Thursday, July 12, 2007

The RIGHT way to enable SSL on MOSS Web Applications

I have been going back and forth a few times on enabling SSL on MOSS 2007 Web applications and here is the way that I have found to work best.

1. Go to Central Administration --> Create or extend a new Web application --> Create a new Web application.
2. Fill in the Web application, database and application pool names as usual. Select Yes to enable SSL on the Web application, and if you are using a host header for this Web application, enter it too. (Important: make sure the port is set to 443, not 80.)
3. After the Web application has been created, reset IIS and open the IIS MMC. Find the IIS Web site that MOSS just created for you and select the right SSL certificate from the available certificates (ask your network folks to generate an internal or external SSL certificate for you, depending on whether this is a test or production server). Important: go to the Home Directory tab and click Advanced. Set the host header and the right IP address for the port 80 entry. For the SSL entries, select port 443 and the IP address (if the server has multiple IP addresses, I usually pick one here for these entries). Click Edit for the SSL entries and check the 'Require SSL' box. Also check 'Require 128-bit encryption' to make this more secure.
4. Now go ahead and create your first site collection for this Web application. MOSS automatically creates the site collection for you and presents you with an "https://..." link upon completion. You now have an SSL-ready Web application.
5. Out of the box, IIS 6 does not support multiple Web applications using SSL on the same server. If you want several MOSS 2007 Web applications to be SSL enabled, there are two ways of going about this. One is to obtain as many IP addresses as you need SSL Web applications on that server and assign one IP address per host header entry for ports 80 and 443 under IIS Web site properties --> Home Directory --> Advanced. The other option is to modify the IIS metabase to allow multiple SSL Web applications on the same IP address. Be careful with the second option and make sure you know what you are doing.
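The settings in steps 3 and 5 all end up in the IIS 6 metabase, so they can be checked without clicking through the MMC on every server. The following is an added example, not code from this post or from Microsoft: a small C# console tool that reads a Web site's bindings and SSL flags through the IIS ADSI provider (System.DirectoryServices) and reports anything that does not match the steps above. The site id (1) is a placeholder to be replaced with the Identifier shown in IIS Manager, and the metabase property names (ServerBindings, SecureBindings, AccessSSLFlags) and flag values are taken from the IIS 6 metabase reference. One caveat on the second option in step 5: IIS 6 has no server name indication, so several SSL sites sharing one IP address by host header only work when they all use the same certificate (a wildcard or multi-name certificate); the helper below just builds the binding string that option needs.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example, not code from the post. Runs on the IIS 6 server as an administrator and
// needs a reference to System.DirectoryServices.dll (the IIS ADSI provider ships with IIS 6).
public static class MossSslAudit
{
    // Bits of the metabase AccessSSLFlags property (IIS 6 metabase reference).
    public const int AccessSSL = 8;      // "Require secure channel (SSL)"
    public const int AccessSSL128 = 256; // "Require 128-bit encryption"

    public static bool RequiresSsl(int flags) { return (flags & AccessSSL) != 0; }
    public static bool Requires128Bit(int flags) { return (flags & AccessSSL128) != 0; }

    // A binding is stored as "IP:port:hostheader"; the IP and the host header may be empty.
    public struct Binding
    {
        public string Ip;
        public int Port;
        public string HostHeader;
    }

    public static Binding ParseBinding(string raw)
    {
        string[] parts = raw.Split(':');
        if (parts.Length != 3)
            throw new FormatException("unexpected binding format: " + raw);
        Binding b;
        b.Ip = parts[0];
        b.Port = int.Parse(parts[1]);
        b.HostHeader = parts[2];
        return b;
    }

    // Step 5, second option: the SecureBindings value that lets several SSL sites share one IP
    // by host header. Same string adsutil.vbs takes: set /w3svc/<id>/SecureBindings "<ip>:443:<host>"
    public static string HostHeaderSecureBinding(string ip, string hostHeader)
    {
        return ip + ":443:" + hostHeader;
    }

    private static List<string> ReadStrings(DirectoryEntry entry, string property)
    {
        List<string> values = new List<string>();
        foreach (object v in entry.Properties[property])
            values.Add(Convert.ToString(v));
        return values;
    }

    // Returns the findings for one site; an empty list means the site matches the post.
    public static List<string> Audit(int siteId)
    {
        List<string> findings = new List<string>();
        using (DirectoryEntry site = new DirectoryEntry("IIS://localhost/W3SVC/" + siteId))
        using (DirectoryEntry root = new DirectoryEntry("IIS://localhost/W3SVC/" + siteId + "/Root"))
        {
            bool has443 = false;
            foreach (string raw in ReadStrings(site, "SecureBindings"))
            {
                Binding b = ParseBinding(raw);
                if (b.Port == 443) has443 = true;
                else findings.Add("SSL binding on port " + b.Port + " instead of 443: " + raw);
            }
            if (!has443) findings.Add("no SSL binding on port 443 (steps 2 and 3)");

            foreach (string raw in ReadStrings(site, "ServerBindings"))
            {
                Binding b = ParseBinding(raw);
                if (b.Port == 80 && b.HostHeader.Length == 0)
                    findings.Add("port 80 binding has no host header: " + raw);
            }

            // Directory Security settings live on the site's root virtual directory;
            // a missing value means "not set", which Convert.ToInt32(null) maps to 0.
            int flags = Convert.ToInt32(root.Properties["AccessSSLFlags"].Value);
            if (!RequiresSsl(flags)) findings.Add("'Require secure channel (SSL)' is not set");
            if (!Requires128Bit(flags)) findings.Add("'Require 128-bit encryption' is not set");
        }
        return findings;
    }

    public static void Main(string[] args)
    {
        // Placeholder site id; read the real one from the Identifier column in IIS Manager.
        int siteId = args.Length > 0 ? int.Parse(args[0]) : 1;
        List<string> findings = Audit(siteId);
        if (findings.Count == 0)
            Console.WriteLine("site " + siteId + " matches the recommended SSL setup");
        foreach (string f in findings)
            Console.WriteLine("FINDING: " + f);
    }
}
```

Run it once per SSL Web application after step 3 (and again after any change to the bindings); the same three properties are what the IIS MMC writes when you tick 'Require SSL' and 'Require 128-bit encryption', so a clean run confirms the MMC changes actually landed in the metabase.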

37 comments:

Nathaniel said...

Hi Faraz!

I've implemented your recommendation on the project I'm currently working on. I'd like to confirm something with you however:

The project is an e-comm site that needs only a portion of the site to be SSL. From what I've seen of your suggested implementation, the SSL enabled site collection is a separate entity from the non-SSL site collection.

This would mean the SSL requiring pages need to be located in the new site collection on port 443, right?

Is there a way of allowing SSL and non-SSL traffic to a site collection?

Jason said...

Nathaniel,

I've implemented something like what you're describing with SSL switching. What I did is write a web part that you can add to your pages which basically says "If the current protocol is http, redirect to the same page with the https protocol".

The only issue is I now have to set up a new Site Collection that does the same thing. I think getting a new IP Address and installing another certificate on it will work...

SharePoint Boy said...

Hi,

What I wanted to do is for the user to access my SharePoint site www.site.com, then when they click on the login or user login tab, it will prompt them to log in through SSL. Once successfully logged in, they should change the URL from https back to http to save processing on the server. Any clues on how to do this?

Thanks,

Kyle

Faraz said...

Nathaniel,

I apologize, I have not been getting notified of comments of late.

You can allow SSL and non-SSL traffic to a site collection. My recommendation is to go through the motions of creating a SSL enabled Website and site collection and then after go to IIS --> Your website properties --> Directory Security --> Secure Communications --> edit --> Clear the 'Require secure channel' checkbox. Your pages should now work in both SSL and non-SSL mode.

Faraz said...

Kyle,

Two options come to mind right away.

1) Use a WSD or ISA server that does the SSL encryption/decryption for you. This will cost you more, but your server will only serve http requests, so less processing.

2) Another option is to use mixed mode (SSL and non-SSL) with a cookie to detect whether the user has logged in or not; if they haven't, redirect them to the login page with an https:// in the redirect link.

There are also other scenarios, but please test all options before you go down any route.

Andy said...

Hey, when it comes to mixed mode (SSL and non-SSL), is it actually secure to only encrypt the login page? Frankly I'd like to secure only the login, but I have read that unless you encrypt the forms auth ticket, then this mixed mode approach is pretty badly insecure.
Reference:
"• If SSL is used only on the initial logon page to encrypt the credentials passed for authentication, you should ensure that the Forms authentication ticket (contained within a cookie) is protected, because it is passed between client and server on each subsequent Web request. To encrypt the Forms authentication ticket, configure the protection attribute of the forms element and use the Encrypt method of the FormsAuthentication class to encrypt the ticket."
http://msdn2.microsoft.com/en-us/library/aa302386.aspx

Any thoughts on this? Has anyone tried to encrypt the ticket instead of doing SSL on all secured pages?
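The redirect web part Jason describes above, the cookie-based mixed mode Faraz suggests to Kyle, and the ticket-exposure problem Andy raises can all be handled in one ASP.NET HttpModule. The following is an added example and is not Jason's web part, nor anything MOSS ships; the module name, the namespace, the list of protected paths and the web.config registration are assumptions. Encrypting the ticket (the protection attribute in the MSDN quote) keeps its contents private, but a ticket that has travelled over plain HTTP can still be copied and replayed by anyone on the path, so the module also refuses to honour the forms cookie on a non-SSL request and marks any cookie it issues Secure.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (not from the post): one HttpModule that enforces HTTPS on selected paths and
// keeps the forms authentication ticket off plain HTTP. Registered via web.config (assumed):
//   <httpModules><add name="HttpsEnforcer" type="Examples.HttpsEnforcerModule" /></httpModules>
namespace Examples
{
    public class HttpsEnforcerModule : IHttpModule
    {
        // Hypothetical URL prefixes that must only ever be served over HTTPS.
        private static readonly string[] SecurePathPrefixes = { "/_layouts/login.aspx", "/checkout/" };

        public void Init(HttpApplication app)
        {
            app.BeginRequest += new EventHandler(OnBeginRequest);
            app.EndRequest += new EventHandler(OnEndRequest);
        }

        public void Dispose() { }

        // True when the request path starts with one of the protected prefixes.
        public static bool RequiresHttps(string path)
        {
            foreach (string prefix in SecurePathPrefixes)
            {
                if (path.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                    return true;
            }
            return false;
        }

        // The same URL with the scheme switched to https on the SSL port from the post (443).
        public static string ToHttpsUrl(Uri url)
        {
            UriBuilder b = new UriBuilder(url);
            b.Scheme = Uri.UriSchemeHttps;
            b.Port = 443;
            return b.Uri.AbsoluteUri;
        }

        private static void OnBeginRequest(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            if (ctx.Request.IsSecureConnection)
                return;

            // Jason's rule: a protected page requested over http goes to the same page over https.
            if (RequiresHttps(ctx.Request.Path))
            {
                ctx.Response.Redirect(ToHttpsUrl(ctx.Request.Url), true);
                return;
            }

            // Andy's concern: a forms ticket that arrived over plain http has already been exposed
            // to anyone on the network path. Expire it and send the user back through SSL.
            if (ctx.Request.Cookies[FormsAuthentication.FormsCookieName] != null)
            {
                FormsAuthentication.SignOut();
                ctx.Response.Redirect(ToHttpsUrl(ctx.Request.Url), true);
            }
        }

        private static void OnEndRequest(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            // Any forms cookie about to be issued gets the Secure flag so the browser only returns
            // it over https. Response.Cookies[name] would create a cookie, hence the AllKeys scan.
            foreach (string key in ctx.Response.Cookies.AllKeys)
            {
                if (string.Equals(key, FormsAuthentication.FormsCookieName, StringComparison.OrdinalIgnoreCase))
                    ctx.Response.Cookies[key].Secure = true;
            }
        }
    }
}
```

ASP.NET has a built-in equivalent of the cookie handling: `<forms ... protection="All" requireSSL="true" />` in web.config makes the runtime set the cookie's Secure flag and ignore the ticket on non-SSL requests. Either way the outcome is the one Kyle's question runs into: a browser will not send a Secure cookie to an http:// page, so the user appears logged out as soon as the URL switches back to http. Pages that need the user to be authenticated therefore have to stay on https; only anonymous pages can safely be served over plain http in a mixed-mode site.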

Anonymous said...

Hello Faraz,

Thanks for the writeup on securing the site collection.

What I have been unable to find any information on is what the 'Enable SSL' when creating the SSP itself does.

What I would like is to ensure that, as well as the user's name and password being encrypted (achieved as you outlined), the service accounts are also encrypted and the pages on which these accounts are set are encrypted. At present, a warning appears at the top along the lines of 'Warning: This page is not encrypted..'

I do not want any usernames and passwords for user accounts and service accounts sent across the lan or internet in clear text.

Any thoughts you have on this would be greatly appreciated

Faraz said...

Hi,
When creating the SSP, the enable SSL option allows you to 'Enable SSL connections to the SSP Web service by installing a certificate on each IIS server that hosts an SSP administrative site'.

So to answer some of your questions, ensure that all administrative Web applications (such as Central Admin and SSP Web apps) are SSL enabled. Standardizing the ports these 2 apps run in all the farms will help you in the long run. After that, SSL enable all your content Web applications - this ensures that all your usernames and passwords that the business users enter will be encrypted as they are passed from the client machine to the server for authentication.

You should NOT allow access to the administrative web applications over the internet - also SSL enabling them will ensure that even over the lan these usernames and passwords are secured.

Take a look at this blog post, it has great information on hardening and securing various types of MOSS environments. Security, Compliance, Server Hardening, and IP Protection

Anonymous said...

I enabled SSL on my https://intranet.endvizionz.com and I can access it within my network, but not outside. Do you know what might be wrong? I can see
If I type in http://intranet.endvizionz.com it tells me to use the https://

syed said...

Hi Faraz
In short, before you read the details: I want my completely designed website sharepoint-80 to run as SSL, but when I enable or extend the existing sharepoint-80 to SSL it says it is already used by SharePoint. Am I doing some blunder here?
Please advise - thanks, Syed.
Thanks for the SSL info. I tried, but my problem is that I have implemented MOSS 2007 on a standalone single server that suits our needs at the moment. However, I was using http with integrated authentication, but now because of some proxy server concern from overseas users who are using the Squid proxy, they are not able to complete authentication based on http because of proxy limitations. Hence the only solution is to implement https, but I need to know: my website is running with all the design already on sharepoint:80 as default, but when I extend this 80 and manipulate it for SSL, and later for http to use SSL at IIS after installing a self-created certificate, sharepoint:80 does not work and nor does the SSL. I do understand that you are asking to create it as a new web app under Create or Extend in Central Admin, but how do I migrate the website contents from sharepoint-80 to this new SSL one? If I just copy over the WSS virtual folder, will it work?
- Thanks & Best Regards.
- Syed (syedhussainy@gmail.com)

nabeel said...

Hi Faraz!

I restored my SharePoint 2007 backup, but I am getting this error:
"Warning: this page is not encrypted for secure communication. usernames, passwords, and any other information will be sent in clear text. For more information, contact your administrator.
This page contains one or more error. Fix th following before continuing".

Please kindly help me to solve the error.

Thank you

Regards

Faraz said...

Hi Nabeel,
Please give me more details. You are restoring your 2007 backup? Can you give more details?

Did you have SSL enabled on the Web application before, or did you enable it just before the restore?

krish said...

Hi Faraz,

Can I enable SSL after creating the web application? We hadn't checked the SSL checkbox at the time of creation, and we would like to enable SSL now. How can we achieve this? Please let me know how this can be done.

Thanks
Kris

Kalvador said...

Hi, Faraz!
First, sorry for my English :) I hope all will be clear. In my case SSL is used in another way ... I use (at least I want to) SLDAP with forms-based authentication. The directory service is OpenLDAP on a Unix-like machine. When I use the ldp.exe tool it works. FBA (forms-based authentication) always works without SSL encryption through port 389, but when I try to use secure LDAP through port 636 it fails. Any suggestion will be appreciated.
Thanks

Hanif said...

I enabled SSL on the Sharepoint V3 site as per your instructions and once I do, the site breaks and says "page cannot be displayed". The SSL certificate is a wildcard certificate for a domain name. Please help

Faraz said...

Haneef,
I have tried this process many times and it has worked. Can you try it once more on a new Web application - make sure to follow my directions very clearly. Let me know if you still have the error.

Kalvador said...

Hi all, my trouble is resolved. It was a problem with the certificate :)
Thanks

Nalaka said...

I am facing an issue with SSL enabling host-named site collections.
This is a shared hosting scenario with WSS host-named site collections with forms-based authentication
to authenticate users against an ASP.NET SQL membership database using a custom ASP.NET SQL membership provider.

Each user uses their unique email address to log in to their WSS site, and we use wildcard DNS with the root domain *.mydomain.com, so the site collections have sub-domains such as site1.mydomain.com, site2.mydomain.com etc. The SharePoint web application which serves site collections to internet users with FBA is running on port 80 in the default zone under alternate access mappings.

Now I am having a problem with SSL enabling my WSS site collections. I am not using AD.

Also, because they are host-named site collections, I cannot use the extranet scenarios provided by alternate access mappings, such as SSL termination capabilities.

What are the options I have for applying SSL to host-named wss site collections that use custom SQL membership based forms authentication ?

Nalwi

Anonymous said...

How do you enable SSL AFTER the SITE is up and running? I've tried Alternate Access Mapping but it did not work.

Dhanush Kumar said...

Hi Faraz,

I have implemented a site collection with SSL. The issue, however, is that I have multiple domains that are redirected to the secured host.
I need to be able to find the domain that made the original request. Is there a way to achieve this?
Thanks
DK

Anonymous said...

I probably know the answer to this already, but I am not using forms; I am using Windows auth and NTLM.

Is it really necessary to SSL the site? There is no data that needs to be secured.

Balakrishna Basa said...

I have SharePoint 2007 server installed on Windows Server 2003 with IIS 6.0.
On port 80 we have a SharePoint intranet portal running.
Now we have a requirement for another web application which needs to be hosted on this SharePoint server with a unique host header (FQDN), which will be browsable through the internet using an https URL and within the intranet through an http URL.
I want to know which port I should use as the SSL port for this web application.
In future the default intranet portal running on port 80 will also be configured for SSL.
Can I use a different port number for the SSL configuration other than 443?
If I can use a different port number for the SSL configuration, will the site be browsable through the FQDN, or do I need to specify the port number along with the FQDN?
Please let me know the impact of using a port other than 443 for the SSL configuration.

Kitty said...

Hi Faraz,

Hope you are doing good.

Actually I have enabled SSL on my web application on SharePoint 2007.

Previously the web application was working, but now when I am trying to access the site it is displaying the prompt box, and after entering the credentials it is displaying a blank page (some certificates are also enabled with it). Can you please help on this, Faraz?

Regards,
Kitty

Mani Kandan said...

Thanks for this step by step walk-through!

To Configure SSL Certificates in SharePoint 2010 for HTTPS Access - Step by Step, this article could help: http://www.sharepointdiary.com/2012/03/configuring-ssl-certificates-in-sharepoint-2010.html

digital signature Adobe Reader said...

EXCELLENT information. Your directions are clear and concise, and easy to follow. Thanks for your hard work in posting this info.