Thursday, August 09, 2007
MOSS with SSL Wildcard Certificates and Host Headers
Just using Host Headers with IIS is not a problem. Using Host Headers combined with SSL and MOSS is tricky at best. Joel has a good place to start. Combined with the article from Adrian Spear and a bit of testing for the missing MOSS piece of the puzzle, we arrived at a working solution.
We have taken the following approach. First we get a list of site IDs and put them aside for later use. We install the wildcard certificate on the websites, temporarily disabling them. Then we tell IIS to set the Host Header on the SSL-enabled websites. As a last step we let MOSS know the Web Applications are using SSL:
Requirements
- MOSS Web Applications are installed with host headers.
- FQDNs are present, either via hosts file or DNS entries.
- Wildcard SSL certificate, e.g. *.domain.com
Installation
- Get a list of site IDs:
  cscript %systemdrive%\inetpub\adminscripts\adsutil.vbs enum w3svc /p
- Install the wildcard certificate on the IIS websites.
  Only the first website will keep running; the rest of the modified websites will stop. This is due to conflicting settings and will be resolved in the following step.
- Set SecureBindings for all websites running SSL, using the following statement for each website:
  cscript %systemdrive%\inetpub\adminscripts\adsutil.vbs set /w3svc/<Site ID>/SecureBindings ":443:<Host Header>"
  for example:
  cscript %systemdrive%\inetpub\adminscripts\adsutil.vbs set /w3svc/1073495765/SecureBindings ":443:www.domain.com"
  (Get the site IDs from the output of Step 1 and match each site ID with the site's Host Header, which can be found in IIS Manager.)
- Perform an IISreset to start all the websites again.
- Now, go to Central Administration > Operations > Alternate Access Mappings > Edit Public Zone URLs and change all SSL-enabled sites from http:// to https://. The precise amount of editing depends on the AAM settings you use.
- Back up your metabase!
I'm not entirely sure about step 5, as there are other viable scenarios. On our six MOSS farms, each hosting more than 10 Web Applications, it worked like a charm, however.
If you want to know more about WildCard SSL Certificates and Host Headers in IIS 6.0, an article from Chris Adams is a good introduction on the subject matter.
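A pre-flight check for the SecureBindings step, as an added example that is not part of the original post: it verifies that each host header is actually covered by the wildcard certificate (the `*` matches exactly one label) and that no two sites claim the same :443 binding, then emits the adsutil commands. All site IDs and host headers except the 1073495765 / www.domain.com pair are constructed sample data, and the function names are hypothetical.

```python
ADSUTIL = r"cscript %systemdrive%\inetpub\adminscripts\adsutil.vbs"
WILDCARD = "*.domain.com"  # wildcard certificate name used on the page

# Constructed sample: site ID -> host header. Only the first pair is from the page.
SITES = {
    "1073495765": "www.domain.com",
    "1000000001": "intranet.domain.com",
    "1000000002": "domain.com",            # apex: not covered by the wildcard
    "1000000003": "my.portal.domain.com",  # two labels deep: not covered
    "1000000004": "WWW.domain.com",        # same binding as the first site
}


def wildcard_covers(pattern, host):
    """True if host matches pattern, where '*' stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def plan_bindings(sites, pattern):
    """Return (commands, problems) for the SecureBindings step."""
    commands, problems, seen = [], [], {}
    for site_id, host in sites.items():
        key = host.strip().lower()  # stray spaces would end up in the binding
        if not wildcard_covers(pattern, key):
            problems.append(f"{site_id}: {host} is not covered by {pattern}")
        elif key in seen:
            problems.append(f"{site_id}: {host} already bound to site {seen[key]}")
        else:
            seen[key] = site_id
            commands.append(
                f'{ADSUTIL} set /w3svc/{site_id}/SecureBindings ":443:{key}"'
            )
    return commands, problems


if __name__ == "__main__":
    commands, problems = plan_bindings(SITES, WILDCARD)
    print("\n".join(commands))
    for problem in problems:
        print("SKIPPED", problem)
```

Sites reported as skipped would either trigger certificate name warnings in the browser or fail to start because of a duplicate binding, so resolve them before running the generated commands.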
Labels: moss
See this article:
http://support.microsoft.com/kb/896284

