Configuring WS SP2 for SSL?

Ray

I'm running Project Server 2003 SP2 with a self-signed SSL certificate. When
I tried to convert the WSS SP2 links to SSL in Manage SharePoint Services
also using a self-signed certificate, I would get an error about one or more
problems with the SSL certificate even though I had imported the root CA
certificate on to the server.

I bought a real SSL certificate for the SharePoint URL and while I no longer
get the aforementioned SSL error, I now get:

"The server instance specified was not found. Please specify the server
address and port."

Of course, I had done that and the SSL certificate does work. I do not have
SSL on the SharePoint Admin site yet, preferring to work on that second.

If I change the FQDN to the IP address, then it complains about the
certificate, so it's definitely finding the server instance.

When I look in SharePoint Admin, it does reference everything as "http" and
not "https". I don't know if this really means anything or not.

Any hints, even just an acknowledgement that this can be done, would be
appreciated.

Thanks,

Ray
 
Rolly Perreaux

Hi Ray,

Did you load the Certificate using IIS Manager? More specifically using
the Web Server Certificate Wizard?

--
Rolly Perreaux, PMP
Project Server Trainer/Consultant

IT Summit Series
Advanced Microsoft Technology Training
http://www.itsummitseries.com
 
Ray

Yes, the certificate does work. When you go via HTTPS to the SharePoint site
in a browser, it does display the correct certificate. It's just Project
Server's admin page that can't find it.

Ray
 
Gary L. Chefetz [MVP]

Ray:

Did you change the server references to SharePoint in Project Server to
https?
 
Ray

Hmm, it certainly sounds like this issue: http://support.microsoft.com/default.aspx?scid=kb;en-us;832816 so I removed the IP addresses and left them as "all unassigned" but that didn't help. I shouldn't have to do this because WSS SP2 is supposed to be able to handle this:
-------------
"Support for IP-bound virtual servers

Previous releases of Windows SharePoint Services did not support assigning static IP addresses to virtual servers extended with Windows SharePoint Services. Instead, it was required that you use host headers and configure all virtual servers with an IP address setting of All Unassigned.
This limitation, as described in Microsoft Knowledge Base article KB 830342: "Soap:Server Exception of Type Microsoft.SharePoint.SoapServer.SoapServerException" Message Appears When You Try to Edit a Portal by Using FrontPage, prevented the ability to host multiple virtual servers on which Secure Sockets Layer (SSL) is enabled on one Web server. In Windows SharePoint Services Service Pack 2, this limitation has been removed, and Windows SharePoint Services now supports assigning a static IP address to a virtual server that has been extended with Windows SharePoint Services."
--------------
This thing will not work without host headers, though, despite the SP2 release notes. Oddly, I can't get this stsadm command to be recognized or show up in the -help:
------------
exclusivlyusentlm

New in Microsoft Windows SharePoint Services Service Pack 2 (SP2). Kerberos is enabled by default in Windows SharePoint Services SP2 using typical installation, eariler versions the default was ntlm.

-exclusivelyusentlm
-------------
Note that it's spelled wrong in the first part (missing an "e"). It also contradicts this statement on the www.microsoft.com/sharepoint page:

"IIS Security modifications - Windows SharePoint Services will disable Kerberos authentication in Internet Information Services on your server during installation. Windows NTLM authentication will be selected by default. For information about running Windows SharePoint Services using Kerberos authentication, refer to Microsoft Knowledge Base Article KB832769. "

Kind of makes me wonder whether I really have WS SP2 even though the file name is correct.

Ray
 
Ray

Hi Gary,

Do you mean on the "Manage SharePoint Services" page? Yes, and also changed
the port from :80 to :443. Making those two changes is what makes it give
the "instance not found" error message. I do not have the Admin site running
on https, though. It is a different virtual server.

Ray
 
Gary L. Chefetz [MVP]

Well, I guess that was too obvious. You've got me on this one, the only way
I've ever done this is to set it up on SSL to begin with. I wonder if we've
got a registry issue by changing this after the initial install.
 
Ray

This thing is only sort of in production, so I'm thinking about blowing it
away again over the weekend. I am getting quite good at reinstalling it, in
fact!

Ray
 
Rolly Perreaux

OK Ray,

I think I have a solution to your problem. But before documenting it, I
have a few more questions which should clear things up...

Do you have the Project, WSS and Central Admin web sites on the same web
server (IIS)? If not, please provide details of your configuration.

Is SSL enabled on all web sites?

Did you want SSL for all web sites?


--
Rolly Perreaux, PMP
Project Server Trainer/Consultant

IT Summit Series
Advanced Microsoft Technology Training
http://www.itsummitseries.com
 
Gary L. Chefetz [MVP]

Reminds me of my initial Project Central hazing.<g> It's a rite of passage,
Ray.
 
Ray

Hi Rolly,

> Do you have the Project, WSS and Central Admin web sites on the same web
> server (IIS)? If not, please provide details of your configuration.

Yes. Only SQL 2000 is on a different server. Both servers are Windows 2003
SP1.

> Is SSL enabled on all web sites?

SSL is enabled via a self-signed certificate for Project, and I'm ordering a
Thawte certificate for it today for other reasons. The SharePoint admin site
is not SSL, but I want to make it SSL. WSS is a work in progress. :)

> Did you want SSL for all web sites?

Yes.

Ray
 
Rolly Perreaux

OK Ray
It took a while, but here's the procedure:


Step 1 - Install SSL certificate on Project web site

This procedure will assume that: (1) the previous self-signed certificate
has been removed, (2) a new IIS Web Server Certificate request has been
made and (3) Thawte has created and sent you the web server certificate.

1. Open IIS Manager and navigate to the Web Sites folder.
2. Right click on Project web site and select Properties.
3. On the Project Properties page, click Directory Security tab and
click Server Certificate.
4. On the Welcome to the Web Server Certificate Wizard page, click Next.
5. On the Server Certificate page, select Process the pending request
and install the certificate and click Next.
6. On the Process a Pending Request page, in the Path and file name box,
type the location of the certificate (for example, c:\newcert.cer) and
click Next.
7. On the SSL Port page, in the SSL port this web site should use box,
type 443 (Standard port for SSL) and click Next.
8. On the Certificate Summary page, click Next.
9. On the Completing the Web Server Certificate Wizard page, click
Finish.
10. On the Project Properties page, under Secure Communication, click
Edit
11. On the Secure Communication page, select the following options and
click OK.
Require secure channel (SSL)
Require 128-bit encryption
(This forces the web site to use SSL)
12. On the Project Properties page, click OK.


Step 2 - Enable SSL certificate on WSS web site

In this procedure we will use the same Thawte SSL Certificate for the
WSS web site as the certificate is based on the web server name and not
the web site name.

1. Right click on WSS web site and select Properties.
2. On the WSS Properties page, click Directory Security tab and click
Server Certificate.
3. On the Welcome to the Web Server Certificate Wizard page, click Next.
4. On the Server Certificate page, select Assign an existing certificate
and click Next.
5. On the Available Certificates page, select the Thawte certificate and
click Next.
6. On the SSL Port page, in the SSL port this web site should use box,
type 444 (The standard port of 443 is already used for Project web site)
and click Next.
7. On the Certificate Summary page, click Next.
8. On the Completing the Web Server Certificate Wizard page, click
Finish.
9. On the WSS Properties page, under Secure Communication, click Edit.
10. On the Secure Communication page, select the following options and
click OK.
Require secure channel (SSL)
Require 128-bit encryption
11. On the WSS Properties page, click OK.


Step 3 - Enable SSL certificate on SharePoint Central Administration web
site

In this procedure we will use the same Thawte SSL Certificate for the
SharePoint Central Admin web site as the certificate is based on the web
server name and not the web site name.

1. Right click on SharePoint Central Admin web site and select
Properties.
2. On the SharePoint Central Administration Properties page, click
Directory Security tab and click Server Certificate.
3. On the Welcome to the Web Server Certificate Wizard page, click Next.
4. On the Server Certificate page, select Assign an existing certificate
and click Next.
5. On the Available Certificates page, select the Thawte certificate and
click Next.
6. On the SSL Port page, in the SSL port this web site should use box,
type 443 (This will cause an error upon refreshing the Web Sites folder,
but we will fix this later using a different technique) and click Next.
7. On the Certificate Summary page, click Next.
8. On the Completing the Web Server Certificate Wizard page, click
Finish.
9. On the SharePoint Central Administration Properties page, under
Secure Communication, click Edit.
10. On the Secure Communication page, select the following options and
click OK.
Require secure channel (SSL)
Require 128-bit encryption
11. On the SharePoint Central Administration Properties page, click Web
Site tab, at the SSL port field, remove 443 and leave blank. (Also write
down the number of the TCP port [mine is 14009], we will need this
number later) and then click OK
12. On the SharePoint Central Administration Properties page, click OK.


Step 4 - Restart SharePoint Central Administration web site

1. At the IIS Manager window, right click the SharePoint Central
Administration and click Stop.
2. At the IIS Manager window, right click the SharePoint Central
Administration and click Start.


Step 5 - Enable SSL for the SharePoint Central Administration

In this procedure we will use the STSADM command-line utility in WSS to
convert to SSL communication for WSS Administration

1. Click Start --> Run, type CMD and click OK.
2. At the Command Line window, type the following and press Enter:
CD\Program Files\Common Files\Microsoft Shared\
web server extensions\60\BIN (all one line)
3. Retrieve the TCP port for the SharePoint Central Administration.
Mine is 14009. The SSL port number will be the TCP Port + 1. So for
example, 14009 + 1 = 14010
4. Type the following command and press Enter:
stsadm.exe -o setadminport -p 14010 -ssl
You should receive an "Operation completed successfully" message.
5. Close the Command Line window.


Step 6 - Changing the Project Server URL

In this procedure we change Project Server URL to use SSL.

1. Launch Internet Explorer
2. Type the following URL: http://<servername>/projectserver
For example, prjsvr is the name of my server so my URL will be:
http://prjsvr/projectserver.
3. You should receive the following error:
The page must be viewed over a secure channel
This tests the Secure Communication configuration change we did in IIS
Manager. If you do not receive the message then there is an error in the
configuration
4. Type the following URL: https://<servername>/projectserver
For example, prjsvr is the name of my server so my URL will be:
https://prjsvr/projectserver.
5. On the Project Web Access home page, click Admin.
6. On the Administration Overview page, click Server Configuration.
7. On the Server Configuration page, at the Enter the intranet and/or
extranet.... section, change Server intranet address to following:
https://<servername>/projectserver and click Save Changes.


Step 7 - Changing the WSS URL in Project Web Access

In this procedure we change the WSS URL used in PWA to use SSL.

1. On the Administration Overview page, click Manage Windows SharePoint
Services.
2. On the Connect to SharePoint server page, type the following URLs in
the corresponding fields and click Save Changes.

SharePoint Central Admin URL:
https://<servername>:<SSL Port Number>
For example, https://prjsvr:14010

Create a site under this SharePoint URL:
https://<servername>:<SSL Port Number>/sites
For example, https://prjsvr:444/sites

You should see a Success message


Step 8 - Verifying the changes to previously created Project Sites (WSS)
in Project Web Access

1. On the Connect to SharePoint server page, click Manage SharePoint
sites.
2. On the Manage Windows SharePoint Services sites page, a listing of
previously created project sites are shown. The Site Address for each
project site should be changed to show:
https://<servername>:<SSL Port Number>/sites/projectserver_###
(### is the project ID)
3. Click on Project Site links to verify
4. Close Internet Explorer


Procedure Recap

A. Installed SSL certificate on Project, WSS and SharePoint Central
Administration web sites

B. Forced using SSL for all web sites

C. Used STSADM command-line utility to enable SSL for the SharePoint
Central Administration

D. Changed the Project Server URL within Project Web Access

E. Changed the SharePoint Central Administration URL within Project Web
Access

F. Changed the Project Site URL within Project Web Access

G. Verified and tested all Web connections

Copyright © 2005 Entecorp Inc. All rights reserved


--
Rolly Perreaux, PMP
Project Server Trainer/Consultant

Entecorp Inc.
http://www.entecorp.com
 
Ray

Thanks, Rolly. I won't be able to try this until tomorrow since the Thawte
certificate hasn't been received yet.

This looks like you're going to use the same URL for both WSS and Project,
which is different from what I'm doing now. I'm using
"project.ourcompany.com" for Project and "servername.ourcompany.com" for the
WSS site. They both are using 80 & 443 but on different IP addresses bound
to the same server.

I also need fully qualified names because employees in a different country
will be accessing the system via a site-to-site VPN and since they were an
acquisition, they are on a different domain and namespace. My SSL
certificates are set for the FQDN as well.

I'll give it a shot!

Thanks for all of your efforts,

Ray
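The two layouts discussed above (one server name with a separate SSL port per site, versus one FQDN and IP address per site, both on 443) can be checked on paper before touching IIS. This is an added example, not part of the original thread; it assumes only one SSL site can own a given IP:port pair, because the certificate is chosen before the request's host name is seen, and the IP addresses and per-site certificates in the sample data are constructed.

```python
# Added illustration: audit planned SSL bindings for port clashes and for
# certificate names that do not match the host name used in the URL.
# All sample layouts below are constructed for this example.

def name_matches(cert_name, host):
    """Compare a certificate name with the host part of a URL.
    A leading '*.' covers exactly one left-most label."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host

def audit(sites):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings, checked = [], []
    for cur in sites:
        for other in checked:
            same_port = other["ssl_port"] == cur["ssl_port"]
            # '*' stands for "All Unassigned" and overlaps every address
            same_ip = other["ip"] == cur["ip"] or "*" in (other["ip"], cur["ip"])
            if same_port and same_ip:
                findings.append("binding conflict: %s and %s both claim port %d"
                                % (other["name"], cur["name"], cur["ssl_port"]))
        checked.append(cur)
        if not any(name_matches(n, cur["url_host"]) for n in cur["cert_names"]):
            findings.append("name mismatch: %s is reached as %s but the certificate covers %s"
                            % (cur["name"], cur["url_host"], ", ".join(cur["cert_names"])))
    return findings

def make_site(name, ip, ssl_port, url_host, cert_names):
    return dict(name=name, ip=ip, ssl_port=ssl_port,
                url_host=url_host, cert_names=cert_names)

# One server name, one certificate, a distinct SSL port per site
SINGLE_NAME = [
    make_site("Project", "*", 443, "prjsvr", ["prjsvr"]),
    make_site("WSS", "*", 444, "prjsvr", ["prjsvr"]),
    make_site("Central Admin", "*", 14010, "prjsvr", ["prjsvr"]),
]
# Same layout, but Central Admin left on 443 (the intermediate state in Step 3)
PORT_REUSED = SINGLE_NAME[:2] + [make_site("Central Admin", "*", 443, "prjsvr", ["prjsvr"])]
# One IP address and FQDN per site, both on 443 (assumes one certificate per name)
TWO_ADDRESSES = [
    make_site("Project", "192.0.2.10", 443, "project.ourcompany.com",
              ["project.ourcompany.com"]),
    make_site("WSS", "192.0.2.11", 443, "servername.ourcompany.com",
              ["servername.ourcompany.com"]),
]
# The WSS site addressed by IP instead of by the name in its certificate
BY_IP = [make_site("WSS", "192.0.2.11", 443, "192.0.2.11", ["servername.ourcompany.com"])]

if __name__ == "__main__":
    for label, layout in [("single name", SINGLE_NAME), ("port reused", PORT_REUSED),
                          ("two addresses", TWO_ADDRESSES), ("by IP", BY_IP)]:
        print(label, "->", audit(layout) or "ok")
```
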
 
Ray

Hi Rolly and Gary,

Well, here's the answer. Rolly's detailed instructions didn't work. :)

I did get it to work, though, by uninstalling Project Server in its
entirety, leaving the SQL stuff alone. I forced the WSS Project virtual
server to SSL as Rolly suggested and also forced the WSS Admin site to SSL
as he suggested. When I did that, the WSS admin pages showed the site was
extended with HTTPS and the SSL port. Pretty cool, actually.

I then re-installed Project Server, specifying the HTTPS URLs and SSL ports.
The reinstall went fine. When I look at the Home page in PWA, it says I have
no new risks or issues. I manually recreated the SharePoint Issues, Risks
and Documents site and synched the accounts fine. WSS is now working fine
under SSL.

Now, here's the only issue: Even though the SharePoint-Project WSS stuff
looks like it's working fine and is definitely using HTTPS:// and the
associated SSL port and even though the "Connect to SharePoint Server" page
has HTTPS:// and the correct SSL ports, I cannot Save Changes on that page.
Even just going to the page, not making any changes and just clicking the
"Save Changes" button, it says, you guessed it, "The server instance was not
found."

If it walks like a bug, and talks like a bug...

Thanks to both of you for all of your efforts. Gary, your comment that
it worked when installed initially as SSL was what led me to try an
uninstall and a reinstall.

BTW, I also had an issue with Risks and Issues that is now gone. If I used a
Windows 2000 Pro SP4 computer, they both worked fine. If I used an
identically configured XP SP1 computer with the same credentials, I could
not link a Risk or an Issue to a Task. When I clicked the link on the New
Item page to link it, the XP boxes always displayed a dialog box that said
Project could not talk to SharePoint and to add both URLs to Trusted Sites.
I'm guessing this was resolved by moving the WSS site from a self-signed
certificate to a real SSL certificate.

Thanks again to everyone,

Ray
 
Ray

Well, heck. Everything is not OK.

We deleted the project today and re-imported it to the server to get a clean
start. The WSS site was not created and when I try to create it manually, it
says "Error when creating site. Site does not seem to exist". The email
addresses are in place. I could always create it manually before.

I removed the "Require SSL" from the WSS virtual server and changed the
provisioning links back to http & the http port. It now saves and I can
create the WSS site manually.

I'm going to open a case with Microsoft.

Ray
 
Ray

Another well-spent $245 with Microsoft Support Services, and no, I am not
kidding! Those folks are good.

1. Leave the "Create a site under this SharePoint URL:" link using HTTP and
using the non-SSL port

2. Add in a "SharePoint Extranet" address using HTTPS and the SSL port
ending in /sites, not /projects as the example on the PWA Admin page shows.

3. On Project Server 2003, navigate to the registry key
HKLM\Software\Microsoft\Office\11.0\MS Project\WebClient
Server\ProjectServer\Datasets\STS and change the IsExtranet REG_DWORD from a
zero to a one.

Presto! All of the Project SharePoint sites will suddenly be changed to SSL
without having to force the SharePoint virtual server to require SSL!

Thanks again to all, especially to Rolly and Gary. You can add this to your
bag of tricks.

Ray


 
Rolly Perreaux

Very Cool!
Thanks for sharing with us Ray

--
Rolly Perreaux, PMP
Project Server Trainer/Consultant

IT Summit Series
Advanced Microsoft Technology Training
http://www.itsummitseries.com
 
