Changing Default Sharepoint 2010 site to use only https
-
July 16, 2012 9:52
Hi,
I'm quite new to both IIS and Sharepoint 2010 Administration, and would appreciate, if anyone has any, some links to documentation on how to change our Sharepoint 2010 installation to use https.
Our initial install was quite basic; we are using two WFEs, no load balancing (this was set up before my time, so not sure I entirely understand this, either!) and would like both internal and external access through https.
I have a wildcard certificate and have installed it on both the servers through IIS.
I have read a lot about deleting the site from IIS using Central Admin (through the manage web applications section) and then recreating to use https, but am unsure about what to fill in when creating a new Web Application in sections such as "Host Header". Is there any way I can instead just change the *existing* settings?
If not, when creating a new Web App, would I need to specify the port for the new web app as 443? Will the Application Pools have been deleted if I delete the existing http site through Central Admin?
Should the Public URL section read https://our.domain.com ?
Sorry to ask these very basic questions. Any help is greatly appreciated, even if it is just a link to "Dummy's guide to how to change your Sharepoint 2010 site from http to https".
All replies
-
July 16, 2012 13:27
Hi Onion,
There is no need to delete and recreate web applications or their associated sites. You can simply change the Access Mapping for the Default Zone by selecting Application Management and then Configure Alternate Access Mappings in Central Admin. From there you can click on Edit Public URL's and change the Default Zone from http to https. You will need to add the binding for the SSL certificate once this change has been made.
If you only have one IP address you may have to use SSL host headers in IIS which can be configured as documented in the following link:
http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html
If you're using IIS 7.5 you can actually configure this using the GUI.
You can also remove the binding for HTTP in IIS and create a new site in IIS that will redirect all traffic from HTTP to HTTPS. Also, you may want to check the Content Sources section in your Search Service Application and ensure only the HTTPS versions of the sites are listed after the changes have been made. Please let me know if this helps.
-Chopps
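The steps in the reply above (change the Default zone public URL, add the SSL binding, move plain HTTP to a redirect-only IIS site), as an added example that is not part of the thread. The IIS site names, folder path, URLs and certificate thumbprint are placeholders or assumptions, and the redirect step assumes the IIS "HTTP Redirection" role service is installed.

```powershell
# Added example, not from the thread. Run elevated in the SharePoint 2010 Management Shell.
# Every name below is an assumption or placeholder: replace with your own values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$hostName = 'sharepoint.mydomain.com'            # external host name (assumed)
$oldUrl   = "http://$hostName"                   # current Default zone public URL (assumed)
$newUrl   = "https://$hostName"
$spSite   = 'SharePoint - 80'                    # IIS site of the web application (assumed)
$redirDir = 'C:\inetpub\http-redirect'           # empty folder for the redirect site (assumed)
$thumb    = '<WILDCARD-CERT-THUMBPRINT>'         # placeholder: thumbprint of the installed cert

# 1. Alternate Access Mapping: switch the Default zone public URL to https.
#    AAMs are farm-wide, so this step runs once, not per server.
Set-SPAlternateURL -Identity $oldUrl -Url $newUrl

# Steps 2-4 are IIS changes and must be repeated on every web front end.

# 2. Add an https binding with a host header, then attach the certificate
#    to the IP:port endpoint if nothing is bound there yet.
New-WebBinding -Name $spSite -Protocol https -Port 443 -IPAddress '*' -HostHeader $hostName
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    Get-Item "Cert:\LocalMachine\My\$thumb" | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
}

# 3. Remove the plain http binding from the SharePoint site.
#    '*:80:' assumes the original binding has no IP address or host header.
Remove-WebBinding -Name $spSite -BindingInformation '*:80:'

# 4. A separate, content-free IIS site answers http and redirects to https.
New-Item $redirDir -ItemType Directory -Force | Out-Null
New-Website -Name 'HTTP Redirect' -Port 80 -HostHeader $hostName -PhysicalPath $redirDir
Set-WebConfiguration -Filter 'system.webServer/httpRedirect' `
    -PSPath 'IIS:\Sites\HTTP Redirect' `
    -Value @{ enabled = 'true'; destination = $newUrl; httpResponseStatus = 'Permanent' }

# 5. Review the result: the mappings SharePoint knows and the bindings IIS serves.
Get-SPAlternateURL | Format-Table IncomingUrl, Zone, PublicUrl -AutoSize
Get-WebBinding | Format-Table protocol, bindingInformation -AutoSize
```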
-
July 17, 2012 13:07
Hi, thank you very much for your response. Unfortunately, I had made such a hash of things whilst attempting this on my own that I was forced to delete the IIS site through Central Admin and re-create it.
I have now followed the steps you have outlined, with success, although not to the letter as our certificate is a wildcard certificate, and if we access internally using https://sharepoint, this throws errors. Instead I have left the site as HTTP for internal, but added https for external access using https://sharepoint.mydomain.com which seems to be working great!
Unfortunately, it seems that access through http://sharepoint.mydomain.com still "works", in that the site loads and (some) content is displayed (although there are a lot of errors due to SP being unable to resolve the plain http address).
Could anyone suggest a way I could maintain my https external URL, whilst also keeping my http internal URL, but redirect those attempting to access the HTTP external URL to the secure site? If that makes sense...
I thought about making a little redirector web part, until I figured that they will already have entered their password by then...
-
July 17, 2012 16:57
Hi Onion,
How are the host headers and AAMs setup currently? The three core things you need to get anything like this setup are SharePoint AAMs, IIS Host Headers, and the appropriate DNS entries. As long as those core three pieces exist correctly then it should work. So for example you should have:
AAMs:
Internal URL                      Zone       Public URL for Zone
https://sharepoint                Intranet   https://sharepoint
https://sharepoint.mydomain.com   Default    https://sharepoint.mydomain.com

IIS Host Header Bindings (single IIS site, multiple bindings):
Type - https
IP Address - [your IP here]
Port - 443
Hostname - sharepoint
SSL Certificate - *.yourdomain.com

Type - https
IP Address - [your IP here]
Port - 443
Hostname - sharepoint.yourdomain.com
SSL Certificate - *.yourdomain.com

Is it setup differently from this?
Kyle Rideout - SharePoint Administrator
-
July 18, 2012 8:16
Hi Kyle,
Yes, it is different. I had to set up the Intranet zone without https because it displayed a certificate error (due to the fact, I guess, that it is not *.mydomain.com).
I was thinking I would create one web application for Intranet, accessed at http://sharepoint, and then extend this to a new IIS site for access over the internet, using https. This way I can, I understand, completely disable http for this one.
In IIS, neither of my current bindings lists an IP address or hostname. I have http, Port 80, with no other info, and https, Port 443, with * for the IP address.
I guess if I want to extend my http web application to https, I will need a secondary IP address? Or can I just pick a port to distinguish the two?
Thank you again for your help... I find the best way of learning is by doing it wrong. Many times.
Edit: I have done as I wrote, by creating one Web Application accessed at http://sharepoint internally. I then extended this Web Application to a new one on Port 443. Went into IIS, edited the binding for the new IIS site to use our wildcard cert, and went into the SSL Settings and checked the "Require SSL" box.
Unfortunately, when typing http://sharepoint.mydomain.com in, it allows this and does not redirect to https before asking for a username and password. Actually, when accessing through http, it asks for a username and password TWICE, and THEN loads https. What have I done wrong?!
- Edited by Onion77 July 18, 2012 10:41
-
July 21, 2012 5:01
Hello Onion,
If I were you I would just use SSL for both internal and external requests so the web application would be created as https://sharepoint.mydomain.com. You could then set up a separate site in IIS to handle all http requests and redirect them to the https version.
Also, there is no reason to extend a web application unless you are planning on using a different authentication method (i.e. NTLM vs Forms-based authentication). In fact, the reason you are getting double authentication prompts is probably because it was extended instead of just adding an Alternate Access Mapping.
Although it may appear the prompt is coming over http it is actually coming over https. If you open fiddler and hit the site in IE you should see a 301 or 302 directing it to https and then a 401 requesting authentication to the site.
-Chopps
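The check described in the reply above (a 301 or 302 to https, then a 401 from the https site) can be scripted instead of read off Fiddler. This is an added example, not part of the thread; the function names are hypothetical and the URL in the usage comment is the one used in the posts.

```powershell
# Added example, not from the thread. Walks the redirect chain one hop at a time,
# without sending credentials, and reports where the authentication challenge appears.
function Get-ResponseChain {
    param([string]$Url, [int]$MaxHops = 5)
    $chain = @()
    for ($i = 0; $i -lt $MaxHops; $i++) {
        $req = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create($Url)
        $req.AllowAutoRedirect = $false      # report every hop instead of following silently
        try { $resp = $req.GetResponse() }
        catch {
            # 4xx/5xx arrive as a WebException (possibly wrapped); the response is still attached.
            $ex = $_.Exception
            while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
            if (-not $ex -or -not $ex.Response) { throw }   # DNS, TLS or connection failure
            $resp = $ex.Response
        }
        $hop = New-Object PSObject -Property @{
            Url      = $Url
            Status   = [int]$resp.StatusCode
            Location = $resp.Headers['Location']
            Auth     = $resp.Headers['WWW-Authenticate']
        }
        $resp.Close()
        $chain += $hop
        if ($hop.Status -lt 300 -or $hop.Status -ge 400 -or -not $hop.Location) { break }
        $Url = (New-Object System.Uri(([Uri]$Url), $hop.Location)).AbsoluteUri
    }
    $chain
}

function Test-HttpsRedirect {
    param([string]$HttpUrl)
    $chain = @(Get-ResponseChain $HttpUrl)
    $first = $chain[0]
    $last  = $chain[-1]
    # Any 401 or WWW-Authenticate header on an http:// hop means credentials
    # are being requested before the connection is encrypted.
    $cleartext = @($chain | Where-Object { $_.Url -like 'http://*' -and ($_.Status -eq 401 -or $_.Auth) })
    New-Object PSObject -Property @{
        RedirectsToHttps  = (($first.Status -eq 301 -or $first.Status -eq 302) -and $first.Location -like 'https://*')
        AuthOnlyOverHttps = ($cleartext.Count -eq 0)
        FinalUrl          = $last.Url
        FinalStatus       = $last.Status     # 401 expected here, since no credentials were sent
        Chain             = $chain
    }
}

# Usage: Test-HttpsRedirect 'http://sharepoint.mydomain.com' | Format-List
```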
-
July 23, 2012 11:41
Hi,
I tried to create the same way as you suggested.
https://localhost/Pages/Default.aspx ( iis localhost site for 443 is working fine) but
https://server.domain.com/ is not working. (Internet Explorer cannot display the page error) Not sure what the issue is.
Please help me out here.
Thanks
- Marked as answer by Jack-Gao, Microsoft Contingent Staff, Moderator, July 27, 2012 10:58
-
July 23, 2012 15:19
Are you testing both domains locally on the server? Is there a valid A record for server.domain.com? Try pinging that domain to see what you get. Also, if you are using Windows Firewall or a hardware firewall you may also want to verify port 443 is open.
-Chopps
-
July 27, 2012 9:41
Https sharepoint site is working fine.
But I want both to work http as well as https. Do I need to do any configuration?
Thanks
- Edited by Sri2108 July 27, 2012 9:42

