How to enable SSL on a SharePoint 2010 web application?


Hello my friends, I thought I would start blogging about SharePoint 2010 with the very basics, like creating a site whose host address is configured in the DC, enabling SSL, enabling Kerberos authentication, etc.

As developers we won’t do these configurations regularly, but for the admin guys it will be a cake walk 🙂

So, let me start with the details of my machines. I have two machines. The first is my Domain Controller with Active Directory; I have installed SQL Server 2008 with SP1 + CU2 on this machine.

The second machine has SharePoint 2010 Public Beta, Visual Studio 2010 Beta, Office 2010 Beta and SharePoint Designer 2010 Beta.

Both machines are running Windows Server 2008 R2 and the domain name is “sowmyan.com”.

My first task is to create a very basic team site with the URL www.sowmyan.com.

1. First I am going to enter a host entry in the DNS on my Domain Controller (you can do this even after creating the site, but here I am going to add a new host entry named “www”, so the FQDN will be www.sowmyan.com) and point it to the IP address of my SharePoint server.

2. Now create a new web application in the SharePoint Central Administration site. While creating the web application, specify port 80 and the host header www.sowmyan.com, so that the URL is neat and there is no need to specify a port number when accessing it.

3. After creating the web application, create a new site collection at the root.

4. Once the site is created, browse to it. If the loopback check is in effect we can’t log in to the site successfully: it may prompt for credentials three times and then show a blank page. To resolve this issue, follow the KB article below:

http://support.microsoft.com/kb/896861#letmefixit

In my environment the issue was resolved after adding the DisableLoopBackCheck entry in the registry and rebooting, following the KB mentioned above.

5. Finally, here is our site 🙂
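The five steps above can be scripted instead of clicked through. The following is an added example and is not part of the original post: it uses dnscmd on the Domain Controller for step 1, the SharePoint 2010 PowerShell snap-in on the SharePoint server for steps 2 and 3, and the registry change from KB 896861 for step 4. The server IP address, the service accounts and the content database name are assumed placeholders. For step 4 the example shows Method 1 of the KB (a BackConnectionHostNames list) first, because it exempts only the names you list, with the DisableLoopbackCheck entry the post used shown as the alternative.

```powershell
# Added example, not from the original post. Assumed values are marked.

# --- Step 1 (run on the Domain Controller): add the "www" A record.
# dnscmd ships with the DNS Server role on Windows Server 2008 R2.
$zone       = "sowmyan.com"
$hostName   = "www"
$spServerIp = "192.0.2.10"        # assumed: IP address of the SharePoint server
dnscmd localhost /RecordAdd $zone $hostName A $spServerIp

# --- Steps 2 and 3 (run on the SharePoint server): web application on port 80
# with the host header, then the root site collection using the Team Site template.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url     = "http://www.sowmyan.com"
$owner   = "SOWMYAN\spadmin"                        # assumed: site collection owner
$appPool = Get-SPManagedAccount "SOWMYAN\spapppool" # assumed: a registered managed account

New-SPWebApplication -Name "SharePoint - www.sowmyan.com80" `
    -Port 80 -HostHeader "www.sowmyan.com" -URL $url `
    -ApplicationPool "SharePoint - www.sowmyan.com80" `
    -ApplicationPoolAccount $appPool `
    -DatabaseName "WSS_Content_www"                  # assumed content database name

New-SPSite -Url $url -OwnerAlias $owner -Template "STS#0" -Name "Team Site"

# --- Step 4: the loopback check (KB 896861). Method 1 of the KB exempts only the
# host names listed in BackConnectionHostNames; DisableLoopbackCheck (what the post
# used) switches the check off for every name. Either change needs a reboot.
$lsa = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
New-ItemProperty -Path "$lsa\MSV1_0" -Name "BackConnectionHostNames" `
    -PropertyType MultiString -Value @("www.sowmyan.com") -Force | Out-Null

# The post's approach, shown for reference; use one of the two, not both:
# New-ItemProperty -Path $lsa -Name "DisableLoopbackCheck" -PropertyType DWord -Value 1 -Force
```

Run the dnscmd line on the DC and the rest from an elevated SharePoint 2010 Management Shell on the SharePoint server; the site name generated by Central Administration may differ from the one assumed here.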


Now we will see how we can make our site SSL enabled.

 

Note: I strongly recommend using Central Administration or PowerShell to extend the web application on an HTTPS port instead of the manual method below (adding the host name entry in IIS and a new URL in AAM). Once you have the second IIS website, you can configure the SSL certificate binding in IIS. Especially with claims-based authentication as the default option in SharePoint 2013 and NTLM deprecated, it is highly recommended to implement the zones using AAM. Also, in 2013 you can implement a streamlined topology where a single web application hosts Host Named Site Collections, with support for zones. When I wrote this post, SharePoint 2010 was in beta 🙂

 

We can configure the web application to use SSL either when we create the web application or by extending it. In my scenario I am going with the manual method (which is not recommended; please follow the note above).
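The recommended path from the note above, extending the existing web application into a second zone over HTTPS, as an added PowerShell example that is not part of the original post. It assumes the web application URL used throughout the post; the IIS site name is a placeholder.

```powershell
# Added example, not from the original post: extend http://www.sowmyan.com into the
# Intranet zone on port 443. Run from the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

New-SPWebApplicationExtension -Identity "http://www.sowmyan.com" `
    -Name "SharePoint - www.sowmyan.com443" `
    -Zone Intranet `
    -Port 443 -HostHeader "www.sowmyan.com" -SecureSocketsLayer `
    -URL "https://www.sowmyan.com"

# The extension registers the AAM entry for the zone itself and creates a second IIS
# site with an https binding on 443; what it does not do is pick a certificate, so the
# certificate binding in IIS (later in the post) is still required.
Get-SPAlternateURL -WebApplication "http://www.sowmyan.com" |
    Format-Table IncomingUrl, Zone, PublicUrl -AutoSize
```

Because the zone is created by SharePoint, both the AAM entry and the IIS site are tracked by the farm and re-created on new web front ends by the configuration wizard, which is the practical difference from editing IIS by hand.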

For that I am going to do the following. 

 

1. Go to Alternate Access Mappings: Central Administration > Application Management > Alternate Access Mappings.

2. Select the web application in the rightmost drop-down and click “Add Internal URLs”.

3. Add a new URL with HTTPS (here I have added https://www.sowmyan.com) and select a zone (here I have selected the Intranet zone). The AAM collection will then show the list of URLs with their zones.


4. If we now try to browse to the site using HTTPS it won’t load, because we still have to install the certificate and configure the website in IIS.

5. If you are not using a DNS host entry, you can create a self-signed certificate in IIS 7, or get a certificate from a third-party CA, and bind it to your SharePoint website. You can refer to the following articles for more information about it:

       http://learn.iis.net/page.aspx/144/how-to-setup-ssl-on-iis-70/ 

 

       http://blog.mikeobrien.net/PermaLink,guid,12d9628c-a350-4f7b-a573-9d05429b54e8.aspx 

 

Follow the TechNet article below to learn more about “Configuring Server Certificates in IIS 7”:

 

http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx

 

But in my scenario, since I am using DNS, I can’t use a self-signed certificate when the host entry is in DNS. If I use a self-signed certificate I get a certificate error:

For that I first have to add the “Active Directory Certificate Services” role on my Domain Controller. Please follow my post on how to add that role in Windows 2008 R2.

Now we are ready to configure the IIS website for SSL.

1. Double-click “Server Certificates”; it will open the configuration window.

2. On the left side, under Actions, select “Create Domain Certificate”.

3. It will open the window below. Provide the details, but make sure the certificate’s “Common Name” (CN) matches the host header in the request, e.g. if the client is making a request to www.contoso.com, then the CN must also be www.contoso.com.

4. On the next screen you have to provide the Online Certification Authority details. You have to provide them in a specific format, like the one shown below (see the red box).

If you don’t know the certification authority’s name, open Server Manager on the DC machine; you can find it under “Active Directory Certificate Services”.

You may get an error if you didn’t specify the certificate authority name correctly, or didn’t import the CA’s certificate into the local machine’s trusted certificates store (how that is done is covered in the last portion).

5. Once it completes successfully you can see the certificates; click on the newly created certificate to see its details.

6. The next step is to create a new binding with HTTPS and use the certificate that we just created.

Create an SSL Binding

 

Select a site in the tree view and click Bindings… in the Actions pane. This brings up the bindings editor that lets you create, edit, and delete bindings for your website. Click the Add… button to add your new SSL binding to the site.


New bindings default to http on port 80. Select https in the Type drop-down, select the certificate that we created earlier from the SSL Certificate drop-down and click OK.


Now you have a new SSL binding on your site and all that remains is to verify that it works.

Verify the SSL Binding

Look in your site’s Actions pane for a link that will browse your site over your new HTTPS binding. Click this link to test your new binding.

Once that is done, just browse to your site with https. If everything is fine you will see a small lock icon in the address bar; clicking it shows the details of your certificate and says that the connection to the server is encrypted.
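Steps 1 to 6 of the IIS part (domain certificate from the enterprise CA, HTTPS binding, verification) as one added PowerShell example that is not part of the original post. It uses the certreq command-line tool instead of the “Create Domain Certificate” wizard and the WebAdministration module instead of the bindings editor. The CA config string, the IIS site name and the working folder are assumed placeholders; the CA config must be in the “CAhost\CA name” form that step 4 asks for.

```powershell
# Added example, not from the original post. Run elevated on the SharePoint server.
Import-Module WebAdministration

$hostName = "www.sowmyan.com"
$caConfig = "dc01.sowmyan.com\sowmyan-DC01-CA"   # assumed: "CAhost\CA name" from Server Manager on the DC
$siteName = "SharePoint - www.sowmyan.com80"     # assumed: IIS site of the web application
$work     = "C:\certs"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Step 3: the CN must equal the host header. The private key stays in the machine
# store and is marked non-exportable so it cannot be copied off this server.
@"
[NewRequest]
Subject = "CN=$hostName"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content "$work\request.inf" -Encoding ASCII

certreq -new "$work\request.inf" "$work\request.req"
# Step 4: submit to the online enterprise CA; a wrong config string fails here.
certreq -submit -config $caConfig "$work\request.req" "$work\cert.cer"
# Install the issued certificate against the pending request in LocalMachine\My.
certreq -accept "$work\cert.cer"

# Step 5: locate the installed certificate by its subject (newest one wins).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$hostName" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "certificate for $hostName not found in LocalMachine\My" }

# Step 6: add the https binding and attach the certificate to IP:port 0.0.0.0:443
# (IIS 7 keys SSL certificates by IP and port, not by host header).
New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
Get-Item "IIS:\SslBindings\0.0.0.0!443" -ErrorAction SilentlyContinue | Remove-Item
New-Item "IIS:\SslBindings\0.0.0.0!443" -Value $cert | Out-Null

# Verify on the server: the HTTP.SYS binding shows the thumbprint IIS will present.
netsh http show sslcert ipport=0.0.0.0:443

# Verify as a client: the presented certificate's CN must match the host name.
$req = [System.Net.HttpWebRequest]::Create("https://$hostName/")
$req.UseDefaultCredentials = $true
try { $req.GetResponse().Close() } catch [System.Net.WebException] { }
$presented = $req.ServicePoint.Certificate
if ($presented -and $presented.Subject -eq "CN=$hostName") {
    "OK: server presented $($presented.Subject), thumbprint $($presented.GetCertHashString())"
} else {
    "MISMATCH: expected CN=$hostName, got $(if ($presented) { $presented.Subject } else { 'no certificate' })"
}
```

The client-side check is the scripted form of the lock icon test: a certificate whose CN does not match the host name, or one issued by a CA the machine does not trust, is exactly what produces the certificate error shown earlier in the post.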



Comments (33)

  1. Tomas says:

    Thank you for this post. It helped me a lot 😉

  2. Rynhardt says:

    Thank you for the post, this helps a lot.

    I do have a further problem: after I did all of this, my web parts are breaking. I can view an Issue list, Document Library or anything. Any ideas?

  3. sowmyancs says:

    1. After changing to HTTPS, do an IIS reset and see the behaviour.

    2. Make sure that everything is working correctly without SSL by turning it off and removing all entries from AAM.

    3. If it is a test / dev machine, run the PSConfig wizard without disconnecting from the farm and see the behaviour.

    What type of authentication are you using?

  4. Rynhardt says:

    Hi.

    Thank you for the reply.

    Everything is working 100% on normal http, but when viewing the page in HTTPS, the web parts fail to load.

    We are running NTLM authentication, authenticating through our AD server.

    I have done an IIS reset, I have even completely rebooted the server last night, but no joy. 🙁

  5. Sowmyan says:

    Hmm, try to run the PSConfig wizard and see the behaviour. I haven't encountered this issue before; if you are really stuck, then contact Microsoft Customer Service and Support for assistance.

  6. Ryan says:

    Hi,

    We have successfully set up an extranet website with FBA in place using this walkthrough; however, we are trying to do the same with a second website and it's not working. We have used a different IP address on the bindings and it's a different certificate, but when we try to navigate, the URL appears to be going to the correct IP address but the page never loads. In the status bar of the browser it says "Connect to extranet.lighthouseas.co.uk" (the same with a fully qualified https address, and there is a URL rewrite in place that would be redirecting to https if the browser was actually reaching it).

    Is there some sort of issue with having two certificates on one server, do the ports need to be different in the bindings even if the IP addresses in the bindings are different?

  7. plentym says:

    Hey Ryan, just reading through this post and stumbled across your question, and thought I'd post something back to you in case you were still hanging out for a solution. It makes sense that you are experiencing this.

    Whilst normal http sites listening on port 80 can differentiate the different requests from the http GET information, there can only be one https-encrypted site listening on 443 at a time (essentially because it is an IIS application that needs to decrypt the SSL before it can see any of the GET request info – and by then it is too late). You'll have to move your second https-enabled site to a different port number or bind another IP address to the box to use 443 with.

    (Hope this helps, now I'm off to give this walkthrough a try)
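The second option plentym describes, one IP address per HTTPS site on port 443, as an added PowerShell example that is not part of the comment thread. It assumes two certificates are already installed in LocalMachine\My; the site names, IP addresses and certificate subjects are placeholders.

```powershell
# Added example, not from the comment thread: two HTTPS sites on one IIS 7 server,
# each bound to its own IP address on 443. IIS 7 has no SNI, so the certificate is
# chosen by IP:port before the host header is readable, exactly as the comment says.
Import-Module WebAdministration

$sites = @(
    @{ Name = "Extranet A"; Ip = "192.0.2.21"; Cn = "extranet-a.example.com" },  # assumed
    @{ Name = "Extranet B"; Ip = "192.0.2.22"; Cn = "extranet-b.example.com" }   # assumed
)

foreach ($s in $sites) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$($s.Cn)" } | Select-Object -First 1
    if (-not $cert) { throw "no certificate for $($s.Cn) in LocalMachine\My" }

    # Bind the site to its own address on 443 rather than to all addresses.
    New-WebBinding -Name $s.Name -Protocol https -Port 443 -IPAddress $s.Ip

    # Attach the certificate to that IP:port pair only.
    New-Item "IIS:\SslBindings\$($s.Ip)!443" -Value $cert | Out-Null
}

# Each IP:port pair now lists its own certificate. A 0.0.0.0:443 entry, if one exists,
# applies to any address that has no entry of its own, which is the situation that
# makes a second site on 443 appear to hang or present the wrong certificate.
netsh http show sslcert
```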

  8. Anthony says:

    So I configured everything successfully, with one exception, the HTTPS URL is in the internet zone instead of the intranet zone. Now, using HTTPS I can successfully login with the administrator account, but my other user account gets 401 unauthorized. On HTTP both accounts login fine. Any ideas?

  9. Mike says:

    When I do this, my first browse of the web site is using HTTPS, but then it converts to the public zone which is still HTTP.

  10. I'm having the same problem as Mike 🙁

  11. Eric Schrader says:

    Thanks, nice post.

    I think part of this process is wrong. I may be wrong here…

    When you create an Alternate Access Mapping (AAM), you are not actually editing the IIS binding, which is why later you have to go into IIS and edit your binding (I don't think this is MS best practice).

    I think if you extend your web application to the https URL with host header, the AAM and bindings are created for you automatically, and managed through SharePoint.

    I didn't read the entire blog, but skimmed, so maybe I missed a disclaimer or reason you went to IIS directly for the binding.

  12. Raj Bathula says:

    Thanks a lot for the information. I am trying to provide "https" level access to my SharePoint intranet site. I was able to do this by adding an Alternate Access Mapping, adding an https binding with port 443 and attaching a valid certificate to my SharePoint site.

    I am able to open my site with https. However, when I select any list item check box, the edit and view buttons on the ribbon are greyed out. I am not even able to select the ECB/context menu of list/library items.

    I don't know where it went wrong. Please help me out.

    regards

    raj

    rajkumar.bathula@gmail.com

  13. seanann says:

    Cool, man!

    you were a big help to me.

  14. sowmyancs says:

    Hi Raj,

    It is expected behaviour for anonymous users. You have to log in to the site to do any contribute-level actions. Please look at my latest blog on a related topic.

    blogs.msdn.com/…/custom-sign-in-control-redirection-from-http-site-https.aspx

    Eric – yes, you were right: we can extend the web application to different zones; that way there is no need to configure AAM, but we still need to configure the certificate in IIS. Also, that approach will be good because there will be two different w3wp.exe processes to serve each zone.

    Thanks,

    Sowmyan

  15. jnalley says:

    Very helpful and a sufficiently good guide. Thanks!

  16. Jacob says:

    I am experiencing the same issue as Raj (I think). On my internal application at HTTP, everything works fine, but on my extended app at HTTPS, the Javascript ECB menus and Silverlight functions don't work – even for authenticated users.

  17. Schmeush says:

    Hi all

    Old subject but very cool post

    I have the same advice as Eric Schrader (12 Sep 2011 11:28 AM). Usually any manual change in IIS will not be seen by SPoint. So better not to touch it.

    Extending the web app is the right way…

  18. Alex says:

    Hi sowmyancs,

    thank you for your article… The hint with the "DisableLoopbackCheck" solved my problem 🙂

  19. Ashish says:

    Thanks for the article.

    Generally it's a best practice to secure SharePoint Central Administration and external web applications with SSL (HTTPS access).

    Here is an article on Setting up SSL in SharePoint 2010:

    Configuring SSL Certificates in SharePoint for HTTPS Access: salaudeen.blogspot.com/…/configuring-ssl-certificates-in.html

    Regards,

    Ashish

  20. ronan says:

    Even though we have given inherited permissions from the top-level site, too.

  21. Joe B says:

    Everything works to the root domain e.g. https://sharepoint:443, but if I try to drill down into any sub-sites e.g. https://sharepoint:443/sites/hr, it breaks. How do I bind SSL to the rest of the site?

  22. I'm having the same issue as Joe B, the root site collection can be accessed but not any of the other site collections. Not exactly sure what's happening here.

  23. Daniel says:

    Good article..

    I created my web app on my dev machine via an entry in the Hosts file. Later I added the A record in my DNS.

    I need to reboot my PDC / DNS  to progress the creation of my  certificate that was bound to my host entry

    Pointed the browser at mynewdevsite.domain.com/thesitecollection and all good – nice padlock

    I notice some of the blog posts suggest that we should create our web app with SSL settings and not your approach (port 80). Just wondered what the pros and cons are……

    Also, do we just delete the binding on port 80 to disable the http access, as you would if this was a production implementation?

    cheers

    Daniel

  24. thx says:

    Thx, the search service doesn't seem to work with a self-signed certificate.

  25. Umar says:

    Configuring AAM with Manual change in IIS binding ? Are we not repeating Mistake 4 mentioned in Plan for AAMs in TechNet Article, Search for "Mistake 4" at  blogs.msdn.com/…/alternate-access-mappings-explained.aspx

  26. sowmyancs says:

    Umar – thanks for the comment. I have updated the post, this was posted when SP 2010 was on beta.

  27. Waliullah says:

    I followed all the steps but when I opened the site, it is not opening and showing "Internet Explorer cannot display the webpage"

  28. Akash says:

    Great Post!!!

    I have one question.

    I have created a certificate using makecert.exe and used a wildcard certificate. I am able to run a site in http and https in my dev env where no DNS entries are used.

    When I deployed the changes in SIT (2 WFE) where DNS entries are used, I ran into a problem and the site is not opening from outside the server using https. I don't have DNS server access. Do we need to create the certificate from the DNS server only? Can you suggest any possible solution?

  29. Aditya Reddy says:

    Great article. I've been looking into the https repeated credentials prompt for 3 weeks; this solved my problem.

    Many thanks.

  30. sharepoint administration training says:

    The way you deliver the content is awesome and very neat

    staygreenacademy.com/sharepoint-administrator-training

  31. Shruthi says:

    Hi,

    I have a requirement where I need to move all the web applications from HTTP to HTTPS, and there are about 20 web applications in our environment.

    Could you please suggest the best solution for performing this, as I am confused between the 2 options below.

    1. Edit the public URL of existing web app in default zone.

    2. Extend the existing web app.

    If I perform the first option, do I need to re-deploy custom solutions? Also, could you help me with the configuration/changes to be done on DNS?

    Thanks.