1. Setup Https<\/h2>\n
I’m assuming that you already have your SharePoint web application setup and operating over Http. The first step is to enable it to operate over https as well.<\/p>\n
- \n
- Open IIS and select your SharePoint Web Application from the list of sites.<\/li>\n
- From the right-hand Actions menu, select ‘Bindings…’.<\/li>\n
- From the Site Bindings dialog that opens, click ‘Add…’<\/li>\n
- From the Add Site Binding dialog that opens, choose a type of ‘https’. \u00a0This will default to a port of 443. \u00a0You also have to select the SSL Certificate to secure the site with (You have to have already purchased an SSL certificate, or generated a private one). Click OK and close the Site Bindings dialog.<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/blogs.visigo.com\/chriscoulson\/wp-content\/uploads\/2011\/10\/httphttps1orig-500x373.png\" "\\"httphttps1orig\\"")
<\/a><\/div>\n2. Configure SharePoint to use Https<\/h2>\n
In addition to configuring https in IIS, SharePoint also has to be configured to recognize the https address.<\/p>\n
- \n
- Open SharePoint Central Admin and select ‘Application Management’, ‘Configure Alternate Access Mappings’<\/li>\n
- Select your Web Application from the ‘Alternate Access Mapping Collection’.<\/li>\n
- Click ‘Add Internal URLs’<\/li>\n
- Enter the https URL for your site. \u00a0Make sure that the same zone is selected that you access the http version of your site from.<\/li>\n
- Click OK.<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/blogs.visigo.com\/chriscoulson\/wp-content\/uploads\/2011\/10\/httphttps2orig-500x355.png\" "\\"httphttps2orig\\"")
<\/a><\/div>\n![\"\"](\"https:\/\/blogs.visigo.com\/chriscoulson\/wp-content\/uploads\/2011\/10\/httphttps3orig-500x355.png\" "\\"httphttps3orig\\"")
<\/a><\/div>\nIf you try to browse the site, you’ll notice that you can now browse the site from both the http and the https addresses. There are still a couple of issues though. While browsing the https version of the site, some actions (such as signing out) will bring you back to the http version of your site. \u00a0Also, if you login using https and then browse an http page, you’ll notice that you’re no longer logged in. We’re going to fix these issues in the next couple of steps.<\/p>\n
Note: If you want ALL of your site content to be delivered via https, and don’t care about mixed content: instead of adding an internal URL, simply edit the public URLs and change the address to https and YOU’RE DONE! No need to continue with the rest of this tutorial.<\/em><\/p>\n
This is also the step that caused me the most grief when initially configuring my SharePoint site for mixed http and https. \u00a0I had initially placed my https URL under the Custom zone of Edit Public URL’s. Since I only had one actual zone (the default zone, as I hadn’t extended the web application into multiple zones), the URL in the custom zone would point to it, which I thought would be OK. \u00a0However with this configuration I was always asked to authenticate when switching between http and https. \u00a0The problem was that even though there is only one REAL zone, SharePoint was interpreting the address change as switching between the default and custom zone and was forcing the user to re-authenticate. \u00a0 This is why we add an internal URL for SharePoint to recognize, instead of editing the public URL’s.<\/em><\/p>\n
3. Configuring SharePoint’s Authentication Cookie<\/h2>\n
Notice that even if you authenticate via https, your authentication isn’t recognized when you switch over to http. The reason for this is because SharePoint has hard-coded logic that says if it’s generating an authentication token for an https connection, then turn on the SSL Only flag on the cookie. An SSL Only flag means that the cookie can only be accessed via https. So as soon as you change the address to http, your authentication cookie is no longer recognized and you have to login again.<\/p>\n
