IIS 5, SSL and multiple sites
| Jeff C Greenville SC 2004-05-30, 11:52 am |
| I've got a web server running IIS 5 with multiple sites.
I have given the box an IP address for each of two
different sites. We've installed two certificates, one
for each site. I've read the note 187504 in Microsoft's
knowledge base that says multiple certificates can't be
used because the text address is in the headers and it
can't decrypt them without picking a certificate first.
Clearly, when multiple IP addresses are in use, it would
not be necessary to decrypt the header to find out which
site was referenced, yet it appears the same behavior is
in effect. Do I have to go buy a unix server to get this
functionality, or am I missing something?
| |
| Ken Schaefer 2004-05-30, 11:52 am |
| I think you are missing something :-)
If you have two IP addresses
-and-
You have two certificates (one for each site)
-and-
Your DNS points website1 -> 1st IP address, and website2 -> 2nd IP address
-and-
In the IIS Manager, you configured website1 to listen on 1st IP Address only
(not "all unassigned")
-and-
In the IIS Manager, you configured website2 to listen on 2nd IP Address only
(not "all unassigned")
then everything should work just fine.
You'd have to follow the same steps on a *nix box. Something is
misconfigured somewhere (either IIS, or in the DNS).
Cheers
Ken
| |
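An added example, not part of the original thread: a small audit of the condition Ken describes, flagging any site whose SSL binding is still "All Unassigned" while another site also uses that SSL port. It assumes the bindings are available as `IP:port:` strings, the form IIS stores in the metabase SecureBindings property; the site names, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: site name -> SSL binding entries ("IP:port:").
# An empty IP field is what IIS Manager displays as "(All Unassigned)".
SAMPLE_SITES = {
    "website1": ["192.0.2.10:443:"],
    "website2": ["192.0.2.11:443:", ":443:"],  # leftover wildcard entry
}


def parse_binding(entry):
    """Split 'IP:port:' into (ip, port); ip is None for All Unassigned."""
    parts = entry.strip().split(":")
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"unrecognised binding: {entry!r}")
    return (parts[0] or None, int(parts[1]))


def audit_ssl_bindings(sites):
    """Return sorted findings as (kind, site, detail) tuples."""
    findings = []
    owners = defaultdict(set)     # (ip, port) -> sites bound to it
    ssl_ports = defaultdict(set)  # port -> sites with any SSL binding on it
    for site, entries in sites.items():
        for entry in entries:
            ip, port = parse_binding(entry)
            owners[(ip, port)].add(site)
            ssl_ports[port].add(site)
    for (ip, port), names in owners.items():
        # A wildcard binding is only a problem when the port is shared.
        if ip is None and len(ssl_ports[port]) > 1:
            for site in names:
                findings.append(("wildcard", site, f"(All Unassigned):{port}"))
        # Two sites on the same IP:port cannot each present their own cert.
        if len(names) > 1:
            label = ip or "(All Unassigned)"
            for site in names:
                findings.append(("duplicate", site, f"{label}:{port}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, site, detail in audit_ssl_bindings(SAMPLE_SITES):
        print(f"{kind}: {site} binds SSL on {detail}")
```
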
| Jeff C. Greenville SC USA 2004-05-30, 11:52 am |
| You were correct. There was still an "all unassigned"
entry for the second website (the one whose certificate
was never being chosen). Once that one was removed, the
lights turned on and the widgets started spinning.
Many thanks.