location ‘${CertificatePathLocation}’.”;

The last step, which is not mandatory, but we had to do it was on the IIS Servers of the PHA environment. The certificate gets cached by the UserProfile of the User running the app pool. Thus once you replace it is no longer able to find the file. This will be broadcasted by an ugly error like: ‘CryptographicException: The system cannot find the file specified.’

This is how to fix that: open IIS –> ApplicationPools –> DefaultAppPool –> “Right Click” –> Advanced Settings –> Load User Profile | set this value to “true”.

It seems a bit absurd to change this setting since it did not have to be set when configuring the PHA connection in the first place, but it does the trick.


Read more of this post

Send A SOAP Message to Nintex Workflow WebService – DeleteWorkflow

Yesterday I was challenged to develop a script that deletes a list workflow on 105 sites and publish it with a new name.

There is a bug within Nintex, where when you copy a site collection the GUIDs of the workflow, the list and the web are the same as in the source site. This confuses Nintex sometimes, in this case regarding conditional start. The conditional start adds an event receiver to the list and the workflow itself is synchronous, so when saving a form this takes a couple of seconds to close because the form waits for the workflow to finish. Even if the workflow is small, this will always take longer than the user expects, so we changed the start condition to always run on change, but used the condition action as first action in the workflow, so the workflow always starts (asynchronously), but ends right away if the condition is not met. So we buy performance by getting more historic Nintex Data.

So back to the task. The publishing of a workflow can be done with NWAdmin, which was my obvious choice to team up with PowerShell to run through the sites of my webapplication and to pulish the workflow. Only publishing the workflow does not help, as the GUID stays the same. We need to decouple the workflow from its history. This can be done by publishing it with a new name (Nintex Support).

The NWAdmin Tool however does not provide a method to delete a workflow. I then looked into the dreaded “using the ie-process as com.application” but the page where you can manage a workflow is really irritating from a DOM-perspective. Also the url click event triggers a javascript method with a confirm-window.

function DeleteWorkflow(sListId, sWorkflowId, sWorkflowType, bPublished) {
    if (bPublished) {
        if (!confirm(MainScript_DeleteWfConfirm))
    else if ((!bPublished) && typeof (bPublished) != "undefined") {
        if (!confirm(MainScript_DeleteUnpublishedWfConfirm))
    else {
        // orphaned workflows
        if (!confirm(MainScript_DeleteOrphanedWfConfirm))
    deletedWorkflowID = sWorkflowId;
    var oParameterNames = new Array("listId", "workflowId", "workflowType");
    if (sListId == "") {
        sListId = "{00000000-0000-0000-0000-000000000000}";
    var oParameterValues = new Array(sListId, sWorkflowId, sWorkflowType);
    var callBack = function () {
        if (objHttp.readyState == 4) {
            if (CheckServerResponseIsOk()) {
                //delete the table row's for this workflow
                var tableRows = document.getElementsByTagName("TR");
                for (var i = tableRows.length - 1; i > -1; i--) {
                    if (tableRows[i].getAttribute("WfId") == deletedWorkflowID) {
    InvokeWebServiceWithCallback(sSLWorkflowWSPath, sSLWorkflowWSNamespace, "DeleteWorkflow", oParameterNames, oParameterValues, callBack);

As you can see there is an if-clause which sends a confirm-window in any case. So I could not use this method. But thankfully I found the last line
InvokeWebServiceWithCallback(sSLWorkflowWSPath, sSLWorkflowWSNamespace, “DeleteWorkflow”, oParameterNames, oParameterValues, callBack);

That took me on the right track.

