Lesson: ALL Microsoft SharePoint sites should be encrypted. It is easy to do.
Of the large number of Microsoft SharePoint farms I have reviewed over the past few years, most lack encryption. In discussions, most people feel that because the site is not exposed to the outside world, SSL isn't that important. Before making my argument, I would point out that inside Microsoft SharePoint, any page that accepts user credentials over a non-SSL connection shows the following:
“Warning: this page is not encrypted for secure communication. User names, passwords, and any other information will be sent in clear text. For more information, contact your administrator.”
Note: clear text in this case doesn't necessarily mean the data is easily read; it just means it isn't encrypted. Credentials that are hashed are still considered clear text.
To counter the point that Central Administration (CA) is not exposed externally: precisely because it is internal, the problem is easier to resolve than for an external site. I have also often found that some of the servers hosting Central Administration were actually exposed externally. Here are the steps to correct the issue.
- Ensure you have a server that has the Active Directory Certificate Services role added.
- Once the role is added, you will be able to create a new domain certificate from within IIS (if you have adequate permissions).
- Open IIS > Server Certificates
- Create Domain Certificate > Fill out the wizard
- The Common Name and the Host-A record will be the same.
- Add a Host-A record in DNS that points to the web server or load balancer IP address.
- Create / Convert Central Administration on port 443
Open up PowerShell ISE as an administrator and then type the following:
Add-PSSnapin Microsoft.SharePoint.Powershell -EA 0
Set-SPCentralAdministration -Port 443
Now go to IIS (on every server hosting the site) and modify the bindings so the site uses the new certificate on port 443.
Once the bindings are set, flush DNS and test the URL from a server that is not hosting Central Administration. Remember that https://ca.secsp.us won't come up on the server hosting it due to the Loopback Check being enabled (or at least it should be).
Finally, you will need to modify your Alternate Access Mappings (AAM) so that the internal URL is using the new one.
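The steps above, pulled together into one script as an added example (not from the original post); it assumes SharePoint 2013 or later for the -SecureSocketsLayer switch, and the host name, certificate thumbprint and IIS site name are placeholders you must set for your own farm.

```powershell
# Added example: automate the Central Administration SSL conversion described above.
# Run in an elevated PowerShell on a CA host; repeat the IIS binding section on every CA host.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$caHost     = 'ca.secsp.us'                           # Host-A record and certificate Common Name
$thumbprint = '<THUMBPRINT-OF-DOMAIN-CERT>'           # placeholder: see Get-ChildItem Cert:\LocalMachine\My
$siteName   = 'SharePoint Central Administration v4'  # default IIS site name for CA (assumption)

# 1. Move Central Administration to 443 and flag it as SSL in the farm configuration.
Set-SPCentralAdministration -Port 443 -SecureSocketsLayer -Confirm:$false

# 2. Add the HTTPS binding, attach the domain certificate, and drop the clear-text binding.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $caHost)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $caHost
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $caHost
$binding.AddSslCertificate($cert.Thumbprint, 'My')
Get-WebBinding -Name $siteName -Protocol http | Remove-WebBinding

# 3. Point the Default zone Alternate Access Mapping at the HTTPS URL.
$ca = Get-SPWebApplication -IncludeCentralAdministration |
      Where-Object { $_.IsAdministrationWebApplication }
Get-SPAlternateURL -WebApplication $ca -Zone Default |
    Set-SPAlternateURL -Url "https://$caHost" -Confirm:$false

# 4. Verification helper: call this from a server that does NOT host CA,
#    because the loopback check blocks the request on the CA host itself.
function Test-CaTls {
    param([string]$Url = "https://$caHost")
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing
        return ($resp.StatusCode -eq 200)
    } catch {
        Write-Warning "HTTPS check for $Url failed: $($_.Exception.Message)"
        return $false
    }
}
```

If Test-CaTls returns $false, check the certificate chain first (the issuing CA must be trusted by the client), then the DNS Host-A record and the binding on each CA server.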