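<#
.SYNOPSIS
Provisions HKLM so the identity of an IIS application pool can persist auto-generated ASP.NET machine keys.

.PARAMETER appPoolName
Name of the IIS application pool whose process-model identity is resolved to a SID and granted
access to its AutoGenKeys registry subkey. Must not be empty: it is used both to look the pool up
and to build the "IIS APPPOOL\<name>" virtual account name.
#>
param (
    [Parameter(Mandatory = $True)]
    [ValidateNotNullOrEmpty()]
    [string] $appPoolName
)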
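# Provisions the HKLM registry so that the specified user account can persist auto-generated machine keys.
#
# Creates (or re-ACLs) HKLM\SOFTWARE\Microsoft\ASP.NET\<expanded version>\AutoGenKeys\<sid> in the
# requested 32- or 64-bit registry view. The subkey gets a protected DACL (no inherited ACEs) that
# grants full control to SYSTEM, BUILTIN\Administrators and the target SID only.
#
# Parameters:
#   frameworkVersion - "2.0" or "4.0"; mapped to the expanded ASP.NET version key name.
#   architecture     - "32" or "64"; selects the registry view that is opened.
#   sid              - SID string of the account that must be able to write its keys. It is
#                      validated as a well-formed SID before it is placed into the SDDL string,
#                      so a malformed value cannot change the DACL that is applied.
#
# Writes an error and returns without touching the registry when the session is not elevated.
# Every registry handle that is opened is closed before the function returns.
function Provision-AutoGenKeys {
    [CmdletBinding()]
    param (
        [ValidateSet("2.0", "4.0")]
        [Parameter(Mandatory = $True)]
        [string] $frameworkVersion,

        [ValidateSet("32", "64")]
        [Parameter(Mandatory = $True)]
        [string] $architecture,

        [Parameter(Mandatory = $True)]
        [string] $sid
    )

    process {
        # Opens $name under $parent for writing, creating it when it does not exist yet.
        function Open-OrCreateSubKey([Microsoft.Win32.RegistryKey] $parent, [string] $name) {
            $key = $parent.OpenSubKey($name, $True)
            if ($null -eq $key) {
                $key = $parent.CreateSubKey($name)
            }
            return $key
        }

        # We require administrative permissions to continue.
        $currentIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object System.Security.Principal.WindowsPrincipal($currentIdentity)
        if (-Not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
            Write-Error "This cmdlet requires Administrator permissions."
            return
        }

        # Reject anything that is not a well-formed SID before it is interpolated into the SDDL
        # below; the SecurityIdentifier constructor throws ArgumentException for malformed input.
        $null = New-Object System.Security.Principal.SecurityIdentifier($sid)

        # Open HKLM with an appropriate view into the registry
        if ($architecture -eq "32") {
            $regView = [Microsoft.Win32.RegistryView]::Registry32
        } else {
            $regView = [Microsoft.Win32.RegistryView]::Registry64
        }

        # Expanded ASP.NET version folder name under SOFTWARE\Microsoft\ASP.NET
        if ($frameworkVersion -eq "2.0") {
            $expandedVersion = "2.0.50727.0"
        } else {
            $expandedVersion = "4.0.30319.0"
        }

        # SYSTEM, ADMINISTRATORS, and the target SID get full access; "D:P" marks the DACL as
        # protected so nothing is inherited from the parent key.
        $regSec = New-Object System.Security.AccessControl.RegistrySecurity
        $regSec.SetSecurityDescriptorSddlForm("D:P(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GA;;;$sid)")

        # Pre-declare every handle so the finally block can close whichever ones were opened.
        $baseRegKey = $null
        $softwareMicrosoftKey = $null
        $aspNetKey = $null
        $aspNetBaseKey = $null
        $autoGenBaseKey = $null
        $userAutoGenKey = $null

        try {
            $baseRegKey = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $regView)

            $softwareMicrosoftKey = $baseRegKey.OpenSubKey("SOFTWARE\Microsoft\", $True)
            if ($null -eq $softwareMicrosoftKey) {
                Write-Error "HKLM\SOFTWARE\Microsoft could not be opened for writing."
                return
            }

            # Open (or create) the ASP.NET base key for the requested version
            $aspNetKey = Open-OrCreateSubKey $softwareMicrosoftKey "ASP.NET"
            $aspNetBaseKey = Open-OrCreateSubKey $aspNetKey "$expandedVersion"

            # Create AutoGenKeys subkey if it doesn't already exist
            $autoGenBaseKey = Open-OrCreateSubKey $aspNetBaseKey "AutoGenKeys"

            $userAutoGenKey = $autoGenBaseKey.OpenSubKey($sid, $True)
            if ($null -eq $userAutoGenKey) {
                # Subkey didn't exist; create and ACL appropriately
                $userAutoGenKey = $autoGenBaseKey.CreateSubKey($sid, [Microsoft.Win32.RegistryKeyPermissionCheck]::Default, $regSec)
            } else {
                # Subkey existed; make sure ACLs are correct
                $userAutoGenKey.SetAccessControl($regSec)
            }
        } finally {
            # Close child keys before their parents; RegistryKey.Close is safe on every .NET version.
            foreach ($key in @($userAutoGenKey, $autoGenBaseKey, $aspNetBaseKey, $aspNetKey, $softwareMicrosoftKey, $baseRegKey)) {
                if ($null -ne $key) {
                    $key.Close()
                }
            }
        }
    }
}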
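# Stop on the first error so a partially provisioned registry is never reported as success.
$ErrorActionPreference = "Stop"

# Read the pool's process model through IISAdministration when it is available,
# otherwise fall back to the older WebAdministration provider.
if (Get-Command Get-IISAppPool -ErrorAction SilentlyContinue) {
    $processModel = (Get-IISAppPool $appPoolName).processModel
} else {
    Import-Module WebAdministration
    $processModel = Get-ItemProperty -Path "IIS:\AppPools\$appPoolName" -Name "processModel"
}

# Both lookups yield $null (rather than throwing) when the pool does not exist.
if ($null -eq $processModel) {
    Write-Error "Application pool '$appPoolName' was not found."
    return
}

$identityType = $processModel.identityType
Write-Output "Pool process model: '$identityType'"

# Map the pool identity type to the account whose SID receives the registry ACL.
$userName = $null
switch ($identityType) {
    "LocalService"            { $userName = "LocalService" }
    "LocalSystem"             { $userName = "System" }
    "NetworkService"          { $userName = "NetworkService" }
    "ApplicationPoolIdentity" { $userName = "IIS APPPOOL\$appPoolName" }
    "SpecificUser"            { $userName = $processModel.userName }
    default {
        Write-Error "Application pool '$appPoolName' uses unsupported identity type '$identityType'."
        return
    }
}

# A SpecificUser pool with no user name would otherwise fail inside NTAccount with an
# unrelated ArgumentException instead of a clear message.
if ([string]::IsNullOrEmpty($userName)) {
    Write-Error "Application pool '$appPoolName' has no user name configured."
    return
}
Write-Output "Pool user name: '$userName'"

try {
    $poolSid = (New-Object System.Security.Principal.NTAccount($userName)).Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch [System.Security.Principal.IdentityNotMappedException] {
    Write-Error "Application pool '$appPoolName' account cannot be resolved."
    return
}
Write-Output "Pool SID: '$poolSid'"

# Only the 4.0 hive is provisioned, in both the 32-bit and 64-bit registry views.
Provision-AutoGenKeys "4.0" "32" $poolSid
Provision-AutoGenKeys "4.0" "64" $poolSid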