{"id":2757,"date":"2021-12-06T12:00:01","date_gmt":"2021-12-06T11:00:01","guid":{"rendered":"https:\/\/laurentvanacker.com\/?p=2757"},"modified":"2022-12-09T09:50:09","modified_gmt":"2022-12-09T08:50:09","slug":"multiple-auth-iis-with-automatedlab","status":"publish","type":"post","link":"https:\/\/laurentvanacker.com\/index.php\/2021\/12\/06\/multiple-auth-iis-with-automatedlab\/","title":{"rendered":"Multiple IIS authentications in one place with AutomatedLab"},"content":{"rendered":"<p><a href=\"#en-us\" name=\"fr-fr\">Go to English version<\/a><\/p>\n<p>[Update: 06\/12\/2021] Migration of the machines to Windows Server 2022 and addition of a second test machine, CLIENT02. CLIENT01 remains on Windows Server 2019 with Internet Explorer 11.<\/p>\n<p>Continuing in the vein of <a href=\"https:\/\/github.com\/AutomatedLab\/AutomatedLab\" target=\"_blank\" rel=\"noopener noreferrer\">AutomatedLab<\/a>, I propose in this article (which follows these two: <a href=\"https:\/\/laurentvanacker.com\/index.php\/2019\/11\/15\/nlb-arr-iis-dfs-r-shared-configuration-ssl-offload-windows-authentication-sni-ccs-in-one-place-with-automatedlab\/\">1<\/a> and <a href=\"https:\/\/laurentvanacker.com\/index.php\/2019\/11\/15\/nlb-arr-iis-dfs-r-shared-configuration-ssl-offload-windows-authentication-sni-ccs-in-one-place-with-automatedlab\/\">2<\/a>) a small test environment for all <a href=\"https:\/\/www.iis.net\/\">IIS<\/a> authentications:<\/p>\n<ol>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/security\/authentication\/anonymousauthentication\">Anonymous<\/a>.<\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/security\/authentication\/basicauthentication\">Basic<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/security\/authentication\/windowsauthentication\/\">Kerberos<\/a><\/li>\n<li><a 
href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/security\/authentication\/windowsauthentication\/\">NTLM<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/security\/authentication\/digestauthentication\">Digest<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/security\/authentication\/clientcertificatemappingauthentication\">AD Client Certificate<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/security\/authentication\/clientcertificatemappingauthentication\">IIS Client Certificate 1:1<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Windows%20Powershell\/IIS\/AutomatedLab\/Multiple%20Authentications\/AutomatedLab%20-%20IIS%20-%20Multiple%20Authentications%20-%20WS2022.ps1\">IIS Client Certificate N:1<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/dotnet\/api\/system.web.security.formsauthentication?view=netframework-4.8\">Forms<\/a><\/li>\n<\/ol>\n<p>So I wrote the <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Windows%20Powershell\/IIS\/AutomatedLab\/Multiple%20Authentications\/AutomatedLab%20-%20IIS%20-%20Multiple%20Authentications%20-%20WS2022.ps1\">following<\/a> script. This <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Windows%20Powershell\/IIS\/AutomatedLab\/Multiple%20Authentications\/AutomatedLab%20-%20IIS%20-%20Multiple%20Authentications%20-%20WS2022.ps1\">script<\/a>\u00a0needs:<\/p>\n<ul>\n<li><a id=\"a1c12e5284a026a9c64e60982cd65099-5229870145b432fed53217e27bede5f07debcc1a\" class=\"js-navigation-open\" title=\"contoso.com.zip\" href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/tree\/master\/Windows%20Powershell\/IIS\/AutomatedLab\/IIS%20-%20Multiple%20Authentications\/contoso.com.zip\">contoso.com.zip<\/a> : 
