The easiest way to set up SSL with SharePoint is to check off that you plan on using SSL when you create the web application. This will set up the AAM for you and save you a few steps (although you still need to generate the cert, install it, etc.).

The past few times I've created web applications, SSL wasn’t a requirement at the beginning and had to be configured after the fact.

First, you’ll need to generate a CSR (certificate signing request) from the IIS website.  Make sure you do this from the correct site, otherwise the SSL certificate won’t be valid.

How to Generate a CSR from IIS

Steps for how to generate a CSR from Verisign

Send the CSR off to your certificate authority.  They will send you a valid certificate that you can then install on the IIS site.

How to Install SSL Certificate in IIS

Steps for how to INSTALL a certificate from Verisign

Open the IIS site that you want to install the SSL cert onto and click the “Server Certificate” button.

Hit NEXT

IIS knows that you initiated an SSL request, so it asks if you want to process that request now and install the SSL cert that matches that request.

Select the SSL cert that you received from your SSL authority

Select the SSL port number that you want to use.  The default is 443, but be aware that only 1 site can have SSL running on port 443 for 1 IP address.  To have multiple sites using SSL on port 443, you’ll need multiple IP addresses, and each site needs to be on a separate IP address.

If the cert is valid, you’ll see a summary of its information.

Hit FINISH when you are done to install the SSL cert.

If you look at the IP configuration for your website now, you should see that you now have an entry for SSL with port 443.

FYI, I just recently found this out but IIS can ONLY do SSL on port 443 on 1, yes 1, site per IP address EVEN with host headers.  You have 2 options to get around this, 1) use a different port for SSL if you only have 1 IP address or 2) Add more IP addresses to the server and assign your SSL sites appropriately, 1 per IP address.

After all the above, if you go to your SharePoint site, you should now have it working under SSL.

Be sure to take a look in the AAM (alternate access mappings) to make sure you have entries for SSL for your site.

Force SSL

To force users to use SSL all the time, you have a few options.

To make sure that the sites are accessed over SSL, you need to force every request to go over HTTPS. To accomplish this, a simple HTML page with some basic JavaScript is used.

Create the redirect HTML page with the following code:

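<html>
<body>
<script type="text/javascript">
<!--
// Served as the 403;4 (SSL required) custom error page: if the request
// came in over plain HTTP, re-request the same host, path and query over HTTPS.
if (location.protocol != 'https:')
{
    window.location = 'https://' + location.host + location.pathname + location.search;
    //alert(location.host + location.pathname + location.search); Just for sanity check
}
// -->
</script>
</body>
</html>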

Save the file as “redirectssl.htm” in c:\inetpub\wwwroot. The reason for saving it to this location is so that multiple sites can access it and you only need 1 file to keep updated.

Open IIS manager and select properties on the site which you want to force SSL on.

Go to the Custom Errors tab and change the 403;4 entry to point to our redirectssl.htm file.

Click edit on 403;4, enter the location of our “redirectssl.htm” and hit OK.

In addition, we need to make sure that the IIS site is set to require SSL; that way it will throw the 403.4 error if someone accesses it through HTTP.

Perform an IISRESET
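
A variant of the redirect script above for sites whose HTTP or SSL binding is not on the default port (option 1 in the note about one SSL site per IP address), added here as an example and not part of the original post. `location.host` carries the HTTP port, so this version rebuilds the URL from `location.hostname` and also keeps the `#fragment`; `httpsUrlFor` and `SSL_PORT` are illustrative names, and the port value is an assumption you set per site.

```javascript
// Added example (not from the original post). SSL_PORT is a per-site
// setting you choose; 443 is the default HTTPS port.
var SSL_PORT = 443;

// Build the HTTPS equivalent of a location-like object
// ({protocol, hostname, pathname, search, hash}). Returns null when the
// page is already on HTTPS so the caller does not redirect in a loop.
function httpsUrlFor(loc, sslPort) {
    if (loc.protocol === 'https:') {
        return null;
    }
    // Use hostname, not host: host includes the HTTP port (e.g. ":8080"),
    // which is the wrong port for the SSL binding.
    var authority = loc.hostname;
    if (sslPort !== 443) {
        authority += ':' + sslPort;
    }
    return 'https://' + authority + loc.pathname +
        (loc.search || '') + (loc.hash || '');
}

// In a browser (as the 403;4 custom error page) perform the redirect.
// replace() keeps the plain-HTTP URL out of the back-button history.
if (typeof window !== 'undefined' && window.location) {
    var target = httpsUrlFor(window.location, SSL_PORT);
    if (target) {
        window.location.replace(target);
    }
}
```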

IIS redirect (Alternative SSL redirect option)

Another way to redirect to SSL is to use what's natively built into IIS.  I am not an expert on this solution but it looks promising as well depending on your specific needs.  If you go into an IIS site and go to the Home Tab, you’ll see the option for “a redirection to a URL” and then the “Redirect to:” field lets you specify where to redirect to.  IIS has a redirect syntax that you can use to redirect users to a site and can then force SSL as well.

IIS Redirect Syntax

 

Issues with Search

Forcing SSL tends to cause issues with the search crawler if not corrected.  Go into search settings and make sure that your crawler settings are pointing to HTTPS and not HTTP anymore.  SPS3 / SPS3S

http://www.tonytestasworld.com/post/2009/03/23/MOSS-Search-Protocal-Handlers.aspx

 

Good link that walks through at a low level what happens behind the scenes over the wire for HTTPS

http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html



© Copyright 2017 Tony Testa's World