I looked into the method, but that was the less efficient way of approaching the problem. The link to the webservice would have gotten me further (/_vti_bin/NintexWorkflow/Workflow.asmx?op=DeleteWorkflow).


function InvokeWebServiceWithCallback(sServiceUrl, sServiceNamespace, sMethodName, oParameters, oParameterValues, fCallBack) {
    if (objHttp == null)
        objHttp = createXMLHttp();

    oTargetDiv = null; // prevents the onstatechange code from doing anything

    // Create the SOAP Envelope
    var strEnvelope = "" +
                "" +
                    "" +
                    "" +
                "" +

    var objXmlDoc = CreateXmlDoc(strEnvelope);

    // add the parameters
    if (oParameters != null && oParameterValues != null) {
        for (var i = 0; i < oParameters.length; i++) {
            var node = objXmlDoc.createNode(1, oParameters[i], sServiceNamespace);
            node.text = oParameterValues[i];
            objXmlDoc.selectSingleNode("/soap:Envelope/soap:Body/" + sMethodName).appendChild(node);

    var objXmlDocXml = null;
    if (typeof (objXmlDoc.xml) != "undefined")
        objXmlDocXml = objXmlDoc.xml; // IE
        objXmlDocXml = (new XMLSerializer()).serializeToString(objXmlDoc); // Firefox, mozilla, opera"POST", sServiceUrl, true);
    objHttp.onreadystatechange = fCallBack;
    objHttp.setRequestHeader("Content-Type", "text/xml; charset=utf-8");
    objHttp.setRequestHeader("Content-Length", objXmlDocXml.length);
    if (sServiceNamespace.charAt(sServiceNamespace.length - 1) == "/")
        objHttp.setRequestHeader("SOAPAction", sServiceNamespace + sMethodName);
        objHttp.setRequestHeader("SOAPAction", sServiceNamespace + "/" + sMethodName);

In any case I developed the script to run the delete workflow method via soap and that’s what I want to share with you below.

The script deletes exactly one workflow on a list in a given web based on the id. The ID of the Workflow can be retrieved from the nintex configuration database.

SELECT workflowid, workflowname
  FROM [Nintex_Config].[dbo].[PublishedWorkflows]
  where workflowname = '[Workflow A]'
  group by workflowid, workflowname

For those of you who panic when seeing/ reading SQL, you can also get the ID from the page (the link) itself, but that kind of defeats the purpose of automating the task of deletion, because you would need to go to every management page to get all ids…but I guess anybody still reading this is not panicking yet…

btw the export-workflows nwadmin command does not give you the ids of the workflows…

but if you want to get the ids in a different way you can use the following powershell:

$w = get-spweb "[WebUrl]";
$l = $w.lists["[ListTitle]"];
$l.WorkflowAssociations | select baseid, id, name

The ID you want to use is the baseid.

Back to the SOAP Script…

I am sending the request with the default credentials…this may be something you will want to check. Check out the System.Net.NetworkCredential type, if you want to add a dedicated user to run the call with. Don’t forget the security implications… 😉

The issue I had was, that I forgot the xml header, starting with a different content-type and the real big issue: I forgot to set the action in the header. That’s the critical point. If you don’t do that you will get a 200 HTTP Response Code, but nothing will happen. After a couple of hours I was satisfied with my result. Here it is…

param (
    [string] $WebUrl = "[MyUrl]",
    [string] $ListTitle = "[MyListTitle]",
    [string] $WorkflowId = "[GUID of Workflow without parentheses]"

asnp microsoft.sharepoint.powershell -ea 0;

$spweb = get-spweb "$Weburl";
$splist = $spweb.lists | ? { $_.Title -eq "$ListTitle" -or $_.RootFolder.Name -eq "$ListTitle" }
$splistid = $"B");

$WebServiceBase = $WebUrl;
$WebServiceMethod = "_vti_bin/NintexWorkflow/Workflow.asmx";
$Method = "POST";
$ContentType = "text/xml; charset=utf-8";

$soapEnvelope = "" +
                "" +
                    "" +
                        "" + $splistid + "" +
                        "{" + $workflowid + "}" +
                        "List" +
                    "" +
                "" +

$req = [system.Net.HttpWebRequest]::Create("$WebServiceBase/$WebServiceMethod");
$req.Method = $method;
$req.ContentType = "text/xml; charset=utf-8";
$req.MaximumAutomaticRedirections = 4;
#$req.PreAuthenticate = $true;