which contains the source of our website.<\/li>\n<\/ul>\n<p>The environment is composed of 5 servers:<\/p>\n<ul>\n<li>IISNODE01: <a href=\"https:\/\/www.iis.net\/\">IIS<\/a> server<\/li>\n<li>CLIENT01: Client machine running Windows Server 2019 with Internet Explorer 11<\/li>\n<li>CLIENT02: Client machine<\/li>\n<li>CA01: Certificate Authority<\/li>\n<li>DC01: Domain Controller (contoso.com)<\/li>\n<\/ul>\n<p>The server names are hard-coded in the script (do a \u00ab\u00a0Global Replace\u00a0\u00bb with CTRL+H if the names do not suit you). So are certain other parameters, such as:<\/p>\n<ul>\n<li>The Lab name (\u00ab\u00a0IISAuthLab\u00a0\u00bb by default)<\/li>\n<li>The administration account to use (\u00ab\u00a0Administrator\u00a0\u00bb by default)<\/li>\n<li>The test account for the various authentications (\u00ab\u00a0JohnDoe\u00a0\u00bb by default).<\/li>\n<li>The associated password (\u00ab\u00a0P@ssw0rd\u00a0\u00bb by default)<\/li>\n<li>The domain name (FQDN and NetBIOS) (\u00ab\u00a0contoso.com\u00a0\u00bb and \u00ab\u00a0CONTOSO\u00a0\u00bb by default)<\/li>\n<li>The <a href=\"https:\/\/www.iis.net\/\">IIS<\/a> application pool identity account (\u00ab\u00a0IISAppPoolUser\u00a0\u00bb by default)<\/li>\n<li>The names of the websites used (anonymous.contoso.com, basic.contoso.com &#8230;)<\/li>\n<li>The impersonation account for IIS client certificate authentication (N:1).<\/li>\n<\/ul>\n<p>Once the script has finished, log on to CLIENT01 or CLIENT02 as CONTOSO\\JohnDoe and start Internet Explorer or Edge (and click on the \u00ab\u00a0Home\u00a0\u00bb icon &#8211; if nothing appears, run a \u00ab\u00a0gpupdate \/force \/wait:-1\u00a0\u00bb). 
All the websites will open automatically and you will then get (one tab per website\/authentication):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2833 aligncenter\" src=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/05\/IISAuth.png\" alt=\"\" width=\"985\" height=\"560\" srcset=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/05\/IISAuth.png 985w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/05\/IISAuth-300x171.png 300w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/05\/IISAuth-768x437.png 768w\" sizes=\"auto, (max-width: 985px) 100vw, 985px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p>Some useful links:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/archive\/blogs\/friis\/the-complete-list-of-changes-to-make-to-activate-client-certificate-mapping-on-iis-using-active-directory\">https:\/\/docs.microsoft.com\/en-us\/archive\/blogs\/friis\/the-complete-list-of-changes-to-make-to-activate-client-certificate-mapping-on-iis-using-active-directory<\/a><\/li>\n<li><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/iis-support-blog\/configuring-many-to-one-client-certificate-mappings-for-iis-7-7\/ba-p\/346732\">https:\/\/techcommunity.microsoft.com\/t5\/iis-support-blog\/configuring-many-to-one-client-certificate-mappings-for-iis-7-7\/ba-p\/346732<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/manage\/configuring-security\/configuring-one-to-one-client-certificate-mappings\">https:\/\/docs.microsoft.com\/en-us\/iis\/manage\/configuring-security\/configuring-one-to-one-client-certificate-mappings<\/a><\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"http:\/\/laurentvanacker.com\/wp-content\/uploads\/2017\/01\/012717_1333_Fusionnerde1.png\" alt=\"\" \/><\/p>\n<p><a href=\"#fr-FR\" name=\"en-us\">Go to French version<\/a><\/p>\n<div class=\"tlid-results-container results-container\">\n<div class=\"tlid-result 
