>_ REMOTEMETHOD v1.4.0
build:c4f8a91 · runtime:iis_10+ · tls:1.3 · [READY]

# >SECURE WINDOWS AUTOMATION, over an API.

RemoteMethod is a listener web application running on IIS that turns the messy world of Remote PowerShell sessions into clean, idempotent HTTPS endpoints. Your orchestration tools — vRO, Ansible, Terraform, Jenkins — call the same API. Active Directory and Windows obey.

PROTOCOL HTTPS · REST
PRIVILEGE APP_POOL_ACCT
AUDIT EVERY_TXN
STATUS // AVAILABLE
> ACTIVE_DIRECTORY > IIS_10+ > APP_POOL_IDENTITY > KERBEROS > VMWARE_VRO > ANSIBLE > TERRAFORM > JENKINS > POWERSHELL_7 > WINDOWS_SERVER
// 01

THE PROBLEM WITH PS-REMOTING

$ diff traditional remotemethod
DIAGRAM_01 Traditional vs RemoteMethod handle: diff/01v1.4.0
LEGACY

PS-Remoting / Manual Scripts

stateful · brittle · privileged

[Diagram, legacy panel: ORCHESTRATION_TOOL (vRO / Jenkins / etc.) and CRED_STORE (domain admin keys) → WinRM SESSION (5985/5986; stateful · per-host · firewall pain) → PS_SCRIPT_v3.ps1 (copy-paste, drift) and PS_SCRIPT_v7.ps1 (team B fork) → AD / WINDOWS HOSTS; audit trail: ¯\_(ツ)_/¯]
  • Stateful sessions break on network blips
  • Domain admin creds passed around
  • WinRM ports + double-hop nightmares
  • Every team writes its own scripts
  • No standardized audit trail
REMOTEMETHOD

API-First Listener on IIS

stateless · idempotent · scoped

[Diagram, RemoteMethod panel: ANY_ORCHESTRATOR (vRO · Ansible · Terraform · Jenkins; one HTTPS contract) → POST /api/v1/{resource} · TLS 1.3 (stateless · idempotent · signed) → IIS · REMOTEMETHOD LISTENER (request validation · negotiation · audit) → APP_POOL_ACCOUNT (scoped · auditable) → AD / WINDOWS (structured ops)]
  • Stateless HTTPS — survives network hiccups
  • No domain creds leave the orchestrator
  • One port (443), one contract
  • Same endpoint for every team & tool
  • Every transaction logged & signed
// 02

REQUEST FLOW · END-TO-END

$ trace request --verbose
DIAGRAM_02 RemoteMethod Architecture Flow handle: arch/02v1.4.0
[Diagram lanes: CLIENT · EDGE · EXECUTION · TARGET. ORCHESTRATOR (vRO · Ansible · Terraform · Jenkins) → [1] HTTPS POST · TLS 1.3 → TLS · MUTUAL_AUTH (cert pinning; windows auth · kerberos) → [2] verified → IIS · REMOTEMETHOD LISTENER (request schema validation; extreme negotiation engine) → [3] policy_check → POLICY · AUDIT (RBAC · rate-limit; signed audit log) → [4] impersonate scope → APP_POOL_ACCOUNT (least-privilege identity; no creds in transit) → ACTIVE_DIRECTORY (users · groups · OUs) and WINDOWS_HOSTS (services · files · registry) → [7] signed response]
POST /api/v1/users — orchestrator submits a structured JSON intent over HTTPS. No PowerShell session, no shared script library.
Mutual TLS + Windows Auth. Caller presents pinned cert; Kerberos identifies the orchestrator account. No domain creds traverse the wire.
IIS-hosted listener validates the schema and runs the extreme negotiation engine — checking that the requested transaction matches a registered, signed contract before any privileged action.
RBAC + rate-limit + signed audit. Every accepted request is hashed and written to an append-only audit log before execution begins.
App pool identity performs the work — a least-privilege Windows account scoped to exactly the operations RemoteMethod is allowed to do. Privilege separation by design.
Native AD / Windows operations run inline. No script files on disk, no temp PSSessions, no double-hop.
Structured JSON response returns to the orchestrator with transaction ID, status, and audit handle — fully traceable end-to-end.
// 03

CAPABILITY NODES

5 of 5 active
NODE_01 ● ACTIVE handle: cap/01

API-First Architecture

Every operation is a discrete, idempotent HTTPS endpoint. No sessions to nurse, no scripts to maintain, no double-hop voodoo. Speak JSON, get structured results.

POST /api/v1/ad/users
NODE_02 ● ACTIVE handle: cap/02

App Pool Privilege Separation

The IIS app pool runs as a scoped Windows identity. Your orchestrators never hold domain admin credentials. The least-privilege boundary lives where it should.

identity = scoped_acct
NODE_03 ● ACTIVE handle: cap/03

Extreme Negotiation Engine

Every transaction is validated against a registered, signed contract before execution. Schema, scope, and intent must all match — or the request never touches AD.

contract.verify() → exec
NODE_04 ● ACTIVE handle: cap/04

Signed, Append-Only Audit

Every accepted request is hashed and chained to an append-only log. Forensics-friendly. Compliance-friendly. Auditor-friendly. No "who ran this?" mysteries.

tail -f audit.log
NODE_05 ● ACTIVE handle: cap/05

Tool-Agnostic Contract

vRO calls the same endpoint Ansible calls. Terraform calls the same endpoint Jenkins calls. One API, one set of behaviors, one source of truth across teams.

curl · pwsh · python · *
NODE_06 ● ACTIVE handle: cap/06

Drop-In IIS Deployment

Ships as a standard IIS web application. Deploy with the same MSI/WebDeploy patterns your team already uses. No new agents on every Windows host.

msiexec /i remotemethod.msi
// 04

USE CASE FLOWS

$ ls /scenarios
DIAGRAM_03 Common Use Cases — One API, Many Callers handle: usecase/03v1.4.0
[Diagram: CALLER: vRO_WORKFLOW (vSphere · 7.x), ANSIBLE_PLAYBOOK (AWX · Tower), TERRAFORM_PLAN (module.windows), JENKINS_JOB (scheduled · cron) → REMOTEMETHOD API: POST /api/v1/computers, contract verified → OPERATIONS: step 1/3 JOIN_DOMAIN · MOVE_OU · TAG; step 2/3 APPLY_GPO · SET_LOCAL_ADMIN; step 3/3 REGISTER_CMDB · NOTIFY ✓. Caption: SAME API · SAME CONTRACT · ANY ORCHESTRATOR · 100% AUDITED; standardization is the benefit]
// VM_PROVISIONING.flow

vRO triggers a workflow when a new VM lands. One POST /api/v1/computers joins the domain, drops it in the right OU, applies baseline GPO, sets local admin, and registers it in the CMDB. Three steps, one transaction, one audit row.

// USER_ONBOARDING.flow

HRIS hands Ansible a new hire. Playbook calls POST /api/v1/users — RemoteMethod creates the AD account, attaches groups, enables M365 licensing, and provisions a home directory. New employee is productive before lunch.

// SYSTEM_CONFIG.flow

Terraform owns infrastructure state. POST /api/v1/config applies registry keys, service configurations, firewall rules, and scheduled tasks. Drift reports come back to plan/apply natively.

// OFFBOARDING.flow

Jenkins runs nightly offboarding. POST /api/v1/offboard disables the AD user, revokes groups, archives the mailbox, rotates shared keys, and moves the object to the disabled OU. Compliance evidence in one log entry.

$ curl --example handle: snippet/curl
```bash
# onboard a new user — same call from any orchestrator
# client.pfx is a PKCS#12 bundle, so tell curl the certificate type;
# without --cert-type, OpenSSL-based curl builds expect a PEM file
curl -X POST https://rm.corp.local/api/v1/users \
  -H "Content-Type: application/json" \
  --cert ./client.pfx --cert-type P12 \
  -d '{
    "samAccountName": "j.doe",
    "ou":             "OU=NewHires,DC=corp,DC=local",
    "groups":         ["VPN_Users","Confluence"],
    "contract":       "user.onboard.v3"
  }'

# → 201 Created
# → { "txId": "rm-9c4f...", "audit": "/audit/9c4f", "status": "ok" }
```
// 05

INTEGRATION TARGETS

$ which orchestrator
01 ● COMPATIBLE

VMware vRO / Aria

Drop-in REST host action. Map workflow inputs straight to RemoteMethod contracts. No PowerShell host required.

vRO → REST → /api/v1/*
02 ● COMPATIBLE

Ansible / AWX

Use ansible.builtin.uri against RemoteMethod from your Linux control node. No Windows nodes, no WinRM, no Kerberos config.

uri: url=/api/v1/users
03 ● COMPATIBLE

Terraform

Use the http provider or wrap RemoteMethod in a custom provider. Plan/apply against AD and Windows like any other resource.

resource "rm_user" "x"
04 ● COMPATIBLE

Jenkins

Pipeline step or HTTP request plugin. Make Windows operations a normal stage in your CI/CD — no agents, no slaves.

httpRequest url:'/api/v1/*'
05 ● COMPATIBLE

ServiceNow

Outbound REST messages from catalog items or flows. Turn SNOW requests into validated, audited Windows changes.

RESTMessageV2 → /api/v1
06 ● COMPATIBLE

Custom · curl · Python

It's HTTPS + JSON. Anything that speaks REST can drive RemoteMethod. SDKs available for PowerShell, Python, and Go.

requests.post(...)
// 06

SECURITY POSTURE

tls 1.3 · ed25519 · least_privilege
[01]

TLS 1.3 with optional mutual auth

Modern ciphers only. Client certificate pinning supported for orchestrator-to-listener trust.

[02]

Windows / Kerberos identity

Caller is identified by their Windows account or service principal. No shared API keys floating in pipeline secrets.

[03]

App pool privilege separation

The IIS app pool runs as a dedicated, least-privilege identity. Domain admin credentials never touch your orchestrators.

[04]

Extreme negotiation engine

Every transaction must match a registered, signed contract. Schema, scope, and intent are validated before any privileged call.

[05]

Append-only signed audit log

Every accepted request is hashed and chained. Tamper-evident, exportable, and compatible with SIEM ingestion.

[06]

RBAC + rate-limiting

Per-caller scopes and per-contract throttles. Stop a runaway pipeline before it stops you.
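
How a "hashed and chained" audit log (the Signed, Append-Only Audit capability and item [05] above) becomes tamper-evident, shown as an added example that is not RemoteMethod's own code. The record fields, the genesis value, and HMAC-SHA256 standing in for a real signature are assumptions; the head hash is pinned off-host because a chain alone cannot reveal a truncated tail.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry


def entry_hash(prev_hash, record):
    # Canonical JSON so the same record always hashes identically.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{body}".encode()).hexdigest()


def seal(key, digest):
    # HMAC-SHA256 stands in for the signature (assumption); an asymmetric
    # scheme would let auditors verify without being able to forge entries.
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def append(log, record, key):
    prev = log[-1]["hash"] if log else GENESIS
    digest = entry_hash(prev, record)
    log.append({"record": record, "prev": prev,
                "hash": digest, "sig": seal(key, digest)})
    return digest  # new chain head; pin it somewhere other than the log host


def verify(log, key, pinned_head):
    """Return -1 if intact, else the index of the first bad entry.
    len(log) means the chain is consistent but stops short of the pinned head."""
    prev = GENESIS
    for i, e in enumerate(log):
        digest = entry_hash(prev, e["record"])
        if (e["prev"] != prev or e["hash"] != digest
                or not hmac.compare_digest(e["sig"], seal(key, digest))):
            return i
        prev = digest
    return -1 if prev == pinned_head else len(log)


def build_sample(key):
    # Constructed records; field names and values are illustrative only.
    log, head = [], GENESIS
    for n, sam in enumerate(["j.doe", "a.smith", "k.lee"]):
        head = append(log, {"txId": f"tx-{n:04d}", "caller": "svc-ansible",
                            "contract": "user.onboard.v3", "sam": sam}, key)
    return log, head
```

`verify` pinpoints the first altered entry, rejects a rewrite whose hashes were recomputed without the sealing key, and flags a log whose last entries were dropped.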

// 07

LICENSE TIERS

$ cat /etc/remotemethod/license
TIER_01

STARTER

single environment · pilot

$ 99 /mo
  • 1 IIS deployment
  • Up to 5,000 calls / day
  • Core AD + Windows endpoints
  • Standard audit log
  • Email support · 24h
  • No HA · no custom contracts
TIER_03

ENTERPRISE

global · regulated

$ 999 /mo
  • Unlimited deployments
  • Unlimited calls
  • HA / DR reference architecture
  • Hardware security module support
  • Dedicated solutions architect
  • 24/7 support · 1h SLA

// all tiers include perpetual right-to-use of installed binaries · annual prepay available · gov / multi-tenant pricing on request

// 08

OPEN A SECURE CHANNEL

tls 1.3 · ed25519

Architecture reviews, technical demos, proof-of-concept deployments. Tell us your stack and we'll show you a working integration in under 30 minutes.

  • EMAIL hello@remotemethod.io
  • DOCS docs.remotemethod.io
  • STATUS status.remotemethod.io
  • SUPPORT support@remotemethod.io