I want to modify the IIS Web application Handler mappings permissions.
I did this manually like below.
Open IIS , Site/Web application, Clicked Handler Mappings, in Actions Clicked “Edit Feature Permissions “, then uncheck/Check the Script.
I want to automate this using PowerShell.
I can read the permission status using the below code.
Get-WebConfigurationProperty -Filter /system.webServer/handlers -name accesspolicy -PSPath IIS:\ -Location 'Default Web Site/WebApplication’
I tried same way to modify the permission using below code. But this is not working. Could anyone please let me know What I did wrong here.
Set-WebConfigurationProperty -Filter /system.webServer/handlers -name accesspolicy -value "Script" -PSPath IIS:\ -Location 'Default Web Site/WebApplication’ –Force
I think you're very close, but you're aiming for ISAPI-dll, not individual handlers. Here is the code for individual handlers (I'm still using ISAPI-dll as an example):
Set-WebConfiguration "/system.webServer/handlers/add[#name='ISAPI-dll']/#requireAccess" -Value "Execute" -PSPath "IIS:/sites/Default Web Site"
Here is the code to enable access for all handlers (including ISAPI-dll):
Set -WebConfiguration "/system.webServer/handlers/#AccessPolicy" -value "Read, Script, Execute"
Leave the -PSPath part out to do it at the server level.
Remove "Execute" to disable ISAPI-dll.
Also, this link may serve as a useful reference.
Related
I'm working on setting up an application getaway with a group of backend app services. I am in the final configuration steps of configuring a listener, but first I need to set Application Gateway to support key vault reference certificates. I follow this guide from the official Microsoft documentation: Key Vault Azure Role-Based Access Control Permissions Model
via azure powershell, but i get this series of errors. In the case of getAzApplicationGateway, I have already verified that the name in which my resource is located is correct. As for get-AzApplicationGateweyIdentity and Add-Az-ApplicationGatewaySslCertifacate, I get: Cannot bind argument to parameter 'ApplicationGateway' because it is null. I can't find the cause for this error, am I entering the wrong argument?
Your first command in the posted snippet "Get-AzApplicationGateway" doesn't find your gateway.
At least in the snipped provided you don't give -name and -ResourceGroupName as strings, meaning in " ".
Wenn I run your commands with strings where they are required it works just fine
When I ran the below command directly, I got the same error.
$appgw = Get-AzApplicationGateway -Name YourApplicationGatewayName -ResourceGroupName YourRGName
First, we need to create an Application Gateway.
Create a Managed Identity.
After creating the ApplicationGateway and ManagedIdentity, now run the below commands.
$appgw = Get-AzApplicationGateway -Name YourApplicationGatewayName -ResourceGroupName YourRGName
Set-AzApplicationGatewayIdentity -ApplicationGateway $appgw -UserAssignedIdentityId "/subscriptions/YourSubscriptionID/resourceGroups/YourRGName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MyYourManagedIdentityName"
Create a KeyVault and certificate by following the steps from the document and run the below command to
$secret = Get-AzKeyVaultSecret -VaultName "YourKeyVaultName" -Name "YourCertificateName"
Add-AzApplicationGatewaySslCertificate -KeyVaultSecretId $secretId -ApplicationGateway $appgw -Name $secret.Name
Before running the below command make sure you have created the Access policy with Get selected on Secret permissions and provided the created Managed Identity.
Set-AzApplicationGateway -ApplicationGateway $appgw
Specifically, I am looking to write an automation runbook for changing a Function App's HTTP Version from it's 1.1 default to 2.0. I know there is a simple way to do this via CLI commands, but I'm trying to get a working solution using a powershell runbook.
So far, I've been able to find the setting by doing...
$FA = Get-AzFunctionApp -Name <foo> -ResourceGroupName <bar>
$FA.Config.Http20Enabled
False
I've attempted to alter $FA and then pipe it through Update-AzFunctionApp...
$FA.Config.Http20Enabled = $True
$FA | Update-AzFunctionApp
with no success.
Not sure if I'm close to the right solution but I can't seem to find any Azure functionality that changes platform settings in this way. Any insight would be much appreciated!
I was able to find a solution to my original question. Instead of using the AzFunctionApp cmdlets, I used AzResource.
$FA = Get-AzResource -ResourceGroupName <foo> -Name <bar> -ResourceType Microsoft.Web/sites/config -ApiVersion 2021-02-01
$FA.Properties.http20Enabled = $True
Set-AzResource -ResourceId $FA.ResourceId -Properties $FA.Properties
I presume other config settings can be changed along with the property I needed.
I found (as well as the Azure CLI) you can use the PowerShell cmdlets for Web Apps. These work on Azure Functions too!
For simple examples, perhaps to just toggle a feature you can call Set-AzWebApp in one line. Here are two examples:
(1) to enable HTTPS only:
Set-AzWebApp -Name $functionName -ResourceGroupName $rg -HttpsOnly $true
Or (2) to disable FTP/FTPs:
Set-AzWebApp -Name $functionName -ResourceGroupName $rg -FtpsState "Disabled"
For more complex property changes, like enabling HTTP 2.0. You can do this in just a few more lines of PowerShell. See for example:
$funcAsApp = Get-AzWebApp -Name $functionName -ResourceGroupName $rg
$funcAsApp.SiteConfig.Http20Enabled = $true
$funcAsApp | Set-AzWebApp
For more information see the MSDN help here: https://learn.microsoft.com/en-us/powershell/module/az.websites/set-azwebapp?view=azps-6.6.0
In the Azure Application Gateway UI, when creating a HTTP Setting, there's a tickbox called "Use for App service":
I'm trying to replicate this HTTP Setting in PowerShell using the following command:
Add-AzureRmApplicationGatewayBackendHttpSettings -Name $MaintenanceToggleHTTPSetting -ApplicationGateway $AppGW -Protocol Http -Port 80 -Probe $probe
Having checked the documentation, I can't find any parameter to replicate this.