$req.Credentials = [System.Net.CredentialCache]::DefaultCredentials;

$req.Headers.Add("SOAPAction", "");
$encoding = new-object System.Text.UTF8Encoding
$byte1 = $encoding.GetBytes($soapEnvelope);

$req.ContentLength = $byte1.length;
$newStream = $req.GetRequestStream();

$newStream.Write($byte1, 0, $byte1.Length);

$res = $null;
$res = $req.getresponse();
$stat = $res.statuscode;
$desc = $res.statusdescription;

Recreate Office Web Apps // Proxy

Long time, no blog. Lots to do, and worth blogging about, but I just cannot find the time. Hopefully after March I will.

Recently at a customer I had to recreate the office web apps farm. As I have never done that before I tried naively:
Install the certificate, set the correct URLs on the server and recreate the SPWopiBindings.

Well there was a Proxy in my way, and the URL I wanted to use (spofficewebapps.customer.tld) was not in the list of exceptions.

So it didn’t work (adding the spwopibinding).

Office Web Apps Server:

$dns = "spofficewebapps.customer.tld"
set-location Cert:\LocalMachine\My
$cert = gci | ? { $_.DnsNameList.Unicode -eq $dns } | select -First 1;
$cert.FriendlyName = $dns
Set-OfficeWebAppsFarm -InternalURL "https://$dns" -ExternalUrl "https://$dns" -CertificateName "$dns"

SharePoint Server:

Remove-SPWopiBinding -All:$true -Confirm:$false
New-SPWopiBinding -ServerName "spofficewebapps.customer.tld"

What I got is that the Server was not available. Like this:
But my certificate was there, I could reach the https://spofficewebapps.customer.tld/hosting/discovery/ just fine and so none of the results from Google fit my bill.

What now? Well here is the list of remedies:
– Add the new URL to the list of Proxy exceptions
– Do not use Set-OfficeWebAppsFarm, but rather destroy and create (see below)
– Restart all servers involved

Then another thing: My servers aren’t getting the Proxy exceptions pushed. So I had to add them to Internet Explorer manually.

Good Code on Office Web Apps:

$dns = "spofficewebapps.customer.tld"
New-OfficeWebAppsFarm -InternalUrl "https://$dns" -CertificateName "$dns" -EditingEnabled -LogLocation "D:\OWA-LOGS" -RenderingLocalCacheLocation "D:\OWA-CACHE"

So after all that I was finally able to add the office web apps back. By the way a host file entry on the SharePoint Server to the Office web apps Server DID NOT HELP.

Static IP? No thanks, i’ve got ftp!

So yes, there is a bit of a logical issue in the title. If I have ftp, I already have a static ip of course, which is connected to the servername, but maybe I don’t want that static ip, I want it for a different purpose and it costs me 15 EUR/ month to get it via my Internet Provider. I could start with using a service that can tunnel my requests via a static IP to my dynamic one, but I will have to register with somebody.

I thought, why can I not do the following? Trigger a timer job on my home machine, get the IP Address and store it in a file. This file I could either push via a service like dropbox (but I don’t want dropbox on my server) or I can use ftp.

I took the code from this site.

Here it is:

function UploadFTP {
[string] $user,
[string] $url,
[string] $port,
[string] $pass,
[string] $localPath,
[string] $remotePath