result-dict-wrapper\">\n<div class=\"result tlid-copy-target\">\n<div class=\"text-wrap tlid-copy-target\">\n<div class=\"result-shield-container tlid-copy-target\" tabindex=\"0\">[Update: 09\/03\/2020] Migration of the machines to Windows Server 2022 and addition of a second test machine, CLIENT02. CLIENT01 remains on Windows Server 2019 with Internet Explorer 11.<\/div>\n<div tabindex=\"0\"><\/div>\n<div class=\"result-shield-container tlid-copy-target\" tabindex=\"0\">Still working on <a href=\"https:\/\/github.com\/AutomatedLab\/AutomatedLab\" target=\"_blank\" rel=\"noopener noreferrer\">AutomatedLab<\/a>, I propose in this article (which follows these two articles: <a href=\"https:\/\/laurentvanacker.com\/index.php\/2019\/11\/15\/nlb-arr-iis-dfs-r-shared-configuration-ssl-offload-windows-authentication-sni-ccs-in-one-place-with-automatedlab\/\">1<\/a> and <a href=\"https:\/\/laurentvanacker.com\/index.php\/2019\/11\/15\/nlb-arr-iis-dfs-r-shared-configuration-ssl-offload-windows-authentication-sni-ccs-in-one-place-with-automatedlab\/\">2<\/a>) a small test environment for all <a href=\"https:\/\/www.iis.net\/\">IIS<\/a> authentications:<\/div>\n<div tabindex=\"0\">\n<ol>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/security\/authentication\/anonymousauthentication\">Anonymous<\/a>.<\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/security\/authentication\/basicauthentication\">Basic<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/security\/authentication\/windowsauthentication\/\">Kerberos<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/security\/authentication\/windowsauthentication\/\">NTLM<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/security\/authentication\/digestauthentication\">Digest<\/a><\/li>\n<li><a 
href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/security\/authentication\/clientcertificatemappingauthentication\">AD Client Certificate<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/security\/authentication\/clientcertificatemappingauthentication\">IIS <\/a><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/security\/authentication\/clientcertificatemappingauthentication\">Client Certificate One To One<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/security\/authentication\/clientcertificatemappingauthentication\">IIS <\/a><a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/configuration\/system.webserver\/security\/authentication\/clientcertificatemappingauthentication\">Client Certificate Many to One<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/dotnet\/api\/system.web.security.formsauthentication?view=netframework-4.8\">Forms<\/a><\/li>\n<\/ol>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>So I developed the following <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Windows%20Powershell\/IIS\/AutomatedLab\/Multiple%20Authentications\/AutomatedLab%20-%20IIS%20-%20Multiple%20Authentications%20-%20WS2022.ps1\">script<\/a>. 
This\u00a0<a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Windows%20Powershell\/IIS\/AutomatedLab\/Multiple%20Authentications\/AutomatedLab%20-%20IIS%20-%20Multiple%20Authentications%20-%20WS2022.ps1\">script<\/a> needs:<\/p>\n<ul>\n<li><a id=\"a1c12e5284a026a9c64e60982cd65099-5229870145b432fed53217e27bede5f07debcc1a\" class=\"js-navigation-open\" title=\"contoso.com.zip\" href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/tree\/master\/Windows%20Powershell\/IIS\/AutomatedLab\/IIS%20-%20Multiple%20Authentications\/contoso.com.zip\">contoso.com.zip<\/a>, which contains the source of our website.<\/li>\n<\/ul>\n<p>The environment is composed of 5 servers:<\/p>\n<ul>\n<li>IISNODE01: <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">IIS<\/a> server<\/li>\n<li>CLIENT01: Client machine with Windows Server 2019 and Internet Explorer 11<\/li>\n<li>CLIENT02: Client machine<\/li>\n<li>CA01: Certificate Authority<\/li>\n<li>DC01: Domain Controller (contoso.com)<\/li>\n<\/ul>\n<p>The server names are hard-coded in the script (do a \u00ab\u00a0Global Replace\u00a0\u00bb with CTRL+H if the names do not suit you). 
