Monday, October 21, 2013

How To Create an HTTPS Friendly URL for Your Active Directory Certificate Services (ADCS)

After adding the Active Directory Certificate Services (ADCS) role to your server, you will be able to open up your browser and request a certificate. The problem is that the URL is based off the server name and you have to remember the site name. For example to get to the Certificate Authority (CA) on my backup domain controller, I would have to go to http://dc02/certsrv/default.asp. There are a couple of problems with this URL; one is that it is over HTTP and the other is that I will not remember the URL. Granted, I can always save the URL to my Favorites, but that is not how I roll, and I prefer to keep things simple so that I can remember URLs.
Objective 
The objective of this demonstration is to show how to create a safer, and easier way to get to the Welcome page of the Active Directory Certificate Services web site.
Let's Get Started
As with all things new, it is best to start off this exercise and validate that you can get to your ADCS site on port 80. Once you have your port 80 site up and running, it will be time to create a friendly named URL, such as ca.pcDemo.net. You will want to make sure that the URL meets your naming scheme for internal (inside the firewall) URLs as you do not want to expose your ADCS server to the outside world. After you have come up with a good name, and your boss has OK'd his URL, have a New Host(A) name created. Once the new host name has been added to DNS, validate...
To get the CA on port 443 without error, a certificate will need to be created for the Name entered into DNS. On the ADSI server, open up IIS Manager (Windows Key + R --> inetmgr), select server name and double click on Server Certificates under the IIS Module.
From the Server Certificates page, select the Create Domain Certificate...
Once the Distinguished Name Properties window opens, fill it out correctly.
Click the Next button to continue, which will bring up Online Certification Authority winds. Click the Select button and find the CA that you wish to use to supply the certificate. Then put in your friendly name for the certificate.
Click the Finish button to complete the certificate request. If you have the appropriate permissions, the certificate should have been created and added to the list of available server certificates.
The next step is to create the binding to the Default Web Site.
Start by selecting the Default Web Site, then select Binding from the Edit Site Actions section.
From the Site Bindings window, click the Add... button. From the Add Site Binding window, change the type of connection to HTTPS, and select the appropriate certificate from the SSL certificate drop-down.
Depending on your version of IIS, either the Host name will be grayed out or not. This is running on IIS 8.5 on Server 2012 R2.
At this point your should be able to open up your browser to https://<friendlyname>/certsrv 
IMPORTANT: You will not be able to log-in to the site from your ADCS server. You will want to test from another machine on the domain.
Create the Redirect
Now there is the final step to make life easier for you and your clients, and that is to have a friendly URL name that will be redirected to the CA page on port 443.
Again, select the Default Web Site, and double click on the HTTP Redirect module.
This will bring up the HTTP Redirect window. Enable the redirect to the appropriate location and select the appropriate behavior, and status code.
After you click the Apply link, IIS will create a web.config file for you. IIS has added the following into your web.config file:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpRedirect enabled="true" destination="https://ca.pcdemo.net/certsrv" childOnly="true" />
    </system.webServer>
</configuration>
And now, from a browser not located on the certificate server, you should be able to go to http://<friendlyname> and automatically get redirected to https://<friendlyname>/certsrv

Saturday, October 19, 2013

How to Redirect from HTTP to HTTPS with URL Rewrite

I ran into an issue with trying to trick IIS into redirecting using the method that I described in my previous blog post HTTP to HTTPS Redirect in IIS7. I tried to get my rewrite configured manually using the out of the box HTTP Redirect in IIS, but was not having much luck.
I did not have all day, so after looking around for a bit, I found a GUI that works with the HTTP Redirect module to make creating the redirect easier. This demonstration will be using Microsoft URL Rewrite Module 2.0 for IIS 7 (x64) with the update Update for URL Rewrite Module 2.0 (KB2749660) (x64). You will need to be an Administrator on the machine where you install the module. There are not any parameters to set during the installation, they are both Next-Next-Finish installations. However, the Update runs a repair installation module, which is still just an N-N-F install. You also have the option to use the Web Platform Installer to install the URL Rewrite module.
If you do not stop IIS before installing, a server reboot will be required.
After installation is complete, you should see the new module added to the sites in IIS
Objective
Our goal is going to take a standard HTTP request for http://sp2010.contoso.com and redirect it to https://sp2010.contoso.com.
Let's Get Started
Please remember that this is a GUI for writing information into your web.config file. It is always best to make a copy of your web.config file before making any changes (GUI based or manually).

To get started, double click on the URL Rewrite module, and select Add Rule(s)... 
which will open a window to select the type of rule template to use.
Start by naming your rule...  Be descriptive as you never know what else you might add at a later date... Then update the Match URL section to match the image below.
If you press the Test pattern... button, and enter a URL such as http://sp2010.contoso.com/sites/sales, take notice of the Capture groups, as you will see the Back Reference used in an upcoming setting. The important take away is that the values of the Back References are for the exact URL that you entered, meaning that the entire URL is ready for the next step in the Redirect.

After closing out the Test Pattern window, in the Conditions section, click the Add... button to create a condition for the redirect rule and set the parameters as seen in the image below.
The Test Pattern for this condition will always fail as it does not test the URI scheme (HTTP or HTTPS).
There are not any changes or additions required for the Server Variables section.
In the Action section, set the parameters based off the image below.
When you are done entering the parameters, click the Apply link and then click the Back to Rules link.
If you have more questions about URL Rewrite and how it works, the Online Help link is very useful.
After pressing Apply, and Back, your URL Rewrite rule should look something like this:
Let's Clean Things Up
You now have the ability to redirect, but have you set your bindings in IIS? And if you are using SharePoint, have you set your Alternate Access Mappings? Don't forget that you will also need an SSL Certificate (preferably a SAN certificate) so that you can create your port 443 binding. Remember that out of the box, IIS 7 will only allow one (1) port 443 binding per server. Please read my other post on how to host more than one URL with port 443 bindings on the same IP address (coming soon).
Troubleshooting
There are a couple of things that you need to keep in mind when using a redirect. 

  • You will still need to have the port 80 binding enabled.
  • Under the site's SSL Settings, the Require SSL check box should NOT be selected.

Behind the Scenes
The URL Rewrite module is a nice tool that keeps you physically out of your web.config file. As a second reminder, URL Rewrite is a GUI for writing information into your web.config file. It is always best to make a copy of your web.config file before making any changes (GUI based or manually). 
After you hit the Apply link, this is what has been added to the IIS site's web.config file:
If you wish to add the redirect manually, copy/paste below to your web.config file (after backing it up first).
</handlers>
  <rewrite>
    <rules>
      <rule name="HTTP to HTTPS Redirect" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
          <add input="{HTTPS}" pattern="off" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Found" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>

Update 10/20/2013: Added the web.config information for copy/paste
Update 01/05/2015: Added the link to reference information to download via Web Platform Installer