Microsoft Server

Prerequisites

  • You must be a local admin user
  • You must have read and write permissions for the folder specified as the discovery path and the push location.
  • You must have access permissions to the drive, and the drive must be configured in sharing mode to allow discovery and push operations.
  • You must have read and write access to the trust store to discover and push certificates to the store.
  • If the Gateway type is selected as WMI, ensure that WMI is properly configured.
  • The iisreset.exe file is expected at the default location (C:\Windows\System32) to support the IIS service restart.
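The prerequisites above can be checked on the server before onboarding. The following pre-flight script is an added example and not AppViewX code; the folder paths, the WMI target host and the store names are assumptions to adjust for the server being onboarded. Run it in an elevated PowerShell session on that server.

```powershell
# Added pre-flight script for the prerequisites listed above. Example code, not
# AppViewX code: the folder paths and the WMI target host are assumptions.
using namespace System.Security.Cryptography.X509Certificates
using namespace System.Security.Principal

param(
    [string]$DiscoveryPath = 'C:\certs\discovery',              # assumed discovery path
    [string]$PushPath      = 'C:\certs\push',                   # assumed push location
    [string]$WmiHost       = $env:COMPUTERNAME,                 # host to test WMI (DCOM) against
    [string]$IisResetPath  = 'C:\Windows\System32\iisreset.exe' # default location expected
)

$results = [ordered]@{}

# 1. Local admin: the current token must hold the built-in Administrators role.
$principal = [WindowsPrincipal]::new([WindowsIdentity]::GetCurrent())
$results['LocalAdmin'] = $principal.IsInRole([WindowsBuiltInRole]::Administrator)

# 2. Read and write on the discovery path and the push location:
#    write a probe file, read it back and delete it again.
function Test-FolderReadWrite {
    param([string]$Folder)
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) { return $false }
    $probe = Join-Path -Path $Folder -ChildPath ('avx-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
        $null = Get-Content -LiteralPath $probe -ErrorAction Stop
        Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}
$results['DiscoveryPathRW'] = Test-FolderReadWrite -Folder $DiscoveryPath
$results['PushPathRW']      = Test-FolderReadWrite -Folder $PushPath

# 3. Trust store access: opening LocalMachine\Root with the ReadWrite flag throws
#    when the account can read but not write the store.
try {
    $store = [X509Store]::new([StoreName]::Root, [StoreLocation]::LocalMachine)
    $store.Open([OpenFlags]::ReadWrite)
    $results['TrustStoreRW'] = ($store.Certificates.Count -ge 0)
    $store.Close()
} catch {
    $results['TrustStoreRW'] = $false
}

# 4. WMI (needed only when Gateway type = WMI): a DCOM CIM session exercises the
#    classic WMI path rather than WinRM.
try {
    $option  = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $WmiHost -SessionOption $option -ErrorAction Stop
    $null = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
    Remove-CimSession -CimSession $session
    $results['WmiReachable'] = $true
} catch {
    $results['WmiReachable'] = $false
}

# 5. iisreset.exe at the default location, needed for the IIS service restart.
$results['IisResetPresent'] = Test-Path -LiteralPath $IisResetPath -PathType Leaf

# One line per check; every FAIL must be fixed before the server is onboarded.
foreach ($entry in $results.GetEnumerator()) {
    '{0,-18} {1}' -f $entry.Key, $(if ($entry.Value) { 'OK' } else { 'FAIL' })
}
```

The trust-store check deliberately opens the store with the ReadWrite flag instead of only listing it, because a listing succeeds for any authenticated user and would not reveal a missing write permission.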

Microsoft Server Discovery

The discovery process for Microsoft servers can leverage multiple sources as outlined:

  • File System Discovery: Requires at least one file path to be specified during device addition.
  • Microsoft Certificate Store Discovery: Automatically scans the server’s certificate store for available certificates.
  • Port Scan Discovery: Identifies certificates by scanning specified ports on the server.

The AppConnector is created dynamically based on the discovery method used.

Connector Behavior

  • For certificates discovered from the File System, a Push-only/Default Connector is created by default.
  • Profile Naming Convention:
    • deviceName
    • deviceName::StoreName
  • You can only push certificates to the Certificate store or Centralized File System.
  • If custom operations (such as validations, service-related activities, backups, etc.) are required before the push or after a successful push, configure and use the Pre-Script and Post-Script Execution options.
  • One or more Store profiles can be selected to push the certificate to the respective store.
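The three discovery sources listed above, and the deviceName::StoreName profile naming, reproduced as an added PowerShell example (not the AppViewX connector's own code): a file-system walk filtered to the keystore extensions this page lists, an enumeration of the LocalMachine certificate stores, and a TLS connection that reads the certificate a port presents. The paths, store names and endpoints at the bottom are assumptions.

```powershell
# Added example of what the three discovery sources look at. Example code, not
# the AppViewX connector; the paths, store names and endpoints are assumptions.
using namespace System.Security.Cryptography.X509Certificates

# File System Discovery: walk the path(s) and keep the keystore extensions the page lists.
function Get-FileSystemCertificateFiles {
    param(
        [string[]]$Paths,
        [string[]]$Extensions = @('.crt', '.cert', '.cer', '.pem', '.der', '.p7b', '.p7c', '.p12', '.pfx', '.jks')
    )
    foreach ($path in $Paths) {
        Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
            ForEach-Object {
                [pscustomobject]@{ Source = 'FileSystem'; Location = $_.FullName; Extension = $_.Extension }
            }
    }
}

# Certificate Store Discovery: enumerate LocalMachine stores; each store maps to one
# deviceName::StoreName profile.
function Get-CertificateStoreEntries {
    param([string[]]$Stores = @('My', 'WebHosting', 'CA', 'Root'), [string]$DeviceName = $env:COMPUTERNAME)
    foreach ($store in $Stores) {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Source     = 'CertStore'
                Profile    = "${DeviceName}::${store}"
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
    }
}

# Port Scan Discovery: open a TLS session and read the certificate the listener presents.
function Get-PortCertificate {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) { return $null }
        # The validation callback returns $true because the goal is to read the
        # certificate, not to trust it.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Source     = 'PortScan'
            Endpoint   = "${HostName}:${Port}"
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
        $ssl.Dispose()
    } finally {
        $client.Dispose()
    }
}

# Assumed inputs: replace with the paths, stores and ports configured for the device.
Get-FileSystemCertificateFiles -Paths 'C:\inetpub\certs' | Format-Table -AutoSize
Get-CertificateStoreEntries -Stores 'My', 'WebHosting' | Format-Table -AutoSize
Get-PortCertificate -HostName 'localhost' -Port 443 | Format-List
```

Running the same three functions against a server before and after onboarding gives a local baseline to compare with what appears in the inventory, which is the quickest way to spot a path, store or port the device configuration missed.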

Custom Certificate Order for Microsoft Server (PEM Format Push)

When pushing certificates in the PEM format to a Microsoft Server, the certificate chain order is controlled through metadata stored in the database.

  1. The default format is server:inter:root.
  2. If a non-standard certificate order is required, this can be enabled and defined via metadata:
    db.cert_metadata.update({_id:"CERT_VENDOR_BASED_CONDITIONS"},{"$set": {"map.server_microsoft_server_push_certificate_order" : "server:root:inter"}})
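A bundle that has been pushed (or is about to be) can be checked against the configured order. The following script is an added example, not AppViewX code: it classifies each certificate in a PEM bundle as server, inter or root (self-issued means root; a CA certificate that is not self-issued means inter; anything else means server) and reports the order as the same server:inter:root string the metadata uses. The three-certificate chain at the bottom is constructed input generated in memory; the script needs PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
# Added example, not AppViewX code: report the server/inter/root order of a PEM
# bundle so it can be compared with server_microsoft_server_push_certificate_order.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-PemChainOrder {
    param([Parameter(Mandatory)][string]$PemText)
    $pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    $blocks  = [regex]::Matches($PemText, $pattern, [Text.RegularExpressions.RegexOptions]::Singleline)
    $labels = foreach ($block in $blocks) {
        $der  = [Convert]::FromBase64String(($block.Groups[1].Value -replace '\s', ''))
        $cert = [X509Certificate2]::new($der)
        $isCa = $false
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [X509BasicConstraintsExtension]) { $isCa = $ext.CertificateAuthority }
        }
        if ($cert.Subject -eq $cert.Issuer) { 'root' }     # self-issued
        elseif ($isCa)                      { 'inter' }    # CA signed by another CA
        else                                { 'server' }   # end-entity certificate
    }
    return (@($labels) -join ':')
}

function Test-PemChainOrder {
    param([string]$PemText, [string]$Expected = 'server:inter:root')   # default order from the page
    return ((Get-PemChainOrder -PemText $PemText) -eq $Expected)
}

# --- Constructed demo chain (root CA -> issuing CA -> server), generated in memory ---
function New-DemoCertificate {
    param([string]$Subject, [bool]$IsCa, [X509Certificate2]$Issuer = $null)
    $key = [RSACng]::new(2048)
    $req = [CertificateRequest]::new($Subject, $key, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($IsCa, $false, 0, $true))
    $notBefore = [DateTimeOffset]::UtcNow.AddDays(-1)
    $notAfter  = $notBefore.AddYears(5)
    if ($null -eq $Issuer) { return $req.CreateSelfSigned($notBefore, $notAfter) }
    $serial = [byte[]](1..8 | ForEach-Object { Get-Random -Minimum 1 -Maximum 128 })
    return $req.Create($Issuer, $notBefore, $notAfter, $serial)
}

function ConvertTo-PemBlock {
    param([X509Certificate2]$Cert)
    $b64 = [Convert]::ToBase64String($Cert.RawData, [Base64FormattingOptions]::InsertLineBreaks)
    return "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n"
}

$root   = New-DemoCertificate -Subject 'CN=Demo Root CA'       -IsCa $true
$inter  = New-DemoCertificate -Subject 'CN=Demo Issuing CA'    -IsCa $true  -Issuer $root
$server = New-DemoCertificate -Subject 'CN=web01.example.test' -IsCa $false -Issuer $inter

$defaultBundle = (ConvertTo-PemBlock $server) + (ConvertTo-PemBlock $inter) + (ConvertTo-PemBlock $root)
$customBundle  = (ConvertTo-PemBlock $server) + (ConvertTo-PemBlock $root)  + (ConvertTo-PemBlock $inter)

Get-PemChainOrder -PemText $defaultBundle
Get-PemChainOrder -PemText $customBundle
Test-PemChainOrder -PemText $customBundle -Expected 'server:root:inter'
```

For a real bundle, pass the file contents: `Get-PemChainOrder -PemText (Get-Content -Raw C:\path\to\bundle.pem)`. The classification relies on the Basic Constraints extension, so a chain whose intermediate lacks it would be reported as a second server certificate; that is itself worth knowing before the file is pushed.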

Supported Certificate types for File System Push

  • JKS
  • Default JKS (creates the JKS file with default password changeit in the Catalina basepath)
  • PEM (*.pem, *.cer and *.crt)
  • DER (*.der and *.cer)
  • PKCS#12 (*.p12 and *.pfx)
  • PKCS#7 (*.p7b and *.p7c)

Onboarding Microsoft Server

  1. Go to (Menu) > CLM > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
    The Device details page is displayed.
  4. Select Microsoft Server logo from the Vendors list. The following screen is displayed.
  5. In the Server Details section, enter the details as described below.
    Table 1. Server Details - Fields Description Table
    Field Name Description
    Server Type Select Server Type as Microsoft Server.
    *Server name Enter the name of the designated Microsoft server.
    Data center Choose the desired data center.
    Onboarding Group Select the onboarding group to assign the device.
    Note: Devices without an assigned group are automatically mapped to the Default group during migration, onboarding, and when edited without existing group mappings.
    Communication mode Select the Gateway or SSM protocol to be used for communication between the AppViewX node and the Microsoft server. Gateway is the preferred communication mode.
    Host name Enter the hostname of the server to be onboarded.
    Note: If the Microsoft Server is configured for the integrated Windows Gateway mode, ensure that the hostname used is resolvable in the cloud connector. The usage of FQDN is preferred.
    Cert sync Choose any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, enter the details as follows.
    If Communication mode = Gateway the fields are as follows:
    Table 2. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List - xyz (All the configured external vaults.)
    • Gateway credentials
    Note: If Gateway credential is selected no other fields are displayed.
    *Username This field is displayed only if Credential Type = Manual entry.

    Enter the designated username for authentication.

    *Password This field is displayed only if Credential Type = Manual entry.

    Enter the secure password.

    *Credentials list When Credential list - xyz is selected as the credential type, the Credentials List dropdown appears. Select the desired preconfigured credential list from the available options.
    *: Mandatory fields
    If Communication mode = SSM the fields are as follows:
    Table 3. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List - cloudAccount
    • Gateway credentials
      Note: If Gateway credential is selected no other fields are displayed.
    • IAM ROLE ACCESS: An IAM role-based approach is used for authentication instead of direct access keys. Access is provided based on IAM roles.
      To enable this feature:
      1. Create a role in one of your AWS accounts that trusts the AppViewX AWS account OR the AWS account for an AppViewX node deployed in your organization's infrastructure that will be used as the trusted entity.
      2. From AppViewX, assume the role created in your account.
      3. Using the assumed role from the above step, assume the roles created in the respective child accounts to perform the required CLM actions.
      To do this, you can download the Cloud Formation template from the Device :: Cloud > Add AWS onboarding page, which can be used to create a role in your AWS account that trusts the AppViewX AWS account.
      For a SaaS deployment, the Trusted Node field is displayed that lets you select the node that must be trusted by AWS for communicating the temporary credentials.

      For an on-prem deployment or deployment in a non-AWS environment, a data center must be deployed on an EC2 instance to act as the trusted entity. The user must select this data center and enable strict routing so that all AWS access requests and related communications are routed through the selected AWS datacenter.

    *Access key Enter the access key used to log in to the EC2 instance of the AWS cloud machine.
    *Secret key Enter the secret key used to log in to the EC2 instance of the AWS cloud machine.
    *Account name If Credential list - cloudAccount is selected, the Account name dropdown field is displayed. Select any of the preconfigured cloud account values.
    Download Cloud Formation Template (CFT) For Credential type = IAM ROLE ACCESS, to download the CloudFormation template, click the Download Cloud Formation Template link that is displayed below the Credential Type dropdown list.
    The downloaded CloudFormation template is pre-configured with the AppViewX AWS account details that need to be trusted. Ensure that you:
    • Use the downloaded template to create a role in any of your AWS accounts.
    • Provide a unique string as the External ID for the role you are creating.
    To read more on CloudFormation templates, read the documentation here.
    *Trusted Node This field is displayed when Credential Type = IAM ROLE ACCESS. For retrieving temporary credentials for authentication and communication purposes, from the following options, select the node that must be trusted by AWS:
    • AppViewX Cloud DC: Select this option if the AppViewX cloud data center must act as the trusted entity. AWS access requests will then originate from the AppViewX-managed cloud environment.
    • Customer Selected Data Center: Select this option when a specific AppViewX node deployed within your organization's infrastructure must act as the trusted entity. AWS access requests will then originate from this location.
    *Master Account Role This field is displayed when Credential type = IAM ROLE ACCESS.

    Enter the Amazon Resource Name (ARN) of the AWS IAM role created using the downloaded CloudFormation Template.

    The IAM role input for this field can be:
    • a simple name (an alphanumeric string)
    • an identifier in a full path format (e.g., /service-prefix/role-name)

      AWS allows roles to be created within paths to help manage large numbers of roles and delegate permissions. With path support, users can onboard resources where the IAM Role is nested.

    *External Id This field is displayed when Credential type = IAM ROLE ACCESS.

    Enter the unique identifier generated to establish a secure trust relationship between AWS and AppViewX.

    *: Mandatory fields
  7. Enter the Windows gateway details.
    Note: This section is displayed only when Communication mode = Gateway.
    Table 4. Windows Gateway Details - Field Description Table
    Fields Description
    *Windows Gateway Mode For communicating with Windows-based devices, from the following options, select the gateway agent mode to be used:
    • External

      This mode will use the AppViewX Windows Gateway Agent that is set up on a Windows device.

    • Integrated

      This mode will use the prepackaged gateway that is integrated in the AppViewX Cloud Connector (enabled only in the SaaS and Managed Kubernetes installations).

      Prerequisites for using the Integrated Windows Gateway mode

      Note: The integrated gateway functionality is not compatible with the following feature:
      • Server addition using the import feature
    *Gateway type From the following options, select the required gateway type:
    • PowerShell
    • WMI
    Note: The integrated gateway uses only the PowerShell gateway command execution mode and therefore, this field is not displayed when Windows Gateway Mode = Integrated.
    *Gateway location From the following options, select the gateway location:
    • Remote
    Note: By default, the integrated gateway is remotely located, and therefore this field is not displayed when Windows Gateway Mode = Integrated.
    *Select gateway From the following options, select the gateway:
    • New
    • Existing
    *Windows gateway name For Windows Gateway Mode = External and Select gateway = New, enter a name for the Windows Gateway.

    For Windows Gateway Mode = Integrated, this field is auto-populated with the value integrated-gateway and is non-editable.

    *Windows gateway URL
    Note: This field is displayed only when Windows Gateway Mode = External.
    Enter the URL of the Windows Gateway endpoint.
    Client authentication certificate
    Note: This field is displayed only when Windows Gateway Mode = External and Select gateway = New.
    Upload the client certificate used while installing Windows Gateway. You can use the default client certificate (ClientCertificateGateway.pfx) or a custom certificate.
    *Windows gateway
    Note: This field is displayed only when Select gateway = Existing.
    From the dropdown list, select an existing Windows gateway.
    *: Mandatory fields
  8. In the Vendor Specific Details section, select/enter the details as follows.
    If Communication mode = Gateway the fields are as follows:
    Table 5. Vendor Specific Details - Field Description Table
    Fields Description
    *Services Select one or more of the checkboxes MS Server, Exchange Server and Windows Gateway. The default value is MS Server.
    Note:
    • Selecting all of the services will discover the certificates from MS Server, Exchange Server, and Windows Gateway.
    • If no services are selected, the service implementation will default to MSServer and CSR generation will be disabled.
    • The Exchange Server option is not supported for Windows Gateway Mode = Integrated and SSM.
    • Windows Gateway service can be used to enable the CLM support for the Windows GW certificate.
    *Location Type Select the location type to discover certificates.
    • File system
    • Certificate store
    • Port scan

    By default, all the location types are selected, as configured in the global device settings page.

    At least one location type is mandatory to proceed with the save operation.

    *Keystore Formats Select the keystore formats to be discovered from the device. The following cert types are available for selection:
    • PEM (*.crt, *.cert, *.cer, *.pem)
    • DER (*.der)
    • PKCS7 (*.p7b, *.p7c)
    • PKCS12 (*.p12, *.pfx)
    • JKS (*.jks)

    By default, all the keystore formats are selected, as configured in the global device settings page.

    At least one keystore format is mandatory to proceed with the save operation.

    *: Mandatory fields
    If Communication mode = SSM the fields are as follows:
    Table 6. Vendor Specific Details - Field Description Table
    Fields Description
    *Services For SSM, the default service enabled is MS Server. (Exchange Server is not supported in the cloud.)
    *Location Type Select the location type to discover certificates.
    • File system
    • Certificate store
    • Port scan

    By default, all the location types are selected, as configured in the global device settings page.

    At least one location type is mandatory to proceed with the save operation.

    *Region Enter the geographic region of the AWS instance.

    Example: us-east-2

    *Instance Id Enter the unique identifier of the EC2 instance in AWS. It is required to perform actions or execute commands on that specific EC2 instance.

    Example: i-02573cafcftext

    Note: Click the (Settings) icon next to the field to configure the ARN Advanced Settings.
    *S3 bucket name Enter the S3 bucket name used to store command output or logs executed in the EC2 instance.

    Example: avxdiscoverydocument-c2

    Note: Click the (Settings) icon next to the field to configure the S3 Advanced Settings.
    Proxy Required Select the checkbox to enable the secure proxy service.
    *Keystore Formats Select the keystore formats to be discovered from the device. The following cert types are available for selection:
    • PEM (*.crt, *.cert, *.cer, *.pem)
    • DER (*.der)
    • PKCS7 (*.p7b, *.p7c)
    • PKCS12 (*.p12, *.pfx)
    • JKS (*.jks)

    By default, all the keystore formats are selected, as configured in the global device settings page.

    At least one keystore format is mandatory to proceed with the save operation.

    *: Mandatory fields
  9. In the Certificate details section, select/enter the details as follows.
    Note: The Certificate details section will not be displayed if Communication mode = Gateway and Services = Exchange Server (in the Vendor specific details)
    Table 7. Certificate Details - Field Description Table
    Fields Description
    *Keystore Credential Type Select the type of credential from the dropdown list.
    • Manual entry
    • Credential List - Delinea
    Note: If Credential list - Delinea is selected, the *Keystore Credential Name dropdown field is displayed. Select any of the preconfigured credential values.
    Certificate location Enter the directory/path where the application is installed.

    Example: C:\Microsoft\ADFS\

    Certificate Password Enter the certificate password. This field is displayed only for Keystore Credential Type = Manual entry.
    *: Mandatory fields
  10. Click Add.
    Once the server is added successfully, the path will be listed in the table.
  11. (optional step) Click the (Delete) icon, if you want to delete the server path from the list.
  12. Click Save
    The device is onboarded successfully.

Import/Export

The system now supports Location Type and Keystore Formats for Microsoft Server in Batch Import/Export operations and sample templates. The sample import files (XLSX and CSV) include the following additional columns:
  • Location Type - Supported values:
    • File System Scan
    • Certificate Store Scan
    • Port Scan
  • Discover Format (Keystore Formats) - Supported values:
    Note: The system already supports the Discover Format field for Linux servers. To maintain consistency across CSV files, it uses the Discover Format field instead of the Keystore Format field in batch import/export for Microsoft Server.
    • PEM-.crt
    • PEM-.cer
    • PEM-.pem
    • PEM-.cert
    • DER-.der
    • PKCS7-.p7b
    • PKCS7-.p7c
    • PKCS12-.p12
    • PKCS12-.pfx
    • JKS-.jks
Functionality for Import (XLSX and CSV)
  • Separate multiple values in the Location Type and Discover Format columns with a comma (,). No other delimiter is supported.
  • Because the system splits only on commas, a segment that joins values with another delimiter (such as ;) is not a supported value and is ignored, even if its parts would be valid on their own. For example, in A;B,C only C is processed, and in A,B;C only A is processed.
  • The system ignores invalid or duplicate values in both columns.
  • If users leave both columns blank, the system applies the global device settings.
  • The system supports backward compatibility. If the import file does not include these columns (as in older versions), the system still completes the upload successfully and applies the global device settings.
Functionality for Export:
  • The system includes the Location Type and Discover Format columns in all export types:
    • All Columns
    • Displayed Columns
    • Columns to modify data and import
  • The system exports the values configured in the UI.
  • If users modify exported data and re-import it, the system applies the same validation and processing rules defined for import.
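The import rules above are easy to get wrong in a spreadsheet, and a dropped segment is silent. The following validator is an added example, not AppViewX's importer: it applies the rules as the page states them (a comma is the only delimiter, a segment that is not an exact supported value is ignored, duplicates are ignored, a blank cell means the global device settings apply) to a template before upload and flags every cell where something would be lost. The three CSV rows at the bottom are constructed input; whether value matching is case-sensitive is not stated above, so the script compares case-insensitively and the safe choice is to copy the supported values exactly.

```powershell
# Added pre-flight check for the Location Type and Discover Format columns of a
# Microsoft Server import file. Example code, not AppViewX's importer; the CSV
# rows at the bottom are constructed.
$SupportedLocationTypes   = @('File System Scan', 'Certificate Store Scan', 'Port Scan')
$SupportedDiscoverFormats = @(
    'PEM-.crt', 'PEM-.cer', 'PEM-.pem', 'PEM-.cert', 'DER-.der',
    'PKCS7-.p7b', 'PKCS7-.p7c', 'PKCS12-.p12', 'PKCS12-.pfx', 'JKS-.jks'
)

function Resolve-ImportCell {
    param([string]$Cell, [string[]]$Supported)
    $text = if ($null -eq $Cell) { '' } else { $Cell.Trim() }
    if ($text -eq '') {
        return [pscustomobject]@{ Accepted = @(); Dropped = @(); GlobalDefaults = $true }
    }
    $accepted = [System.Collections.Generic.List[string]]::new()
    $dropped  = [System.Collections.Generic.List[string]]::new()
    foreach ($segment in ($text -split ',')) {          # comma is the only delimiter
        $value = $segment.Trim()
        if ($Supported -contains $value) {
            if (-not $accepted.Contains($value)) { $accepted.Add($value) }   # duplicate ignored
        } else {
            $dropped.Add($value)   # e.g. 'A;B' is one segment and not a supported value
        }
    }
    return [pscustomobject]@{ Accepted = $accepted.ToArray(); Dropped = $dropped.ToArray(); GlobalDefaults = $false }
}

function Test-ImportRows {
    param([object[]]$Rows)
    $columns = @(
        @{ Name = 'Location Type';   Supported = $SupportedLocationTypes },
        @{ Name = 'Discover Format'; Supported = $SupportedDiscoverFormats }
    )
    foreach ($row in $Rows) {
        foreach ($column in $columns) {
            $r = Resolve-ImportCell -Cell $row.($column.Name) -Supported $column.Supported
            if ($r.GlobalDefaults)          { $note = 'blank: global device settings apply' }
            elseif ($r.Accepted.Count -eq 0) { $note = 'WARNING: no value survives' }
            elseif ($r.Dropped.Count -gt 0)  { $note = 'WARNING: segments ignored (check the delimiter)' }
            else                             { $note = 'ok' }
            [pscustomobject]@{
                Server   = $row.'Server name'
                Column   = $column.Name
                Accepted = ($r.Accepted -join ' | ')
                Dropped  = ($r.Dropped -join ' | ')
                Note     = $note
            }
        }
    }
}

# Constructed rows: web02 uses ';' where a comma is required, so only 'Port Scan'
# survives its Location Type cell and nothing survives its Discover Format cell.
$sampleCsv = @'
Server name,Location Type,Discover Format
web01,"File System Scan,Certificate Store Scan","PEM-.pem,PKCS12-.pfx,PKCS12-.pfx"
web02,"File System Scan;Certificate Store Scan,Port Scan","PEM-.pem;DER-.der"
web03,,
'@
Test-ImportRows -Rows ($sampleCsv | ConvertFrom-Csv) | Format-Table -AutoSize -Wrap
```

To check a real template, replace the here-string with `Import-Csv -Path .\servers.csv` (or export the XLSX to CSV first) and fix every row that carries a WARNING before uploading.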

Onboarding ADFS Server

Prerequisites:
  • The user onboarding the device must have access to the private key.
  • The user should also be a Local Admin on the ADFS server.
The ADFS server can be onboarded into the AppViewX inventory as follows.
  1. Go to (Menu) > CLM > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
    The Device details page is displayed.
  4. Select Microsoft Server logo from the Vendors list. The following screen is displayed.
  5. In the Server Details section, select/enter the details below.
    Table 8. Server Details - Fields Description Table
    Field Name Description
    Server Type Select Server Type as ADFS Server.
    *Server name Enter the name of the designated Microsoft ADFS server.
    Data center Choose the desired data center.
    Onboarding Group Select the onboarding group to assign the device.
    Note: Devices without an assigned group are automatically mapped to the Default group during migration, onboarding, and when edited without existing group mappings.
    Communication mode The Gateway is the default selected protocol to be used for communication between the AppViewX node and the Microsoft server.

    SSM is disabled by default.

    Host name Enter the hostname
    Cert sync Choose any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, select/enter the details as follows.
    Table 9. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List - xyz (All the configured external vaults.)
    • Gateway credentials
    Note: If Gateway credential is selected no other fields are displayed.
    *Username This field is displayed only if Credential Type = Manual entry.

    Enter the designated username for authentication.

    *Password This field is displayed only if Credential Type = Manual entry.

    Enter the secure password.

    *Credentials list When Credential list - xyz is selected as the credential type, the Credentials List dropdown appears. Select the desired preconfigured credential list from the available options.
    *: Mandatory fields
  7. In the Windows gateway details section, select/enter the details as follows.
    Table 10. Windows Gateway Details - Field Description Table
    Field Name Description
    *Gateway type PowerShell is the only option enabled and selected by default as the gateway communication mode.

    The WMI option has been disabled currently.

    *Gateway location The value Remote is selected by default.
    *Select gateway Select the New or Existing gateway to be used. The below fields are enabled/disabled according to the selection.
    *Windows gateway name Enter the new gateway name. (Enabled when New is selected as gateway)
    *Windows gateway URL Enter the URL for the new gateway. (Enabled when New is selected as gateway)
    Client authentication certificate Click Browse and upload the client authentication certificate for the new gateway. (Enabled when New is selected as gateway)
    *Windows gateway Select any of the existing configured gateways from the dropdown list. (Enabled when Existing is selected as gateway)
    *: Mandatory fields
  8. Click Save
    The device is onboarded successfully with the Status as Managed.
    Once available in the device inventory, clicking the Status for the onboarded device displays the device logs as follows:
    • Device communication Success/Failure
    • ADFS Configuration & Service Validation Success/Failure
    • Certificate Discovery From Device Success/Failure
      Note:
      • The certificate discovery process occurs only after the ADFS configuration and service validation complete successfully.
      • If the device is onboarded with certificate synchronization set to Ignored, a profile is created; however, certificate discovery does not occur.
The ADFS Server device can also be onboarded by the import functionality using the standard .xlsx and .csv templates available.
Note:
  • The WMI option has been removed from the import files.
  • Support for the "Gateway credential" authentication type is enabled through import.

To onboard the ADFS server into the AppViewX inventory using the import functionality:

  1. Go to (Menu) > CLM > ADMINISTRATION > Device Management.
  2. Click the Server tab.
  3. Click the Import button. The Import details page is displayed.
  4. Click on the CSV or XLSX icons in the Uploader Info section. The sample templates are downloaded and saved at the default file location.
  5. Open the CSV or XLSX templates, enter the relevant information for onboarding the ADFS server, and save the file.
    Note: Ensure all the mandatory and relevant fields are entered in the .csv or .xlsx template.
  6. Click the upload icon in the Import section, and select the .csv or .xlsx file from the file dialog box. The status of the uploaded file is displayed in the File Histories section.

Certificate Discovery in ADFS Server

ADFS Server discovery retrieves certificates of the following types:
  • Encryption
  • Signature
  • Token-Decrypting
  • Token-Signing
  • Service-Communication
  • AdfsSslCertificate
Note the following while performing OnDemand and Scheduled discovery:
  • Enable the Associated Object and Discovered File Name columns in the Discovery dashboard to view certificate-related information, such as the machine where the certificate was discovered and the category to which it is bound and also other association details.
    • Associated Object column displays details about the certificate association within ADFS. For RPT (Relying Party Trust), this column also lists the RPT identifier names as comma-separated values.
    • Discovered File Name column shows the certificate Friendly Name from the My Store.
Additional Discovery Behaviour:
  • For RPT (Relying Party Trust) entries that contain multiple signature certificates, the discovery process retrieves all signature certificates.
  • For Token-decrypting and Token-signing configurations that include one primary certificate and multiple secondary certificates, the discovery process retrieves both the primary and all secondary certificates.
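The discovery behaviour described above can be cross-checked on the ADFS server itself with the ADFS PowerShell module. The following script is an added example, not AppViewX code: it lists the Token-Signing, Token-Decrypting and Service-Communications certificates (the primary and every secondary), the AdfsSslCertificate binding, and every request-signing and encryption certificate of each Relying Party Trust, together with the Friendly Name from the LocalMachine\My store that the Discovered File Name column shows. Run it on the ADFS server as a local admin. The property names used (CertificateType, IsPrimary, RequestSigningCertificate, EncryptionCertificate, Identifier, CertificateHash) are those of the ADFS cmdlets; the output columns are this script's own.

```powershell
# Added example, not AppViewX code: reproduce on the ADFS server what certificate
# discovery collects, for comparison with the Discovery dashboard.
Import-Module ADFS -ErrorAction Stop

# Friendly Name lookup in LocalMachine\My (what the Discovered File Name column shows).
$friendlyNames = @{}
foreach ($entry in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $friendlyNames[$entry.Thumbprint] = $entry.FriendlyName
}

function New-DiscoveryRow {
    param(
        [string]$Type,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$AssociatedObject,
        [bool]$IsPrimary = $true
    )
    [pscustomobject]@{
        Type             = $Type
        IsPrimary        = $IsPrimary
        Subject          = $Cert.Subject
        Thumbprint       = $Cert.Thumbprint
        NotAfter         = $Cert.NotAfter
        AssociatedObject = $AssociatedObject
        FriendlyName     = $friendlyNames[$Cert.Thumbprint]
    }
}

$rows = [System.Collections.Generic.List[object]]::new()

# Token-Signing, Token-Decrypting and Service-Communications: the primary and every secondary.
foreach ($svcCert in Get-AdfsCertificate) {
    $rows.Add((New-DiscoveryRow -Type $svcCert.CertificateType -Cert $svcCert.Certificate `
               -AssociatedObject 'ADFS service' -IsPrimary $svcCert.IsPrimary))
}

# AdfsSslCertificate: the HTTPS binding, resolved by hash in LocalMachine\My.
foreach ($binding in Get-AdfsSslCertificate) {
    $cert = Get-Item -Path ("Cert:\LocalMachine\My\{0}" -f $binding.CertificateHash) -ErrorAction SilentlyContinue
    if ($cert) {
        $rows.Add((New-DiscoveryRow -Type 'AdfsSslCertificate' -Cert $cert `
                   -AssociatedObject ('{0}:{1}' -f $binding.HostName, $binding.PortNumber)))
    }
}

# Relying Party Trusts: every request-signing certificate (there can be several)
# and the encryption certificate, tagged with the RPT identifiers.
foreach ($rpt in Get-AdfsRelyingPartyTrust) {
    $assoc = 'RPT ' + ($rpt.Identifier -join ', ')
    foreach ($sig in @($rpt.RequestSigningCertificate)) {
        if ($sig) { $rows.Add((New-DiscoveryRow -Type 'Signature' -Cert $sig -AssociatedObject $assoc)) }
    }
    if ($rpt.EncryptionCertificate) {
        $rows.Add((New-DiscoveryRow -Type 'Encryption' -Cert $rpt.EncryptionCertificate -AssociatedObject $assoc))
    }
}

$rows | Sort-Object -Property Type, @{ Expression = 'IsPrimary'; Descending = $true } | Format-Table -AutoSize
```

A certificate that appears here but not in the inventory usually points at the ADFS Configuration & Service Validation step having failed (discovery does not run until it succeeds) or at the device having been onboarded with Cert sync set to Ignored.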

Validating the Device

After the device is onboarded successfully, follow the steps to validate the device communication with AppViewX:
  1. Go to ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
    The Server Inventory page is displayed.
  3. Check that the device name appears in the inventory (Name column) with the specified CertSync status (Status Column).
    The status column will have the value Managed/Monitored/Ignored based on the CertSync status if the connection is successful or displays Failed/Unresolved in case of failure.
  4. From the Status column, click the Managed/Monitored.
    Device Status Log pop-up is displayed.
  5. Expand each value in the pop-up to know the Device communication, Device Version, Instance Information, and Certificate Discovery From Device.

What's Next

Once you have onboarded and validated the device connection, you are ready to proceed with any of the following certificate actions: