Programmatically add binding on IIS 8 with SNI option
A

2

5

I'm trying to create bindings for IIS 8 that have the flag SNI checked (Server Name Indication) using Microsoft.Web.Administration library (.NET Framework).

This is necessary to me because I want to get multiple SSL bindings for the same website under IIS, all using just one IP address. This is one of the main new features of IIS 8.

I've been looking into the Binding class and I can't find any flag or option to indicate it.

Is it possible with current Microsoft.Web.Administration v 7.0.0.0? Will I need a new version that I haven't found?

I know that version 7.9.0.0 is only for IIS express, and it isn't my scenario, so I haven't looked into it.

Amylase answered 9/12, 2013 at 11:16 Comment(1)
More technical details behind the scene can be found in blog.lextudio.com/2015/05/… No matter which source you use to acquire the MWA assembly at the very beginning, you should stick to the copy shipped with IIS (like you discovered at last). - Glarum
A
8

I finally managed to do it using the Microsoft.Web.Administration from the folder %windir%\system32\inetsrv\ but only in Windows 8/Windows 2012 with IIS 8.

These libraries had the SslFlags option in the Add function for BindingCollection class. There is no documentation from Microsoft yet for this new overload, or at least I haven't found it.

The SslFlags.Sni is available to use in this one and creates the binding with SNI check perfectly.

Amylase answered 18/12, 2013 at 14:4 Comment(7)
There is a NuGet package (community one) for this now: nuget.org/packages/IIS.Microsoft.Web.Adminstration. Don't know why MS is not updating it. - Anthracoid
@Mrchief, Don't ever use a NuGet package. Your application should always refer to the version installed on the machine under system32\inetsrv and never copy it locally. - Glarum
@LexLi Unfortunately that practice is slowly getting outdated. NuGet packages and local copy (bin deployables) is the way forward! - Anthracoid
@Mrchief, "the way forward" just does not apply to MWA, which was designed in such an OS dependent way (bind to COM unfortunately). The MWA case is not "out-of-date", but by design, and so far I don't see any change coming in this assembly. - Glarum
The way forward argument was for bin deployable vs machine deployable. The official NuGet package was meant for IIS 7.x administration whereas we have IIS 10 coming now. It is by any means getting quite outdated. - Anthracoid
When IIS 10 comes, you should use its own version of MWA. I can only hope that "bin deployable" breaks worse in IIS 10's case to remind people of the simple facts they neglect. - Glarum
Is there a way to do this through appcmd? I have tried but it does not recognize the sslFlags property or it could be that I'm not doing it right. The docs show the property but none of the examples show how to use it. IIS Docs - Kilocycle
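The overload described in the answer above, as an added example (not the answerer's code and not Microsoft sample code): it looks up the certificate in LocalMachine\My, adds an https binding through BindingCollection.Add with SslFlags.Sni, and reads the binding back after the commit to confirm the certificate is still selected. It assumes a reference to the Microsoft.Web.Administration.dll in %windir%\system32\inetsrv on IIS 8 or later and an elevated process; the class and method names, and the site name, host name and thumbprint arguments, are made up for the example.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Administration;   // copy from %windir%\system32\inetsrv (IIS 8+)

static class SniBindingExample   // hypothetical name
{
    // Returns true when the committed binding carries both the SNI flag and the certificate.
    public static bool AddSniBinding(string siteName, string hostName, string thumbprint)
    {
        // SNI picks the certificate by host name, so the binding must have one.
        if (string.IsNullOrWhiteSpace(hostName))
            throw new ArgumentException("An SNI binding needs a host name.", "hostName");

        byte[] certHash;
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        try
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0 || !found[0].HasPrivateKey)
                throw new InvalidOperationException("Certificate missing from LocalMachine\\My or has no private key.");
            certHash = found[0].GetCertHash();
        }
        finally { store.Close(); }

        string info = "*:443:" + hostName;   // IP:port:host
        using (var serverManager = new ServerManager())
        {
            Site site = serverManager.Sites[siteName];
            if (site == null)
                throw new InvalidOperationException("Site not found: " + siteName);
            foreach (Binding b in site.Bindings)
                if (b.Protocol == "https" && string.Equals(b.BindingInformation, info, StringComparison.OrdinalIgnoreCase))
                    throw new InvalidOperationException("Binding already exists: " + info);

            // Overload present in the assembly shipped with IIS 8; "My" is the store name.
            site.Bindings.Add(info, certHash, "My", SslFlags.Sni);
            serverManager.CommitChanges();
        }

        // Re-read with a fresh ServerManager so the check sees what was actually written.
        using (var verify = new ServerManager())
            foreach (Binding b in verify.Sites[siteName].Bindings)
                if (b.Protocol == "https" && string.Equals(b.BindingInformation, info, StringComparison.OrdinalIgnoreCase))
                    return (b.SslFlags & SslFlags.Sni) != 0 && b.CertificateHash != null && b.CertificateHash.Length > 0;
        return false;
    }
}
```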
D
3

Is it possible with current Microsoft.Web.Administration v 7.0.0.0?

Indeed it is, by manually adding the SslFlags attribute to the <binding> node:

Binding mySslBinding;
bool enableSni;

using (var serverManager = new ServerManager())
{
    // ... create or get value of mySslBinding...

    mySslBinding.SetAttributeValue("sslFlags", Convert.ToInt32(enableSni ? 1 : 0));

    serverManager.CommitChanges();
}

See the documentation of SslFlags here: https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/bindings/binding

Note that executing the above code on a machine with any version of IIS earlier than 8.0 will cause the CommitChanges() method to throw an exception, because sslFlags doesn't exist in those versions.

Warning: Enabling SNI on an existing binding may cause its certificate to be unselected!

See also Setting Server Name Indication (SNI) takes off certificate binding

To avoid this problem, you can do this:

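// Remember the certificate hash before touching the flag.
var cert = mySslBinding.CertificateHash;
// Attribute name as spelled in the IIS schema and in the snippet above; 1 = SNI.
mySslBinding.SetAttributeValue("sslFlags", Convert.ToInt32(1));
// Put the certificate back in case the flag change cleared it.
mySslBinding.CertificateHash = cert;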
Dekeles answered 19/3, 2015 at 8:19 Comment(1)
Doing it this way may cause further issues: #30536505 - Anthracoid
