IIS Server Security - HTTPS

Steve

2004-08-05, 8:37 am

I am attempting to setup my Exchange Server's Default
Website with HTTPS instead of HTTP. I have installed
certificate services, created and installed the
certificate in this format:

servername.publicdomainname.com

I have turned on the "require ssl" in IIS

But, when I try to open the site either internally using
the server's IP address or externally using the public
domain name (i.e. www.publicdomainname.com) I get a page
cannot be displayed error message.

If I type in the old http: then it tells me to try using
https: so I know that it sees the option is turned on.

Running Server 2003 Standard with Exchange Server 2003.
I am trying to get this setup so that I can have RPC or
http and also activesync directly work with the server.

Any help is appreciated,

Thanks,

Steve

Miha Pihler

2004-08-05, 8:37 am

Hi Steve,

if you check Default Site properties is SSL port defined? It should be 443?

Can you telnet to servername.publicdomainname.com on port 443?

telnet servername.publicdomainname.com 443

I hope this helps,

Mike

"Steve" <trmfp@nospam.yahoo.com> wrote in message
news:c32a01c47a31$51ea9210$a401280a@phx.gbl...
> I am attempting to setup my Exchange Server's Default
> Website with HTTPS instead of HTTP. I have installed
> certificate services, created and installed the
> certificate in this format:
>
> servername.publicdomainname.com
>
> I have turned on the "require ssl" in IIS
>
> But, when I try to open the site either internally using
> the server's IP address or externally using the public
> domain name (i.e. www.publicdomainname.com) I get a page
> cannot be displayed error message.
>
> If I type in the old http: then it tells me to try using
> https: so I know that it sees the option is turned on.
>
> Running Server 2003 Standard with Exchange Server 2003.
> I am trying to get this setup so that I can have RPC or
> http and also activesync directly work with the server.
>
> Any help is appreciated,
>
> Thanks,
>
> Steve



Steve

2004-08-05, 8:37 am

Thanks for the quick reply, Mike. I do have the port
defined as 443 in IIS. When I try to telnet, it just
sits there and says connecting to servername.......

Maybe I have done something wrong in the certificate
creation. As I stated before it is
servername.publicdomainname.com

Should it be hostname.publicdomainname.com? By hostname
I mean the header such as email or www or etc.

I do have Port 443 Open to this server in my firewall,
but I also tried telnet to the IP address of the server
and the port number and it still just said connecting.
Or is that normal.

Steve


>-----Original Message-----
>Hi Steve,
>
>if you check Default Site properties is SSL port defined? It should be 443?
>
>Can you telnet to servername.publicdomainname.com on port 443?
>
>telnet servername.publicdomainname.com 443
>
>I hope this helps,
>
>Mike

Miha Pihler

2004-08-05, 8:37 am

Hi Steve,

no this is not normal -- either web service is not running or access to this
TCP port is filtered (e.g. on firewall). Try to connect from the server
itself e.g.

telnet localhost 443

and

telnet 10.10.10.10 443

(replace 10.10.10.10 with real server's IP). Does this work? If it does,
check firewall configuration again. If it doesn't, check IIS configuration
and restart IIS service...

Mike

"Steve" <trmfp@nospam.yahoo.com> wrote in message
news:c2d601c47a38$8362e430$a301280a@phx.gbl...
> Thanks for the quick reply, Mike. I do have the port
> defined as 443 in IIS. When I try to telnet, it just
> sits there and says connecting to servername.......
>
> Maybe I have done something wrong in the certificate
> creation. As I stated before it is
> servername.publicdomainname.com
>
> Should it be hostname.publicdomainname.com? By hostname
> I mean the header such as email or www or etc.
>
> I do have Port 443 Open to this server in my firewall,
> but I also tried telnet to the IP address of the server
> and the port number and it still just said connecting.
> Or is that normal.
>
> Steve


Steve

2004-08-05, 8:37 am

OK, here is what I get when trying to telnet:

I type in either telnet servername 443 or telnet x.x.x.x
443 and press enter, I get a blank black screen.

If I press Ctrl + ] then it gives me a microsoft telnet
prompt

I am assuming that I am connected at that point?

Don't know what this extra step is about.

Anyway, it looks like I can see it now, but I still can't
access my web pages via https://

Should I use the host name or servername in my
certificate?

Steve
>-----Original Message-----
>Hi Steve,
>
>no this is not normal -- either web service is not running or access to this
>TCP port is filtered (e.g. on firewall). Try to connect from the server
>itself e.g.
>
>telnet localhost 443
>
>and
>
>telnet 10.10.10.10 443
>
>(replace 10.10.10.10 with real server's IP). Does this work? If it does,
>check firewall configuration again. If it doesn't, check IIS configuration
>and restart IIS service...
>
>Mike

Miha Pihler

2004-08-05, 8:37 am

Hi,

can you check your certificate and see if it has these two properties set.
Compare it to example that I posted here...
http://freeweb.siol.net/mpihler/cert.jpg

You can view your certificate if you open your Default Web Site ->
Properties -> Directory Security -> View Certificate.

Mike

"Steve" <trmfp@yahoo.com> wrote in message
news:c33301c47a3b$21a028e0$a301280a@phx.gbl...
> OK, here is what I get when trying to telnet:
>
> I type in either telnet servername 443 or telnet x.x.x.x
> 443 and press enter, I get a blank black screen.
>
> If I press Ctrl + ] then it gives me a microsoft telnet
> prompt
>
> I am assuming that I am connected at that point?
>
> Don't know what this extra step is about.
>
> Anyway, it looks like I can see it now, but I still can't
> access my web pages via https://
>
> Should I use the host name or servername in my
> certificate?
>
> Steve


Mark

2004-08-05, 8:37 am

Steve,

It's funny because I am having the exact same problem as
you and have been following along with Mike's great
advice, but to no avail as well.

My certificate says the same as yours, so I await a
response as well.

Thanks,

Mark
>-----Original Message-----
>The bottom part is correct, however the top reads as
>follows:
>
>This certificate is intended for the following purpose
>All Issuance Policies
>All Application Policies
>
>Thanks,
>
>Steve

Miha Pihler

2004-08-05, 8:37 am

Steve and Mark,

what CA did you use to issue these certificates? Your internal -- Microsoft
CA services that comes with Windows or ... ?

How do you have IP setup? Any unassigned or? Is this only web site on this
server? If not, can you stop any other site and restart IIS. Make sure that
only Default Web Site is running.

Can you go over this Microsoft article?

HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003
http://support.microsoft.com/defaul...4&Product=iis60

Mike

"Steve" <trmfp@nospam.yahoo.com> wrote in message
news:006e01c47a42$19339e60$a401280a@phx.gbl...
> The bottom part is correct, however the top reads as
> follows:
>
> This certificate is intended for the following purpose
> All Issuance Policies
> All Application Policies
>
> Thanks,
>
> Steve


Mark

2004-08-05, 8:37 am

Mike,

I used the Microsoft 2003 one. My IP is assigned port
80 as well as 443 in IIS. It's the only web server I have.

When I try to access it internally, the certificate box
does not pop up, only the message "You are leaving a non
secure....".

Thanks,

Mark
>-----Original Message-----
>Steve and Mark,
>
>what CA did you use to issue these certificates? Your internal -- Microsoft
>CA services that comes with Windows or ... ?
>
>How do you have IP setup? Any unassigned or? Is this only web site on this
>server? If not, can you stop any other site and restart IIS. Make sure that
>only Default Web Site is running.
>
>Can you go over this Microsoft article?
>
>HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003
>http://support.microsoft.com/default.aspx?scid=kb;en-us;816794&Product=iis60
>
>Mike

Steve

2004-08-05, 8:37 am

I used the Microsoft Certificate Services.

I have only one website on this server.

I will look at the article provided.

Thanks,

Steve
>-----Original Message-----
>Steve and Mark,
>
>what CA did you use to issue these certificates? Your internal -- Microsoft
>CA services that comes with Windows or ... ?
>
>How do you have IP setup? Any unassigned or? Is this only web site on this
>server? If not, can you stop any other site and restart IIS. Make sure that
>only Default Web Site is running.
>
>Can you go over this Microsoft article?
>
>HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003
>http://support.microsoft.com/default.aspx?scid=kb;en-us;816794&Product=iis60
>
>Mike

Steve

2004-08-05, 8:37 am

OK, I have imported the certificate into the local store
and am still having the problem even after resetting the
IIS Services. I read several articles on how to setup
SSL and none of them had anything on the Local
Certificate Store, only the IIS Wizard method. Is that
normally necessary?

Why is my certificate different than yours? Is it
because you purchased one from a Certificate Authority
and I have published my own?

Thx,

Steve
>-----Original Message-----
>Steve and Mark,
>
>what CA did you use to issue these certificates? Your internal -- Microsoft
>CA services that comes with Windows or ... ?
>
>How do you have IP setup? Any unassigned or? Is this only web site on this
>server? If not, can you stop any other site and restart IIS. Make sure that
>only Default Web Site is running.
>
>Can you go over this Microsoft article?
>
>HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003
>http://support.microsoft.com/default.aspx?scid=kb;en-us;816794&Product=iis60
>
>Mike

Miha Pihler

2004-08-05, 8:37 am

Hi Steve,

if you use IIS Wizard it will place certificate in Local Store instead of
you. If the certificate wasn't there you couldn't assign it...

I also used certificate from my own CA server...

Can you try this on IIS server itself.

open IE and in URL enter https://localhost/ ... Do you get the error or?

Mike

"Steve" <trmfp@yahoo.com> wrote in message
news:022f01c47a56$968f5b10$a401280a@phx.gbl...
> OK, I have imported the certificate into the local store
> and am still having the problem even after resetting the
> IIS Services. I read several articles on how to setup
> SSL and none of them had anything on the Local
> Certificate Store, only the IIS Wizard method. Is that
> normally necessary?
>
> Why is my certificate different than yours? Is it
> because you purchased one from a Certificate Authority
> and I have published my own?
>
> Thx,
>
> Steve


Steve

2004-08-05, 8:37 am

Have Tried that many times before and still get the Page
cannot be displayed error. I am connecting to the port
via Telnet, but something is screwed up with IIS now that
is not allowing the SSL Traffic through.

Is there a diagnostics tool that I can run that will tell
me more about my configuration and maybe where it is
screwed up? I don't even have a website running on this
server, just for OWA and was trying to get ActiveSync
working. I wanted to go over SSL so it was more secure.

BTW, all others are working fine when SSL is not
enabled. I can access OWA and OMA just fine and login,
etc.

Thanks for your continual help with this.

Steve

Miha Pihler

2004-08-05, 8:37 am

Steve,



can you issue new certificate for IIS. Since you have your own CA server
make sure you select that you are issuing certificate for web server...



SSL Diagnostic tool

http://www.microsoft.com/downloads/...&DisplayLang=en



Mike



"Steve" <trmfp@nospam.yahoo.com> wrote in message
news:02a001c47a5d$8e446250$a401280a@phx.gbl...
> Have Tried that many times before and still get the Page
> cannot be displayed error. I am connecting to the port
> via Telnet, but something is screwed up with IIS now that
> is not allowing the SSL Traffic through.
>
> Is there a diagnostics tool that I can run that will tell
> me more about my configuration and maybe where it is
> screwed up? I don't even have a website running on this
> server, just for OWA and was trying to get ActiveSync
> working. I wanted to go over SSL so it was more secure.
>
> BTW, all others are working fine when SSL is not
> enabled. I can access OWA and OMA just fine and login,
> etc.
>
> Thanks for your continual help with this.
>
> Steve
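
An added example (not from the thread, and not Microsoft's SSL Diagnostics tool): a small Python probe that separates the two checks discussed above, the plain TCP connect that `telnet host 443` performs and the SSL/TLS handshake a browser needs, so a port that accepts connections but cannot complete SSL shows up as its own result. The names `probe_https` and `start_drop_listener` and the stage labels are made up for this example; the listener is a constructed local fixture, not IIS.

```python
import socket
import ssl
import threading


def probe_https(host, port=443, timeout=3.0):
    """Probe one endpoint in layers and return (stage, detail).

    stage is one of:
      tcp_failed    - nothing is listening, or the port is filtered
      tls_failed    - the port accepts connections (telnet "works") but the
                      SSL/TLS handshake does not complete
      cert_rejected - the handshake reached the certificate, which this client
                      does not accept (untrusted issuer, name mismatch, expiry)
      tls_ok        - handshake completed with a certificate this client trusts
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp_failed", str(exc)

    ctx = ssl.create_default_context()  # certificate verification stays on
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # The subject is a tuple of RDNs, each a tuple of (key, value) pairs.
            subject = dict(rdn[0] for rdn in tls.getpeercert().get("subject", ()))
            return "tls_ok", subject.get("commonName", "")
    except ssl.SSLCertVerificationError as exc:
        return "cert_rejected", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # Includes EOF, reset and handshake timeout after a successful connect.
        return "tls_failed", str(exc)
    finally:
        sock.close()  # harmless if wrap_socket already took over the socket


def start_drop_listener():
    """Constructed fixture: accept one TCP connection on 127.0.0.1 and close
    it without speaking TLS. Returns the port number it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Same symptom as in the thread: the connect succeeds, HTTPS does not.
    stage, detail = probe_https("127.0.0.1", start_drop_listener(), timeout=2.0)
    print(stage, "-", detail)
```

Run against a real server, a `cert_rejected` result for a certificate from an internal CA is expected on any client that does not trust that CA's root.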



Steve

2004-08-05, 8:37 am

OK, I can do that. I will remove and revoke the current
certificate.

Now, I have seen this done several ways so I would like
to check and make sure I am doing this correctly.

In IIS, I will create a new request and save it to the HDD

I will then import that into my Certificate Services and
Issue it.

Then back to IIS, I will open the acceptance to install it

Is that right?

Steve
>-----Original Message-----
>Steve,
>
>
>
>can you issue new certificate for IIS. Since you have your own CA server
>make sure you select that you are issuing certificate for web server...
>
>
>
>SSL Diagnostic tool
>
>http://www.microsoft.com/downloads/details.aspx?FamilyID=cabea1d0-5a10-41bc-83d4-06c814265282&DisplayLang=en
>
>
>
>Mike

Miha Pihler

2004-08-05, 8:38 am

That sounds OK. When issuing new certificate, make sure you select the right
template...

If this won't work, I will try and e-mail you one of my certificates to
see if that will help...

Mike

"Steve" <trmfp@nospam.yahoo.com> wrote in message
news:009e01c47a5f$ed0b5080$a301280a@phx.gbl...
> OK, I can do that. I will remove and revoke the current
> certificate.
>
> Now, I have seen this done several ways so I would like
> to check and make sure I am doing this correctly.
>
> In IIS, I will create a new request and save it to the HDD
>
> I will then import that into my Certificate Services and
> Issue it.
>
> Then back to IIS, I will open the acceptance to install it
>
> Is that right?
>
> Steve


Steve

2004-08-05, 8:38 am

OK, got it working now. I followed the step by step
instructions at http://support.microsoft.com/default.aspx?scid=kb;en-us;299875

I can now access via http with no problem.

Thanks for all your help and patience, I am really quite
good at most things in admin, but for some reason I was
having a tough time with this. I think because there are
so many different articles out there on how to accomplish
this.

Anyway, thanks again.

Steve
>-----Original Message-----
>That sounds OK. When issuing new certificate, make sure you select the right
>template...
>
>If this won't work, I will try and e-mail you one of my certificates to
>see if that will help...
>
>Mike

Miha Pihler

2004-08-05, 8:38 am

You are welcome :-). We all need help from time to time :-)

Mike

"Steve" <trmfp@nospam-yahoo.com> wrote in message
news:025401c47a66$6516c360$a501280a@phx.gbl...
> OK, got it working now. I followed the step by step
> instructions at http://support.microsoft.com/default.aspx?scid=kb;en-us;299875
>
> I can now access via http with no problem.
>
> Thanks for all your help and patience, I am really quite
> good at most things in admin, but for some reason I was
> having a tough time with this. I think because there are
> so many different articles out there on how to accomplish
> this.
>
> Anyway, thanks again.
>
> Steve


Mark

2004-08-05, 8:38 am

Steve/Mike,

I have been following along with the document as well,
but unfortunately I reach the part where it mentions
Certificate Template check box, which I don't have, why
is that?

Thanks again,

Mark
>-----Original Message-----
>You are welcome :-). We all need help from time to time :-)
>
>Mike

Miha Pihler

2004-08-05, 8:38 am

Mark,

what CA server do you have setup? Is it on Windows 2000 or Windows 2003? Is
it stand alone or enterprise CA setup?

Mike

"Mark" <anonymous@discussions.microsoft.com> wrote in message
news:01f901c47a76$24c24ea0$a301280a@phx.gbl...
> Steve/Mike,
>
> I have been following along with the document as well,
> but unfortunately I reach the part where it mentions
> Certificate Template check box, which I don't have, why
> is that?
>
> Thanks again,
>
> Mark


Steve

2004-08-05, 5:56 pm

I did fail to mention that the article is for Windows
2000 Server instead of 2003. My Server is 2003 and some
of the wording and options differed slightly, but I was
able to get there. I have not yet found an article for
Server 2003 that details the procedure as in the article
I posted.

Hope this helps, if not, let me know and I can write a
procedure for 2003 server and post them to this forum.

Steve
>-----Original Message-----
>Steve/Mike,
>
>I have been following along with the document as well,
>but unfortunately I reach the part where it mentions
>Certificate Template check box, which I don't have, why
>is that?
>
>Thanks again,
>
>Mark


Copyright 2003 - 2008 webservertalk.com