70473 iisu failing bindings

CHANGELOG.md

@@ -1,16 +1,26 @@
+2.6.1
+* Documentation updates for the 2.6 release
+* Fix a naming typo in the 2.5 migration SQL script
+* Update integration-manifest.json
+* Updated the Alias in IIS to also include Site-Name.  NOTE: Inventory will need to be performed prior to any management job to include new Alias format.
+* Added Bindings check when attempting to add bindings that already exist or are ambiguous.  NOTE:  If you wish to add multiple bindings with the same IP:Port, Hostname must be included and SNI flag must be set to a minimum of '1'. Failure to do this can result in failed jobs with a binding conflict error message.
+* Bumped Keyfactor.Orchestrator.Common to 3.2.0 to correct signing issue.
+* Bumped System.IO.Packaging to 6.0.2 & 8.0.1 for .Net vulnerabilities.
+
 2.6.0
 * Added the ability to run the extension in a Linux environment.  To utilize this change, for each Cert Store Types (WinCert/WinIIS/WinSQL), add ssh to the Custom Field <b>WinRM Protocol</b>.  When using ssh as a protocol, make sure to enter the appropriate ssh port number under WinRM Port.
 * NOTE: For legacy purposes the Display names WinRM Protocol and WinRM Port are maintained although the type of protocols now includes ssh.
 * Moved all inventory and management jobs to external PowerShell script file .\PowerShellScripts\WinCertScripts.ps1
+* NOTE:  This version was not publicly released.
 
 2.5.1
 * Fixed WinSQL service name when InstanceID differs from InstanceName
 
 2.5.0
 * Added the Bindings to the end of the thumbprint to make the alias unique.
-* Using new IISWebBindings commandlet to use additional SSL flags when binding certificate to website.
+* Using new IISWebBindings cmdlet to use additional SSL flags when binding certificate to website.
 * Added multi-platform support for .Net6 and .Net8.
-* Updated various PowerShell scripts to handle both .Net6 and .Net8 differences (specifically the absense of the WebAdministration module in PS SDK 7.4.x+)
+* Updated various PowerShell scripts to handle both .Net6 and .Net8 differences (specifically the absence of the WebAdministration module in PS SDK 7.4.x+)
 * Fixed issue to update multiple websites when using the same cert.
 * Removed renewal thumbprint logic to update multiple website; each job now updates its own specific certificate.
 
@@ -19,7 +29,7 @@
 * Fix an issue with "Delete" script in the Legacy IIS Migration that did not remove some records from dependent tables
 
 2.4.3
-* Adding Legacy IIS Migration scripting and Readme guide
+* Adding Legacy IIS Migration scripting and ReadMe guide
 
 2.4.2
 * Correct false positive error when completing an IIS inventory job.
@@ -64,7 +74,7 @@
 	* Display name for IISU changed to "IIS Bound Certificate".
 	* Display name for WinCert changed to "Windows Certificate".
 	* Display names for several Store and Entry parameters changed to be more descriptive and UI friendly.
-* Significant readme cleanup
+* Significant ReadMe cleanup
 
 2.1.0
 * Fixed issue that was occurring during renewal when there were bindings outside of http and https like net.tcp
@@ -75,7 +85,7 @@
 * Removed any password references in trace logs and output settings in JSON format
 
 2.0.0
-* Add support for reenrollment jobs (On Device Key Generation) with the ability to specify a cryptographic provider. Specification of cryptographic provider allows HSM (Hardware Security Module) use.
+* Add support for re-enrollment jobs (On Device Key Generation) with the ability to specify a cryptographic provider. Specification of cryptographic provider allows HSM (Hardware Security Module) use.
 * Local PAM Support added (requires Universal Orchestrator Framework version 10.1)
 * Certificate store type changed from IISBin to IISU. See README for migration notes.
 
@@ -98,6 +108,6 @@
 * Last release to support Windows Orchestrator (KF8)
 
 1.0.2
-* Remove dependence on Windows.Web.Administration on the orchestrator server.  The agent will now use the local version on the managed server via remote powershell
+* Remove dependence on Windows.Web.Administration on the orchestrator server.  The agent will now use the local version on the managed server via remote PowerShell
 * add support for the IncludePortInSPN flag
 * add support to use credentials from Keyfactor for Add/Remove/Inventory jobs.  

