Configure the DNS Web Client

Configure the DNS Web Client

To enable communications between the DNS Provider and the DNS Provider client components, you must configure the DNS Web client on the DNS server to use Secure Sockets Layer (SSL) and basic authentication. You also must configure the default domain with a value of "\".

After you have enabled communications between the DNS Provider and the DNS Provider client, if you do not want to use the default settings, you can configure the protocol and error tracing settings.

Tasks

• Import the Certificate into Internet Information Services (IIS)
• Configure the DNS Web Client
• (Optional) Configure Settings for DNS Provider Components

Import the Certificate into IIS

First, import the DNS Web client certificate into Internet Information Services (IIS).

Procedure DWSPV.54: To import the certificate into Internet Information Services for DNS01

1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Expand the local server name, expand Web Sites, and then right-click Default Web Site.
3. Click Properties, and then click Directory Security.
4. Click Server Certificates. The Web Server Certificate Wizard will open.
5. On the Welcome to the Web Server Certificate Wizard page, click Next.
6. On the Server Certificate page, choose Assign an existing certificate, and then click Next.
7. On the Available Certificates page, click the certificate that is listed in the Select a certificate selection, and then click Next.
8. On the SSL Port page, accept the default of port 443, and then click Next.
9. On the Certificate Summary page, verify the proper settings, and then click Next.
10. Click Finish to close the Web Server Certificate Wizard.
11. Click OK to close the Default Web Site Properties dialog box. Do not close the Internet Information Services (IIS) Manager as you will need it for the next procedure.

Configure the DNS Web Client

Next, configure the DNS Web client.

Procedure DWSPV.55: To configure the DNS Web client

1. Right-click DNSProvider, click Properties, and then click Directory Security.

2. In Authentication and Access Control, click Edit to open the Authentication Methods dialog box.

3. Clear all check boxes except for the Basic Authentication check box.

4. In the Authentication Methods dialog box, clear Default Domain and replace it with the string value "\". Click OK to save the changes.

5. In Secure Communications, click the Edit button to open the Secure Communications dialog box.

   Note

   The Secure Communications button is enabled only if a certificate is available. You can get a certificate from a public certificate server, or you can install Certificate Server from Microsoft Windows Server 2003.

6. Select Require Secure channel (SSL), and then click OK to save changes.

7. In the DNSProvider Properties dialog box, click OK to save configuration changes for the DNS Provider Web client.

8. Close Internet Information Services (IIS) Manager.

9. The following additional security configuration is recommended for all DNS servers that host the DNS Web client:

   • IIS Listening Configuration - IIS should only listen to the internal network. By default, IIS listens to all available connections. By restricting the Web site that the DNS Web client listens to, you can reduce the surface area against which an attack can be placed.
   • IIS Connection Configuration - IIS should only accept connections from the range of IP addresses that belong to the Provisioning Engine. This ensures that only the assigned IP addresses will be handled by IIS. This also reduces the number of computers that can actually make a request to the target IIS site/virtual directory.

(Optional) Configure Settings for DNS Provider Components

This section describes how you can configure the protocol and error tracing settings for the DNS Provider and the DNS Provider client. By default, the DNS Provider is configured to use HTTPS and Port 443. You do not need to make changes if you are using the default settings.

First, you should check the configuration of the Web.config file on the DNS01 server in the DNSProvider virtual directory, to ensure that it contains the following entries:

<pre IsFakePre="true" xmlns="https://www.w3.org/1999/xhtml">&lt;identity impersonate="true"/&gt; &lt;authentication mode="Windows"/&gt; &lt;wellknown mode="SingleCall" type="Microsoft.Provisioning.Providers.DnsManagement, DnsManagement" objectUri="Dns.rem"/&gt; </pre>

You can make changes to the protocol and error tracing settings in the following ways:

• Protocol Settings

  You can change protocol settings for the DNS Provider components within the Dnsprovider.dll.config file. This file exists on the Microsoft Provisioning System (MPS) server in the installation folder of the Dnsprovider.dll and contains provider configuration key values that you can modify as follows:

  • RemotingProtocol - This key determines the protocol used. The default value is https, as shown; however, you should change the value to http if you are not using Secure Sockets Layer (SSL):<pre IsFakePre="true" xmlns="https://www.w3.org/1999/xhtml">&lt;add key="remotingProtocol" value="https"/&gt;</pre>
  • RemotingPort - This key determines the port the DNS Provider uses to connect to the DNS Provider client. The default value is port 443; however, you might need to change it to port 80 if you are not using SSL:<pre IsFakePre="true" xmlns="https://www.w3.org/1999/xhtml">&lt;add key="remotingPort" value="443"/&gt;</pre>
  • RemotingURI - This key defines a value that points to the remoting endpoint. The value should be DnsProvider/Dns.rem, unless you make changes to the default in code:<pre IsFakePre="true" xmlns="https://www.w3.org/1999/xhtml">&lt;add key="remotingUri" value="DnsProvider/Dns.rem"/&gt;</pre>

• Error Tracing Settings

  • EnableTrace - This key enables you to turn error tracing on and off. The default value is false for disabling error tracing. If you want to turn on error tracing, you must explicitly enable it by specifying the value true, as shown below:<pre IsFakePre="true" xmlns="https://www.w3.org/1999/xhtml">&lt;add key="enabletrace" value="true"/&gt;</pre>

  • TraceFile - This key determines the file location where errors are logged. You can specify the directory path and log file name, as indicated:<pre IsFakePre="true" xmlns="https://www.w3.org/1999/xhtml">&lt;add key="tracefile" value="C:\DnsProvider1.log"/&gt;</pre>

    If you specify an invalid directory location, no tracing will be generated, although operations will continue.

    Also, the account under which the provider is currently running must have permission to write to the indicated directory; by default this is the MPFServiceAcct. If your account doesn't have permissions to write to the log file directory, add MPFServiceAcct to the DNSAdmins group.

    Procedure DWSPV.56: To add the MPFServiceAcct to the DNSAdmins group

    1. Log on to AD01 as a member of Domain Administrators.
    2. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
    3. Under the domain node in the console tree, click the Users folder, right-click DNSAdmins, click Properties, and then click the Members tab.
    4. Click Add.
    5. In the Enter the object names to select box, type MPFServiceAcct.
    6. Click Check Names to ensure that the name resolves correctly.
    7. On the Multiple Names Found screen, select MPFServiceAcct, and then click OK.
    8. Click OK, and then click OK again.
    9. Close the Active Directory Users and Computers management console.

    Note

    Event logging will not occur if the user credentials used by a DNS Provider request do not have write permissions to the log file directory. When a request is executed without impersonation, the request is executed using the MPFServiceAcct credentials; therefore, you must grant the MPFServiceAccts group write permissions to the log file directory. Or if impersonation is used, ensure that the impersonated user has write permissions to the log file directory.