Configuring remote connection to a Microsoft Active Directory domain controller

To manage a Microsoft Active Directory domain controller remotely, you configure WinRM (Windows Remote Management) on the domain controller in two stages: first an HTTPS listener that uses a self-signed server certificate, then certificate-based authentication, so that the user identity service presents a client certificate instead of a user name and password.

Configuring an HTTPS connection to the domain controller via WinRM

You need to configure WinRM to connect to your Microsoft Active Directory domain controller over HTTPS.

To configure a Microsoft Active Directory domain controller:

  1. Start PowerShell as administrator.
  2. Check whether the WinRM service is running and which listeners already exist by running the following command (it fails if the service is stopped):

    winrm enumerate winrm/config/listener

  3. If WinRM is not running or has no listener, enable it with the default configuration (this creates an HTTP listener on port 5985 and opens it in the firewall) by running the following command:

    winrm quickconfig

  4. Enable certificate authentication for the WinRM service. The first command shows the current authentication settings; the second turns the Certificate method on:

    winrm get winrm/config/service/auth

    winrm set winrm/config/service/auth '@{Certificate="true"}'

  5. Create a self-signed server certificate for the HTTPS listener:
    1. Create variables for the host name and IP address of the domain controller that the certificate will be issued for, by running the following commands:

      $hostName='<domain controller address>'

      $hostIP='<domain controller IP address>'

    2. Create the self-signed certificate by running the following command. The HTTPS listener only accepts a certificate with a private key from the local computer's personal store, so <path to certificate> here must be Cert:\LocalMachine\My:

      $srvCert = New-SelfSignedCertificate -DnsName $hostName,$hostIP -CertStoreLocation <path to certificate>

    3. Check the contents of the $srvCert variable by running the following command:

      $srvCert

  6. Check which instances of Listener exist by running the following command:

    Get-ChildItem wsman:\localhost\Listener

  7. Remove existing instances of Listener for HTTPS by running the following command:

    Get-ChildItem wsman:\localhost\Listener\ | Where-Object -Property Keys -like 'Transport=HTTPS*' | Remove-Item -Recurse

  8. Create a new Listener instance for HTTPS with the issued certificate by running the following command:

    New-Item -Path WSMan:\localhost\Listener\ -Transport HTTPS -Address * -CertificateThumbPrint $srvCert.Thumbprint -Force

  9. Restart WinRM by running the following command:

    Restart-Service WinRM
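The whole procedure above as one script, added here as an example; it is not code from the original page or from the product's documentation. It assumes an elevated PowerShell session on the domain controller, placeholder values for the host name and IP address, the server certificate in Cert:\LocalMachine\My, and the default WinRM HTTPS port 5986. The firewall rule is an addition the page does not mention: winrm quickconfig opens only the HTTP port, so without it the HTTPS listener is reachable only locally.

```powershell
# Added example (not from the original page): HTTPS listener setup on the domain controller.
# Run in an elevated PowerShell session on the DC. The host name, IP address and port are assumptions.
#Requires -RunAsAdministrator

$hostName = 'dc01.example.local'   # assumption: replace with the DC's FQDN
$hostIP   = '192.0.2.10'           # assumption: replace with the DC's IP address
$port     = 5986                   # default WinRM HTTPS port

# 1. Make sure the WinRM service is running with a default configuration.
if ((Get-Service WinRM).Status -ne 'Running') {
    winrm quickconfig -quiet | Out-Null
}

# 2. Enable certificate authentication on the service side
#    (same setting as: winrm set winrm/config/service/auth '@{Certificate="true"}').
Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true

# 3. Issue a self-signed server certificate for the DC name and IP.
#    The listener only accepts certificates from the LocalMachine\My store, so it is created there.
$srvCert = New-SelfSignedCertificate -DnsName $hostName, $hostIP `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(2)
"Server certificate thumbprint: $($srvCert.Thumbprint)"

# 4. Replace any existing HTTPS listener with one bound to the new certificate.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object -Property Keys -like 'Transport=HTTPS*' |
    Remove-Item -Recurse

New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $srvCert.Thumbprint -Port $port -Force | Out-Null

# 5. Open the port in the host firewall (winrm quickconfig opens only HTTP/5985).
#    Assumption: the built-in Windows Defender Firewall is in use.
if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound -Protocol TCP `
        -LocalPort $port -Action Allow | Out-Null
}

Restart-Service WinRM

# 6. Verify: exactly one HTTPS listener exists, it uses our thumbprint, and the port is listening.
$listener = @(Get-ChildItem WSMan:\localhost\Listener |
    Where-Object -Property Keys -like 'Transport=HTTPS*')
if ($listener.Count -ne 1) { throw "Expected one HTTPS listener, found $($listener.Count)" }
$bound = (Get-ChildItem "WSMan:\localhost\Listener\$($listener[0].Name)" |
    Where-Object Name -eq 'CertificateThumbprint').Value
if ($bound -ne $srvCert.Thumbprint) {
    throw "HTTPS listener is bound to $bound, expected $($srvCert.Thumbprint)"
}
if (-not (Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)) {
    throw "Nothing is listening on TCP $port"
}
"WinRM HTTPS listener ready on ${hostName}:$port"
```

Two points a practitioner should keep in mind. The listener is bound to every address (-Address *), as in the procedure; on a multi-homed controller you can restrict it with -Address IP:<address>. The HTTP listener that winrm quickconfig created on port 5985 stays in place; if only HTTPS is wanted, remove it the same way the script removes the HTTPS listeners, with 'Transport=HTTP*' in the filter.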

Configuring a connection to WinRM using a certificate

In this stage you issue a client certificate for the service account and map it to that account in WinRM. The certificate is separate from the server certificate created for the HTTPS listener. After the mapping is in place, the user identity service authenticates with the certificate and no longer needs to send the user name and password.

You need a service account in the Microsoft Active Directory for the user identity service.

To configure the WinRM connection with a certificate:

  1. Create a service account for the user identity service connection.
  2. Add the created user to the built-in Event Log Readers group so that it can read the event log.
  3. Grant the user permissions to connect to WinRM:
    1. Start PowerShell as administrator.
    2. Open the window for managing permissions for connecting to WinRM by running the following command:

      winrm configSDDL default

    3. Click the Add... button and select the created user.
    4. Grant the user execution permissions by selecting the Execute check box in the Allow column.
    5. Click the OK button to apply the changes.
  4. Generate a self-signed client certificate for the service account. The extended key usage 1.3.6.1.5.5.7.3.2 marks it for client authentication, and the subject alternative name carries the user principal name (UPN) of the service account in the form user@domain; WinRM uses that UPN, not the subject CN, to identify the account. Note the thumbprint that the command prints, it is needed in the following steps:

    New-SelfSignedCertificate -Type Custom `
    -Container test* -Subject "CN=uaws" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2","2.5.29.17={text}upn=<user name>") `
    -KeyUsage DigitalSignature,KeyEncipherment `
    -KeyAlgorithm RSA `
    -KeyLength 2048

  5. Save the certificate to the uawsuser.cer file:

    Get-ChildItem <path to certificate>\<certificate fingerprint> | Export-Certificate -FilePath uawsuser.cer -Type Cert

  6. Add the generated uawsuser.cer certificate (the public part only) to the local computer's certificate stores. WinRM requires the certificate in TrustedPeople, and because the certificate is self-signed it must also be in Root, where it is treated as the issuer in the mapping of the next step:

    Import-Certificate -FilePath .\uawsuser.cer -CertStoreLocation Cert:\LocalMachine\TrustedPeople

    Import-Certificate -FilePath .\uawsuser.cer -CertStoreLocation Cert:\LocalMachine\Root

  7. Bind the generated certificate to the service account by creating a mapping in the ClientCertificate container of the WSMan: drive. The Subject of the mapping must be the UPN that you put into the certificate's subject alternative name, and the Issuer is the thumbprint of the certificate that issued the client certificate, which for a self-signed certificate is its own thumbprint:

    New-Item -Path WSMan:\localhost\ClientCertificate `
    -Subject '<user name>' `
    -URI * `
    -Issuer <certificate fingerprint> `
    -Credential (Get-Credential) `
    -Force

  8. When prompted, enter the name and password of the service account to which you want to bind the certificate. WinRM stores these credentials and uses them to log the account on when a client presents the certificate, so the mapping must be recreated whenever the service account's password changes.
  9. Restart WinRM by running the following command:

    Restart-Service WinRM

  10. Export the certificate and certificate key as a PFX file:

    $mypwd = ConvertTo-SecureString -String '<certificate password>' -Force -AsPlainText

    Get-ChildItem -Path <path to certificate>\<certificate fingerprint> | Export-PfxCertificate -FilePath <path to certificate and key>\uawsuser.pfx -Password $mypwd

  11. Copy the uawsuser.pfx file to the primary node of the ha-astra-1 cluster.
  12. Unpack the uawsuser.pfx file into a certificate file and a key file with the .pem extension using OpenSSL. The -nodes option writes the private key unencrypted, so the key file must be readable only by the account that runs the Collector component:

    openssl pkcs12 -in uawsuser.pfx -clcerts -nokeys -out uawsuser.pem

    openssl pkcs12 -in uawsuser.pfx -nocerts -nodes -out uawsuserkey.pem

  13. Copy the uawsuser.pem and uawsuserkey.pem files to the /var/lib/uaws/collector/ssl directory.

    To deploy the user identity service in a high-availability cluster, you need to do this on both the primary and the backup node.

  14. Open the configuration file of the Collector component and specify the path to these files in the dc section, in the user-cert and user-cert-key parameters:

    user-cert: "/var/lib/uaws/collector/ssl/uawsuser.pem"

    user-cert-key: "/var/lib/uaws/collector/ssl/uawsuserkey.pem"

  15. On the domain controller, restart the WinRM service and verify that the settings have been applied, that is, that the HTTPS listener and the certificate mapping are still listed in the Listener and ClientCertificate containers of the WSMan: drive:

    Restart-Service WinRM
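The certificate mapping procedure above as one script, added here as an example; it is not code from the original page or from the product's documentation. It runs in an elevated PowerShell session on the domain controller and assumes placeholder values for the account name, its UPN and the output directory. Unlike the step-by-step version it keeps the certificate object in a variable, so the thumbprint never has to be copied by hand, checks the stored mapping after the restart, and deletes the private key from the domain controller once the PFX has been exported, because the controller only needs the public certificate to accept the client.

```powershell
# Added example (not from the original page): client certificate for the service account,
# WinRM certificate mapping, and PFX export for the collector host.
# Run in an elevated PowerShell session on the DC. Account name, UPN and paths are assumptions.
#Requires -RunAsAdministrator

$userName = 'uaws'                          # assumption: service account name
$userUpn  = "$userName@example.local"       # assumption: its UPN; must match the SAN in the certificate
$outDir   = 'C:\winrm-cert'                 # assumption: where the .cer and .pfx files are written
$pfxPass  = Read-Host -Prompt 'PFX password' -AsSecureString
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Returns the properties of the mapping whose Issuer equals the given thumbprint, or $null.
function Get-CertMapping([string]$IssuerThumbprint) {
    foreach ($m in Get-ChildItem WSMan:\localhost\ClientCertificate) {
        $path  = "WSMan:\localhost\ClientCertificate\$($m.Name)"
        $props = @{ Path = $path }
        Get-ChildItem $path | ForEach-Object { $props[$_.Name] = $_.Value }
        if ($props['Issuer'] -eq $IssuerThumbprint) { return $props }
    }
    return $null
}

# 1. Client certificate: EKU = Client Authentication (1.3.6.1.5.5.7.3.2), SAN = UPN of the account.
#    WinRM resolves the account from the UPN in the SAN; the Subject CN is informational only.
$userCert = New-SelfSignedCertificate -Type Custom -Subject "CN=$userName" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2", "2.5.29.17={text}upn=$userUpn") `
    -KeyUsage DigitalSignature, KeyEncipherment -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy Exportable -CertStoreLocation 'Cert:\CurrentUser\My'
$thumb = $userCert.Thumbprint

# 2. Public part only: the DC must trust it as a peer (TrustedPeople) and, because it is
#    self-signed, as its own issuer (Root).
$cerPath = Join-Path $outDir "$userName.cer"
Export-Certificate -Cert $userCert -FilePath $cerPath -Type CERT | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPeople | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 3. Map the certificate to the service account. Subject = UPN from the SAN; Issuer = thumbprint
#    of the issuing certificate, which for a self-signed certificate is its own thumbprint.
#    WinRM stores the credential and uses it to log the account on when the certificate is presented.
$existing = Get-CertMapping $thumb
if ($existing) { Remove-Item -Path $existing.Path -Recurse }
$cred = Get-Credential -UserName $userUpn -Message 'Password of the service account'
New-Item -Path WSMan:\localhost\ClientCertificate -Subject $userUpn -URI * `
    -Issuer $thumb -Credential $cred -Force | Out-Null
Restart-Service WinRM

# 4. Verify that the mapping survived the restart and points at the expected account.
$mapping = Get-CertMapping $thumb
if (-not $mapping) { throw "No client certificate mapping found for issuer $thumb" }
if ($mapping['Subject'] -ne $userUpn) {
    throw "Mapping subject is '$($mapping['Subject'])', expected '$userUpn'"
}

# 5. Export certificate + private key for the collector host, then remove the private key from
#    the DC: steps 2 and 3 are all the controller needs to accept this client.
$pfxPath = Join-Path $outDir "$userName.pfx"
Export-PfxCertificate -Cert $userCert -FilePath $pfxPath -Password $pfxPass | Out-Null
Remove-Item -Path "Cert:\CurrentUser\My\$thumb" -DeleteKey
"Mapping verified for $userUpn; copy $pfxPath to the collector host and delete it here afterwards"

# Optional end-to-end check from a Windows workstation that has the PFX imported into its
# CurrentUser\My store (the self-signed server certificate makes the CA and CN checks necessary):
#   Invoke-Command -ComputerName <domain controller address> -UseSSL -CertificateThumbprint $thumb `
#       -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck) -ScriptBlock { whoami }
# It must print the service account name, not the name of the user running the command.
```

Placing the self-signed client certificate in the Root store is what makes WinRM accept it as its own issuer, and it is the part of the procedure with the widest effect: anything signed by that key is now trusted as root on the domain controller, which is why the script deletes the private key from the controller as soon as the PFX exists and why the PFX should be removed from the controller after it has been copied.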