Tim Nugiel found the solution to this problem. He wrote his own cookie handler that override’s SharePoint’s behaviour. See his post for directions on configuring this:<\/p>\n
Mixing it up w\/ Mixed SSL & SP 2010<\/del>\u00a0<\/a>\u00a0(The original link appears to have gone offline)<\/em><\/p>\nMixing it up w\/ Mixed SSL & SP 2010<\/a><\/p>\n
You should now be able to authenticate via https, and stay authenticated while browsing content either via http or https – we’re almost there!<\/p>\n
4. Redirecting users to Http or Https<\/h2>\n
The only issue remaining is forcing certain content to be viewed via http or https. Right now users can access your login page via https, but there’s nothing forcing them to. \u00a0They could also access it via http. \u00a0The same goes for any other content you want to secure. \u00a0To solve this problem we’re going to set up some redirect rules using the IIS 7 URL Rewrite module.<\/p>\n
- \n
- Install the IIS7 URL Rewrite module. You can download it from here:\u00a0http:\/\/www.iis.net\/download\/urlrewrite<\/a><\/li>\n
- Open IIS and select your SharePoint Web Application from the list of sites.<\/li>\n
- Open the Url Rewrite module from the Features View.<\/li>\n<\/ul>\n
First we’ll add a rule to redirect secure content to https. For this example our secure pages will be the login page and the pages in our ‘User’ site:<\/div>\n- \n
- Click Add Rules…<\/li>\n
- Select ‘Blank Rule’ under ‘Inbound Rules’ and click OK.<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/blogs.visigo.com\/chriscoulson\/wp-content\/uploads\/2011\/10\/httphttps4orig-500x373.png\" "\\"httphttps4orig\\"")
<\/a><\/div>\n- \n
- Fill in the name with ‘HTTP to HTTPS Redirect’.<\/li>\n
- Set the Pattern to:\u00a0^(_forms\/default.aspx|user\/pages\/.*aspx)<\/li>\n
- Add the condition: Input: {HTTPS} Check if input string: ‘Matches the Pattern’ Pattern: off<\/li>\n
- Set the Action Type to ‘Redirect’<\/li>\n
- Set the Redirect Rule to: https:\/\/demo2010a\/{R:0} (Substitute for your own url)<\/li>\n
- Set the Redirect Type to ‘Permanent (301)’<\/li>\n
- Click ‘Apply’ and click ‘Back to Rules’.<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/blogs.visigo.com\/chriscoulson\/wp-content\/uploads\/2011\/10\/httphttps5-500x425.png\" "\\"httphttps5\\"")
<\/a><\/div>\nWhat the rule we created says is:<\/p>\n
If the url starts with \/_login\/Default.aspx (The default FBA login page) or \/User\/Pages\/anypage.aspx (any page in the Pages library of our User site) AND if https is not being used THEN send back a Permanent Redirect to the https URL, using the original URL after the server address.<\/p>\n
Now we’ll create a second rule that says all of the pages on the main site should be accessed via http. \u00a0The reason we need this rule is because once we’re browsing over https, any relative URLs in the page will also be accessed over https. \u00a0So if we want certain pages to be consistently delivered over http, we need a rule to force this:<\/p>\n
- \n
- From the IIS Rewrite module, add another blank inbound rule.<\/li>\n
- Fill in the name with ‘HTTPS to HTTP Redirect’.<\/li>\n
- Set the Pattern to:\u00a0^pages\/.*aspx<\/li>\n
- Add the condition: Input: {HTTPS} Check if input string: ‘Matches the Pattern’ Pattern: on<\/li>\n
- Set the Action Type to ‘Redirect’<\/li>\n
- Set the Redirect Rule to: http:\/\/demo2010a\/{R:0} (Substitute for your own url)<\/li>\n
- Set the Redirect Type to ‘Permanent (301)’<\/li>\n
- Click ‘Apply’ and click ‘Back to Rules’.<\/li>\n<\/ul>\n
- Install the IIS7 URL Rewrite module. You can download it from here:\u00a0http:\/\/www.iis.net\/download\/urlrewrite<\/a><\/li>\n
![\"\"](\"https:\/\/blogs.visigo.com\/chriscoulson\/wp-content\/uploads\/2011\/10\/httphttps6-500x425.png\" "\\"httphttps6\\"")
<\/a><\/div>\n