# create the FtpWebRequest and configure it
$ftp = [System.Net.FtpWebRequest]::Create("ftp://" + $url + ":" + $port + "/" + $remotePath);
$ftp = [System.Net.FtpWebRequest]$ftp
$ftp.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile
$ftp.Credentials = new-object System.Net.NetworkCredential($user,$pass);
$ftp.UseBinary = $true
$ftp.UsePassive = $true
# read in the file to upload as a byte array
$content = [System.IO.File]::ReadAllBytes($localPath);
$ftp.ContentLength = $content.Length
# get the request stream, and write the bytes into it
$rs = $ftp.GetRequestStream()
$rs.Write($content, 0, $content.Length)
# be sure to clean up after ourselves

function DownloadFTP {
[string] $user,
[string] $url,
[string] $port,
[string] $pass,
[string] $downloadPath,
[string] $remotePath
# Create a FTPWebRequest
$FTPRequest = [System.Net.FtpWebRequest]::Create("ftp://" + $url + ":" + $port + "/" + $remotePath);
$FTPRequest.Credentials = New-Object System.Net.NetworkCredential($user,$pass)
$FTPRequest.Method = [System.Net.WebRequestMethods+Ftp]::DownloadFile
$FTPRequest.UseBinary = $true
$FTPRequest.KeepAlive = $false

# Send the ftp request
$FTPResponse = $FTPRequest.GetResponse()
# Get a download stream from the server response
$ResponseStream = $FTPResponse.GetResponseStream()
# Create the target file on the local system and the download buffer
$LocalFile = New-Object IO.FileStream ($downloadPath,[IO.FileMode]::Create)
[byte[]]$ReadBuffer = New-Object byte[] 1024
# Loop through the download
do {
$ReadLength = $ResponseStream.Read($ReadBuffer,0,1024)
while ($ReadLength -ne 0)


$user = "someusername"
$url = "some.ftp.server"
$port = "21";
$pass = "somepassword";
$localPath = "C:\tmp\myfile.txt";
$downloadPath = "C:\tmp\myfiledown.txt";
$remotePath = "myuploadedfile.txt";

$ip = Get-NetIPAddress | ? { $_.AddressFamily -eq "IPv4" -and $_.InterfaceAlias -eq "Ethernet"}
$ip.IPv4Address > $localPath;

UploadFTP $user $url $port $pass $localPath $remotePath
DownloadFTP $user $url $port $pass $downloadPath $remotePath

So what I am doing is defining my variables, writing my IP to my localpath and uploading that file as well as downloading it. So my PoC was with one machine. The expectation is that the downloaded file and the original file are the same. Which is true.

The eventual setup will look a bit different because I will have to get at the public ip as well as setup the job which will then upload the file. On the other side I will need the part of the script, that downloads the file.

So my use case is I want to connect to a server connected to the internet, but I don’t know the IP, because it is dynamic/ DHCP.

AppManagement and SubscriptionSettings Services, Multiple Web Applications and SSL

So currently I am setting up four environments of which one is production, 2 are staging and another is was a playground installation.

My staging environments (TEST, QA, PROD) are multi-server, multi-farm systems (multi-farm because the 2013 Farm publishes Search and UPA to existing 2010 Farms).
They are running SPS2013 Standard with March PU 2013 + June CU 2013. They will be using App Pool Isolation and App Management and SubscriptSettings Services have their own account (svc_sp{t, q, p}_app, i.e. svc_spt_app, svc_spq_app and svc_spp_app).

I have three web applications of which all are secured by SSL making a wildcard certificate necessary for the app domain. Each has their own account (svc_sp{t, q, p}_{col, tws, upa}). The reason for this is that I will be using Kerberos Authentication and for the SPNs I need dedicated accounts for each Application URL.

My playground was once a 4 server farm, but now 3 servers have been removed. It does not run the March PU 2013 nor June CU 2013. There app pool isolation wihtout SSL is used.

On the playground the app management worked well. I actually encountered my problem on my test first and tried to replicate on the playground, but couldn’t. But I am getting ahead of myself. The system was setup via autospinstaller and the necessary certificates and IPs involved were requested and implemented. The AD Team did the domain setup for me. I didn’t setup my environment following this article, but it is a good one to read. I also got the idea of creating a separate dummy web application for attaching my IIS Bindings and Certificate from it, which makes a lot of sense, because of security considerations and kerberos.

The first article to read to get an overview of what is necessary and what’s trying to be achieved can be found here.

