On Friday I successfully bound my certificate to port 443 using netsh.
Today I need to change the port, so I tried to 'unbind' it with netsh:
netsh delete sslcert ipport=0.0.0.0:443
The result is an error message
The following command was not found: delete sslcert
ipport=0.0.0.0:443.
Confusingly the command is exactly as specified in the Microsoft documentation for netsh.
How do I remove a port binding so that I can rebind the certificate to another port?
Try this one
netsh http delete sslcert ipport=0.0.0.0:443
You were missing the http parameter.
Related
I'm trying to register wcf net tcp port sharing, for a process to listen on this port (currently the client machine can't even ping this port eventhough the process is up so I read this command is needed):
netsh http add urlacl user=domain\svcUser url=net.tcp://+:8092/Service1
getting Url reservation failed, Error 87. The parameter is incorrect.
Also tried changing the user, the port, removing the Service1, adding a trailing /. Is there anything else that should be done?
Remark: The following command does succeed (but does not help): netsh http add urlacl user=domain\svcUser url=http://+:8092/Service1
This post shows the usage of netsh in this case
This post deals with error 87 but did not solve in my case
You mean the command succeed but it didn't work. This is not normal.
Maybe you can try this:
netsh http add urlacl url=http://+:8092 user=domain\svcUser
When hosting a WCF service in a windows service, we can use netsh http add urlacl url=https://+:1234/xService user=DOMAIN\USER
Then to add SSL we could do:
netsh http add sslcert ipport=0.0.0.0:1234 certhash="xxxxx" appid="{xxxxx}".
In the example code here https://msdn.microsoft.com/en-us/library/ms733791(v=vs.110).aspx they seem to use a http address.
Does this make any difference? If you run netsh http add sslcert on a port reserved with a http:// address will it still be secured by the certificate, or does it have to be a https address?
It needs to use https and your service should also serve https://...
I'm selfhosting a NancyFx service with Owin (on intranet from a Windows 8 machine) and it works fine. Trying to switch to HTTPS but have run into problems.
I have:
Created self-signed root CA
Created exchange-cert using above CA (CN=mycomputer)
Exported public key of CA and installed on client-machine
Used netsh to add urlacl to https://+:5001
Used netsh to add sslcert with thumb-hash etc.
The service-host looks to start allright on my address, https://mycomputer:5001, but when I try to access this address I first get the warning about unsecure connection (which I shouldn't if I have installed the public key CA-cert right?) and when continuing anyway I get a "service not available"-respons.
Any hints to what could be wrong?
Do I have to config Nancy/Owin to use the certificate somehow or is it enough to have it attached to the endpoint with netsh?
I've got it working. I've found it useful to have a number of checks in the process.
CHECK1 - Cert import ok:
- After you install the cert on the machine run certutil -store MY
- You shoudle see the cert details there (sha/user created/name etc)
- If not STOP. You probably imported into the user store (or the cert is invalid). You MUST start with empty mmc and import certificates for the MACHINE.
CHECK2 - url is added to urlacl list in netsh
- After you add the uri to acl run netsh http show urlacl
- If your uri / port is not listed STOP. The url isn't added correctly.
CHECK3 - ssl is bound to urlacl
- After running the add sslcert command run netsh http show sslcert
- If your port/sha combination is not listed then check the sha has no spaces / appid is unique / app id + braces surrounded by quotes (if executing from PS)
Hope it helps. I created the above after 6 hours of head banging. It now works!
ServiceHost.Open() is throwing this error:
HTTP could not register URL http://+:8001/. Your process does not have
access rights to this namespace (see
http://go.microsoft.com/fwlink/?LinkId=70353 for details).
So I used netsh to add the url. But event though it is added, i'm still getting the error. This is the command I use:
netsh http add urlacl url=http://+:8001/ user=djerryy
djerryy is my computername. When I run netsh http show urlacl i see it was added.
What am I doing wrong?
Thanks in advance.
It looks like you are missing the name of the user account who is running the service. Here's a couple of options:
Local user account:
netsh http add urlacl url=http://+:8001/ user=ComputerName\Username
Domain user account:
netsh http add urlacl url=http://+:8001/ user=DomainName\Username
Built-in NetworkService account:
netsh http add urlacl url=http://+:8001/ user="NT AUTHORITY\NETWORK SERVICE"
I must stress:
netsh http add urlacl url=http://+:8001/ user="NT AUTHORITY\NETWORK SERVICE"
will work only on a system with the English locale!
