Windows Security Updates break fully qualified Alternate Access Mappings

    Question

  • Hi

    Has anyone noticed that 2 Security Updates, 2019-05 Cumulative Security Update for Internet Explorer 11 for Windows 7 for x86-based systems (KB4498206) and 2019-05 Security Monthly Quality Rollup for Windows 7 for x86-based Systems (KB4499164), break fully qualified Alternate Access Mappings? The only way to access the sites is to remove the domain at the end of the Access Mapping. http://site.domain.co.uk does not work but http://site does. Removing the updates fixes this.

    Friday, May 17, 2019 8:46 AM

All replies

  • This is an interesting change:

    • Adds "gov.uk" to the HTTP Strict Transport Security Top Level Domains (HSTS TLD) for Internet Explorer. 

    This means it only impacts AAMs with *.co.uk. It also means you MUST be using SSL on your Web App, which you should already be doing.


    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Friday, May 17, 2019 2:20 PM
    Moderator
  • Trevor

    Sorry, typing error: http://site.domain.gov.uk does not work but http://site does.

    Friday, May 17, 2019 2:35 PM
  • Trevor

    Sorry, typing error: http://site.domain.gov.uk does not work but http://site does.

    Right, which makes sense. This isn't a SharePoint issue, it is an HSTS list issue which IE/Edge respect. As you can see in the KB, *.co.uk was added to the HSTS list, which means any subdomain of .co.uk MUST have an SSL certificate, http:// will no longer work.

    But it does look like Microsoft is working with the UK to resolve this issue, eventually.


    Trevor Seward


    Friday, May 17, 2019 2:53 PM
    Moderator
  • Do you still have the FQDN in Central Administration > Web application management > Alternate access mappings for your web app? Also, is the FQDN specified in the IIS site bindings for the web app?

    Blog - http://sadomovalex.blogspot.com
    Dynamic CAML queries via C# - https://github.com/sadomovalex/camlex

    Friday, May 17, 2019 2:55 PM
  • Do you still have the FQDN in Central Administration > Web application management > Alternate access mappings for your web app? Also, is the FQDN specified in the IIS site bindings for the web app?

    Blog - http://sadomovalex.blogspot.com
    Dynamic CAML queries via C# - https://github.com/sadomovalex/camlex

    This won't matter. As long as you're attempting to use http:// with any site in the co.uk subdomain, IE/Edge will fail to connect to it due to the HSTS list. This isn't exclusive to IIS on Windows, or SharePoint Server, etc.

    Trevor Seward



    Friday, May 17, 2019 2:56 PM
    Moderator
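
An added example (not from any poster in this thread or from Microsoft): a PowerShell check of which mapping URLs sit under an HSTS-listed suffix while still using http://, which is the combination the replies above describe as failing in IE/Edge. The function name `Test-HstsSuffixImpact` and the sample URLs are made up for illustration, and the suffix list is an input you supply from the KB text.

```powershell
# Added example, not from the thread. Flags http:// URLs whose host falls under
# a suffix on the browser's HSTS list, i.e. mappings that need an HTTPS binding.
function Test-HstsSuffixImpact {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $Url,

        # Suffixes assumed to be on the HSTS list; take them from the KB article.
        [Parameter(Mandatory)]
        [string[]] $HstsSuffix
    )
    process {
        foreach ($u in $Url) {
            $uri = $null
            if (-not [Uri]::TryCreate($u, [UriKind]::Absolute, [ref] $uri)) {
                Write-Warning "Skipping unparsable URL: $u"
                continue
            }
            $hostName = $uri.Host.ToLowerInvariant().TrimEnd('.')
            # Match on label boundaries: 'x.gov.uk' matches 'gov.uk', 'notgov.uk' does not.
            $hit = $HstsSuffix | Where-Object {
                $s = $_.ToLowerInvariant().Trim('.')
                $hostName -eq $s -or $hostName.EndsWith(".$s")
            } | Select-Object -First 1

            [pscustomobject]@{
                Url           = $u
                Host          = $hostName
                Scheme        = $uri.Scheme
                MatchedSuffix = $hit
                NeedsHttps    = ($uri.Scheme -eq 'http') -and [bool] $hit
            }
        }
    }
}

# Constructed sample mappings; 'gov.uk' is the suffix quoted from the KB in the thread.
$sample = 'http://site.domain.gov.uk', 'https://site.domain.gov.uk', 'http://site', 'http://notgov.uk'
$sample | Test-HstsSuffixImpact -HstsSuffix 'gov.uk' | Format-Table -AutoSize

# On a farm server (assumes the SharePoint snap-in is loaded):
# Get-SPAlternateURL | ForEach-Object IncomingUrl | Test-HstsSuffixImpact -HstsSuffix 'gov.uk'
```

Only the first sample URL comes back with `NeedsHttps` set to True: the single-label `http://site` and the look-alike `notgov.uk` do not match the suffix, and the https:// mapping is already compliant.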
  • Microsoft have rolled out a fix for the issue on Windows 10; hopefully the Windows 7 fix isn't too far away, as we still have some machines on 7.

    Cheers Ross Urquhart

    Monday, May 20, 2019 8:07 AM
  • Hi,

    There is a fix, Cumulative update for Internet Explorer: May 18, 2019 (KB4505050), which fixes the issue that prevents access to some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) when using Internet Explorer 11. It applies to Internet Explorer 11 on Windows 7 SP1.

    Best regards,

    Grace Wang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, May 20, 2019 9:39 AM
  • Hi,

    I’m checking how things are going with this issue. Did the post help you?

    You can mark the post as answer if it helps.

    Best regards,

    Grace Wang


    Monday, May 27, 2019 9:47 AM