So I set up everything and still it wasn’t working. What does that mean? I will explain. When I subscribe to an app, download it from the store and add it in a site collection of my choosing I get to click on it once it is finished installing. The link then leads me to my app domain. With SSL only when I was using the same application pools I could actually get anywhere, otherwise I say the below.

This is what I wanted to see:

This is what I saw on any of the web applications with SSL and that had a different app pool account than the one I was using for my dummy web application.

So this blank page is actually exactly what you see when you leave the request management service running on the frontends without doing any topology configuration.

So I tried to work with the user policy from the web application management page in hopes of giving the users permissions on the content databases. This was actually not happening as I found out later, but which was actually exactly what was needed. I had to manually add the account of the app pool for the app domain to the SPDataAccess Group of the content databases. Then it also works with SSL. I actually set up three web applications WITHOUT SSL on the Test Staging Environment with the same users as the SSL Web Applications and this worked like a charm, but for any SSL web application I needed to explicitly give permissions to the content database. This is a nightmare to maintain. For my migration of 20 databases from 2010 to 2013 I need to do this again and again and for each new content database I will create in the future. Just imagine you create a new content database and forget to do this. Now for any site collection in this content database the above issue will show up. Hard to debug later on.

Not sure what Microsoft is thinking here, but I am happy that it only took me 4 days to figure this one out.

Automation of Web Application Creation in Managed Environments (Part VII: Edit registry and host file)

This is the seventh and last article of this series. It is related to another article I already posted on the subject. This article tries to automate what was achieved in that article, i.e. edit the registry entry for BackConnectionHostNames to contain all hosted Hostnames as well as update the Local Host-File. Why would you do that? Because if you don’t then you will have a problem with calls from the server calling resources on the same server running into the loopback issue.

In essence the loopback issue is caused by a (valid!) security measure where the server should not call any resources on the system as this can mean a security loop hole. Webservers and especially webservers hosting webservices are a special case, thus you need to configure for this case and that is what you do by registering the allowed host names in the host-file and the registry.

So let’s get into the BackConnectionHostNames Registry Edit.

$path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\BackConnectionHostNames"
$root_path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
$name = "BackConnectionHostNames"

$value = @"

if (Test-Path $path) {  
    Write ($path + " exists!")  
} else {  
    Write ($path + " needs to be created!") 
    New-ItemProperty -Path $root_path -Name $name -PropertyType MultiString -Value $value

So this one is pretty easy. You can improve it by getting the multi-string content from a text file or something silly like that. So I have 3 variables at the top and these were the early days, you can see that because I omitted the semi-colon at the end of the line, which I usually do these days (except for function calls). Also the two last variables could be used to create the first, so it’s redundant, but that’s not even going to change the semantics of the script. The variable ‘value’ basically contains lines where each line represents a hostname.

Next the script checks if the path to the item property exists. It makes sure not to overwrite it, when a value exists. You could easily change this by adding the following line

Set-ItemProperty -Path $root_path -Name $name -Value $value -confirm:$false


Write ($path + " exists!")

The only time you will get a problem is when there already is a property with this name and this property does not have the type of a multi-valued string.

If the property does not exist it gets created with the path, name, type and value given. It’s almost as if you create a directory with PowerShell which makes sense because you can also walk through the registry the same way you do a directory of files and folders.

Now that we have set up the registry we can choose to hit “Windows + R” for “Run” and type ‘regedit’ then you navigate through the registry editor to the right place…hklm\system\CurrentControlSet\Control\Lsa\MSV1_0\ and then check the backconnectionhostnames value. It should be fine with the values given above.

Okay, the next step is getting the host file in order. You can do this manually. Honestly this is basically nothing but an ip address and a hostname separated by a tab or two at the most. Find the script below.

