Create a Microsoft IIS machine
Table of Contents
Expand all | Collapse all
-
- Activate Next-Generation Trust Security
-
-
- Configure AWS connection
- Configure Azure Key Vault connection
-
- Workload Identity Federation authentication
- Workload Identity Federation - Azure Identity Provider authentication
- Next-Gen Trust Security Generated Key authentication
- User permissions
- Workload Identity Federation authentication
- Next-Gen Trust Security Generated Key authentication
- User permissions
- Supported OIDC claims
-
-
-
-
- Create an F5 BIG-IP LTM machine
- Create a Microsoft Azure Private Key Vault machine
- Create a Microsoft IIS machine
- Create a Microsoft Windows (PowerShell) machine
- Create a Microsoft SQL Server machine
- Create a Common KeyStore machine
- Create a Citrix ADC machine
- Create an Imperva WAF machine
- Create a VMware NSX Advanced Load Balancer (AVI) machine
- Create an A10 Thunder ADC machine
- Create a Cloudflare machine
- Create Kemp Virtual LoadMaster machine
- Create a Palo Alto Panorama machine
-
- Provision to an F5 BIG-IP LTM
- Provision to a Microsoft Azure Private Key Vault
- Provision to Microsoft IIS
- Provision to Microsoft Windows (PowerShell)
- Provision to Microsoft SQL Server
- Provision to a Common KeyStore
- Provision to a Citrix ADC
- Provision to an Imperva WAF
- Provision to VMware NSX Advanced Load Balancer (AVI)
- Provision to an A10 Thunder ADC
- Provision to Cloudflare
- Provision to a Kemp Virtual LoadMaster
- Provision to Palo Alto Panorama
-
-
- 47-Day Validity Readiness TLS Certificates dashboard
- About the Certificate Inventory
- Managing certificate lifecycle settings
- Reissuing certificates in Next-Gen Trust Security
- Downloading certificates, certificate chains, and keystores
- Retiring, recovering, and deleting certificates
- Finding certificates in the certificate inventory
- Importing certificates from a CA using EJBCA
- Notification Center overview
- Domain-based validation for external emails
- Managing user accounts
- Troubleshooting
Create a Microsoft IIS machine
Creating a machine enables Next-Gen Trust Security to connect directly to Microsoft IIS so certificates can be installed and managed. After creating the machine, you can provision certificates to it.
Before you begin
Choose the most secure authentication method supported by your environment.
The following methods are listed from most to least secure:
- Kerberos authentication over HTTPS (recommended)
- Kerberos authentication over HTTP
- Basic authentication over HTTPS
You will also need:
- Windows Remote Management (WinRM) enabled on the target host
- Credentials with permissions to create, read, and write to the IIS certificate stores
- Supported Windows versions:
- Windows Server 2019
- Windows Server 2022
Ensure that the required Windows Remote Management (WinRM) ports are open from the Next-Gen Trust Security VSatellite machine to the target Windows Server. Firewalls or network security controls that block these ports will prevent certificate operations, discovery, or provisioning.
Required ports
| Purpose | Protocol | Port | When required |
|---|---|---|---|
| WinRM over HTTP | TCP | 5985 | When the machine uses WinRM over HTTP (for example, Kerberos over HTTP). |
| WinRM over HTTPS | TCP | 5986 | When the machine uses WinRM over HTTPS (for example, Kerberos over HTTPS or Basic Authentication over HTTPS). |
| Kerberos authentication | TCP and UDP | 88 | Required whenever Kerberos authentication is used. The Next-Gen Trust Security VSatellite must reach a domain controller’s Kerberos service. |
Important:
- Confirm that TCP 5985 and/or TCP 5986 are reachable if you're using the default WinRM listener configuration.
- When using Kerberos authentication, verify that TCP/UDP 88 is open between the VSatellite and your domain controller.
- If your environment uses custom WinRM ports, ensure those ports are reachable.
- Blocked ports frequently cause Test Access failures or authentication errors during machine creation or certificate provisioning.
Configure the machine
From Authentication Type, select the method you want to use, then follow the corresponding steps.
Warning: Always use the most secure authentication method allowed by your environment. Less secure methods increase the risk of credential exposure.
Note:
- If a username in UPN format (for example, user@domain.com) fails, try using only the username (for example, user).
- Windows Management Framework (WMF) 5.1 or later is required.
Kerberos authentication over HTTPS
Prerequisites
- The IIS host must already have a valid TLS server certificate installed.
- The certificate must be located in the LocalMachine\My certificate store.
- The account used must have local administrative permissions.
- Enter the Microsoft IIS Hostname and WinRM Port.
- Enable Use TLS for WinRM.
- Enter the Domain Name, Key Distribution Center Address, and Service Principal Name.
- Select Enter Credentials or Select Credentials, then provide the required credentials.
Warning: Remember to store your username and password securely when creating a new machine. For security reasons, you will not be able to modify the fields under the "Access" tab without these credentials. This ensures that only authorized individuals can modify these fields.
- Click Test Access, then click Create.
Kerberos authentication over HTTP
Prerequisites
- The IIS host must allow unencrypted WinRM traffic.
- The account used must have local administrative permissions.
- Enter the Microsoft IIS Hostname and WinRM Port.
- Leave Use TLS for WinRM disabled.
- Enter the Domain Name, Key Distribution Center Address, and Service Principal Name.
- Select Enter Credentials or Select Credentials, then provide the required credentials.
Warning: Remember to store your username and password securely when creating a new machine. For security reasons, you will not be able to modify the fields under the "Access" tab without these credentials. This ensures that only authorized individuals can modify these fields.
- Click Test Access, then click Create.
Basic authentication over HTTPS
Prerequisites
- The IIS host must have a valid TLS server certificate installed.
- The account used must be a local administrator.
- Enter the Microsoft IIS Hostname and WinRM Port.
- Enable Use TLS for WinRM.
Warning: Disabling TLS sends credentials in plaintext and is not recommended.
- Select Enter Credentials or Select Credentials, then provide the required credentials.
Warning: Remember to store your username and password securely when creating a new machine. For security reasons, you will not be able to modify the fields under the "Access" tab without these credentials. This ensures that only authorized individuals can modify these fields.
- Click Test Access, then click Continue.
What's next?
- Complete discovery and provisioning scheduling. See Create a new machine.