Monday 7 July 2014

Changing SharePoint Host Named Site Collection Default URL

After changing a site from http to https I was unable to change the default zone URL for the SharePoint site which was hosting host named site collections.

Having the default zone as http was causing multiple issues (Workflows, OWA, Search) as lots of requests were still using http and our load balancer was forcing all traffic to https.

You have some PowerShell available to aid the administration of URLs for host named site collections.

Get-SPSiteURL
Set-SPSiteURL

Firstly I edited my default AAM in Central Admin to be https://test.matt.com.

Now using PowerShell I'll show how my site looks currently.

Get-SPSiteURL -Identity http://test.matt.com




Using Set-SPSiteURL you can add new URLs to a host named site collection for different zones.

Set-SPSiteUrl (Get-SPSite 'http://test.matt.com') -Url 'https://test.matt.com' -Zone Intranet





Get-SPSiteURL -Identity http://test.matt.com

You will see your additional URL in a separate zone.



You can see I have set multiple zone URLs for the host named site collection.

You will not, however, be able to change the default zone URL with the PowerShell SPSite command.

Set-SPSiteUrl (Get-SPSite 'http://test.matt.com') -Url 'https://test.matt.com' -Zone Default



I needed the default zone for the root site to change so that all my host named site collections within the web application would also inherit https by default.

So I removed the Intranet zone URL I added, as I do not need it; I need to change the default zone URL.

Remove-SPSiteURL -URL https://test.matt.com



Get-SPSiteUrl -Identity http://test.matt.com

Back to just a single URL.



So we have to go back in time and break out stsadm.exe.

Open command prompt and run CD C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN


Then run the following command:

stsadm -o renamesite -oldurl http://test.matt.com -newurl https://test.matt.com



And finally, let's now check our default URL.

Get-SPSiteUrl -Identity https://test.matt.com (Use your new URL here)

It's now changed the default URL!






Something to bear in mind is that this has changed the default URL for the host named site collection. The web application will still have the original default URL in the configuration database and you cannot change this without recreating the web application.
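
An added example (not from the original post): an audit that lists every host named site collection in a web application, shows its zone URLs, and prints the renamesite command from this post for any whose Default zone URL is still http. The web application URL is a hypothetical value, and the script assumes the objects returned by Get-SPSiteUrl expose Url and Zone properties.

```powershell
# Added example: find host named site collections whose Default zone URL is still http.
# $webAppUrl is a hypothetical value; replace it with your web application's URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = 'http://webapp.example.local'

$report = Get-SPSite -WebApplication $webAppUrl -Limit All |
    Where-Object { $_.HostHeaderIsSiteName } |
    ForEach-Object {
        $site = $_
        # Get-SPSiteUrl lists every URL mapped to the site collection with its zone.
        $mappings   = @(Get-SPSiteUrl -Identity $site)
        $defaultUrl = [string]($mappings | Where-Object { $_.Zone -eq 'Default' }).Url
        if (-not $defaultUrl) { $defaultUrl = [string]$site.Url }

        $needsRename = $defaultUrl -like 'http://*'
        # The command from the post, printed for review only; nothing is executed here.
        $suggested = if ($needsRename) {
            $newUrl = $defaultUrl -replace '^http://', 'https://'
            "stsadm -o renamesite -oldurl $defaultUrl -newurl $newUrl"
        } else { '' }

        New-Object PSObject -Property @{
            DefaultUrl  = $defaultUrl
            NeedsRename = $needsRename
            OtherZones  = (($mappings | Where-Object { $_.Zone -ne 'Default' } |
                            ForEach-Object { "$($_.Zone)=$($_.Url)" }) -join '; ')
            Suggested   = $suggested
        }
        $site.Dispose()
    }

$report | Sort-Object NeedsRename -Descending |
    Format-Table DefaultUrl, NeedsRename, OtherZones, Suggested -AutoSize -Wrap
```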

This was a pain for me so hope it can be of help!


Installing SSL Certificate and Configuring a SharePoint Site to Use https - One Stop Shop Guide

I am not a security or SSL expert, but as a SharePoint specialist by trade I do bump into SSL and the requirement for https:// sites regularly, especially in the financial sector.

What I am hoping to achieve in this post is a friendly guide for SharePoint admins to install their certificates and set their sites to https.

I found that all of the content required to do this is covered in various blogs, but nowhere could I find a friendly guide covering the end to end process, so here is my attempt.

Firstly you need to install the certificate.

I have tried installing the certificate file straight into the MMC console, but the certificate file never shows up in IIS. I think this is to do with the way the certificate is created and I have the below way of getting it to work.

In this example I will use http://test.matt.com as my fictional pre-existing web application.

You can specify to create a Web Application as SSL from the off and you should install the certificates before creating the Web Application if you are starting off with SSL rather than configuring an existing SharePoint site.

With most of the clients I have worked with, they have their certificates issued for them by a dedicated team or person. So I am assuming you have the below files for your site's certificate.

1. test.matt.com.csr (Certificate signing request)
2. test.matt.com.key (Key file)
3. test.matt.com.cer (Certificate file)
4. group.cer (Root Certificate file)

On a machine with openssl installed, browse to C:\Program Files (x86)\GnuWin32\bin
Copy the certificate files (.cer/.csr/.key) to the bin location.
Copy the Group.cer into C:\Program Files (x86)\GnuWin32\bin from this location
Firstly we need to generate a .pem file.

If you do not have a certificate file you can generate a self-signed one:
x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

You can then create the .pem from that cert:
x509  -in plexus/plexus.dev.echonet.crt -out plexus/plexus.dev.echonet.pem


Open the openssl application and run: x509 -inform der -in test.matt.com.cer -out test.matt.com.pem





A .pem file should appear in the bin directory.

Open the openssl application and run: pkcs12 -export -out test.matt.com.pfx -inkey test.matt.com.key -in test.matt.com.pem -certfile Group.cer


Once prompted, set the password (keep this safe, as you will need it to install the certificate).


Open the certificate console by typing MMC into the search.


Import the .pfx file within the Personal certificates store.


Enter your password.

NOTE: Be sure to tick the box




Your certificate should now be visible in the personal certificate store.

Now to the IIS configuration.

Within the IIS settings for the server, click on 'server certificates'.

Your installed certificate should be visible.





Open the bindings for your SharePoint site.



NOTE: If you need both http and https configured, so that you could in theory use both, then add a new binding. Alternatively, if you only need https, just edit the current binding and change the settings as detailed below.

Type = https
Host Name = Use the same as the http binding (e.g. matt.test.com)
IP address = Use the same as the http binding
Port = 443
Certificate = Select your newly installed certificate

OK your changes.

That is all the required configuration for the IIS site. Perform this on every SharePoint server that hosts the SharePoint IIS sites.
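
An added example (not from the original post): a check to run on each server after importing the .pfx and editing the binding. It confirms that the certificate covers the host name, carries its private key, has not expired, builds a trusted chain, and is the one the https binding references. It assumes PowerShell 3.0 or later, the Local Machine Personal store (Cert:\LocalMachine\My), and a binding on port 443 with a host name; Test-CertName is a helper defined here.

```powershell
# Added example: check that the imported certificate is usable for the https binding.
# Assumptions: the .pfx was imported into Cert:\LocalMachine\My and the binding
# uses port 443 with the host name below.
Import-Module WebAdministration

$hostName = 'test.matt.com'

function Test-CertName([string]$Pattern, [string]$Name) {
    # A wildcard such as *.matt.com covers exactly one left-most label.
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)
        if (-not $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $label = $Name.Substring(0, $Name.Length - $suffix.Length)
        return ($label.Length -gt 0) -and ($label -notmatch '\.')
    }
    return $Pattern -ieq $Name
}

# Thumbprints referenced by https bindings for this host (bindingInformation is IP:port:host).
$bound = @(Get-WebBinding -Protocol https |
    Where-Object { $_.bindingInformation -like "*:443:$hostName" } |
    ForEach-Object { $_.certificateHash })

Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $cert = $_
    # DnsNameList holds the subject CN and the DNS subject alternative names.
    @($cert.DnsNameList | Where-Object { Test-CertName $_.Unicode $hostName }).Count -gt 0
} | ForEach-Object {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    New-Object PSObject -Property @{
        Thumbprint    = $_.Thumbprint
        HasPrivateKey = $_.HasPrivateKey           # a certificate without its key cannot serve https
        NotAfter      = $_.NotAfter
        Expired       = $_.NotAfter -lt (Get-Date)
        ChainTrusted  = $chain.Build($_)           # False if the issuing chain is missing or untrusted
        BoundInIIS    = $bound -contains $_.Thumbprint
    }
} | Format-List
```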

You will now need to edit the SharePoint alternate access mapping for the web application.


Click on the default URL and change it from http:// to https://


NOTE: If you need to browse the site by http or https, or even just wish to leave both configured as an option, then add a new AAM for http by following the next step. If you only want to use https then skip the next step.

Save and then click on 'Add Internal URLs'


Add a new http:// address exactly the same as the original before we changed to https://

The original default address must be changed to https://. You cannot just add a new https:// address, as you want the default URL to be using https://.





Now do an IIS reset.

You should now be able to browse your https site!

If you configured both http and https alternate access mappings you can access your site in both http and https. You may wish to leave this configured for the future, but you can force all traffic over https if you require.

Open the SSL settings for the site.



Select 'Require SSL' and set client certificates to 'Require'.

Apply settings.



Do another IIS reset for this to be applied properly or you will receive errors.

You will now get a 404 forbidden if you try to use http.

Https will work!