$inpath = ([string] (Split-Path -parent $MyInvocation.MyCommand.Definition) + "\hosts.txt")
$definitions = ([string] (Split-Path -parent $MyInvocation.MyCommand.Definition) + "\hosts_definitions.txt")

$outpath = ([string] (Split-Path -parent $MyInvocation.MyCommand.Definition) + "\hosts")

$content = get-content $inpath;

$content > $outpath 

import-csv $definitions -delimiter ';' | % {
    Write ("    " + $_.IP + "    " + $_.HostName) >> $outpath;
    Write ("    " + $_.IP + "    " + $_.HostName);
if (Test-Path $outpath) {
    copy-item $outpath "C:\windows\system32\drivers\etc\hosts" -confirm:$false -force
    Write ("Copied host-file");
    remove-item $outpath

The hosts.txt and the hosts_definitions.txt need to be in the directory the script is run in ($MyInvocation.MyCommand.Definition). The hosts file (without the .txt) will be copied to the same directoy and then later on moved to the correct directory. For each of the lines in the input file you can add the IP and the hostname with 4 spaces in between. Bam! Finito! Your host file is finished and ready to be sent to the correct folder. The correct folder in this case is the drivers\etc folder of the system directory. You move it and you delete the source. There you go. That’s it.

This is what the input file looks like:


and just for completeness, here is what the host file looks like when delivered with a fresh windows installation:

# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#          # source server
#              # x client host

# localhost name resolution is handled within DNS itself.
#       localhost
#	::1             localhost

So now you have your registry and host files set up to allow the loopback check done in the right way! The only thing is that you need to make this re-runnable in some fashion or at least be able to add new host names in the future as we will see can be done with the scripts in all other parts. So using the set-propertyitem command might be a really good idea.

Additionally I want to touch on the topic of disallowing SSL 2.0 for IIS on Windows Server and automating that as well. This topic is described in another very detailed knowledge base article, so I will only briefly give you an overview of why you would want to do this. It fits well with editing the registry for the backconnectionhostname entry, because that uses the same mechanics but isn’t quite as long/ complex.

Basically this belongs into the context of security and server hardening. You will want to disallow the use of certain certificates that IIS may allow but you do not. At one of my customers a security department basically made this a requirement for our servers. So doing this on every server (because any SharePoint Prerequisite Install configures the WebServer role) of the farm is quite tedious.

The problem with these certificate types (cryptos) is that they have names containing slashes (‘/’) in them, e.g. RC2 128/128. The slash is used as a path separator in the context of powershell, so all the blogs tell you: you need to use the C# API. Okay so in my first version of the script I actually just added the first part (“RC2 128”) and manually edited the entries later (add “/128”). Yuck! So today I finally made this work in a sensible fashion. Finally I as the administrator no longer care about which cryptos are actually disabled and can only run the script and be done with this. As it’s actually fast as scripting should be it’s a couple of script executions and less than a minute for a farm. Nice!

So how did I go about this? I found this RegistryKey Class on msdn but I didn’t know how to get an object of the type [Microsoft.Win32.RegistryKey], because when do you actually have a Handle (basically what I was trying to get in the first place, so trying to find a handle is the same problem as before or an IntPtr (Int Pointer)) so I had to scan through multiple google results before finding something about RegistryKey Object and OpenSubKey. That’s where I found the constructor, which is basically a special form of the path (…prefixed “Registry::”), so that was the last missing piece to script the below:

function Get-LocalMachineRegistryKeyForEdit([string] $registryPath, [string] $SubKey) {
    $fullParentPath = "Registry::HKLM\" + $registryPath;
    if ( Test-Path $fullParentPath ) {
        $reg = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($registryPath);
        $reg.OpenSubKey($SubKey, $true);

function New-SubKey([Microsoft.Win32.RegistryKey] $key, [string] $subkey) {
    $fullParentPath = "Registry::" + $key.Name;
    if ( Test-Path $fullParentPath ) {
        $fullChildPath = $fullParentPath + "\" + $subkey;
        if ( -not (Test-Path $fullChildPath) ) {
            $newsubkey = $key.CreateSubKey($subkey);

