IIS6 and IIS7 subtle differences in programming for HTTPS binding

Source: Internet
Author: User
Tags metabase

The key point of this article, in one paragraph:

The problem is that little asterisk. IIS 6 does not support the wildcard in SecureBindings; an empty IP part means (All Unassigned). IIS 7 accepts both the empty form and the wildcard, and converts an empty IP to *:443: automatically. Changing the call to AddHttpsBinding(":443:", "MY", hash) resolved the problem.

Reposted from: http://linwx1978.blog.163.com/blog/static/1504106920111281434624/

I recently solved a problem that had been troubling me for a long time, and I am sharing it here.
The problem is simple: we were writing an automatic site deployment program that needed to support HTTPS on both IIS 6 and IIS 7, i.e. add an HTTPS binding programmatically. My initial code looked like this:

using System;
using System.DirectoryServices;

private void WriteBinaryArrayToDirectoryEntry(PropertyValueCollection entry, byte[] data)
{
    // SSLCertHash is a binary metabase property; the ADSI provider accepts it
    // as an array of two-character hex strings, one per byte of the hash.
    string[] arrStr = new string[data.Length];
    for (int i = 0; i < data.Length; i++)
    {
        arrStr[i] = String.Format("{0:x2}", data[i]);
    }
    object[] arrObj = new object[arrStr.Length];
    arrStr.CopyTo(arrObj, 0);

    entry.Clear();
    entry.Add(arrObj);
}

public void AddHttpsBinding(string binding, string nameStore, byte[] hash)
{
    DirectoryEntry entry = new DirectoryEntry("IIS://LOCALHOST/W3SVC/1"); // points to the Default Web Site
    entry.Properties["SecureBindings"].Clear();
    entry.Properties["SecureBindings"].Add(binding);
    WriteBinaryArrayToDirectoryEntry(entry.Properties["SSLCertHash"], hash);

    entry.CommitChanges();
}
Note the line with the comment: if you need to target a site other than the default one, the metabase path (W3SVC/1) has to be changed, but that is a digression.
The call looks like this:
AddHttpsBinding("*:443:", "MY", hash);
*:443: means port 443 on any IP address (All Unassigned), with no host header.

This ran fine on IIS 7, but on IIS 6 and IIS 5 it ran into a number of problems and HTTPS was not accessible.

First we checked the HTTPS binding and found that the certificate binding had failed. Checking with Metabase Explorer, there should be three entries related to the HTTPS binding under /LM/W3SVC/1:
SecureBindings, which specifies the port, IP address and host header.
SSLCertHash, which specifies the hash (thumbprint) of the target certificate.
SSLStoreName, which specifies the certificate store the target certificate lives in.
If the binding succeeds, all three entries appear with the values we specified. After the program above ran on IIS 6, however, only the first two were present; SSLStoreName was missing, so the HTTPS service could not find the target certificate.
The reason is that on IIS 6 SSLStoreName must be set explicitly, and it must be set before SSLCertHash. On IIS 7, by contrast, SSLStoreName is filled in by the system, and if the program tries to set it itself the system throws an exception: "A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)".

So we had to change the program to this:
// Reads a single-valued metabase property as a string, or "" if it is absent.
private string TryGetValue(string path, string propertyName)
{
    using (DirectoryEntry e = new DirectoryEntry(path))
    {
        PropertyValueCollection values = e.Properties[propertyName];
        return values.Count > 0 ? Convert.ToString(values[0]) : "";
    }
}

public void AddHttpsBinding(string binding, string nameStore, byte[] hash)
{
    DirectoryEntry entry = new DirectoryEntry("IIS://LOCALHOST/W3SVC/1");
    entry.Properties["SecureBindings"].Clear();
    entry.Properties["SecureBindings"].Add(binding);
    WriteBinaryArrayToDirectoryEntry(entry.Properties["SSLCertHash"], hash);

    entry.CommitChanges();

    // IIS 7 fills in SSLStoreName itself (and throws if we set it); IIS 6 does not,
    // and there the store name has to be written before the certificate hash.
    if (TryGetValue("IIS://LOCALHOST/W3SVC/1", "SSLStoreName") == "")
    {
        entry.Properties["SSLStoreName"].Clear();
        entry.Properties["SSLStoreName"].Add(nameStore);
        WriteBinaryArrayToDirectoryEntry(entry.Properties["SSLCertHash"], hash);
        entry.CommitChanges();
    }
}
The added block at the end is the fix: after the first commit, test whether SSLStoreName is empty, and if it is, set SSLStoreName and then SSLCertHash in that order. This tested successfully on both IIS 6 and IIS 7.

Then we ran into a second problem: the IIS 6 binding now succeeded, and the bound certificate could be seen in IIS Manager, but the site still could not be reached over HTTPS. We downloaded Microsoft's SSL Diagnostics tool and ran it; it reported that the bound IP address might not match the SSL IP address. So we opened IIS Manager, right-clicked the web site, went to Properties, Web Site tab, clicked Advanced, and in the "Multiple SSL identities for this Web site" list found that the IP Address column read 255.255.255.255, which is clearly wrong. After changing it manually to (All Unassigned), the problem went away.

Checking with Metabase Explorer showed what had been written into SecureBindings, and the problem is that little asterisk: IIS 6 does not support the wildcard, and an empty first (IP) part is what denotes (All Unassigned). IIS 7 supports both the empty form and the wildcard, and converts an empty IP to *:443: automatically. We changed the call line to:
AddHttpsBinding(":443:", "MY", hash);
and the problem was resolved.
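As an added example (not the original article's code), the following C# combines both lessons from the article into one version-aware routine: it normalizes the wildcard to the empty IP form on IIS 6, writes SSLStoreName before SSLCertHash only on IIS 6, looks the certificate up by thumbprint in LocalMachine\MY and refuses one without a private key, and re-reads the metabase after the commit to catch the 255.255.255.255 symptom rather than trusting the commit. Assumptions: the IIS 6 metabase (or IIS 7 with the IIS 6 Metabase Compatibility component) is reachable via the ADSI provider, the program runs with administrative rights, the IIS major version is read from the registry key HKLM\SOFTWARE\Microsoft\InetStp\MajorVersion, and the site path and thumbprint passed in are placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Win32;

// Added example, not the article's code. Binds an HTTPS certificate to an IIS 6/7
// site through the metabase and verifies the result.
public static class HttpsBinder
{
    // IIS major version from the registry (assumption: key written by IIS setup).
    public static int IisMajorVersion()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\InetStp"))
        {
            object v = (key == null) ? null : key.GetValue("MajorVersion");
            return (v is int) ? (int)v : 0;
        }
    }

    // SecureBindings is "ip:port:hostheader". IIS 6 has no wildcard: an empty ip
    // means (All Unassigned), and "*" ends up as 255.255.255.255.
    public static string NormalizeSecureBinding(string binding, int iisMajor)
    {
        string[] parts = binding.Split(':');
        if (parts.Length != 3)
            throw new ArgumentException("expected ip:port:hostheader", "binding");
        if (parts[0] == "*" && iisMajor < 7)
            parts[0] = "";
        return string.Join(":", parts);
    }

    // The binding "succeeds" even for a certificate without a private key, but the
    // TLS handshake then fails, so check it here before touching the metabase.
    public static X509Certificate2 FindServerCert(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("certificate not found in LocalMachine\\MY");
            if (!found[0].HasPrivateKey)
                throw new InvalidOperationException("certificate has no private key");
            return found[0];
        }
        finally { store.Close(); }
    }

    // Same encoding the article uses: one two-character hex string per hash byte.
    private static void WriteBinary(PropertyValueCollection prop, byte[] data)
    {
        object[] arr = new object[data.Length];
        for (int i = 0; i < data.Length; i++)
            arr[i] = String.Format("{0:x2}", data[i]);
        prop.Clear();
        prop.Add(arr);
    }

    private static string ReadFirst(DirectoryEntry e, string name)
    {
        PropertyValueCollection v = e.Properties[name];
        return (v.Count > 0) ? Convert.ToString(v[0]) : "";
    }

    public static void AddHttpsBinding(string sitePath, string binding, string thumbprint)
    {
        int major = IisMajorVersion();
        string secureBinding = NormalizeSecureBinding(binding, major);
        byte[] hash = FindServerCert(thumbprint).GetCertHash();

        using (DirectoryEntry site = new DirectoryEntry(sitePath))
        {
            site.Properties["SecureBindings"].Clear();
            site.Properties["SecureBindings"].Add(secureBinding);
            if (major < 7)
            {
                // IIS 6: SSLStoreName is required and must precede SSLCertHash.
                site.Properties["SSLStoreName"].Clear();
                site.Properties["SSLStoreName"].Add("MY");
            }
            // IIS 7 fills SSLStoreName in itself and throws 0x80070520 if we set it.
            WriteBinary(site.Properties["SSLCertHash"], hash);
            site.CommitChanges();
        }

        // Re-read what the metabase actually recorded.
        using (DirectoryEntry check = new DirectoryEntry(sitePath))
        {
            if (ReadFirst(check, "SecureBindings").StartsWith("255.255.255.255"))
                throw new InvalidOperationException("wildcard stored as 255.255.255.255; use ':443:' here");
            if (ReadFirst(check, "SSLStoreName") == "")
                throw new InvalidOperationException("SSLStoreName missing; HTTPS cannot locate the certificate");
        }
    }

    // Usage (placeholders): HttpsBinder.AddHttpsBinding("IIS://LOCALHOST/W3SVC/1", "*:443:", "<thumbprint>");
}
```

Detecting the IIS version up front, rather than committing and then testing whether SSLStoreName came back empty as the article does, avoids the extra round trip and the IIS 7 exception path entirely; the post-commit check is still kept because a committed binding that points at the wrong IP or no store is exactly the failure mode the article spent two rounds diagnosing.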

