A Practical Guide to SharePoint 2013

A Practical Guide to SharePoint 2013 - Book by Saifullah Shafiq

Monday, December 17, 2012

Setup SSL in SharePoint 2013



In the last article (link below), you learned how to set up SSL in SharePoint 2013 using a commercial certificate.
Setup SSL in SharePoint 2013 using commercial certificates
In this article, you will learn how to set up SSL using a self-signed certificate. This is useful if you are setting up a development environment or want to test SSL locally. The connection is encrypted exactly as it would be with a commercial certificate, and you don't have to pay for it. Why then do people use commercial certificates? It's a matter of trust. A self-signed certificate vouches only for itself: no authority the browser already trusts has verified that the name in it belongs to you, so every browser warns about it until the certificate is imported on that client, and a user who clicks through the warning has no way to tell your certificate from one presented by an attacker sitting between them and the server. That is acceptable on a lab network where you control every client, but not for a public-facing (Internet) site, where visitors have no reason to trust you. So, use a self-signed certificate locally for testing, but for production use a reputable third-party certification authority such as VeriSign, Thawte, etc.
Follow the steps below to create a self-signed certificate for your site:


  • Open IIS 7.0.
  • Click on the server name in the navigation tree on the left. 
  • On the right side, Under IIS, double-click Server Certificates.
  • On the extreme right, under Actions click Create Self-Signed Certificate link.
  • Enter a friendly name for the certificate, for example, I entered WS (for Wali Systems).
  • Double-click the newly created certificate.
  • Click on Details tab.
  • Click Copy to File button.
  • Certificate export wizard will start. Click Next.
  • By default second option No, do not export the private key is selected. Keep it selected and click Next.
  • Keep the default option DER encoded binary X.509 (.CER) selected and click Next.
  • Click Browse to go to the folder where you want the file to be saved. Enter file name and click Save.
  • Click Next and then Finish. Click Ok to close the success message box. Click OK to close the Certificate window.

The steps that follow are the same as those demonstrated in the previous article. Certificates are issued to a computer, a user or a service, and administrators can add certificates to the Trusted Root Certification Authorities store for a user, for the local computer or for a domain. Below, the certificate is first imported into the current user's store, which is enough for the browser on this machine; the local computer store, which is the one the IIS worker process and SharePoint services actually consult, follows right after.
  • Click Start > Run and type mmc and click OK. MMC console will open.
  • From File, select Add/Remove Snap-in.
  • Select Certificates from available snap-ins and click Add >.
  • Select first option My user account and click Finish.
  • Click OK.
  • Expand Certificates – Current User node.
  • Expand Trusted Root Certification Authorities and click Certificates folder.
  • Right-click Certificates folder and select All Tasks then select Import.
  • Browse to the certificate (.cer) file that you saved earlier. Click Next.
  • Select Place all certificates in the following store and leave default store selected. Click Next.
  • Click Finish.
  • You will get The import was successful message. Click Ok.
If you share this server with others, or if SharePoint itself has to trust the certificate (IIS worker processes and timer jobs run as service accounts and never see your Current User store), import the certificate into the local computer store as well. Repeat the MMC import steps above, but when adding the Certificates snap-in select Computer account instead of My user account, then Local computer. After you have imported the certificate into Trusted Root Certification Authorities, import it into the SharePoint certificate store as well: expand the SharePoint node, right-click its Certificates node and import the certificate. Keep in mind that anything placed in Trusted Root Certification Authorities is trusted to sign any certificate at all, so only import certificates whose private key you control, and remove the entry when the test environment is retired.
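The same procedure in PowerShell, as an added example that is not part of the original post: it creates the self-signed certificate for the site's host name, exports only the public half, and trusts it in the Local Computer stores. It assumes Windows Server 2012 or later (the PKI module), the host name sp2013.walisystems.com and path C:\ws.cer from the article, and that it runs elevated on the SharePoint server (the SharePoint store only exists there).

```powershell
# Added example, not from the original post. Assumes Windows Server 2012+ (PKI module),
# an elevated session, and the host name / export path below; change them to suit.
param(
    [string]$HostName   = 'sp2013.walisystems.com',
    [string]$ExportPath = 'C:\ws.cer'
)
Import-Module PKI -ErrorAction Stop

# 1. Key pair and certificate go into the Local Computer Personal store (Cert:\LocalMachine\My),
#    which is where IIS looks for certificates to bind. -DnsName fills both the subject CN and
#    the Subject Alternative Name, so the browser's host-name check passes for $HostName.
$cert = New-SelfSignedCertificate -DnsName $HostName -CertStoreLocation 'Cert:\LocalMachine\My'
Write-Host "Created $($cert.Subject) thumbprint $($cert.Thumbprint)"

# 2. Export only the public certificate (DER .cer). The private key stays in the machine key
#    store; the file that gets copied to clients must never contain it.
Export-Certificate -Cert $cert -FilePath $ExportPath -Type CERT -Force | Out-Null

# 3. Trust it on this machine. Local Computer, not Current User: IIS worker processes and
#    SharePoint timer jobs run under service accounts that never see the admin's user store.
Import-Certificate -FilePath $ExportPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. SharePoint farm servers also have a physical store named "SharePoint" (assumption: this
#    script runs on a SharePoint server; the step is skipped elsewhere).
if (Test-Path 'Cert:\LocalMachine\SharePoint') {
    Import-Certificate -FilePath $ExportPath -CertStoreLocation 'Cert:\LocalMachine\SharePoint' | Out-Null
}

# 5. Verify: the root store holds the same thumbprint, and the Personal copy still has its
#    private key (without it the certificate will not appear in the IIS binding list).
$trusted = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $trusted)            { throw 'Certificate was not imported into Trusted Root' }
if (-not $cert.HasPrivateKey) { throw 'Private key missing from the Personal store copy' }
Write-Host "Trusted root import OK. Every client browser still needs $ExportPath imported."
```

Clients that are not this server still have to import the exported .cer themselves; nothing in the script changes that, which is the limitation of self-signed certificates the article describes.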

Manage Trust

  • This step is not required when the only party validating the certificate is the browser. It is required whenever SharePoint itself has to validate the certificate, for example when a medium or large farm publishes or consumes service applications across farms or makes HTTPS calls to another farm: SharePoint keeps its own list of trusted root authorities and does not consult the Windows certificate store for this. In that case add the certificate to the Trust Relationships in the Central Administration site.
  • Open central administration site. Go to Security section (Click Security under Central Administration on the left).
  • In General Security section, click Manage Trust.
  • In the ribbon, click New button.
  • Add a name for this trust relationship.
  • Click Browse to import the certificate. This is mandatory regardless of whether you want to provide to or consume trust from the other farm.
  • Leave Provide Trust Relationship unchecked unless you want to provide trust to another farm. This is optional.
  • Click OK.
You can also add the certificate using PowerShell. Open the SharePoint 2013 Management Shell and run the following commands:
  • $trustcert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\ws.cer")
  • New-SPTrustedRootAuthority -Name "SP Cert" -Certificate $trustcert
** C:\ws.cer is the path to the certificate file. Change it to the path on your machine. PowerShell does not treat the backslash as an escape character, so the path is written with single backslashes.
** SP Cert is the name that you give to this trust relationship. This is what will appear in the Manage Trust interface in SharePoint Central Admin.
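Because SharePoint keeps this list separately from the Windows store, it is worth making the registration idempotent and reviewing what is already there. The following is an added example (not the author's script); it assumes the C:\ws.cer path and the name "SP Cert" used above and runs in the SharePoint 2013 Management Shell.

```powershell
# Added example, not from the original post. Assumes C:\ws.cer and the name "SP Cert".
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Add-TrustedRootIfMissing {
    param([string]$Name, [string]$CerPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)

    # Match on thumbprint, not on display name: the same certificate registered twice under two
    # names is merely confusing, but a different certificate under the same name is a silent swap.
    $existing = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
    if ($existing) {
        Write-Host "Already trusted as '$($existing.Name)' (thumbprint $($cert.Thumbprint))"
        return $existing
    }
    return New-SPTrustedRootAuthority -Name $Name -Certificate $cert
}

Add-TrustedRootIfMissing -Name 'SP Cert' -CerPath 'C:\ws.cer' | Out-Null

# Review the whole list. An expired entry here breaks cross-farm service applications and
# OAuth calls with certificate-validation errors that are easy to misread as network faults.
$now = Get-Date
Get-SPTrustedRootAuthority | ForEach-Object {
    $c = $_.Certificate
    if     ($c.NotAfter -lt $now)             { $status = 'EXPIRED' }
    elseif ($c.NotAfter -lt $now.AddDays(30)) { $status = 'expiring' }
    else                                       { $status = 'ok' }
    New-Object PSObject -Property @{
        Name       = $_.Name
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        Status     = $status
    }
} | Format-Table Name, Subject, Thumbprint, NotAfter, Status -AutoSize
```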



Your site must have the correct host header if you want this certificate to work. The browser compares the name in the address bar with the name the certificate was issued to; in this example the certificate was issued to "sp2013.walisystems.com", so if your site does not answer to that host header you get an error. For example, when you try to open the site in the browser, you get this error:

Figure: There is a problem with this website’s security certificate

Again, notice that I tried to open "https://www.walisystems.com" but the certificate was issued to "sp2013.walisystems.com". If you click Continue to this website, the site will open, but the address bar will still show a certificate error.

Figure: Mismatched Address

Error: The security certificate presented by this website was issued for a different website’s address. This problem might indicate an attempt to fool you or intercept any data you send to the server.

To resolve the issue, create a new web application, or extend an existing one, whose host header matches the name in the certificate. If your main site already answers on port 80 under a different name, create a new web application with the new host header. Here are the steps:

Create New Web Application For SSL


  • Go to central administration. Click Manage web applications.
  • Click New button in the ribbon.
  • Select Create a new IIS web site. Set Port to 443, the port the HTTPS binding will use, so that the web application's default URL becomes https://<host> without a port number. (If you leave the port at 80 with SSL enabled, the default URL becomes https://<host>:80 and you must add the port-443 URL as an alternate access mapping, which is what the next section does.)
  • In Host Header, enter the host name you want to use for this web application, without a scheme (no http:// or https://). For example, I entered "sp2013.walisystems.com" because that is the name the certificate was issued for.
  • In Security Configuration section, select Yes in Use Secure Sockets Layer (SSL).
  • Keep all other default options selected and click OK.
  • After web application is created, create a site collection at the root level.

Change Alternate Access Mappings

  • In Central Administration Site, go to Application Management section and click Configure alternate access mappings.
  • In the Alternate Access Mapping Collection drop-down, select the web application you just created. Click Add Internal URLs.
  • Enter the complete URL users will type, starting with https, for example "https://sp2013.walisystems.com". (If the web application was created on port 443 this URL is already its default and the mapping is only needed for an additional name; any additional name must also be covered by the certificate.)
  • Change Zone to Custom or Extranet.
  • Click Save.

Bind Certificate To Your Site

  • Finally, bind certificate to your site. Open IIS.
  • Click server name. Expand Sites node.
  • Click site name that you will bind to the SSL certificate.
  • On the right, under Actions, click Bindings.
  • Click Add.
  • In Type, select https.
  • Keep 443 in the Port. This is default port used for SSL.
  • In SSL Certificate, select the certificate you just installed. Click OK. That’s it.
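The three sections above (new web application, alternate access mapping, IIS binding) as one script, added here as an example and not part of the original post. It assumes the host name sp2013.walisystems.com, a second public name www.walisystems.com for the Extranet zone, an existing managed account WALISYSTEMS\spwebapp, a site owner WALISYSTEMS\spadmin, and a certificate for the host already present in Cert:\LocalMachine\My (all of these are placeholders). Run it in the SharePoint 2013 Management Shell as a farm administrator.

```powershell
# Added example, not from the original post. All names below are assumptions.
param(
    [string]$HostName    = 'sp2013.walisystems.com',
    [string]$PublicName  = 'www.walisystems.com',     # second name, Extranet zone (assumption)
    [string]$AppPoolAcct = 'WALISYSTEMS\spwebapp',    # existing managed account (assumption)
    [string]$OwnerAlias  = 'WALISYSTEMS\spadmin'      # site collection administrator (assumption)
)
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}
Import-Module WebAdministration -ErrorAction Stop

# Pick the certificate by subject, newest first, and insist on a private key: IIS cannot serve
# TLS with a certificate whose key is missing, and its binding drop-down hides such entries.
$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$HostName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $HostName in Cert:\LocalMachine\My" }

$siteName = "SharePoint - $HostName (SSL)"

# 1. Web application on 443 with SSL. Created this way its default-zone URL is https://$HostName
#    with no port suffix, so it needs no alternate access mapping of its own.
$webApp = New-SPWebApplication -Name $siteName -Url "https://$HostName" -Port 443 `
    -HostHeader $HostName -SecureSocketsLayer `
    -ApplicationPool "$siteName AppPool" -ApplicationPoolAccount (Get-SPManagedAccount $AppPoolAcct) `
    -AuthenticationProvider (New-SPAuthenticationProvider)      # claims-based, Windows NTLM

# 2. Root site collection.
New-SPSite -Url "https://$HostName" -OwnerAlias $OwnerAlias -Template 'STS#0' -Name 'Root' | Out-Null

# 3. A second public name in the Extranet zone. The certificate must cover this name as well
#    (as a Subject Alternative Name) or browsers raise the Mismatched Address error for it.
New-SPAlternateURL -Url "https://$PublicName" -WebApplication $webApp -Zone Extranet | Out-Null

# 4. IIS binding. New-SPWebApplication creates the https binding on 443 but attaches no
#    certificate; IIS:\SslBindings\<ip>!<port> is where HTTP.sys maps a certificate to a port.
#    Without SNI (IIS 8 and later) there is exactly one certificate per IP:port, so every host
#    name served on 443 has to be in that one certificate.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $HostName
}
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item $sslPath -Value $cert | Out-Null

# 5. Verify: zones and URLs of the web application, and the thumbprint now bound to 443.
Get-SPAlternateURL -WebApplication $webApp | Format-Table Zone, IncomingUrl -AutoSize
Get-Item $sslPath | Select-Object IPAddress, Port, Thumbprint
```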
To test SSL setup, open the site in browser. In the address bar, click the lock sign to check validity of the certificate. If you want to see the certificate, click View Certificates link at the bottom of the notification.








Setup SSL in SharePoint 2013 Using Domain Certificate



In the previous articles, you learned how to set up SSL in SharePoint using a third-party SSL certificate and a self-signed SSL certificate.
Setup SSL In SharePoint 2013 Using Commercial Certificate
Setup SSL In SharePoint 2013 Using Self-Signed Certificate
In this article, you will learn how to set up SSL using a domain certificate. All steps are the same as explained in the previous articles, with the exception of creating the domain certificate. I will repeat the steps again for your convenience.

  • To generate a domain certificate, you must have Active Directory Certificate Services running.
  • Open Server Manager (All Programs > Administrative Tools > Server Manager).
  • Expand Roles node and see if certificate services role is installed. If not, then install it first using the steps below.
  • Click Roles. Under Roles Summary header, you will see Add Roles link on the right, click it.
  • Click Next.
  • Check Active Directory Certificate Services role and click Next.
  • Click Next again.
  • Certification Authority will already be selected. Select the following services:
    • Certification Authority Web Enrollment
    • Online Responder
    • Certificate Enrollment Policy Web Service
  • Click Next.
  • Keep Enterprise selected and click Next. An Enterprise CA publishes its root certificate to Active Directory, so every domain-joined computer will trust anything this CA signs; outside a lab, run it on a dedicated, hardened server rather than on the SharePoint box, and guard its private key accordingly.
  • Keep Root CA selected and click Next.
  • Keep Create a new private key selected and click Next.
  • Select RSA#Microsoft Software Key Storage Provider as the cryptographic service provider (CSP). Keep the key length at 2048 (the default); do not drop it to 1024 even in a lab, since 1024-bit RSA is considered breakable and current browsers reject such certificates. In Hash algorithm, change the default SHA1 to SHA256: browsers refuse certificates signed with SHA-1, and a CA key is painful to replace later because every certificate it issued has to be reissued. Click Next.
  • Keep the default values selected and click Next. Common name for CA is the name that you will see in the certification authority list while generating the domain certificate.

      • Keep default value selected and click Next. Default validity period is 5 years.
      • Keep default values selected and click Next. These are certificate database and log locations.
      • Keep default option Windows Integrated Authentication selected and click Next.
      • Click Install.
      • Now that you have it installed, the next step is to create a domain certificate, but wait a minute. If your CA is on a separate machine, one step is left: the SharePoint server must trust the CA's root certificate. Domain-joined servers normally receive it from Active Directory at the next Group Policy refresh (gpupdate /force); if it has not arrived yet, or the server is not domain-joined, import it by hand. The certificate is located in the following folder on the CA server and has a .crt extension.
      1. C:\Windows\System32\CertSrv\CertEnroll
      2. If you ever renamed your server, you will see multiple .crt files. Make sure you pick the current one. The file name is <CA host FQDN>_<CA common name>.crt; for example, if the CA server is SP2013 in the walisystems.com domain and the CA common name is walisystems-SP2013-CA, the file is sp2013.walisystems.com_walisystems-SP2013-CA.crt.
      3. Copy the file to the SharePoint machine and import it into Trusted Root Certification Authorities.
        • Click Start > Run and type mmc and click OK. MMC console will open.
        • From File, select Add/Remove Snap-in.
        • Select Certificates from available snap-ins and click Add >.
        • Select third option Computer account and click Next.
        • Choose Local Computer and click Finish.
        • Click Ok.
        • Expand Certificates  (Local Computer) node.
        • Expand Trusted Root Certification Authorities and click Certificates folder.
        • Right-click Certificates folder and select All Tasks then select Import.
        • Browse to the certificate (.crt) file that you copied from the CA machine. Click Next.
        • Select Place all certificates in the following store and leave Trusted Root Certification Authorities selected. Click Next.
        • Click Finish.
        • You will get The import was successful message. Click Ok.

      • Now, let’s move to the next part which is creating a domain certificate. Open IIS.
      • Click on server name and under Actions on the right, click Create Domain Certificate.
      • Enter the Common name for the certificate. This must be the host name users will type in the browser, for example the server's FQDN sp2013.walisystems.com; any other value produces the Mismatched Address error. Organization should contain your organization's name or your server name. Organizational Unit can be an abbreviation of your organization name or machine name. Enter City, State and select Country. Enter the full state name, not the abbreviation. Click Next.

      • Click the Select button to choose the Certification Authority. Select the one you created above; if you are doing this for the first time there will be only one authority listed. Select it and click OK. Give the certificate a friendly name, for example WS_SP2013, and click Finish.
      That’s it. Next you will bind the certificate to your site.  
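The wizard steps above as a script, added here as an example and not part of the original post: the CA is configured with a 2048-bit SHA-256 key instead of the 1024-bit SHA-1 defaults, and the web server then requests its certificate from the domain CA and validates it before binding. It assumes Windows Server 2012 or later, the CA name walisystems-SP2013-CA and host sp2013.walisystems.com from the article, and that the CA publishes the built-in WebServer template (an Enterprise CA does so by default). Part A runs on the CA server as an Enterprise Admin; Part B on the SharePoint server. Binding is unchanged and follows in the next section.

```powershell
# Added example, not from the original post. Names and template are assumptions.

# ---- Part A: install and configure the Enterprise Root CA (run on the CA server) ----
Install-WindowsFeature Adcs-Cert-Authority, Adcs-Web-Enrollment, Adcs-Online-Cert -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'walisystems-SP2013-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 -Force
# Web enrollment gives you the browser-based request page; the OCSP responder serves
# revocation status for the certificates this CA issues.
Install-AdcsWebEnrollment -Force
Install-AdcsOnlineResponder -Force
# Enterprise CAs publish their root certificate into Active Directory, so domain members pick
# it up at the next Group Policy refresh. Non-domain machines still need the .crt from
# C:\Windows\System32\CertSrv\CertEnroll imported into Trusted Root by hand.

# ---- Part B: request the web server certificate (run on the SharePoint server) ----
$hostName = 'sp2013.walisystems.com'
$req = Get-Certificate -Template WebServer -DnsName $hostName `
        -SubjectName "CN=$hostName" -CertStoreLocation 'Cert:\LocalMachine\My'
if ($req.Status -ne 'Issued') { throw "Request not issued: $($req.Status)" }
$cert = $req.Certificate

# Validate chain and host name the way a browser would, before the certificate goes into IIS.
# Test-Certificate returns $false (and writes the reason) when the CA root is not trusted on
# this machine yet, or when $hostName is not among the names in the certificate.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $hostName)) {
    throw "Certificate for $hostName does not validate; check the root CA trust and the name."
}
"Issued by $($cert.Issuer), valid to $($cert.NotAfter), thumbprint $($cert.Thumbprint)"
```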

      Bind Certificate To Your Site


      • Open IIS.
      • Click server name. Expand Sites node.
      • Click site name that you will bind to the SSL certificate.
      • On the right, under Actions, click Bindings.
      • Click Add.
      • In Type, select https.
      • Keep 443 in the Port. This is default port used for SSL.
      • In SSL Certificate, select the certificate you just created; look for the friendly name you gave it, for example WS_SP2013. Click OK. That's it.

      To test the SSL setup, open the site in a browser. In the address bar, click the lock sign to check the validity of the certificate. If you want to see the certificate, click the View Certificates link at the bottom of the notification. In case you see an error message, click Certificate Error (which appears instead of the lock). Click View Certificates, then Install Certificate to import the certificate into the current user's store. Click OK to close the certificate window. Refresh your browser and you will see a lock. Note that this only fixes the browser for that one user on that one machine; with a domain CA the proper fix is to make sure the client trusts the CA's root certificate (domain members receive it through Group Policy), not to install each server certificate individually.




      Saturday, December 1, 2012

      Setup SSL in SharePoint 2013 using commercial certificates

      
       
       
      In this article you will learn how to set up SSL in SharePoint 2013. In my next article I will show you how to set up an Extranet in SharePoint 2013. Corporations usually set up SSL for Extranet sites. There are three ways to set up SSL.
      1.       One way is to use a commercial SSL certificate. There are many sites that sell SSL certificates. For learning purposes you can sign up for a trial version (30 days). This is what this article will focus on today.

      2.       Second way is to use a self-signed certificate that  you create in IIS.

      3.       Third way is to set up your own certification authority (Active Directory Certificate Services) to issue the certificate. This is what you need when the site is reached under custom DNS names inside your domain. Of course, you can also use the first option (a commercial certificate) for such names. If you use a self-signed certificate and the DNS name users type does not match the name in the certificate, you get an error. More on this in another article!
      So, let's start. In this article, I will show you how to use a VeriSign certificate. VeriSign is one of the most popular companies that issue SSL certificates. We will sign up for a trial version.
      1.       Before you sign up on Verisign site, we first need to create a certificate request. This will be needed when  you sign up at Verisign.

      2.       Open IIS 7.0 (Start > Administrative Tools > Internet Information Services (IIS) Manager).

      3.       Click on the server name.

      4.       In IIS section, double-click Server Certificates.

      5.       On the right side, under Actions, click Create Certificate Request… link.

      6.       The Request Certificate form will open. Fill out the fields. In the Common Name field enter the fully qualified host name users will type, for example www.walisystems.com, without https:// in front of it; the CA issues the certificate for exactly this name. Enter your company name or abbreviation in the Organization and Organizational Unit fields. Enter City and State. Enter the full state name, an abbreviation is not accepted. Select Country/region and click Next.
       
      7.       Keep the default values selected. Cryptographic service provider should be Microsoft RSA SChannel Cryptographic Provider. Set Bit length to 2048 or higher even for a test or development environment: public CAs no longer issue certificates for 1024-bit keys, and current browsers treat such keys as insecure. For confidential content or government sites you may choose 3072 or 4096. Remember, the greater the bit length, the stronger the key; however, a greater bit length makes each TLS handshake slower.

      8.       Browse to a folder that will store the request and give a name to the file, for example, sslrequest. Click Finish.

      9.       Go to the VeriSign site and sign up for a trial version. Here is the direct link for the signup page:

      Enter technical contact details and click Continue. On the next screen, you will be asked to enter the CSR. Open the request file that you created, copy it and paste it into the box on the site. Once you have signed up, you will get an email with the certificate.

      10.   There will be three links in the email. Click the first link to download and install the Test Root CA Certificate. On the download page, different browsers are listed. Select the browser that you will use for your site testing. Remember, if you know your audience will use different browsers then you need to perform this step for every browser your audience will be using. Steps for Internet Explorer are listed next.

      11.   Click the link Download Secure Site Trial Root Certificate link. From the box, copy the certificate and save it in a text file with a .cer extension.

      12.   Open Internet Explorer.

      13.   Go to Tools > Internet Options > Content > Certificates.

      14.   Click Import…. A wizard will open. Click Next.

      15.   Browse to the location of the recently stored .cer file (step 11 above).

      16.   Select the certificate and click Open.

      17.   Click Next.

      18.   Select Automatically select the certificate store based on the type of the certificate. Click Next.

      19.   Click Finish.

      20.   When prompted and asked if you wish to add the following certificate to the root store, click Yes.

      21.   The second step listed in the email confuses many people. Basically this step is not required for recent IIS versions. Users of IIS 5.0 or higher do not need to download the intermediate CA certificate separately, as it is included with the SSL certificate upon issuance if they selected Microsoft IIS 5.0 or higher as the server vendor during the purchase. If you are not sure about the selection you made when requesting the SSL certificate, go ahead and install it; it will not harm anything. To install it, perform the same steps as listed above (steps 11 - 19), but click the second link in your email instead of the first when performing step 11.

      22.   Just like the second step, the third step in the email is equally confusing. Don't follow those steps; follow the ones listed below to install the certificate without hassle.
      23.   Copy the certificate from your email. It will be at the bottom of the email. Be careful when copying: copy the whole text including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and paste it into Notepad. There should be no extra white space or line breaks. Save the file with a .p7b extension (the Windows import wizard recognizes the Base64 block by its content, so a .cer extension works just as well). You can name the file sslcert.p7b or whatever you prefer.

      24.   Click Start > Run and type mmc and click OK. MMC console will open.

      25.   From File, select Add/Remove Snap-in.
       

       
      26.   Select Certificates from available snap-ins and click Add >.

      27.   Select first option My user account and click Finish.

      28.   Click OK.

      29.   Expand Certificates – Current User node.

      30.   Expand the Trusted Root Certification Authorities folder on the left and select the Certificates subfolder.

      31.   Locate the following certificate:
      a.       Issued To: VeriSign Class 3 Public Primary Certification Authority - G5

      32.   Right-click the certificate and select Properties.
      33.   In the Certificate purposes section, select Disable all purposes for this certificate. This is a pre-installed certificate and must be disabled before using the new trial certificate. Be aware of what this does: for this Windows user account it disables trust in every production certificate chained to that VeriSign root, not just your trial one. Do it only in a test account or on a test machine, and set the purposes back to the defaults when the trial is over.


       
      34.   Click Apply then OK.
       

      Install Certificate

       
      35.   Finally, install the certificate. There are two ways to do it: through IIS (Complete Certificate Request) or through the MMC certificates console. I prefer the second, because with the IIS route you end up in the MMC console anyway: at the time of binding, the certificate does not show up in IIS and you have to perform an additional step in the MMC console. So it's better to go with the MMC route from the beginning. There is another problem with the IIS method. It gives the following error when the request is completed on a machine other than the one where the CSR was generated, or after the pending request has been removed, because the private key that matches the certificate only exists in the key store of the machine that created the request:
       



       
      Error Text: Cannot find the certificate request that is associated with this certificate file. A certificate request must be completed on the computer where the request was created.
       
      36.   Open MMC console (Start > Run > Type MMC > Click OK).

      37.   Certificates console will still be available because you added it in step 24 but if for some reason  you had to restart your machine or log out of it then you will have to add the console again. Follow steps 24 – 28 to add Certificates console. Expand Certificates – Current User node on the left.

      38.   Expand Trusted Root Certification Authorities and click Certificates folder.

      39.   Right-click Certificates folder and select All Tasks then select Import.

      40.   Browse to the certificate (.p7b) file. Click Next.

      41.   Select Place all certificates in the following store and leave default store selected. Click Next.

      42.   Click Finish.

      43.   You will get The import was successful message. Click Ok. You may also get the following security warning.

      Error Description: You are about to install a certificate from a certification authority (CA) claiming to represent: Verisign Trial Secure Server Root CA – G2.
      If you get this security warning, click Yes to install the certificate.
      44.   With MMC Certificates console still open, expand Personal folder on the left and right-click Certificates subfolder. Select All Tasks then select Import.

      45.   Browse to certificate file (.p7b) and Click Next.

      46.   Keep second option Place all certificates in the following store selected and keep Personal certificate selected as the default option. Click Next.

      47.   Click Finish. You will get The import was successful message. Click Ok.
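The request (steps 1 to 8) and the completion (steps 35 to 47) as a script, added as an example that is not part of the original post. Instead of the IIS wizard it uses certreq.exe with an explicit request policy, so the key length, hash and Subject Alternative Name are visible in one place, and it verifies that the issued certificate was paired with the private key on the same machine, which is exactly the condition behind the "Cannot find the certificate request" error above. It assumes the host www.walisystems.com, the folder C:\ssl, placeholder organization values, and that the CA's reply has been saved as C:\ssl\sslcert.p7b before the second half runs.

```powershell
# Added example, not from the original post. Host, folder and subject fields are assumptions.
$hostName = 'www.walisystems.com'
New-Item -ItemType Directory -Path 'C:\ssl' -Force | Out-Null

# Request policy: 2048-bit RSA (public CAs no longer sign 1024-bit keys), SHA-256, the
# server-authentication EKU, and the host name repeated in the SAN extension, which is what
# browsers actually check. MachineKeySet keeps the key in the Local Computer store, where IIS
# looks for it; Exportable=FALSE stops the key from being copied off the box later.
@"
[NewRequest]
Subject = "CN=$hostName, O=Wali Systems, L=City, S=State, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$hostName&"
"@ | Set-Content 'C:\ssl\request.inf' -Encoding ASCII

# 1. Generate the key pair (a pending request in the Local Computer store) and the PEM CSR
#    that gets pasted into the CA's order form.
& certreq.exe -new 'C:\ssl\request.inf' 'C:\ssl\sslrequest.csr'
Get-Content 'C:\ssl\sslrequest.csr' | Select-Object -First 2   # BEGIN NEW CERTIFICATE REQUEST

# 2. After the CA mails the certificate, complete the request ON THE SAME MACHINE. certreq
#    matches the issued certificate to the pending key; on any other machine this is where
#    "Cannot find the certificate request that is associated with this certificate file" comes from.
& certreq.exe -accept 'C:\ssl\sslcert.p7b'

# 3. Verify the pairing. A certificate in Cert:\LocalMachine\My without HasPrivateKey will not
#    appear in the IIS binding drop-down. certutil -repairstore can re-link a key that exists in
#    the machine key store but was not matched.
$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
        Where-Object { $_.Subject -like "CN=$hostName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Issued certificate for $hostName not found in the machine store" }
if (-not $cert.HasPrivateKey) {
    & certutil.exe -repairstore my $cert.SerialNumber
    $cert = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
}
if (-not $cert.HasPrivateKey) { throw 'Private key still missing; the CSR was generated elsewhere.' }
"Ready to bind: $($cert.Subject) expires $($cert.NotAfter) thumbprint $($cert.Thumbprint)"
```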

      Bind Certificate to your site

       
      48.   Finally, bind certificate to your site. Open IIS.

      49.   Click server name. Expand Sites node.

      50.   Click site name that you will bind to the SSL certificate.
      51.   On the right, under Actions, click Bindings.

      52.   Click Add.

      53.   In Type, select https.

      54.   Keep 443 in the Port. This is default port used for SSL.

      55.   In SSL Certificate, select the certificate you just installed. Please note that if you don't see the new certificate in this drop-down, you probably missed steps 44 - 47 above, or the certificate has no private key attached to it, which happens when the request is completed on a machine other than the one where the CSR was generated. Click OK. That's it.

      Alternate Access Mappings

       
      56.   Assuming you have a web application setup to work with SSL, configure Alternate Access Mappings to use site with SSL. Open Central Admin Site and click Application Management.

      57.    Under Web Applications, click Configure alternate access mappings.

      58.    You will notice you already have the default site listed in the Default zone. To add a new URL in the Intranet zone, click Add Internal URLs.

      59.    From the Alternate Access Mapping Collection drop down, select correct application that you want to use for the AAM setting and then add URL in the text box labeled URL protocol, host and port, for example, https://www.walisystems.com. From the Zone dropdown, select Intranet.

      60.    Click Save.
      Now open site with https to test that everything works fine.

       
      In the address bar, click the lock sign to check validity of the certificate. If you want to see the certificate, click View Certificates link at the bottom of the notification.
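Each of the three articles ends by clicking the lock in the browser. The following is an added example (not part of the original articles) that performs the same check from a script: it completes the TLS handshake, reads the server certificate, and reports the two conditions the articles show, a host name the certificate does not cover (the Mismatched Address error) and a chain that does not end in a root this machine trusts. It assumes the two host names from the self-signed article and network access to the server on port 443; revocation checking is skipped because lab CAs rarely publish reachable CRLs.

```powershell
# Added example, not from the original posts. Host names below are the article's examples.
function Test-SslEndpoint {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,   # the name users type into the browser
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate during the handshake; the judging happens afterwards, so a broken
    # certificate can still be examined instead of just failing the connection.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $client.Close()
    }

    # Names the certificate is valid for: every DNS entry in the SAN extension, falling back to
    # the subject CN only for old certificates that carry no SAN at all.
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') |
                  Where-Object { $_ -like 'DNS Name=*' } |
                  ForEach-Object { ($_ -split '=', 2)[1] }
    }
    if (-not $names) {
        $names += $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    }
    # Host-name match with the single-label wildcard rule (*.example.com matches a.example.com
    # but not a.b.example.com).
    $nameMatch = $false
    foreach ($n in $names) {
        if ($n -eq $HostName) { $nameMatch = $true; break }
        if ($n.StartsWith('*.') -and $HostName -like "*.$($n.Substring(2))" -and
            ($HostName -split '\.').Count -eq ($n -split '\.').Count) { $nameMatch = $true; break }
    }

    # Chain validation against this machine's trust stores, the same check Windows does for IE.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        HostName     = $HostName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        ValidNames   = $names -join ', '
        NameMatch    = $nameMatch      # $false is the "Mismatched Address" case
        ChainTrusted = $chainOk        # $false means the root is not in Trusted Root here
        ChainStatus  = $chainStatus
        Expired      = $cert.NotAfter -lt (Get-Date)
    }
}

# The situation from the self-signed article: the certificate was issued to sp2013.walisystems.com,
# so the first call reports NameMatch True and the second NameMatch False.
Test-SslEndpoint -HostName 'sp2013.walisystems.com'
Test-SslEndpoint -HostName 'www.walisystems.com'
```

Run it from a client that has not imported anything to see what an ordinary user's browser will see; run it on the server itself only to confirm the binding, since the server trusts its own certificate after the imports above.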