Skill Level Intermediate
- So in the first part, we got to set up PowerShell web access using all of its default settings. If you had a chance to try that on a virtual machine, it's actually kind of cool, right? Well in a lot of instances though, you're going to want to customize this and so I want to take you through a couple of customizations. In this part, what we're going to do is do most things graphically. We'll check things out in PowerShell, but graphically, I don't want to install it to the default website, so let's choose a different website and a different web application name.
And then I want to show you from scratch how to graphically set it up, without using the PowerShell command so that you can set it to whatever website you want and you'll see all of the security settings and all of the little minutiae that you would need to do. That's actually really good to know, because in the last part I'm gonna show you how to set up PowerShell web access completely over PowerShell remote to a core box. And we're going to do everything from creating a website to setting the DNS record, everything through PowerShell.
And you're gonna need to know all of these ins and outs and kind of deep dive configuration settings. So let's get started here with the first set up and let me show you what I have right now. First of all, (clears throat) let me go ahead and open up PowerShell and I'm gonna do get Windows feature and I'm gonna show you that from our last section, I still have the feature installed. So, I'm gonna say PowerShell. And I want you to notice that the feature itself is still installed. Now once again, if it's not installed on the machine that you're working on.
Install Windows feature and then go ahead and type in this name over here, which is Windows PowerShell Web Access. Once that feature's installed, you get all the commandlets to play with. Let me show you again how to get the commandlet list, and then I'm going to show you what I currently have set up as a website. Something different than the default website. So to get the commandlet list again, *pswa* and you'll see that we have six commandlets.
Now we're only going to use a couple of these this time. Let me show you my current web environment. So I'm gonna go in the IIS manager, we're gonna spend quite a bit of time in here. I want you to see the IIS side of things. And I want you to notice, (clears throat) that I've got a website out here that I've already created called Management. And I'll show you the bindings for it. Oops, let me get rid of this binding. We don't want that one in there. Here's Port80, just like you create any website from scratch, which we'll do.
So I've got it set up for Port80, and I'll even test to make sure that this website currently works. Start (typing) iexplore, and the website currently, with this binding, is called management.company.loc. Ta-da! Just a regular, old-fashioned kind of website. So let's go back into the IIS manager. What I'd like to do is, instead of installing pswa to the default website, under a web app.
Now it's not here now, but remember a web app was pswa underneath here. I want to install it to the management website, and to a web app underneath called pwa. First of all, I like the shorter name pwa. PowerShellWebAccess, it's a lot like if you work with Exchange owa, it's a lot shorter to type than all the pswa stuff. The other thing is, is I like to put this in my own website. I don't like to put things in the default website unless I have to. This way I can set up DNS, I have my own bindings.
I can put this on any server I want, with my own website settings. Which as we customize these you'll see that's actually kind of important. So, let's go ahead and do this. Now I'm gonna use PowerShell (clears throat) and those commandlets again. So, add pswa oops, not add here let's get the list, because I forgot. And as a PowerShell guy, I try not to memorize anything, that's what get help is for. So what I want to do is ah, I want to install the pswa web application.
This time we're gonna use some additional configuration settings for it when we do it. So install pswa web application. First thing that comes up is the web application name. This is the name that you want to give the web application. It'll be part of the URL, so the website slash whatever name you want to give it. Now by default, it's pswa, but in this case I wanna make it shorter, pwa, I like that. And we want to give it a specific website.
This will allow us to specify what website we're gonna use, and I wanna use the management website. Now I want you to notice that I'm not going to use the use test certificate parameter this time. Keep in mind, when you use test certificate it creates a generic, self-signed certificate that's good for 90 days. You can still do this here, and then test it and go back later and replace the certificate. In my case, I already have a good certificate so, I don't want it to set this up.
Now one of the issues with not specifying this switch, is it doesn't set up an HTTPS binding for the website, you have to do that manually. So, I'll show you how to do it manually. So let's not use this setting and we'll just strike enter. And as you can see he creates an application pool for the website, pwa_pool and he created /pwa, well that looks really good. Let's go see if we can take a look at that graphically.
I'm gonna refresh my IIS manager. And first of all, what I wanna show you this time is the application pools. Soon, this is going to become very important to us. An application pool was created for us by default. Now if you're not sure what an application pool is for an IIS website, this is a protected memory space that the website runs in. These pools can get recycled so that if something hangs or starts to corrupt the memory pool, it can be cleared out, if a website suddenly starts to fragment memory.
This is one of the great features to IIS. Every time you create a website, it's good practice to create an application pool for it, not run all of your websites in one pool. Well this is really good, I have my own website for pwa, rather than using the default, which means I get my own application pool for that application. Now also, I'll show you that here's the management website, and here's the web application that was created. Now interestingly enough, I'm gonna go to the website and go into bindings.
The only binding we have is that Port80 binding. Since I didn't use that parameter switch, use test certificate, I'm now responsible, have to be responsible, to create that binding myself. So let me show you how to create the binding. In bindings, you click add binding. Up here for a protocol type, pick HTTPS. You'll notice that the port got flipped to 443. Now if you have Virtual IPs, or VIPs already assigned, if you're an IIS person and you have multiple VIPs, you can select those individual VIPs here, but I'm gonna leave it as all unassigned right now.
You can go down now and select the certificate, now I already have this wildcard certificate so let's go ahead and select that one, and I'll say okay. Now I've created the binding for 443. I'll close, and let's go test this. What do you think? Think it's gonna work? Well, kind of, and I want you to see this, this is a very common issue that occurs. So as you take a look at my screen here, I'm now just gonna test it. I'll say start iexplore HTTPS, and put in management.company.loc/ and now the new web app name that I chose, pwa, strike enter, and there's PowerShellWebAccess.
Ta-da ta-da ta-da, well not exactly um, let's test this. Company, ooh that's not gonna work, company/administrator have you figured out where my mistake is yet? Password, and the computer that I wanna go to, and I'll sign in. Oops! Notice the error message. Authorization failure occurred. Verify that you are authorized to connect to the destination computer.
I forgot to set up my authorization rules, and this is a common mistake, especially as you start customizing and start trying to set it up in your unique way, for your environment. You sometimes forget some of these things, like the authorization rules. So I need an authorization rule, that's what I forgot. I installed it, but I forgot to give it an authorization rule. So let's do that. I'm gonna clear the screen, and I'm gonna say add pswa authorization rule. Now I'm in a virtualized environment, so just for brevity's sake, I'm gonna do what I said not to do and put in the three stars, just so that we can play around with it for a little bit.
Now I've got an authorization rule, so let's go try it again. (typing) And sign in. Ooh yeah, (laughs) now it works. And the best part is, it's now working on the website of my choice, with the web application of my choice. And you can see I'm actually on my domain controller in this case and Get-ADComputer filter star, just to show you that all the active directory stuff, everything's working just the way it's supposed to, Ta-da! Just what we wanted.
So that's excellent. Now what I'm gonna do, is this is really cool. Let's go ahead and leave this page. Let's go back to the IIS manager. I don't want any of this. I don't like, in my case, having pwa /pwa as part of the URL. Now there's a couple ways around this. One is, if you're an IIS person, you can create a URL re-write for this where you can create a rule, using regular expressions, that will automatically redirect this.
That's cool. I also want to show you a different way, if you're not comfortable with setting up URL re-write, and you probably aren't, then let me show you a cool way to set this up that's much easier. Now the first thing is, I've gotta get rid of this one, and you can only have one pswa per server so, I need to go in and clean this up. Well let's kinda do this properly, let's clean him up a little bit. So pswa, I wanna use remove authorization rule and get rid of the rule I already have up here, ID 0 so, Remove-PswaAuthorizationRule ID 0, and now I want to uninstall that web application.
So Uninstall-PswaWebApplication, I'm gonna specify the application name is pwa and the website was management. Now I want to verify that not only did the application get removed, but so did the app pool. So I'll go out, I'll refresh my screen for IIS, tells me it doesn't exist - yeah, I know. Let's go back up here and refresh it. See it's gone, and let's check app pools.
The app pool for it is now gone as well. So, here's what I want to do. I want to go to my web server and I want to set up my own website, which I'm gonna show you how to do, and I want the application not to be a web app underneath that website, I want it to be right at the root of that website. So all's I have to type is, let's say, remote.company.loc and hit enter and it goes right to that webpage and I don't want to set up a redirection rule.
Not sure how to do that anyway. So, let me show you how to do this. And from scratch, we're gonna create a brand new website. Now again, if you're not an IIS person, this is actually what we would normally do. I'm gonna go to the application pool and I'm gonna create my own application pool. I'm gonna give it a name. So I'm gonna call this pwa_pool. I like to name my app pools with an _pool in it, .NET Framework version is 4.0 or above and you need to be in an integrated managed pipeline.
I'll say okay, and now I've got an application pool for this. You need to do the application pool first. At least that's my preference, cause when we go to create a website, it wants to know what that application pool is. So let me go to sites, I'm gonna right click, say add a website, and in this time, I'm gonna call it remote, so you know that I'm not cheating. It's gonna be something different. Notice as I typed remote, what it put in over here for the application pool.
It's going to automatically create an application pool called remote. Well I don't want that. I want the one that I created. So I'm gonna say select, go down and pick the pwa_pool and now you need to give a physical path to the website. Hmmmm, physical path to the website. I don't know if you remember in the last section, but I actually showed you where that physical path for PowerShellWebAccess is, and this is kind of interesting, when you installed the feature here it added these files.
So let me show you where that is. I'm gonna use the little browse box, and I've got a brand new website, notice there's no web app underneath, it's right to PowerShellWebAccess. We're almost ready to test this, but I need a DNS record that points to this, so... Let me take you out to DNS and show you how I set up the DNS record. I'm gonna do this graphically. So, here's what I'm gonna do.
DNS happens to be on another one of my boxes. So let me bring up my DC, it has my DNS. Here's my zone, forward lookup zone, company.loc. I'm gonna right click, say new A record. Remote. Notice it fills in the URL that I'll be typing in, I just need to give it an IP address and in my environment that will be 3.51. (clicking) Done.
So I've got everything set up, I can jump right in and try to test this right now. So let's go ahead and test this. (clicking) As a matter of fact, see here, clear the screen, start iexplore https remote.company.loc. Oh this is gonna be beautiful! (clears throat) Hey! I'm there, it's working great.
Company administrator password and we'll put in the DC, and we'll sign in. Oh... Oh! I know what it is! I know what it is. I don't think I have an authorization rule. Right? I got rid of it when I was cleaning things up, so. I need, although this isn't the same error message though, but I don't have an authorization rule so let's do the same thing we did before and we're gonna go add-pswa and add an authorization rule, let me just be real quick about this.
And we'll go back, and I'll do the same thing, I'll put my password in, and I'll say sign in. Still not working. Notice the error, it's different than the last error message we got. The last error message told us, you're not authorized for this. We needed a rule. This error message is completely different, it says (chuckle) an unexpected error has occurred in the sign-in process. Contact yourself (laughs) I love those errors.
Here's the thing. When you decide to create the website, the app pool, for PowerShellWebAccess. Notice I didn't use any PowerShell commands to install the web app, there's something that's missing. When you used PowerShell to install the pswa web application, it set up permissions. When you do it manually, you're responsible for those permissions. Here's the permissions that you need. PowerShellWebAccess, that application pool we created needs to have permissions to see the authorization file, the people that are allowed to use it.
If the app pool doesn't have permissions to that file, it's not gonna work and the error message says I don't know why it's not working, it's just not working. So this is one of those little tips and tricks that you have to make sure you keep around or you jot down if you're going to manually create this, and I usually manually set this up so, let me show you how to fix this problem. The application pool doesn't have permissions to a specific file. So let me take you out to that file. It's a file in the website, so I'm gonna go hit explore, and just to show you, I'm out at those website files.
Windows Web, PowerShellWebAccess. Now the challenge is this, it's not under wwwroot. I need to back up one. There's this folder called data, and underneath data there's a file called authorization rules, in fact let me turn on the extensions so that you can see, this is an XML file. So when you're using add pswa authorization rule, this is where the authorization rules are going, and the application pool that's allowing PowerShellWebAccess to run, needs to be able to read those rules or stop.
We're not gonna do it. So he needs to have read permissions to that file, nothing else, just that file. So I like to keep things really restrictive as much as I can, so on the authorization rules file I'm gonna right click, go into properties. We're gonna go into the whole security tab thing with NTFS permissions. Now this is gonna get a little bit tricky, so let me show you. I'm gonna edit, and I need to add something here for the application pool. This is where a little bit of knowledge about IIS helps out quite a bit.
Application pools have an identity on the local machine, not active directory. That's one issue. The identity for the application pool is called IIS App Pool/the name of the app pool. It's weird. So let me show you the steps for this. I'm gonna add in a user; however I want you to notice the first problem I'm gonna run into is the default's gonna be for the domain if this computer was joined to a domain.
The application pool identity only exists on the local machine so I need to change that to the local machine. Here's the weird part. The identity is called IIS space App Pool and then the name of the application pool, which was pwa_pool. Now what I like to do to make sure I've found the right account is click on check names. If he can't resolve it, he's gonna come up with a box saying I didn't find that.
If he can resolve it, watch what happens to the name. See how it shortened it and put an underscore under it? That means he found that application pool. I'll say okay. Now the application pool only needs to have read permissions, so you can get rid of the execute one. It doesn't need anything else. I'll apply. It's letting me know that you're changing permissions. I'll say okay. Okay. Let's go try it now. So I'm gonna bring up screen.
Let's put in the password, (typing) and try to sign in. Voila. So now it works. (sigh) Something to keep in mind, if you're gonna do this manually, which is the preferred way I have that I like to do it. A couple things you're gonna need to do, you're gonna need to create your own website from scratch. So once again, you'll create your website, create the app pool, which is what I do first; however, you can use the application pool that gets created when you make the website.
When you make the website make sure, and I'm gonna go in to the basic settings of this website to show you, the path that you want is where the PowerShellWebAccess files are located, and you're gonna need an https binding which you can do all at once. Make sure you have an authorization rule, but most important, when you manually set this up, you've got to give permissions to the application pool to that authorization XML file. Well now I've got PowerShellWebAccess set up in the website that I want without having to do the slash whatever, it goes right to the website, it's perfect.
What else could we possibly do? Well in the next section what else we could possibly do is do all of this remotely to a server. As a matter of fact, we'll do it to a core server, my favorite server, we'll do it completely remotely, completely through PowerShell including manually creating the website, the app pool, setting the permissions, all of that.
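
The manual setup walked through in this part (app pool, website rooted at the PowerShellWebAccess files, HTTPS binding, read permission on the authorization rules file, authorization rule), collected as an added PowerShell example that is not taken from the course. Assumptions: the feature's files sit in the default `%windir%\Web\PowerShellWebAccess` location, `<CERT-THUMBPRINT>` and `<DC-NAME>` are placeholders to fill in, and the authorization rule is scoped to one user and one computer rather than the three stars used in the demo.

```powershell
# Added example: PSWA at the root of its own IIS website, configured by hand.
# Run elevated on the web server; the WindowsPowerShellWebAccess feature must be installed.
Import-Module WebAdministration

$poolName   = 'pwa_pool'             # app pool name used in the walkthrough
$siteName   = 'remote'               # website name used in the walkthrough
$hostName   = 'remote.company.loc'   # DNS A record created in the walkthrough
$pswaRoot   = Join-Path $env:windir 'Web\PowerShellWebAccess'   # assumed default location
$rulesFile  = Join-Path $pswaRoot 'data\AuthorizationRules.xml'
$thumbprint = '<CERT-THUMBPRINT>'    # placeholder: certificate in LocalMachine\My
$targetHost = '<DC-NAME>'            # placeholder: computer users may connect to

# 1. Dedicated app pool: .NET 4.0, integrated managed pipeline
New-WebAppPool -Name $poolName | Out-Null
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion -Value 'v4.0'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedPipelineMode -Value 'Integrated'

# 2. Website whose root is the PSWA application, bound to HTTPS only
New-Website -Name $siteName -PhysicalPath (Join-Path $pswaRoot 'wwwroot') `
    -ApplicationPool $poolName -HostHeader $hostName -Port 443 -Ssl | Out-Null
(Get-WebBinding -Name $siteName -Protocol https).AddSslCertificate($thumbprint, 'My')

# 3. The step the PSWA install cmdlet normally does for you:
#    read-only access to the rules file for the local app pool identity.
#    Without it, sign-in fails with the generic "unexpected error" message.
& icacls.exe $rulesFile /grant "IIS AppPool\${poolName}:R" | Out-Null

# 4. Authorization rule scoped to one user, one computer, one session configuration
Add-PswaAuthorizationRule -UserName 'COMPANY\administrator' `
    -ComputerName $targetHost -ConfigurationName 'microsoft.powershell'

# 5. Checks: the pool identity has Read and nothing broader on the rules file,
#    the site has only the 443 binding, and the rule matches the intended user.
(Get-Acl $rulesFile).Access |
    Where-Object { $_.IdentityReference -like "*\$poolName" } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
Get-PswaAuthorizationRule
Test-PswaAuthorizationRule -UserName 'COMPANY\administrator' -ComputerName $targetHost
```

If the ACL check in step 5 returns nothing for the pool identity, expect the generic sign-in error rather than the "Authorization failure" message, which is the one that points to a missing rule.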