SungHoon_Kim

Creating an ALL-IN-ONE VM Image - Part 2

Blog Post created by SungHoon_Kim Employee on Oct 26, 2015

This is continued from "Creating an ALL-IN-ONE VM Image - Part 1"

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

The following components will be installed.

 

01. Install OS (Windows 2008 R2 - English)

02. Microsoft Loopback Adapter

03. Active Directory

04. DNS

05. IIS

06. Certificate Authority

07. MSSQL 2012

08. JDK 1.7.0_80 (32bit and 64bit)

09. NewAtlanta ServletExec 6.0

10. ASF Apache

11. CA Directory

12. Oracle Directory Server 11g

13. CA Single Sign-On Policy Server

14. CA Single Sign-On AdminUI

15. CA Single Sign-On Web Agent/Option Pack

16. CA Single Sign-On Secure Proxy Server

17. CABI 3.3

 

Some trivial steps, such as installing the OS and promoting the server to a Domain Controller, are skipped.

 

05. IIS

Installing IIS and configuring Certificate Services are actually performed in the same "Add Roles" pass.

 

Load the "Server Manager" and select "Add Roles"

SharePoint_106.jpg

SharePoint_107.jpg

SharePoint_110.jpg

Select "Web Server (IIS)" and "Active Directory Certificate Services".

 

 

06. Certificate Authority

 

SharePoint_111.jpg

SharePoint_112.jpg

Select "Certification Authority Web Enrollment" and "Online Responder".

It will ask which Role Services to add for these components. Click "Add Required Role Services" to pull in the dependencies.

SharePoint_113.jpg

SharePoint_114.jpg

SharePoint_115.jpg

SharePoint_116.jpg

SharePoint_117.jpg

SharePoint_119.jpg

By default "SHA-1" is selected as the hash algorithm, but I am choosing SHA256: SHA-1 signatures are deprecated and rejected by current browsers, and changing the hash later means renewing the root certificate itself, so it is better to get it right at install time.

SharePoint_120.jpg

I am naming this root CA "TESTLABCA".

SharePoint_121.jpg

Setting the validity of this root CA to 35 years. This only governs the root certificate; certificates it issues are still capped by the CA's ValidityPeriod registry setting and by the template. A root that lives this long also means its private key has to stay protected for that long, which is fine for a throwaway lab but not something to copy into a real PKI.

SharePoint_122.jpg

SharePoint_123.jpg

SharePoint_124.jpg

To configure the Web Agent, the following IIS role services need to be selected.

  • ASP.NET
  • CGI
  • ISAPI Extensions
  • ISAPI Filters
  • IIS Management Console
  • Windows Authentication (for the CA SiteMinder® Windows Authentication Scheme)

SharePoint_125.jpg

SharePoint_126.jpg

SharePoint_127.jpg

SharePoint_128.jpg

You should see those roles listed in the Server Manager.
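The same role selection, done from PowerShell instead of the Add Roles wizard, as an added example that is not part of the original post. It installs the IIS role services listed above together with the three AD CS components, then verifies the two CA choices made in the wizard (SHA256 signing and the root lifetime). It assumes the CA is named TESTLABCA and that the script runs elevated on the CA host; on Windows Server 2008 R2 the CA itself still has to be configured through the wizard, because the Install-Adcs* cmdlets only exist from Windows Server 2012 onward.

```powershell
# Added example (not from the original post). Windows Server 2008 R2: install the IIS role
# services needed by the Web Agent plus the AD CS components, then check the CA settings.
Import-Module ServerManager

$features = @(
    'Web-Server',           # Web Server (IIS)
    'Web-Asp-Net',          # ASP.NET
    'Web-CGI',              # CGI
    'Web-ISAPI-Ext',        # ISAPI Extensions
    'Web-ISAPI-Filter',     # ISAPI Filters
    'Web-Mgmt-Console',     # IIS Management Console
    'Web-Windows-Auth',     # Windows Authentication (SiteMinder Windows Authentication Scheme)
    'ADCS-Cert-Authority',  # Certification Authority
    'ADCS-Web-Enrollment',  # Certification Authority Web Enrollment (/certsrv)
    'ADCS-Online-Cert'      # Online Responder (OCSP)
)

$result = Add-WindowsFeature $features
if (-not $result.Success) { throw "Feature installation failed, exit code $($result.ExitCode)" }
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A reboot is required before continuing.' }

# Anything that did not install shows up here with Installed = False.
Get-WindowsFeature $features | Where-Object { -not $_.Installed } |
    ForEach-Object { Write-Warning "Not installed: $($_.Name)" }

# --- After the CA wizard has run: verify the choices that matter long-term ---
$caName = 'TESTLABCA'   # assumed CA name, as chosen in this post

# Signature hash the CA uses for everything it issues; must not be SHA-1.
$hashLine = (certutil -getreg 'ca\csp\CNGHashAlgorithm' | Select-String 'CNGHashAlgorithm').ToString()
if ($hashLine -notmatch 'SHA256') { Write-Warning "CA signs with '$hashLine'; expected SHA256" }

# Root certificate lifetime and signature algorithm as actually installed.
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$caName*" } |
    ForEach-Object {
        '{0}: {1} -> {2} ({3})' -f $_.Subject, $_.NotBefore, $_.NotAfter, $_.SignatureAlgorithm.FriendlyName
    }

# The 35-year root lifetime does not lengthen issued certificates; those are capped by the
# template and by these two registry values (change with certutil -setreg, then restart CertSvc).
certutil -getreg 'ca\ValidityPeriodUnits'
certutil -getreg 'ca\ValidityPeriod'
```

Run it once before the CA wizard (the feature installation) and once after (the checks); both halves are idempotent, so re-running the whole script is harmless.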

 

Test the web site to see that it is serving requests.

In this case, I copied my sample index.asp pages and set "index.asp" as the default document in IIS.

SharePoint_129.jpg

 

Now try http://www.sso.lab/certsrv/ to see if the certificate authority's web enrollment works as well.

SharePoint_130.jpg

SharePoint_132.jpg

It did not work using www.sso.lab, but it works with the testmc1.sso.lab hostname.

 

SharePoint_131.jpg

 

The reason is that the Kerberos ServicePrincipalName does not match: /certsrv uses Windows Authentication, the browser asks the KDC for a ticket for HTTP/www.sso.lab, and no account has that SPN registered, so the user cannot be authenticated. HTTP/testmc1.sso.lab is covered by the computer account's HOST/ SPN, which is why the machine's own name works.

Run the following setspn command to register the "HTTP/www.sso.lab" SPN:

SharePoint_133.jpg

Now Certificate Services can be accessed via "http://www.sso.lab/certsrv".

SharePoint_134.jpg
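The SPN fix above, scripted with a duplicate check and a client-side verification, as an added example that is not the command from the original screenshot. It assumes the CA host is TESTMC1 (computer account TESTMC1$ in sso.lab) and that the IIS application pool runs as a built-in identity such as ApplicationPoolIdentity or NetworkService; if the pool ran as a domain user account, the SPN would have to be registered on that user instead, or Kerberos would fail again.

```powershell
# Added example (not from the original post): register HTTP/www.sso.lab for the web server's
# computer account and confirm a Kerberos ticket is issued for the alias.
$alias   = 'www.sso.lab'
$account = 'TESTMC1$'    # assumed computer account of the IIS host

# A duplicate SPN breaks Kerberos for BOTH accounts that hold it, so query first.
$query = setspn -Q "HTTP/$alias"
if ($query -match 'Existing SPN found') {
    Write-Warning "HTTP/$alias is already registered:`n$($query -join "`n")"
} else {
    # -S (Server 2008+) refuses to create a duplicate; the older -A does not check.
    setspn -S "HTTP/$alias" $account
}

# Show what the account now holds. HOST/testmc1.sso.lab was already there and implicitly
# covers HTTP/testmc1.sso.lab, which is why the machine's FQDN worked without any change.
setspn -L $account

# Client-side check from the same box. Purge cached tickets so an earlier failure is not replayed,
# then make one authenticated request and look for the service ticket. Note that from the server
# itself only Kerberos will succeed for an alias: the NTLM fallback is blocked by the IIS loopback check.
klist purge | Out-Null
$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true
try {
    $null = $wc.DownloadString("http://$alias/certsrv/")
    'Authenticated to /certsrv via {0}' -f $alias
} catch {
    Write-Warning "Request to http://$alias/certsrv/ failed: $($_.Exception.Message)"
}
# A line like "Server: HTTP/www.sso.lab @ SSO.LAB" here means Kerberos, not NTLM, was used.
klist | Select-String "HTTP/$alias"
```

If `setspn -L` shows the SPN but `klist` never gets a ticket for it, check `setspn -X` for a duplicate registered elsewhere in the forest before looking anywhere else.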

 

Going back to the IIS configuration, I want to stop IIS from listening on port 80 on every IP address.

That conflicts with the other web servers in this image (Apache and the Secure Proxy Server) that also need to listen on port 80.

 

So I need to force IIS to listen on a specific IP only.

By default "netsh http show iplisten" shows no IP address, which means HTTP.sys is not restricted to specific addresses.

SharePoint_135.jpg

An empty list makes it listen on 0.0.0.0, so the address IIS should use has to be added explicitly with "netsh http add iplisten".

SharePoint_137.jpg

As you can see above, I have set IIS to listen on 192.168.201.101 only.

So when I run netstat, it shows the listener on 192.168.201.101:80 only, and not on 0.0.0.0:80.
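The same change done end to end, including the HTTP.sys restart that the listen list needs before it takes effect and a netstat check that nothing is left on 0.0.0.0:80, as an added example that is not from the original post. It assumes 192.168.201.101 is the address reserved for IIS, as in this post.

```powershell
# Added example (not from the original post): restrict HTTP.sys, and therefore IIS, to one
# address so Apache and the Secure Proxy Server can take port 80 on the other addresses.
$iisIp = '192.168.201.101'   # assumed address reserved for IIS

# Empty list = HTTP.sys binds 0.0.0.0 (all addresses); that is what collides with the other servers.
$current = netsh http show iplisten
$current

# The IP listen list is global to HTTP.sys: every HTTP.sys consumer on the box (IIS, WinRM,
# anything self-hosting over http.sys) is restricted to these addresses, not just IIS.
if ($current -notmatch [regex]::Escape($iisIp)) {
    netsh http add iplisten ipaddress=$iisIp
}

# The change only applies after HTTP.sys itself restarts; iisreset alone is not enough.
# Stopping http also stops its dependents (W3SVC, WAS); starting w3svc brings them back.
net stop http /y | Out-Null
net start w3svc  | Out-Null

# Verify: only the chosen address may be listening on port 80 now.
$listeners = netstat -ano | Select-String ':80\s+.*LISTENING'
$listeners
if ($listeners -match '0\.0\.0\.0:80') {
    Write-Warning 'HTTP.sys still listens on all addresses; check the listen list and restart http again'
}
if (-not ($listeners -match "$([regex]::Escape($iisIp)):80")) {
    Write-Warning "Nothing is listening on ${iisIp}:80; is the site bound to that address?"
}

# To undo: netsh http delete iplisten ipaddress=192.168.201.101, then restart http again.
```

Any other HTTP.sys-based service that was stopped along with http (WinRM, for instance) has to be started again by hand; `net start w3svc` only restarts the IIS chain.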

 

 

This concludes Part 2 of ALL IN ONE Image.
