Adding Kerberos & SSL to Central Administration

This came up during the SharePoint AcademyLive Search class today, and isn't the first time I've been asked how to do this, so I figured it was time to write a post. :)

When you're first configuring your farm, it's often easier to configure Kerberos & SSL later, once you've completed all the other farm deployment tasks and made sure everything else is working. Doing this for Central Admin requires a couple of minor tricks... the complete procedure is listed below.

Assumptions:

  • CA was originally installed on the desired server
  • you don't have any web.config or other customizations applied to the CA webapp
  • all your Kerberos configuration (SPNs, delegation, etc.) is already configured
  • CA was originally installed with NTLM & HTTP.

Central Admin Web Application (Kerberos+SSL)

1. Remove Existing CA site

a. Navigate to Start Menu > All Programs > Microsoft Office Server > SharePoint Products & Technologies Configuration Wizard

b. Click Next

c. Click Yes

d. Leave “Do NOT disconnect from this server farm” selected and click Next.

e. Select “Yes, I want to remove the web site from this machine” and click Next.

f. Click Next

g. Click Finish

2. Recreate CA site w/Kerberos auth

a. Navigate to Start Menu > All Programs > Microsoft Office Server > SharePoint Products & Technologies Configuration Wizard

b. Click Next

c. Click Yes

d. Leave “Do NOT disconnect from this server farm” selected and click Next.

e. If asked, indicate that this server should host the central administration web application and click Next.

f. Check the checkbox next to “Specify port number” and enter a port number of 12345.

g. Select the Negotiate (Kerberos) authentication provider.

h. Click Next

i. Click Yes

j. Click Next

k. Click Finish

3. Enable SSL for CA site

a. Navigate to Start Menu > All Programs > Administrative Tools > IIS Manager

b. Navigate to {Computer Name} > Web Sites

c. Right-click SharePoint Central Administration V3 and select Properties

d. Enter 12345 in the SSL port field.

e. Enter 80 in the TCP Port field.

f. Click Apply.

g. Navigate to the Directory Security Tab

h. In the Server Communications region of the tab, select Edit.

i. Select Require Secure Channel and click OK.

j. Navigate to the Directory Security Tab

k. Select Server Certificate

l. Click Next

m. Select Import a certificate from a .pfx file and click Next

n. Browse to the file

o. Click Next

p. Enter the password (if necessary) and click Next

q. Confirm that 12345 is in the SSL port field and click Next

r. Click Next

s. Click Finish

t. Click OK

4. Execute an IISRESET on the central administration host server

5. Update AAM for CA site

a. Open the OPERATIONS PAGE of the central administration site in a web browser (e.g. https://contoso86:12345/_admin/operations.aspx - if a specific page is not indicated in the address, it will fail to open, since the AAM still requires updating).

b. If warned, ignore any certificate errors and continue browsing to the page.

c. Select Alternate Access Mappings from the Global Configuration subheader.

d. Click on the link for https://contoso86:12345

e. Set the value in the URL protocol, host, and port field to https://contoso86.contoso.com:12345

f. Click OK.
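Once step 5 is done, the name in the AAM, the name on the certificate and the HTTP/ SPN all have to agree or admins get certificate warnings and silent NTLM fallback. The following PowerShell script is an added check, not part of the original post; it assumes the host contoso86.contoso.com, SSL port 12345 and TCP port 80 from steps 3 and 5, and is run from a domain-joined machine.

```powershell
# Added verification script, not part of the original post. Assumes the AAM host
# (contoso86.contoso.com), SSL port (12345) and TCP port (80) used in steps 3 and 5.
$caHost   = 'contoso86.contoso.com'   # same name as the AAM entry, the certificate and the HTTP/ SPN
$sslPort  = 12345
$httpPort = 80

# 1. Fetch the certificate IIS presents on the SSL port and compare its names with
#    the AAM host. A mismatch means every admin sees a warning and learns to click through.
$tcp = New-Object System.Net.Sockets.TcpClient($caHost, $sslPort)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }   # accept only so we can inspect it
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($caHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()
$cn  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
$sanText = if ($san) { $san.Format($false) } else { '' }
$nameOk  = ($cn -eq $caHost) -or ($sanText -match [regex]::Escape($caHost))
"Certificate matches ${caHost}: $nameOk (CN=$cn, SAN=$sanText, expires $($cert.NotAfter))"

# 2. Send an anonymous request and read the 401 challenge. Kerberos is only possible
#    when IIS offers 'Negotiate'; a bare 'NTLM' means step 2g did not take effect.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $cb   # cert already checked above
$req = [System.Net.WebRequest]::Create("https://${caHost}:$sslPort/_admin/operations.aspx")
$req.UseDefaultCredentials = $false
try   { $resp = $req.GetResponse() }
catch [System.Net.WebException] { $resp = $_.Exception.Response }
$challenge = if ($resp) { $resp.Headers['WWW-Authenticate'] } else { '(no response)' }
"HTTPS status $(if ($resp) { [int]$resp.StatusCode }) challenge: $challenge"
"Negotiate offered: $($challenge -match 'Negotiate')"

# 3. The plain-HTTP port must now refuse requests (403 from 'Require Secure Channel', step 3i).
$plain = [System.Net.WebRequest]::Create("http://${caHost}:$httpPort/")
try   { $code = [int]$plain.GetResponse().StatusCode }
catch [System.Net.WebException] { $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 } }
"Plain HTTP on port $httpPort returned $code (expected 403)"
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null   # restore default validation
```

"Negotiate" in the challenge only shows that Kerberos is possible; whether a given logon actually used Kerberos rather than falling back to NTLM is recorded in the authentication package of the logon events in the server's Security log.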