IISU/ClientPSCertStoreReEnrollment.cs

@@ -30,6 +30,7 @@
 using System.Linq;
 using Keyfactor.Extensions.Orchestrator.WindowsCertStore.IISU;
 using Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinSql;
+using System.Numerics;
 
 namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore
 {
@@ -39,7 +40,7 @@
         private readonly IPAMSecretResolver _resolver;
 
         private PSHelper _psHelper;
         private Collection<PSObject>? _results;
 
         public ClientPSCertStoreReEnrollment(ILogger logger, IPAMSecretResolver resolver)
         {
@@ -127,10 +128,68 @@
                             switch (bindingType)
                             {
                                 case CertStoreBindingTypeENUM.WinIIS:
+                                    OrchestratorJobStatusJobResult psResult = OrchestratorJobStatusJobResult.Unknown;
+                                    string failureMessage = "";
+
                                     // Bind Certificate to IIS Site
                                     IISBindingInfo bindingInfo = new IISBindingInfo(config.JobProperties);
-                                    WinIISBinding.BindCertificate(_psHelper, bindingInfo, thumbprint, "", storePath);
+                                    var results = WinIISBinding.BindCertificate(_psHelper, bindingInfo, thumbprint, "", storePath);
+                                    if (results != null && results.Count > 0)
+                                    {
+                                        if (results[0] != null && results[0].Properties["Status"] != null)
+                                        {
+                                            string status = results[0].Properties["Status"]?.Value as string ?? string.Empty;
+                                            int code = results[0].Properties["Code"]?.Value is int iCode ? iCode : -1;
+                                            string step = results[0].Properties["Step"]?.Value as string ?? string.Empty;
+                                            string message = results[0].Properties["Message"]?.Value as string ?? string.Empty;
+                                            string errorMessage = results[0].Properties["ErrorMessage"]?.Value as string ?? string.Empty;
+
+                                            switch (status)
+                                            {
+                                                case "Success":
+                                                    psResult = OrchestratorJobStatusJobResult.Success;
+                                                    _logger.LogDebug($"PowerShell function New-KFIISSiteBinding returned successfully with Code: {code}, on Step: {step}");
+                                                    break;
+                                                case "Skipped":
+                                                    psResult = OrchestratorJobStatusJobResult.Failure;
+                                                    failureMessage = ($"PowerShell function New-KFIISSiteBinding failed on step: {step} - message:\n {errorMessage}");
+                                                    _logger.LogDebug(failureMessage);
+                                                    break;
+                                                case "Warning":
+                                                    psResult = OrchestratorJobStatusJobResult.Warning;
+                                                    _logger.LogDebug($"PowerShell function New-KFIISSiteBinding returned with a Warning on step: {step} with code: {code} - message: {message}");
+                                                    break;
+                                                case "Error":
+                                                    psResult = OrchestratorJobStatusJobResult.Failure;
+                                                    failureMessage = ($"PowerShell function New-KFIISSiteBinding failed on step: {step} with code: {code} - message: {errorMessage}");
+                                                    _logger.LogDebug(failureMessage);
+                                                    break;
+                                                default:
+                                                    psResult = OrchestratorJobStatusJobResult.Unknown;
+                                                    _logger.LogWarning("Unknown status returned from New-KFIISSiteBinding: " + status);
+                                                    break;
+                                            }
+                                        }
+                                        else
+                                        {
+                                            _logger.LogWarning("Unexpected object returned from PowerShell.");
+                                            psResult = OrchestratorJobStatusJobResult.Unknown;
+                                        }
+                                    }
+                                    else
+                                    {
+                                        _logger.LogWarning("PowerShell script returned with no results.");
+                                        psResult = OrchestratorJobStatusJobResult.Unknown;
+                                    }
+
+                                    jobResult = new JobResult
+                                    {
+                                        Result = psResult,
+                                        JobHistoryId = config.JobHistoryId,
+                                        FailureMessage = failureMessage
+                                    };
                                     break;
+
                                 case CertStoreBindingTypeENUM.WinSQL:
                                     // Bind Certificate to SQL Instance
                                     string sqlInstanceNames = "MSSQLSERVER";
@@ -139,18 +198,26 @@
                                         sqlInstanceNames = config.JobProperties["InstanceName"]?.ToString() ?? "MSSQLSERVER";
                                     }
                                     WinSqlBinding.BindSQLCertificate(_psHelper, sqlInstanceNames, thumbprint, "", storePath, false);
+
+                                    jobResult = new JobResult
+                                    {
+                                        Result = OrchestratorJobStatusJobResult.Success,
+                                        JobHistoryId = config.JobHistoryId,
+                                        FailureMessage = ""
+                                    };
+
                                     break;
                             }
-
                         }
-
-                        jobResult = new JobResult
+                        else
                         {
-                            Result = OrchestratorJobStatusJobResult.Success,
-                            JobHistoryId = config.JobHistoryId,
-                            FailureMessage = ""
-                        };
-
+                            jobResult = new JobResult
+                            {
+                                Result = OrchestratorJobStatusJobResult.Failure,
+                                JobHistoryId = config.JobHistoryId,
+                                FailureMessage = "There was no thumbprint to bind."
+                            };
+                        }
                     }
                     else
                     {

