Adding Kerberos & SSL to Central Administration


This came up during the SharePoint AcademyLive Search class today, and isn’t the first time I’ve been asked how to do this, so I figured it was time to write a post. 🙂


When you’re first configuring your farm, it’s often easier to configure Kerberos & SSL later, once you’ve completed all the other farm deployment tasks and made sure everything else is working. Doing this for Central Admin requires a couple of minor tricks; the complete procedure is listed below.


Assumptions:



  • CA was originally installed on the desired server

  • you don’t have any web.config or other customizations applied to the CA webapp

  • all your Kerberos configuration (SPNs, delegation, etc.) is already configured

  • CA was originally installed with NTLM & HTTP.

Central Admin Web Application (Kerberos+SSL)


1. Remove Existing CA site

   a. Navigate to Start Menu > All Programs > Microsoft Office Server > SharePoint Products & Technologies Configuration Wizard

   b. Click Next

   c. Click Yes

   d. Leave “Do NOT disconnect from this server farm” selected and click Next.

   e. Select “Yes, I want to remove the web site from this machine” and click Next.

   f. Click Next

   g. Click Finish


2. Recreate CA site w/Kerberos auth

   a. Navigate to Start Menu > All Programs > Microsoft Office Server > SharePoint Products & Technologies Configuration Wizard

   b. Click Next

   c. Click Yes

   d. Leave “Do NOT disconnect from this server farm” selected and click Next.

   e. If asked, indicate that this server should host the central administration web application and click Next.

   f. Check the checkbox next to “Specify port number” and enter a port number of 12345.

   g. Select the Negotiate (Kerberos) authentication provider.

   h. Click Next

   i. Click Yes

   j. Click Next

   k. Click Finish


3. Enable SSL for CA site

   a. Navigate to Start Menu > All Programs > Administrative Tools > IIS Manager

   b. Navigate to {Computer Name} > Web Sites

   c. Right-click SharePoint Central Administration V3 and select Properties

   d. Enter 12345 in the SSL port field.

   e. Enter 80 in the TCP Port field.

   f. Click Apply.

   g. Navigate to the Directory Security tab

   h. In the Server Communications region of the tab, select Edit.

   i. Select Require Secure Channel and click OK.

   j. Navigate to the Directory Security tab

   k. Select Server Certificate

   l. Click Next

   m. Select Import a certificate from a .pfx file and click Next

   n. Browse to the file

   o. Click Next

   p. Enter the password (if necessary) and click Next

   q. Confirm that 12345 is in the SSL port field and click Next

   r. Click Next

   s. Click Finish

   t. Click OK


4. Execute an IISRESET on the central administration host server


5. Update AAM for CA site

   a. Open the OPERATIONS PAGE of the central administration site in a web browser (i.e. https://contoso86:12345/_admin/operations.aspx – if a specific page is not indicated in the address, it will fail to open since the AAM requires updating).

   b. If warned, ignore any certificate errors and continue browsing to the page.

   c. Select Alternate Access Mappings from the Global Configuration subheader.

   d. Click on the link for http://contoso86:12345

   e. Set the value in the URL protocol, host, and port field to https://contoso86.contoso.com:12345

   f. Click OK.
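Once the five steps above are done, a quick check from a domain-joined workstation confirms the two things that matter: the site offers a Negotiate (Kerberos) challenge over HTTPS on 12345, and plain HTTP is refused. This is an added example, not part of the original post; it assumes the host name and port used in the post (contoso86.contoso.com, 12345) and a browser-trustable certificate is reported on rather than assumed.

```powershell
# Added example (not from the original post): verify the rebuilt Central Admin site.
# Run it from another machine; a loopback test on the CA server can mask SPN problems.
function Test-CentralAdminEndpoint {
    param([string]$HostName = 'contoso86.contoso.com', [int]$Port = 12345)
    $page   = '/_admin/operations.aspx'   # a specific page, as the post notes, until AAM is fixed
    $result = @{}

    # Record certificate validation errors instead of silently ignoring them: a self-signed or
    # wrong-name certificate passes this test but will not be trusted by admins' browsers.
    $script:sslErrors = 'None'
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
        param($sender, $cert, $chain, $errors) $script:sslErrors = $errors.ToString(); $true }

    # 1. Anonymous HTTPS request: expect 401 with a Negotiate challenge, not an NTLM-only one.
    try {
        $req = [System.Net.WebRequest]::Create("https://${HostName}:${Port}$page")
        $req.GetResponse().Close()
        $result.Challenge = 'none (anonymous access allowed!)'
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        $result.Challenge = if ($resp) { $resp.Headers['WWW-Authenticate'] } else { $_.Exception.Message }
    }
    $result.OffersKerberos   = [bool]($result.Challenge -match 'Negotiate')
    $result.CertificateClean = ($script:sslErrors -eq 'None')

    # 2. Plain HTTP on the TCP port must be rejected (Require Secure Channel gives 403.4 on IIS 6).
    #    A 401 here would mean the site is reachable without SSL and only authentication stops you.
    try {
        $req = [System.Net.WebRequest]::Create("http://${HostName}:80$page")
        $req.GetResponse().Close()
        $result.HttpBlocked = $false
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        $result.HttpBlocked = (-not $resp) -or ([int]$resp.StatusCode -eq 403)
    }

    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
    New-Object PSObject -Property $result
}

Test-CentralAdminEndpoint | Format-List
```

If OffersKerberos is false but the challenge shows NTLM, the app pool account is missing the SPN for the name and port you typed; if CertificateClean is false, the .pfx imported in step 3 is not one that client machines trust.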




Comments (8)

  3. Pete D says:

    Do you need to SetSPN to "setspn -A https/contoso86:12345 dnameuname" ?  Or will the SPN work with SSL whether or not it is http or https?

    Thanks

  4. bgeoffro says:

    When using setspn for an HTTP or HTTPS address, just use the "http/" prefix. What’s equally important is that you specify the hostname that the user will use to access the service – i.e. if it’s a standard port such as 80 for http or 443 for https, you DON’T need to include the port number. Something called service.company.com at port 80 will likely be accessed by users as "http://service.company.com", not "http://service.company.com:80", and same goes for a secure service on 443 – they won’t usually include the port number in the address.

    If it’s a nonstandard port like 12345, you need to include the port number in the name regardless of which protocol is used, since users will always need to include the port number when accessing the service.
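The rule in the reply above, written out as a small script (an added example, not code from the post or its author): the SPN class is always "http/", and the port appears only when it is non-default, because that is the only case in which users type it. The account name CONTOSO\svc-sp and the extra portal URL are assumptions for illustration.

```powershell
# Added example (not from the original post): derive the SPN names from the URLs users type
# and register them without creating duplicates. The account and URLs are assumed values.
function Get-HttpSpn {
    param([Parameter(Mandatory=$true)][string]$Url)
    $u = [System.Uri]$Url
    # Both http and https services use the "http/" class. Uri.IsDefaultPort is true for
    # 80 on http and 443 on https, exactly the cases where the port is left out.
    if ($u.IsDefaultPort) { "http/$($u.Host)" } else { "http/$($u.Host):$($u.Port)" }
}

function Register-HttpSpn {
    param([string[]]$Urls, [string]$Account)
    foreach ($url in $Urls) {
        $spn = Get-HttpSpn -Url $url
        # -S (setspn on Windows Server 2008 and later) checks the forest for an existing
        # registration and refuses to add a duplicate; two accounts owning the same SPN
        # breaks Kerberos for both. The older -A switch used in the question does no such check.
        & setspn.exe -S $spn $Account
    }
}

# Admins reach Central Admin by short name and by FQDN, so both names need an SPN on 12345.
Register-HttpSpn -Account 'CONTOSO\svc-sp' -Urls @(
    'https://contoso86:12345',               # -> http/contoso86:12345
    'https://contoso86.contoso.com:12345',   # -> http/contoso86.contoso.com:12345
    'https://portal.contoso.com'             # -> http/portal.contoso.com (standard 443, no port)
)

# Review what the account now holds.
setspn.exe -L 'CONTOSO\svc-sp'
```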

  5. meka38 says:

    Hi bgeoffro,

    I have fixed a SP site with SSL protocol (https) and Kerberos and it works well. But RSS view doesn’t work in it. Do you have any idea?

    thanks