function New-PathDWORD([Microsoft.Win32.RegistryKey] $key, [string] $subkey, [string] $valueType, [string] $valueName, [string] $value) {
    $fullParentPath = "Registry::" + $key.Name;
    if ( Test-Path $fullParentPath ) {
        $fullChildPath = $fullParentPath + "\" + $subkey;
        if ( -not (Test-Path $fullChildPath) ) {
            $newsubkey = $key.CreateSubKey($subkey);
        $k = Get-Item -Path ($fullChildPath)  

        if($k -ne $null) {
            $kProp = Get-ItemProperty -Path $fullChildPath -Name $valueName -erroraction silentlycontinue
            if($kProp -eq $null) {
                New-ItemProperty -Path $fullChildPath -Name $valueName -PropertyType $valueType -Value $value

# Registry::HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
$schannelPath = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL";

# Registry::HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
$ciphers = "Ciphers";

$cip = Get-LocalMachineRegistryKeyForEdit $schannelPath $ciphers

#enabled == 0
Write "SCHANNEL SECTION - Enabled=0";

New-SubKey $cip "NULL" "DWORD" "Enabled" "0"

New-PathDWORD $cip "RC2 40/128" "DWORD" "Enabled" "0"
New-PathDWORD $cip "RC2 56/128" "DWORD" "Enabled" "0"
New-PathDWORD $cip "RC4 40/128" "DWORD" "Enabled" "0"
New-PathDWORD $cip "RC4 56/128" "DWORD" "Enabled" "0"
New-PathDWORD $cip "RC4 64/128" "DWORD" "Enabled" "0"
New-PathDWORD $cip "RC2 128/128" "DWORD" "Enabled" "0"
New-PathDWORD $cip "RC4 128/128" "DWORD" "Enabled" "0"

#enabled == 1
Write "SCHANNEL SECTION - Enabled=1";

New-PathDWORD $cip "DES 56/56" "DWORD" "Enabled" "0xffffffff";
New-PathDWORD $cip "Triple DES 168/168" "DWORD" "Enabled" "0xffffffff"; # Triple DES 168/168

# ------
# Hashes

$hashes = "Hashes";
$hash = Get-LocalMachineRegistryKeyForEdit $schannelPath $hashes

Write "HASHES SECTION - Enabled=0";

#enabled == 0
New-PathDWORD $hash "MD5" "DWORD" "Enabled" "0"; # MD5

Write "HASHES SECTION - Enabled=1";

#enabled == 1
New-PathDWORD $hash "SHA" "DWORD" "Enabled" "0xffffffff"; # SHA


$keyexchalgo = "KeyExchangeAlgorithms";
$algo = Get-LocalMachineRegistryKeyForEdit $schannelPath $keyexchalgo

New-PathDWORD $algo "PKCS" "DWORD" "Enabled" "0xffffffff"; # PKCS


$protocolsPath = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols";
$protocols = "Protocols";

$prot = Get-LocalMachineRegistryKeyForEdit $schannelPath $protocols

$pct10 = "PCT 1.0";
New-SubKey $prot $pct10;  #PCT 1.0

$ssl20 = "SSL 2.0";
New-SubKey $prot $ssl20;  #PCT 1.0

$pct = Get-LocalMachineRegistryKeyForEdit $protocolsPath $pct10
New-PathDWORD $pct "Server" "DWORD" "Enabled" "0"; 

$ssl = Get-LocalMachineRegistryKeyForEdit $protocolsPath $ssl20
New-PathDWORD $ssl "Server" "DWORD" "Enabled" "0";

When all is run, this is what the registry looks like:

We basically have three methods that I will need to implement for the different use-cases I have.
I have the “give me a registry key for editing” use-case. So I get me that .NET object if it exists. Watch out that I am doing this in the HKLM (HKey Local Machine) context. I you want to do something outside of HKLM you need to change it accordingly.

So then I have my object I want to create DWORDs and Keys for. Well I need a method that does exactly that, because the first 15 or so steps will be “get me the key for editing and check if a key exists and add a DWORD enabling it or disabling it. Then I have a special case starting with the protocols section. There are actually sub-subkeys (or grandchildren keys if you so will). So we also need to be able to just create a path and then be able to perform or Path+DWORD operation again.