Is it possible? Is it a combination of other parameters perhaps?
It seems there is no parameter for Use for App service option in the powershell command.
Besides, I found something weird, on my portal, I choose the Use for App service option ->Save, exit and enter again, then the option will not be chosen. Not sure if I do it right, if not, please correct me.
Also, I catch the request with choose the option/not choose via F12, after comparing, I find the request body is the same.
Edit:
We need to choose the pick hostname from backend address option in probe, then the Use for App service option will be saved.
Here is a specific powershell script as a supplement for the ansewer of #dunc, if someone waht to use Use for App service option, you could refer to it. For more details, refer to #dunc 's answer.
$AppGw = Get-AzureRmApplicationGateway -Name "joygateway" -ResourceGroupName "joywebapp"
$probe = Get-AzureRmApplicationGatewayProbeConfig -Name "testprobe" -ApplicationGateway $AppGw
Add-AzureRmApplicationGatewayBackendHttpSettings -Name "testsetting" -ApplicationGateway $AppGW -Protocol Http -Port 80 -Probe $probe -PickHostNameFromBackendAddress -CookieBasedAffinity "Disabled"
Set-AzureRmApplicationGateway -ApplicationGateway $AppGw
Check in the portal:
I had a response from Microsoft this, which I have tested and confirmed:
The checkbox ‘Use for App service’ is a wrapper for 2 checkboxes followed by it.
So when you configure both checkboxes below it to ‘on’, this “use for App service” becomes active.
Basically, set the -Probe and -PickHostNameFromBackendAddress parameters when creating the HttpSettings. This ticks the "Use for App service" tickbox in the UI.
I used to use Get-AzureWebsite -Name myportal to get PublishingPassword what I can use inside Visual Studio to publish the WebApp to the cloud.
But now I was assigned with a new azure subscription that is not seen with the old azure command set (i.e. Get-AzureSubscription).
However this subscription is visible by Get-AzureRmSubscription (with "Rm" keyword). But Get-AzureRmWebApp doesn't contain PublishingPassword property.
Is there any other way to get PublishingPassword with new command set (that contains "Rm").
The cmdlet you are looking for is Get-AzureRmWebAppPublishingProfile At the time I looked for a more direct method, but didn't turn one up. It is a little bit convoluted, but it works. (it doesn't actually write anything to file, but as I recall it choked if it wasn't included)
This is what I did with it...
function Get-FTPCredentials
{
$Xml = [xml](Get-AzureRmWebAppPublishingProfile -OutputFile test.xml -Format Ftp -ResourceGroupName $AppServiceResourceGroupName -Name $AppServiceWebAppName )
$PublishProfile = $Xml.FirstChild.ChildNodes[1]
Write-Output ("FTP location is - " + $PublishProfile.publishUrl)
Write-Output ("FTP username is - " + $PublishProfile.userName)
Write-Output ("FTP password is - " + $PublishProfile.userPWD)
Write-Output ("Website URL is - " + $PublishProfile.destinationAppUrl)
}
Quick flow to get publishing password (PublishingPassword) for a website in Azure published via Visual Studio - manually by using PowerShell console:
Add-AzureRmAccount -TenantId 12343048-34cb-4322-b413-7b408837xxxx
Get-AzureRmWebAppPublishingProfile -Name myPortal -OutputFile test.xml -ResourceGroupName MyResourcesTestGroup
First command sets login to required tenant (directory) (i.e. adds your azure account to PowerShell session). Second gets the website (webapp) objects and prints publishing data including password.
I have created an automatic deployment script using powershell for one of our classic asp applications.
Everything executes correctly and now errors are show and the application is created and show in IIS Manager.
When I carryout the same process manually with IIS Manager the web application show three areas ASP.NET, IIS and Management.
The web application create with the powershell script only displays two areas, IIS and Managment.
The script line that I am using to create the web application is
$appPool = "Test"
New-WebApplication -Site "Default Web Site" -Name "Test" -PhysicalPath "C:\inetpub\wwwroot\Test" -ApplicationPool $appPool
The application pool is also newly created before the web application with the follow commands
New-Item $appPool
Set-ItemProperty $appPool "managedRuntimeVersion" "v2.0"
Set-ItemProperty $appPool "managedPipelineMode" 1
Set-ItemProperty $appPool -Name "enable32BitAppOnWin64" -Value "True"
Which also appears to work correctly.
The application does work correctly in the Web application created by the script.
I did find this question Error creating IIS WebApplication which details the same problem but I have check the only response to it about having the managed runtime option on the application pool set to none would cause this but it is set to .Net 2 as show by the script.
Can any one shed any light on what I am doing wrong.
I had the same problem with no asp.net section in IIS when I was creating web applications with Powershell. In the end I used:
ConvertTo-WebApplication -PSPath "IIS:\Sites\TESTPARENT\TEST\TEST-1"
https://technet.microsoft.com/en-us/library/ee807827.aspx