A better way is to remove that one space and make it:
netsh http add urlacl url=http://+:8001/ user="NT AUTHORITY\NETWORKSERVICE"
Now the command will work on any locale. I spent a good 0,5h battling this today... all because of a single char. ;)
To add even more to this answer: You MUST specify a port number! Spend quite a while trying to authorize a service to bind to a normal HTTP address, it only started working when I explicitly specified:
netsh http add urlacl
url=http://some.example.com:80/extension/
user="NT AUTHORITY\NETWORKSERVICE"
I've built a self hosted wcf server, using wsHttpBinding. I'm running Win 2003 server R2 SP2.
If I configure it to listen on http://localhost:443/MyService, everything works fine. I can connect to http://localhost:443/MyService with Internet Explorer, and I get the standard "Bad Request" message
Now, if I try to switch to HTTPS, I'm witnessing a strange phenomenon.
Here's what I've done :
I've changed my wcf config file from http://localhost to https://localhost and from Security=None to Security=Transport (as explained in numerous wcf tutorials)
I've registered my HTTP port like this :
httpcfg delete ssl -i 0.0.0.0:443
httpcfg set ssl -i 0.0.0.0:443 -h ea2e450ef9d4...
Note that the certificate I've used is a "real certificate" (i.e. issued by a trusted CA, namely Comodo). The server responds to ping on the NS mentioned in the certificate.
Now, the following will timeout :
Microsoft Telnet> open localhost 443
Here's the output from netstat (The Pid '4' is the 'System' process):
netstat -nao
Proto Local Adress Remote Adress State Pid
TCP 0.0.0.0:443 0.0.0.0:0 Listening 4
And here's a screenshot from TCPView captured when I issued the open command in telnet :
alt text http://img26.imageshack.us/img26/3376/tcpview2si6.jpg
I'm a bit puzzled. To me, if netstat says the server is listening on 443, the telnet connection to 443 shouldn't timeout, and I should have at least a blank prompt, expecting me to type some encrypted stuff :)
So far I've tried to :
Redo all the steps from scratch following exactly the MSDN tutorial
Used port 10443 instead of 443
Disable the firewall
Use a self signed certificate
I don't know what to try next .. any ideas?
The telnet client is not going to know to send a properly constructed request to initiate an https handshake, so I imagine the ssl secured server is just waiting for more data.
The telnet client is certainly not going to know what to do with the response from a ssl secured server (it's certainly not going to prompt you for data to send along). Communication can only happen once the https handshake has completed.
You need to use a client that knows how to do a handshake. The openssl binary can do this out of the box.
Telnet cannot be used to comunicate with encrited webs.
Checkout this microsfot note. It says "NOTE: This example assumes that the Web server is configured to use the default HTTP port (TCP 80). If the Web server is listening on a different port, substitute that port number in the first line of the example. Also, this example does not work properly over an HTTPS/SSL connection (TCP 443, by default), because the telnet client cannot negotiate the necessary encryption commands to establish the SSL session. Although an initial connection is possible over the HTTPS/SSL port, no data is returned when you issue a GET request."
Update: Checkout this other note HOW TO: Determine If SSL Connectivity Is Not Working on the Web Server or on an Intermediate Device
As FerrariB said, telnet does not perform the negotiations necessary to open an SSL connection. Telnet knows nothing about certificates, nor encryption. Thus, you are guaranteed to not be able to communicate with HTTPS port 443 via telnet. You will have to find another way to do whatever you are trying to do.
Check out the Wikipedia page on TLS for example, where it says directly:
If any one of the above steps fails, the TLS handshake
fails, and the connection is not created.
This is precisely what you are seeing by trying to use telnet to communicate with an SSL endpoint.
in command prompt: netstat -nao |find "443"
the last columns show a number:
pic no.1
Now open task manager.find result number in 1st section in pid column (if pid wasn't enabled, choose it from view tab) program name show the program which uses the port.
disable the program that uses the port /in my case I stopped it from services