4
votes

I've successfully set up a file share (via a storage account) in Azure... and then on a VM in that subscription I've successfully mounted a drive to the file share (M drive in the example below). This works fine. Next I upload a certificate to the Azure file share. The cert is clearly available in the VM via Windows Explorer. I then attempt to set up IIS Centralized Certificates to read the certificate from the M drive I have mounted. IIS isn't happy about this.

Again, I can access the mounted drive from my VM with no problem...but when setting up the Central Certificates Location, IIS will not allow use of this mounted drive. IIS requires a username and password for the share and will not accept either a local user or the user/key credentials of the file store (although neither should be necessary as the share connection itself contains the connection user and key). It looks as if this feature of IIS is incompatible with Azure file share. Is there a way to make this work?



1 Answer

1
votes

There is a way!

You need to set up a local machine account with the username/password of the storage account (name/key), which you will use as the Username/Password in the config. You need to provide the Path as the UNC path to the file share.

However, this won't work as the GUI does not accept the path, so you can do it via PowerShell, by setting the path to a local path, and then changing it in the registry:

param
(
    # Name of the Azure storage account; also the name of the local machine account
    [Parameter(Mandatory = $true)]
    [string] $StorageAccountName,

    # Storage account key, used as the local account's password
    [Parameter(Mandatory = $true)]
    [string] $StorageAccountPassword,

    [Parameter(Mandatory = $true)]
    [string] $FileShareName,

    # Password protecting the private keys in the .pfx files on the share
    [Parameter(Mandatory = $true)]
    [string] $CertificatePrivateKeyPassword
)

# Assumes the local account $StorageAccountName (password = storage key) already exists, as described above.
# Temporarily make it a local administrator so the provider accepts the credentials.
net localgroup Administrators $StorageAccountName /add

# Enable CCS against a local placeholder path; the GUI/cmdlet rejects the UNC path for the share.
Enable-WebCentralCertProvider -CertStoreLocation "C:\Windows\Temp" -UserName $StorageAccountName -Password $StorageAccountPassword -PrivateKeyPassword $CertificatePrivateKeyPassword

# Overwrite the placeholder with the real UNC path of the Azure file share directly in the registry.
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\IIS\CentralCertProvider -Name CertStoreLocation -Value "\\$StorageAccountName.file.core.windows.net\$FileShareName"

# Remove the temporary administrator membership again.
net localgroup Administrators $StorageAccountName /delete

This will allow the feature to work, but you will find that only the first VM/Server to load/access a certificate from the store will be able to use it; the other machines will not be able to serve the HTTPS content due to a connection reset.

Microsoft have not been able to explain why.
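A check script that goes with the answer above, as an added example rather than code from the original post: it verifies, independently of IIS, that the local account the answer relies on exists, that the share is reachable with the storage credential itself (so a failure in IIS can be separated from a failure of the share), and that the registry value IIS reads back matches the UNC path of the share. It assumes the `AZURE\` user prefix that Azure Files accepts for SMB authentication, the `Enabled` and `UserName` values under the same `CentralCertProvider` registry key the answer writes to, and that certificates on the share are stored as `.pfx` files; the `Microsoft.PowerShell.LocalAccounts` cmdlets need Windows Server 2016 or later.

```powershell
param
(
    [Parameter(Mandatory = $true)]
    [string] $StorageAccountName,

    # Storage account key; treat as a full-access secret and pass it via a secured variable
    [Parameter(Mandatory = $true)]
    [string] $StorageAccountKey,

    [Parameter(Mandatory = $true)]
    [string] $FileShareName
)

$uncPath = "\\$StorageAccountName.file.core.windows.net\$FileShareName"

# 1. The answer's approach relies on a local account named after the storage account.
$localUser = Get-LocalUser -Name $StorageAccountName -ErrorAction SilentlyContinue
$accountExists = [bool] $localUser
if (-not $accountExists) {
    Write-Warning "Local account '$StorageAccountName' does not exist; create it with the storage key as its password."
}

# 2. Reach the share with the storage credential directly, outside IIS.
#    'AZURE\' is the conventional user prefix for Azure Files SMB authentication (assumption).
$secureKey = ConvertTo-SecureString -String $StorageAccountKey -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ("AZURE\$StorageAccountName", $secureKey)
$pfxCount = -1
try {
    New-PSDrive -Name CcsCheck -PSProvider FileSystem -Root $uncPath -Credential $credential -ErrorAction Stop | Out-Null
    $pfxCount = @(Get-ChildItem -Path 'CcsCheck:\' -Filter '*.pfx' -File).Count
}
catch {
    Write-Warning "Could not open '$uncPath' with the storage credential: $($_.Exception.Message)"
}
finally {
    if (Get-PSDrive -Name CcsCheck -ErrorAction SilentlyContinue) { Remove-PSDrive -Name CcsCheck }
}

# 3. Read back what IIS will actually use; the path must be the UNC path written by the answer's script.
$regKey = 'HKLM:\SOFTWARE\Microsoft\IIS\CentralCertProvider'
$ccs = Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue

[pscustomobject]@{
    LocalAccountExists = $accountExists
    ShareReachable     = ($pfxCount -ge 0)
    PfxFilesOnShare    = $pfxCount
    CcsEnabled         = [bool] $ccs.Enabled
    CcsUserName        = $ccs.UserName
    CcsStorePath       = $ccs.CertStoreLocation
    PathMatchesShare   = ($ccs.CertStoreLocation -eq $uncPath)
}
```

Run it on each web server after applying the answer's script; `PathMatchesShare` being false means the registry edit did not take, while `ShareReachable` false with `LocalAccountExists` true points at the share credential or network rather than at IIS. The `.pfx` count is reported so a server that fails with a connection reset (the multi-server symptom the answer describes) can be compared against one that serves HTTPS correctly.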