So are certain other parameters, such as:<\/p>\n<div class=\"tlid-results-container results-container\">\n<div class=\"tlid-result result-dict-wrapper\">\n<div class=\"result tlid-copy-target\">\n<div class=\"text-wrap tlid-copy-target\">\n<ul>\n<li class=\"result-shield-container tlid-copy-target\" tabindex=\"0\"><span class=\"tlid-translation translation\" lang=\"en\"><span title=\"\">The Lab name (\u00ab\u00a0IISAuthLab\u00a0\u00bb by default)<\/span><\/span><\/li>\n<li class=\"result-shield-container tlid-copy-target\" tabindex=\"0\"><span class=\"tlid-translation translation\" lang=\"en\"><span title=\"\">The administration account (\u00ab\u00a0Administrator\u00a0\u00bb by default)<\/span><\/span><\/li>\n<li>The test account for the authentications (\u00ab\u00a0JohnDoe\u00a0\u00bb by default).<\/li>\n<li class=\"result-shield-container tlid-copy-target\" tabindex=\"0\"><span class=\"tlid-translation translation\" lang=\"en\"><span title=\"\">The associated password (\u00ab\u00a0P@ssw0rd\u00a0\u00bb by default)<\/span><\/span><\/li>\n<li class=\"result-shield-container tlid-copy-target\" tabindex=\"0\"><span class=\"tlid-translation translation\" lang=\"en\"><span title=\"\">The domain name (FQDN and NetBIOS) (\u00ab\u00a0contoso.com\u00a0\u00bb and \u00ab\u00a0CONTOSO\u00a0\u00bb by default)<\/span><\/span><\/li>\n<li class=\"result-shield-container tlid-copy-target\" tabindex=\"0\"><span class=\"tlid-translation translation\" lang=\"en\"><span class=\"\" title=\"\">The <\/span><\/span><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/technologies\/network-load-balancing\">IIS<\/a> <span class=\"tlid-translation translation\" lang=\"en\"><span class=\"\" title=\"\">application pool identity (\u00ab\u00a0IISAppPoolUser\u00a0\u00bb by default)<\/span><\/span><\/li>\n<li class=\"result-shield-container tlid-copy-target\" tabindex=\"0\"><span class=\"tlid-translation translation\" lang=\"en\"><span class=\"\" title=\"\">The names of the websites used (anonymous.contoso.com, basic.contoso.com &#8230;)<\/span><\/span><\/li>\n<li>The account used for the IIS Client Certificate Many to One authentication.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Once the script is done, connect to either CLIENT01 or CLIENT02 as CONTOSO\\JohnDoe and start Internet Explorer (and click on the \u00ab\u00a0Home\u00a0\u00bb button &#8211; if nothing appears, run a \u00ab\u00a0gpupdate \/force \/wait:-1\u00a0\u00bb command). All websites will open automatically and you will get (one tab per website\/authentication):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2833 aligncenter\" src=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/05\/IISAuth.png\" alt=\"\" width=\"985\" height=\"560\" srcset=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/05\/IISAuth.png 985w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/05\/IISAuth-300x171.png 300w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/05\/IISAuth-768x437.png 768w\" sizes=\"auto, (max-width: 985px) 100vw, 985px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p>Some useful links:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/archive\/blogs\/friis\/the-complete-list-of-changes-to-make-to-activate-client-certificate-mapping-on-iis-using-active-directory\">https:\/\/docs.microsoft.com\/en-us\/archive\/blogs\/friis\/the-complete-list-of-changes-to-make-to-activate-client-certificate-mapping-on-iis-using-active-directory<\/a><\/li>\n<li><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/iis-support-blog\/configuring-many-to-one-client-certificate-mappings-for-iis-7-7\/ba-p\/346732\">https:\/\/techcommunity.microsoft.com\/t5\/iis-support-blog\/configuring-many-to-one-client-certificate-mappings-for-iis-7-7\/ba-p\/346732<\/a><\/li>\n<li><a 
href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/manage\/configuring-security\/configuring-one-to-one-client-certificate-mappings\">https:\/\/docs.microsoft.com\/en-us\/iis\/manage\/configuring-security\/configuring-one-to-one-client-certificate-mappings<\/a><\/li>\n<\/ul>\n<p>Laurent.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Go to English version [Update: 06\/12\/2021] Migration of the machines to Windows Server 2022 and addition of a second test machine, CLIENT02. CLIENT01 remains [&#8230;]<\/p>\n","protected":false},"author":2,"featured_media":2465,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,19,12],"tags":[20,54,48,25,39,41],"class_list":["post-2757","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-iis","category-powershell","category-securite-security","tag-net","tag-automatedlab","tag-github","tag-iis","tag-powershell","tag-securite"],"_links":{"self":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2757","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/comments?post=2757"}],"version-history":[{"count":24,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2757\/revisions"}],"predecessor-version":[{"id":3054,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2757\/revisions\/3054"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/media\/2465"}],"wp:attachment":[{"href":"https:\/\/laurentvanacker.com\/index.php
\/wp-json\/wp\/v2\/media?parent=2757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/categories?post=2757"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/tags?post=2757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}