使用 Powershell 更新 IIS 的 SSL 绑定 7

Question

I'm trying to update a PS5 script to PS7, mainly because the script does work that requires a PS Core module.

Part of the script involved updating IIS bindings to use a different SSL Certificate. The cert is in the store and ready to be used - I just need to change the thumbprint on the binding.

My PS5 script used Get-WebConfiguration to get the bindings and then just looped through, calling RebindSslCertificate on relevant bindings.

I've tried using Set-WebConfigurationProperty and Set-WebBinding ; neither errors but neither actually updates the binding with IIS - example:

Set-WebConfigurationProperty  -Name 'certificateHash'  -Value $newCert.Thumbprint -PSPath "IIS:\\"  ` 
-Filter "/system.applicationHost/sites/site/bindings/binding[@protocol='https'][@bindingInformation='*:443:hostname']"   `

Could anyone help point me in the right direction for what I'm missing?

Thanks, Mark.

PS, Apologies if this is a repeat question but all I can find is old stuff that doesn't work or relates to "-Set-Item IIS:\SslBindings" Maybe there is someway to get the IIS drive working with remoting?

Answer 1

Ran into this on 9/10/2021 using Powershell 7.1.4.

As of date of writing, this is an open issue on github for PowerShell.

Link for reference: https://github.com/PowerShell/PowerShellModuleCoverage/issues/14

Issue is that PowerShell 7 is based on .NET Core and the PS module WebAdministrator is based on .NET Framework.

When you run

Import-Module WebAdministration
WARNING: Module WebAdministration is loaded in Windows PowerShell using WinPSCompatSession remoting session; please note that all input and output of commands from this module will be deserialized objects. If you want to load this module into PowerShell please use 'Import-Module -SkipEditionCheck' syntax.

Notice the mention of 'WinPSCompatSession' in the warning. If the module manifest doesn't indicate that the module is compatible with PowerShell Core, then it gets loaded via the Windows PowerShell Compatibility Feature.

It seems this module partially works in compatibility mode, however if you try to work with IIS:\ then you start getting errors.

Alternatively, if you run the parameter in the warning you get this.

Import-Module -SkipEditionCheck WebAdministration
Import-Module: Could not load type 'System.Management.Automation.PSSnapIn' from assembly 'System.Management.Automation, Version=7.1.4.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.

A quick test in PowerShell 7.1.4 will show you that you can't access the IIS connector.

PS C:\Windows\System32> Import-Module WebAdministration
WARNING: Module WebAdministration is loaded in Windows PowerShell using WinPSCompatSession remoting session; please note that all input and output of commands from this module will be deserialized objects. If you want to load this module into PowerShell please use 'Import-Module -SkipEditionCheck' syntax.
PS C:\Windows\System32> cd IIS:\
Set-Location: Cannot find drive. A drive with the name 'IIS' does not exist.

However, if you open up PowerShell 6 you can do this no problem.

PS C:\WINDOWS\system32>  Import-Module WebAdministration
PS C:\WINDOWS\system32> cd IIS:\
PS IIS:\> dir

Name
----
AppPools
Sites
SslBindings

My next step is trying to get this to work by loading the .NET assembly directly. Will update with the solution

[System.Reflection.Assembly]::LoadFrom("$env:systemroot\system32\inetsrv\Microsoft.Web.Administration.dll")