Programmatically add binding on IIS 8 with SNI option

2.4k views Asked by At

I'm trying to create bindings for IIS 8 that have the flag SNI checked (Server Name Indication) using Microsoft.Web.Administration library (.NET Framework).

This is necessary to me because I want to get multiple SSL bindings for the same website under IIS, all using just one IP address. This is one of the main new features of IIS 8.

I've been looking into the Binding class and I can't find any flag or option to indicate it.

Is it possible with current Microsoft.Web.Administration v 7.0.0.0? Will I need a new version that I haven't found?

I know that version 7.9.0.0 is only for IIS express, and it isn't my scenario, so I haven't looked into it.

2

There are 2 answers

7
tittodiego On BEST ANSWER

I finally managed to do it using the Microsoft.Web.Administration from the folder %windir%\system32\inetsrv\ but only in Windows 8/Windows 2012 with IIS 8.

These libraries had the SslFlags option in the Add function for BindingCollection class. There is no documentation from microsoft yet for this new overload, or at least I haven't found it.

The SslFlags.Sni is available to use in this one and creates the binding with SNI check perfectly.

1
Ian Kemp On

Is it possible with current Microsoft.Web.Administration v 7.0.0.0?

Indeed it is, by manually adding the SslFlags attribute to the <binding> node:

Binding mySslBinding;
bool enableSni;

using (var serverManager = new ServerManager())
{
    // ... create or get value of mySslBinding...

    mySslBinding.SetAttributeValue("sslFlags", Convert.ToInt32(enableSni ? 1 : 0));

    serverManager.CommitChanges();
}

See the documentation of SslFlags here: https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/bindings/binding

Note that executing the above code on a machine with any version of IIS earlier than 8.0 will cause the CommitChanges() method to throw an exception, because sslFlags doesn't exist in those versions.

Warning: Enabling SNI on an existing binding may cause its certificate to be unselected!

See also Setting Server Name Indication (SNI) takes off certificate binding

To avoid this problem, you can do this:

var cert = mySslBinding.CertificateHash;
mySslBinding.SetAttributeValue("SslFlags", Convert.ToInt32(1));
mySslBinding.CertificateHash = cert;