Currently my application is behind a load balancer (NetScaler) that does SSL offload, so my application runs on HTTP but is externally on HTTPS. In IIS only http:80 is bound. The load balancer uses a certificate called *.mycert.com
Now I have to require a client certificate for a specific folder of my application, /Services, but the certificate is myPeskyCert, so different from *.mycert.com. This is necessary because I have to respect how the client will call me.
Currently I'm following these answers:
Can IIS require SSL client certificates without mapping them to a windows user?
What is the difference between requiring an SSL cert and accepting an SSL cert?
but in this way:
- I have to do SSL bridging, so I have to bind 443 on the web app
- ALL my application is presented as myPeskyCert
How do I have to handle IIS in order to present my application as *.mycert.com, but ask for myPeskyCert when the folder /Services is requested?
It's not possible; a certificate must refer to the entire site bound.
The solution is the following:
- bind the application to two different URL bindings
- on the balancer, set one certificate or the other with SSL offload on the two different URLs
I am facing the following issue.
1 - I have deployed a WCF service with SSL enabled on a remote IIS machine and I am trying to use it from my web client. The problem is that my browser does not allow this service to be called. Before using my web client I have to hit the service URL from my browser directly and then allow the certificate.
2 - I got a suggestion from somewhere to export the certificate on the machine where WCF is deployed and include that certificate file in the Trusted certificates group on my machine. After I did that, I got the same problem when I tried to access the web service from the web client. So I hit the service URL from the browser and got the same page asking me to trust the certificate, with a different message: "You attempted to reach 111.121.196.226" (the IP address of the WCF machine), "but instead you actually reached a server identifying itself as WMSvc-domain", where "WMSvc-domain" is the value of the "Issued To" field in the certificate.
I hope I have made myself clear. Waiting for suggestions. Thank you.
WMSvc-machinename is the IIS Windows Management Service, which runs by default on 8172/tcp and is used for remotely managing IIS. When installed, the default is to create a self-signed certificate. That wouldn't be trusted. It could be replaced with a "proper" CA-signed cert through the Management Service icon in IIS Manager.
I have hosted one website, "www.example1.com", on port 443 (https) in IIS 7. Now I have bought a new domain, "www.example2.com", for the same IP. I would like to host another website on this domain (www.example2.com) on port 443 (I already use port 443 for "www.example1.com").
How can I do this? Is it possible to host two domains on port 443 on the same IP? If yes, could anyone please let me know the right way to do this? I am using IIS 7.
It CAN be done.
SSL Host Headers in IIS 7 allow you to use one SSL certificate for multiple IIS websites on the same IP address. Through the IIS Manager interface, IIS only allows you to bind one site on each IP address to port 443 using an SSL certificate. If you try to bind a second site on the IP address to the same certificate, IIS 7 will give you an error when starting the site up stating that there is a port conflict. In order to assign a certificate to be used by multiple IIS sites on the same IP address, you will need to set up SSL Host Headers by following the instructions below.
What Type of SSL Certificate Do You Need?
Because you can only use one certificate, that certificate needs to work with all the hostnames of the websites that you use it with (otherwise you will receive a name mismatch error). For example, if each of your IIS 7 websites uses a subdomain of a single common domain name (like in the example below), you can get a Wildcard Certificate for *.mydomain.com and it will secure site1.mydomain.com, site2.mydomain.com, etc.
If, on the other hand, your IIS 7 sites all use different domain names (mail.mydomain1.com, mail.mydomain2.com, etc.), you will need to get a Unified Communications Certificate (also called a SAN certificate).
Setting up SSL Host Headers on IIS 7
Obtain an SSL certificate and install it into IIS 7. For step-by-step instructions on how to do this, see Installing an SSL Certificate in Windows Server 2008 (IIS 7.0).
Once the certificate is installed into IIS, bind it to the first site on the IP address.
Open the command prompt by clicking the start menu and typing “cmd” and hitting enter.
Navigate to C:\Windows\System32\Inetsrv\ by typing “cd C:\Windows\System32\Inetsrv\” on the command line.
In the Inetsrv folder, run the following command for each of the other websites on the IP address that need to use the certificate (copy both lines):
appcmd set site /site.name:"<IISSiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<hostHeaderValue>']
Replace <IISSiteName> with the name of the IIS site and <hostHeaderValue> with the host header for that site (site1.mydomain.com)
Test each website in a browser. It should bring up the correct page and show the lock icon without any errors. If it brings up the web page of the first IIS site, then SSL Host Headers haven’t been set up correctly.
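The name-mismatch condition described in this answer can be checked before the bindings are added. The sketch below is an added example, not part of the original answer; the function names are hypothetical, and it assumes the usual matching rule in which `*` is honoured only as the whole leftmost label and stands for exactly one label.

```python
def name_matches(cert_name, hostname):
    """Match one DNS name from a certificate against a binding's host header.
    Assumed rule: '*' only as the entire leftmost label, covering one label."""
    c = cert_name.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False              # a wildcard never spans zero or several labels
    if c[0] == "*":
        # refuse over-broad patterns such as '*.com' (assumption of this sketch)
        return len(c) >= 3 and c[1:] == h[1:]
    return c == h


def uncovered_bindings(cert_names, host_headers):
    """Return the host headers that would raise a name mismatch error
    if every binding shared a certificate carrying cert_names."""
    return [host for host in host_headers
            if not any(name_matches(name, host) for name in cert_names)]


if __name__ == "__main__":
    # Constructed inputs using the host names from the answer above.
    wildcard = ["*.mydomain.com"]
    san = ["mail.mydomain1.com", "mail.mydomain2.com"]
    print(uncovered_bindings(wildcard, ["site1.mydomain.com", "site2.mydomain.com"]))
    print(uncovered_bindings(wildcard, ["mydomain.com", "a.site1.mydomain.com"]))
    print(uncovered_bindings(san, ["mail.mydomain1.com", "mail.mydomain3.com"]))
```

The second call shows the two cases that catch people out with a wildcard: the bare domain and a two-level subdomain are both outside `*.mydomain.com`.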
In IIS 7.5 or newer versions:
- Sites > Add Website
- Site Name: example2.com
- Physical Path: select directory
- Binding: same IP as example.com
- Host name: example2.com
Then in binding check this for both websites
You can't in IIS7 - each HTTPS binding requires a unique IP/port combination because the Host Header cannot be used to differentiate sites using SSL. This is because the host header is not visible during the SSL handshake.
Your workaround is to differentiate the sites by binding to a different external IP, or by binding to a port other than 443. Both options are less than ideal I know.
There's a great MSDN blog on this.
Fortunately IIS8 appears to have a solution in the form of Server Name Indication (SNI).
Interestingly this is not an IIS quirk, Apache has the same issue, as would any web server before the introduction of SNI.
I currently use IIS 6.0.
I have managed to set up multiple web sites using port 443 and different certificates.
From the IIS manager, go to the web site and edit site bindings.
Simply make sure that the Require Server Name Indication box is ticked and leave the IP address: as All Unassigned.
You now use the same port (443) for multiple sites by selecting the appropriate certificate for the site from the dropdown list of certificates.
We also host multiple sites in port 443 but we need UNIQUE IP addresses for each site.
You cannot bind multiple sites to port 443 using only one IP address.
Unless there is a work-around, but I'm not aware of any.
This article may help:
http://www.harbar.net/articles/ssl.aspx
If you are using a wildcard certificate, just use the format *.domainname.com in the friendly name and the IIS GUI will enable the hostname control for you when you are editing the binding.
In our production environment a website runs under HTTPS with SSL terminating on a load balancer and passing traffic to the IIS servers as HTTP.
There are various in-house and 3rd party components and controls within the site and some of them use mechanisms similar to the .NET System.Web.HttpRequest.IsSecureConnection property which simply queries the HTTPS server variable to return its result. As the connection into the web server from the load balancer is HTTP, these methods return the incorrect value and cause some components to fail. For example, a component might direct the user to a HTTP URL instead of HTTPS for a JavaScript file and cause the browser not to load the mixed content.
In order to debug these components and to develop a workaround, I need to recreate this scenario on my development machine. My question is: is there an easy way to simulate an externally terminated SSL connection for the Visual Studio / IIS Express development environment?
I've found a way using Port Forwarding Wizard.
Create a single TCP mapping with Listen Port set to a spare port (e.g. 443) and destination as localhost with the web server port (e.g. 80). Leave everything else as default, but go into SSL Encryption and generate a Root Key and Certificate in CA Center. Once done, select Enable SSL Encryption and select Server. Generate a Private Key file, Cert Req file and a Certificate and then, Bob's your uncle, you get terminated SSL forwarding to your local IIS Express server: simply start your port mapping and then connect to https://localhost with your web browser (specifying the port if it's not 443).
I have a 3-node web farm being managed by IIS7 and Application Request Routing. I have a folder hierarchy in my web app that needs to be secured via SSL. What is the best practice for getting ARR to correctly route these SSL requests? I have installed the same certificate on all web farm servers and the server running ARR. I have tried enabling and disabling the SSL Off-loading feature
Thanks,
Matthew
I'm an idiot. I forgot to open SSL through our firewall.