How to set Require SSL for an IIS web site using Powershell IISAdministration module on Windows 2016
Answering my own question for posterity.
IISAdministration's New-IISSiteBinding cmdlet really confused me.
To start with, this was not part of my default Windows 2016 (loaded from an AWS image), so I had to update to IISAdministration 1.1 by first doing
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
and then
Install-Module -Name IISAdministration -Force
You cannot use Update-Module as IISAdministration 1.0 wasn't installed with NuGet, it's part of Win 2016.

Second, the SslFlag attribute on this has NOTHING to do with the SslFlags for Require Ssl. SslFlag on New-IISSiteBinding can be set to None, Sni, CentralCertStore. In IIS Manager, it is equivalent to clicking on a website, then Bindings link on the right, then Add/Edit, and the checkbox "Require Server Name Indication".
IISAdministration cmdlet Get-IISConfigSection is what's needed. The following code sets Require Ssl on a web site (equivalent in IIS Manager to clicking on a website, then SSL Settings icon, "Require SSL" checkbox):
Import-Module IISAdministration
$ConfigSection = Get-IISConfigSection -SectionPath "system.webServer/security/access" -Location "MyWebSite"
#to set:
Set-IISConfigAttributeValue -AttributeName sslFlags -AttributeValue Ssl -ConfigElement $ConfigSection
#to read:
Get-IISConfigAttributeValue -ConfigElement $ConfigSection -AttributeName sslFlags
These can be piped too. The possible values of this sslFlags are: None, Ssl, SslNegotiateCert, SslRequireCert, SslMapCert, Ssl128 (see Access Security <access>).
For those that require a client certificate the appropriate setting is "Ssl, SslNegotiateCert, SslRequireCert":
<system.webServer>
  <security>
    <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
  </security>
</system.webServer>
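
As an added example (not part of the original answer), this read-only audit lists each site's binding-level SslFlags next to its access-section sslFlags, so the two settings distinguished above appear side by side and sites with an HTTPS binding but no "Require SSL" stand out. The function names are hypothetical; the numeric flag values are those of the IIS configuration schema.

```powershell
# Added example: read-only audit of "Require SSL" per site. Run in an elevated session.
Import-Module IISAdministration

# Bit values of sslFlags on system.webServer/security/access (IIS configuration schema).
$AccessSslFlags = [ordered]@{
    Ssl = 8; SslNegotiateCert = 32; SslRequireCert = 64; SslMapCert = 128; Ssl128 = 256
}

# Hypothetical helper: normalise the attribute value to a list of flag names,
# whether it arrives as a number or as a comma-separated string.
function ConvertTo-AccessSslFlagNames {
    param($Value)
    if ($Value -is [string]) {
        return @($Value -split ',' | ForEach-Object { $_.Trim() } |
                 Where-Object { $_ -and $_ -ne 'None' })
    }
    $bits = [int64]$Value
    return @($AccessSslFlags.Keys | Where-Object { $bits -band $AccessSslFlags[$_] })
}

# Hypothetical helper: one report row per site, read at the site-level location.
function Get-IISRequireSslReport {
    foreach ($site in Get-IISSite) {
        $section = Get-IISConfigSection -SectionPath 'system.webServer/security/access' `
                                        -Location $site.Name
        $raw   = Get-IISConfigAttributeValue -ConfigElement $section -AttributeName sslFlags
        $flags = @(ConvertTo-AccessSslFlagNames $raw)
        $https = @($site.Bindings | Where-Object { $_.Protocol -eq 'https' })
        [pscustomobject]@{
            Site              = $site.Name
            HttpsBindings     = $https.Count
            # Binding-level flags (None/Sni/CentralCertStore): not the Require SSL setting.
            BindingSslFlags   = ($https | ForEach-Object { $_.SslFlags }) -join '; '
            AccessSslFlags    = if ($flags) { $flags -join ', ' } else { 'None' }
            RequireSsl        = $flags -contains 'Ssl'
            RequireClientCert = ($flags -contains 'SslNegotiateCert') -and
                                ($flags -contains 'SslRequireCert')
        }
    }
}

# Sites that serve HTTPS but do not enforce it.
Get-IISRequireSslReport |
    Where-Object { $_.HttpsBindings -gt 0 -and -not $_.RequireSsl } |
    Format-Table -AutoSize
```

The report covers only the site-level location; applications or virtual directories with their own location entries are not inspected.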