This is the second in a series of posts on securing mixed SSL sites in SharePoint. This post will cover how to configure a SharePoint forms based web application to allow SSL/HTTPS connections. The process involves setting up an SSL certificate and configuring IIS and SharePoint to allow requests over HTTPS.
The following steps assume that you have a SharePoint web application already set up using forms based authentication. If you need details on how to do this see the article on Technet titled “Forms Authentication in SharePoint Products and Technologies”. We will be using IIS 7 in this example but a similar process can be followed using IIS 6 using the SelfSSL utility. As mentioned in the previous article this will differ if you are using off-box SSL termination and/or already have a registered SSL certificate.
The following diagram shows the logical architecture for the setup that will be covered. The default web application is configured at www.company.com and uses forms based authentication with a SQL database to store membership and role information. This web application allows anonymous access and is exposed to the public over the internet. The default web application has been extended onto a second IIS web site at author.company.com that is configured to use Windows authentication. This is a simple configuration that allows internal users to enter content on a separate site that is not available externally. Other configurations are possible (including using content deployment) but aren’t in the scope of this article.
The first step we will cover is shown on the right of the diagram and involves adding an additional binding to the www.company.com web site in IIS and adding an alternate access mapping to the web application in SharePoint.
Associate an SSL certificate with the IIS website
On a production environment you will obviously need to purchase a SSL certificate for the domain that you wish to secure but on a development environment an easy way to mimic this is to create a self signed certificate.
Create a new Self Signed Certificate for the existing web application
1. Click on the root node in IIS 7 Manager and select the “Server Certificates” icon in the feature pane on the right:
2. Click the “Create Self-Signed Certificate…” link on the right hand side of the page
3. Enter a name (I’m using www.company.com in this example) and click OK. You should see your certificate appear in the list of server certificates.
4. Select the IIS site that is running the SharePoint application and click on the “Bindings…” link on the right hand side of the page
6. Click OK. At this point we have configured IIS to allow connections to this site over SSL but we need to let SharePoint know to map these requests to the correct web application.
Configure SharePoint to accept requests over HTTPS
8. Select the Alternate Access Mapping Collection for the FBA web application and enter the relevant HTTPS address (e.g. My FBA site is located at http://www.company.com as an example so I would enter https://www.company.com). It is up to you which Zone you put the URL in as this doesn’t affect anything and is just there to help you remember what they are each used for.
9. That’s it! You should now be able to browse to your site using SSL. If you are using a self signed certificate you will first be presented with a certificate warning so click on the “Continue to this website (not recommended)” link and your site will be displayed.
Now we can browse to our site over HTTP and HTTPS but will need to do some more work to ensure that the right protocol is used for each page. We need to ensure that pages displaying or sending sensitive information like passwords and/or address details are delivered over HTTPS, but pages such as the homepage are delivered via HTTP to avoid the additional processing encrypting and decrypting these non-sensitive pages.
- MSDN covers the process of setting up a forms authenticated site in their article “Forms Authentication in SharePoint Products and Technologies (Part 1): Introduction”
- The SharePoint Team blog covers Alternate Access Mappings in more detail in their article “What every SharePoint administrator needs to know about Alternate Access Mappings (Part 1 of 3)”
- Scott Guthrie has a more detailed explanation of how to enable self signed certificates using IIS 7.0