IISU/ImplementedStoreTypes/WinIIS/IISBindingInfo.cs

@@ -16,8 +16,10 @@
 
 // 021225 rcp   2.6.0   Cleaned up and verified code
 
+using Markdig.Syntax;
 using System;
 using System.Collections.Generic;
+using System.Web.Services.Description;
 
 namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.IISU
 {
@@ -27,8 +29,14 @@
         public string Protocol { get; set; }
         public string IPAddress { get; set; }
         public string Port { get; set; }
         public string? HostName { get; set; }
         public string SniFlag { get; set; }
+        public string Thumbprint { get; private set; }
+
+        public IISBindingInfo()
+        {
+
+        }
 
         public IISBindingInfo(Dictionary<string, object> bindingInfo)
         {
@@ -40,15 +48,44 @@
             SniFlag = MigrateSNIFlag(bindingInfo["SniFlag"].ToString());
         }
 
+        public static IISBindingInfo ParseAliaseBindingString(string alias)
+        {
+            if (string.IsNullOrWhiteSpace(alias))
+                throw new ArgumentException("Alias cannot be null or empty.", nameof(alias));
+
+            var parts = alias.Split(':');
+            if (parts.Length < 4 || parts.Length > 5)
+                throw new FormatException("Alias must be in the format of Thumbprint:IPAddress:Port[:Hostname]");
+
+            return new IISBindingInfo
+            {
+                Thumbprint = parts[0],
+                SiteName = parts[1],
+                IPAddress = parts[2],
+                Port = parts[3],
+                HostName = parts.Length == 5 ? parts[4] : null
+            };
+        }
+
+
         private string MigrateSNIFlag(string input)
         {
-            // Check if the input is numeric, if so, just return it as an integer
             if (int.TryParse(input, out int numericValue))
             {
                 return numericValue.ToString();
             }
 
-            if (string.IsNullOrEmpty(input)) { throw new ArgumentNullException("SNI/SSL Flag", "The SNI or SSL Flag flag must not be empty or null."); }
+            if (string.IsNullOrEmpty(input))
+                throw new ArgumentNullException("SNI/SSL Flag", "The SNI or SSL Flag must not be empty or null.");
+
+            // Normalize input
+            var trimmedInput = input.Trim().ToLowerInvariant();
+
+            // Handle boolean values
+            if (trimmedInput == "true")
+                return "1";
+            if (trimmedInput == "false")
+                return "0";
 
             // Handle the string cases
             switch (input.ToLower())

IISU/ImplementedStoreTypes/WinIIS/Inventory.cs

@@ -30,7 +30,7 @@
     public class Inventory : WinCertJobTypeBase, IInventoryJobExtension
     {
         private ILogger _logger;
         Collection<PSObject>? results = null;
 
         public string ExtensionName => "WinIISUInventory";
 
@@ -107,7 +107,7 @@
             {
                 _logger.LogTrace(LogHandler.FlattenException(ex));
 
-                var failureMessage = $"Inventory job failed for Site '{jobConfiguration.CertificateStoreDetails.StorePath}' on server '{jobConfiguration.CertificateStoreDetails.ClientMachine}' with error: '{LogHandler.FlattenException(ex)}'";
+                var failureMessage = $"Inventory job failed for Site '{jobConfiguration.CertificateStoreDetails.StorePath}' on server '{jobConfiguration.CertificateStoreDetails.ClientMachine}' with error: '{ex.Message}'";
                 _logger.LogWarning(failureMessage);
 
                 return new JobResult
@@ -164,7 +164,7 @@
                             new CurrentInventoryItem
                             {
                                 Certificates = new[] {cert.CertificateBase64 },
-                                Alias = cert.Thumbprint + ":" + cert.Binding?.ToString(),
+                                Alias = cert.Thumbprint + ":" + cert.SiteName + ":" + cert.Binding?.ToString(),
                                 PrivateKeyEntry = cert.HasPrivateKey,
                                 UseChainLevel = false,
                                 ItemStatus = OrchestratorInventoryItemStatus.Unknown,