So the Path+DWORD is the heart of our script. Let’s look at it then. We make sure we don’t try to create something that already exists. So we have a parallel identification variable for the Test-Path method and the RegistryKey.OpenSubKey method. The subsequent OpenSubKey then opens the key for editing. I could have of course also implemented it, so that it directly opens the key I want in the first call of opensubkey and then use the flag for editing there. Might have been more slick, but how do I find my scripts on other blogs later if I don’t have any sillyness in them, right? 😉

So that’s a wrap.

I am sure you can optimize these things or maybe find easier solutions to these challenges I drew up here, but I think it was well worth writing this down as it took quite some time to find the solutions and the way I work I get inspiration for other problems I come across from reading these types of blogs.

I hope reading this article or all of them was worth your time and I would appreciate any feedback from your side if you are reading this.
I enjoyed writing this, so hopefully reading it was fun, too. My SharePoint journey isn’t over by far, so stay tuned for the next articles to come.

Back To Part VI
Back To Overview


Automation of Web Application Creation in Managed Environments (Part VI: Edit bindings for IPs and Certificates on the IIS Site)

For the sixth part of this series we have a special one. This might be the least stable one and you may need to change something to make it work. It is also one of these things when you finally get it done you click F5 and then it’s like “wow, sweet!”.

param (
    [string] $sitename,
    [string] $url,
    [string] $ip

import-module webadministration;

Function GetCertificate {
    param (
        [string] $url

    $url = $url.ToUpper();
    $url = $url.Replace("DOMAIN.SOMEEXTENSION", "domain.someextension");

    $cert = Get-ChildItem cert:\localmachine\my | ? { $_.Subject.Contains("CN=$url")}


Function BindCertificate {
    param (
        [System.Security.Cryptography.X509Certificates.X509Certificate] $cert,
        [string] $ip
    $certObj = Get-Item $cert.PSPath; 

    $item = get-Item IIS:SslBindings\${ip}!443;

    if($item -eq $null) {
        New-Item IIS:SslBindings\${ip}!443 -value $certObj;
    } else {
        Set-Item IIS:SslBindings\${ip}!443 -value $certObj;

Function ReplaceWebsiteBinding {
        [string] $sitename,
        [string] $oldBinding,
        [string] $newValue

    $wsbindings = (Get-ItemProperty -Path "IIS:\Sites\$sitename" -Name Bindings);

    for($i=0;$i -lt ($wsbindings.Collection).length;$i++) {
            ($wsbindings.Collection[$i]).bindingInformation = $newValue;
    Set-ItemProperty -Path "IIS:\Sites\$sitename" -Name Bindings -Value $wsbindings

$cert = GetCertificate $url;

if($cert -ne $null) {
    BindCertificate $cert $ip;

ReplaceWebsiteBinding $sitename "*:443:" "${ip}:443:";

So let’s check this script out. We have a sitename, we have an ip and we have the url of the website. We need the ip of course, because we wan’t to set that in the bindings and if you use https you need to anyway (that is if you don’t use a wild card certificate). The script does three things. It retrieves the certificate based on the url (the url needs to be in the subject of the certificate), it binds the certificate on the IP. So once you have the IP and the certificate bound you can replace the websitebindung (which is actually not yet associated with the sitename yet).

So you need to get the site via the sitename which is the path as well in the IIS:\ directory. It expects that you do not have a “real” binding, i.e. the way SharePoint creates it in Part II, plain and simple with “all unassigned:443”. If that’s not the case for you for any reason you need to edit the second of the three parameters. The third parameter represents what you have set in the second step: the correct binding.

So all the function does is iterate over all bindings of the site and edit the one you want to replace (the one given as second parameter). The last step is just replacing the old with the new. That’s it. IIS is set up. Off to the next step…

Continue Reading…Part VII

Back To Part V
Back To Overview