How to: Install the IIS 6.0 Compatibility Components on Windows Server 2008 R2


The IIS 6.0 Management Compatibility Components are required to allow Venafi Encryption Director to interact with IIS 7 on Windows Server 2008 R2:

More Information:

1. Click Start, click Administrative Tools and then Server Manager.
2. In the left navigation pane, expand Roles, and then right-click Web Server (IIS) and select Add Role Services.
3. On the Select Role Services pane, scroll down to IIS 6 Management Compatibility.
4. Select the check boxes for IIS 6 Metabase Compatibility and IIS 6 Management Console.
5. Click Next from the Select Role Services pane, and then click Install at the Confirm Installations Selections pane.
6. Click Close to leave the Add Role Services wizard.


Frequently asked questions:

1: Why do we need the Compatibility components?
Management of certificates and private keys on IIS7 requires that it be configured in IIS6 Compatibility Mode. Director requires this to be turned on in order to continue to use of the IIS6 APIs. IIS6 features an interface called CertObj that enables remote, secure remote certificate and private key management on that platform. Venafi has worked with Microsoft to investigate other alternatives for securely managing certificates & keys remotely on IIS7, but the current solution is to use IIS6 Compatibility Mode.
2: What precise APIs are we using in II6?
We are using the IISCertobj Interface. A detailed description of this interface can be found here: http://technet.microsoft.com/en-us/library/cc757595(v=ws.10).aspx
3: Could we use the Microsoft Web Administration API (WMA)?

No. While you can control just about any setting via this API, there is no method within that API to get the certificate to the target machine. In order to use that API, the certificate already needs to be in the CAPI store and you tell the API to use the certificate by providing the certificate hash.


Post is closed for comments.