I have had numerous problems getting SSL and Kerberos working throughout the SharePoint project I'm on. The requirements were for secure sites built on SharePoint 2007 technology, with separate DNS entries pointing to individual sites, for example [Workgroups, Project Center, Employee Profiles, Search Center]. The problem was that each had to be its own site and not become an extension of just one site, as in most Microsoft examples [see the fake company topology for Fabrikam]. On that note, if anyone disagrees with my example or has a better way, please ping me and let me know. I have to give kudos to Martin Kearn [see http://blogs.msdn.com/martinkearn/archive/2007/04/23/configuring-kerberos-for-sharepoint-2007-part-1-base-configuration-for-sharepoint.aspx] for leading me in the right direction.
Prerequisites:
No sites are on port 80 except the default website.
Create your DNS entries for your sites.
Assumptions:
You have read Martin Kearn's blog posts
You already have a certificate server or 3rd party certificate and know how to use and apply it
Steps:
Step 1 – Create a new site with the central administration page.
I. Application Management -> Create or Extend Web Application -> Create a new Web application
II. Enter the following:
a. Description: change the default to whatever you like; in my example I change it to `Workgroups'
b. Port: optional to change the port unless it's 80 [later this will be your SSL port]
c. Host Header: this is the DNS entry for the site you're creating; in my example it is `workgroups.devsharepoint'
d. Authentication Provider: Kerberos
e. Allow Anonymous: No
f. Use Secure Sockets Layer (SSL): Yes
g. Load Balancer: Leave default or choose some other site
h. Application Pool: ensure you use an application pool whose identity has an SPN assigned to it; refer to the Martin Kearn blog
i. Restart Manually
j. Database Name: WSS_CONTENT_[SITENAME], e.g. WSS_Content_workgroups
k. Database authentication: However you access your data.
III. Click OK. A warning will appear; make sure you read it and have the necessary requirements in place, and the site will be created.
IV. Create your site collection and click OK.
Issue a Certificate for the Web Site
Perform the following steps to install the current certificate from the certificate authority (CA):
1. On the Web site (the Workgroups site in this example), click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
2. In the Internet Information Services (IIS) Manager console, expand the Web Sites node and click the Default Web Site. Right click the Default Web Site and click Properties.
3. In the Default Web Site Properties dialog box, click the Directory Security tab. On the Directory Security tab, click the Server Certificate button.
4. Click Next on the Welcome to the Web Server Certificate Wizard page.
5. On the Server Certificate Assignment page, select the Assign an existing certificate option and click Next.
6. Select the server certificate you assigned to the server.
7. Ensure the SSL port is the same as your SharePoint site's SSL port, click Finish, and your site should be available.
Now here is where the vanity happens, because the port number is awful to look at and even harder for users to remember. Here is what you need to do next in order for the site to be reached by its DNS entry.
First, create a new web site on the web server with the same name as the site you created but prefixed with AAM_, i.e. AAM_[sitename], e.g. AAM_workgroups.
Here are the steps:
1. Create the folder structure where your sites are created. The usual placement is `C:\Inetpub\wwwroot', but I'm not usual, so I place mine on a larger drive at `E:\Inetpub\wwwroot'. Under this directory you create new folders named after your SharePoint sites, e.g. workgroups.
See photo for structure
In this folder create a file called `default.aspx' and place the following code in it, which redirects the request to the SSL page that corresponds to your newly created SharePoint site.
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    // Send every request that reaches the port-80 host-header site
    // to the SSL SharePoint web application on its own port.
    protected void Page_Load(object sender, EventArgs e)
    {
        Response.Redirect("https://workgroups.devsharepoint:10530/default.aspx");
    }
</script>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>Untitled Page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
</div>
</form>
</body>
</html>
2. On the Web site (the Workgroups site in this example), click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
3. Right click the Default Web Site and choose New -> Web Site, then click Next.
4. Type your description, AAM_[sitename], e.g. AAM_workgroups, and click Next.
5. Keep the IP unassigned, keep the default port 80, and enter your DNS entry as the host header, e.g. workgroups.devsharepoint.
6. Browse to the path where you created the new folder with the default.aspx file, then click Next.
7. Ensure you check `Run scripts', then click Next and Finish.
8. Right click the new web site and choose Properties; ensure the authentication mode is Integrated Windows authentication.
Now when you browse to the DNS entry you will be redirected internally to the SSL URL.
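One default.aspx that can be shared by every AAM_ site, added here as an example rather than the post's own code: it looks up the SSL port from the incoming host header, keeps the same host name (so the certificate subject still matches), preserves the path and query string of whatever request reaches the page, and returns a 404 for any host header it does not know instead of redirecting blindly. Only workgroups.devsharepoint:10530 comes from the post; the other host names and ports in the table are assumed values.

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Collections.Generic" %>
<script runat="server">
    // Host header of each AAM_ site -> SSL port of the matching SharePoint web application.
    // workgroups:10530 is the post's example; the other three entries are assumed values.
    private static readonly Dictionary<string, int> SslPorts =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase)
    {
        { "workgroups.devsharepoint",    10530 },
        { "projectcenter.devsharepoint", 10531 },
        { "profiles.devsharepoint",      10532 },
        { "search.devsharepoint",        10533 }
    };

    protected void Page_Load(object sender, EventArgs e)
    {
        int port;
        if (!SslPorts.TryGetValue(Request.Url.Host, out port))
        {
            // Unknown host header: refuse rather than redirect to a site we did not configure.
            Response.StatusCode = 404;
            Response.End();
            return;
        }

        // Rebuild the requested URL on the same host name, swapping in https and the
        // SSL port while keeping the original path and query string intact.
        UriBuilder target = new UriBuilder(Request.Url);
        target.Scheme = Uri.UriSchemeHttps;
        target.Port = port;

        // 301 so browsers and proxies remember the HTTP -> HTTPS mapping for this host.
        Response.StatusCode = 301;
        Response.AddHeader("Location", target.Uri.AbsoluteUri);
        Response.End();
    }
</script>
```

Drop the file into each AAM_ site's folder (or point all of them at one shared folder) and add a row to SslPorts for every SharePoint web application you create.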