This is continued from "Creating an ALL-IN-ONE VM Image - Part 1"
WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.
The following components will be installed.
01. Install OS (Windows 2008 R2 - English)
02. Microsoft Loopback Adapter
03. Active Directory
06. Certificate Authority
07. MSSQL 2012
08. JDK 1.7.0_80 (32bit and 64bit)
09. NewAtlanta ServletExec 6.0
10. ASF Apache
11. CA Directory
12. Oracle Directory Server 11g
13. CA Single Sign-On Policy Server
14. CA Single Sign-On AdminUI
15. CA Single Sign-On Web Agent/Option Pack
16. CA Single Sign-On Secure Proxy Server
17. CABI 3.3
Some trivial steps are skipped such as installing the OS and promoting to a Domain Controller.
Installing IIS and configuring Certificate Services are actually performed at the same time.
Select "Web Server (IIS)" and "Active Directory Certificate Services".
Select "Certification Authority Web Enrollment" and "Online Responder".
It will ask for Role Services components to select. Click "Add Required Role Services".
By default, "SHA-1" is selected for the hash algorithm but I am choosing SHA256.
I am naming this ROOTCA as "TESTLABCA".
In order to configure the WebAgent, the following components need to be selected.
- ISAPI Extensions
- ISAPI Filters
- IIS Management Console
- Windows Authentication (for the CA SiteMinder® Windows Authentication Scheme)
You should see those roles listed in the Server Manager.
Testing the web site to see if it is serving requests fine.
In this case, I copied my sample index.asp pages and set "index.asp" as default document in IIS.
Now, trying http://www.sso.lab/certsrv/ to see if the certificate authority works as well.
It did not work using www.sso.lab, but it works with the testmc1.sso.lab hostname.
The reason is that the Kerberos ServicePrincipalName does not match the www.sso.lab name the browser asked for, so IIS is unable to authenticate the user.
Run the following command to register "www.sso.lab".
Now the Certificate Services can be accessed via "http://www.sso.lab/certsrv".
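The SPN registration above, written out as an added PowerShell example rather than the author's own command. It assumes IIS Windows Authentication is running with the default kernel-mode authentication, so the SPN belongs on the computer account (assumed here to be TESTMC1, from the testmc1.sso.lab hostname) and not on an application-pool user:

```powershell
# Added example: register the HTTP SPN for the www.sso.lab alias.
# Assumption: IIS uses kernel-mode Windows Authentication, so the SPN
# goes on the computer account (TESTMC1), not on an app-pool identity.
$Alias   = 'www.sso.lab'
$Account = 'TESTMC1'      # assumed computer account name

# 1. Check whether any account in the forest already holds this SPN.
#    A duplicate SPN breaks Kerberos for both accounts (clients get
#    KRB_AP_ERR_MODIFIED or fall back to NTLM), so never add blindly.
setspn -Q "HTTP/$Alias"

# 2. Register it. -S checks for duplicates before adding, unlike -A.
setspn -S "HTTP/$Alias" $Account

# 3. Confirm HTTP/www.sso.lab now appears next to the account's HOST/ SPNs.
setspn -L $Account

# 4. On the client, drop cached tickets and retry the URL so a fresh
#    service ticket for HTTP/www.sso.lab is requested.
klist purge
```

If the browser still falls back to a credential prompt after this, the usual causes are a stale ticket cache on the client or the alias not being in the browser's Intranet zone, both of which are worth ruling out before touching the SPN again.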
Going back to IIS configuration, I want to limit IIS from listening on port 80 on every IP address.
This will conflict with other web servers that need to listen on port 80 as well.
As such, I need to force IIS to listen on specific IP only.
By default, "netsh http show iplisten" shows no IP address, which means HTTP.sys is not configured to listen on a specific IP.
In that case it listens on 0.0.0.0 (every address), so it needs to be told to listen on a specific IP address instead.
As you can see from above, I have set IIS to listen on 192.168.201.101 only.
So, when I run netstat, it shows that IIS actually listens on 192.168.201.101:80 only and not on 0.0.0.0:80.
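The listen-list change described above, as an added PowerShell example and not the author's screenshot commands. It uses the 192.168.201.101 address from this post and assumes nothing else on the VM depends on HTTP.sys being up while the HTTP service is restarted:

```powershell
# Added example: restrict HTTP.sys (and therefore IIS) to one address so
# the other web servers on this VM can own port 80 on their own IPs.
$IisIp = '192.168.201.101'   # IIS address from this post

# Before: an empty list means HTTP.sys listens on 0.0.0.0 (every address).
netsh http show iplisten

# Restrict the listen list to the IIS address. Anything not on this list,
# including 127.0.0.1, will no longer be reachable through HTTP.sys.
netsh http add iplisten ipaddress=$IisIp

# HTTP.sys reads the list only at driver start, so restart it together with
# IIS. "/y" also stops every other HTTP.sys consumer (e.g. WinRM), so restart
# those afterwards or simply reboot the lab VM.
net stop http /y
net start w3svc

# After: the list should show only 192.168.201.101, and netstat should show
# 192.168.201.101:80 LISTENING rather than 0.0.0.0:80.
netsh http show iplisten
netstat -ano | Select-String ':80\s+'

# To undo the restriction later:
# netsh http delete iplisten ipaddress=192.168.201.101
```

Beyond freeing port 80 for the other servers, pinning IIS to one address also keeps it off any interface you add later (the loopback adapter, for instance), which is a useful habit on a host that stacks this many listeners.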