Multiple SSLs on the same IIS server

I have a wildcard ssl that most of my sites use. I need to add a site that doesn't fit the wildcard naming scheme. I have read that I need a unique IP address for the site so the users will be given the right ssl cert when they browse the site.

I created the site, applied the cert, and assigned it a unique IP address. Users are still given the wildcard cert and the browser tells them something is wrong with it (because the address doesn't match.)

Am I missing something to get the right certificate to be sent to the users? Is there another way or would I need a single IP for every single site that has its own ssl?

Thanks

Do your other sites also have an _assigned_ IP address, or are they Unassigned?
Anthony, http://www.airdesk.co.uk

"super1" <superbrownbrown1@nospam.nospam> wrote in message news:e2pR$wEBIHA.3916@TK2MSFTNGP02.phx.gbl...
> I have a wildcard ssl that most of my sites use. I need to add a site that
> doesn't fit the wildcard naming scheme. I have read that I need a unique
> IP address for the site so the users will be given the right ssl cert when
> they browse the site.
>
> I created the site, applied the cert, and assigned it a unique IP address.
> Users are still given the wildcard cert and the browser tells them
> something is wrong with it (because the address doesn't match.)
>
> Am I missing something to get the right certificate to be sent to the
> users? Is there another way or would I need a single IP for every single
> site that has its own ssl?
>
> Thanks

At first they were still sitting at All Assigned. I have changed them all to be on the original IP address and this new site is the only one with the new IP. It still sends the wrong ssl to the browser.

"Anthony" <anthony.spam@spammedout.com> wrote in message news:eIivLqGBIHA.4584@TK2MSFTNGP03.phx.gbl...
> Do your other sites also have an _assigned_ IP address, or are they
> Unassigned?
> Anthony, http://www.airdesk.co.uk
>
> "super1" <superbrownbrown1@nospam.nospam> wrote in message
> news:e2pR$wEBIHA.3916@TK2MSFTNGP02.phx.gbl...
>> I have a wildcard ssl that most of my sites use. I need to add a site
>> that doesn't fit the wildcard naming scheme. I have read that I need a
>> unique IP address for the site so the users will be given the right ssl
>> cert when they browse the site.
>>
>> I created the site, applied the cert, and assigned it a unique IP
>> address. Users are still given the wildcard cert and the browser tells
>> them something is wrong with it (because the address doesn't match.)
>>
>> Am I missing something to get the right certificate to be sent to the
>> users? Is there another way or would I need a single IP for every single
>> site that has its own ssl?
>>
>> Thanks

Hi,

I'd like to suggest you first run the SSLDiag tool to scan the whole IIS server's SSL configuration. Check if the correct certificate is actually assigned to the problematic site and all web sites' SSL bindings are correct. Especially all web sites should use their specific IP addresses instead of 'all unassigned'. Also please test the following cases:

1. Use IP address to access the problematic SSL site, i.e: https://<IP address>/... to ensure this is not an incorrect DNS resolution issue.
2. Temporarily change the site to use a non-default SSL port instead of 443 to make IIS identify the site by port.

Will you still get the incorrect wildcard cert in these 2 cases?

The latest version of SSLDiag can be found at:

Internet Information Services Diagnostic Tools
http://www.microsoft.com/windowsserver2003/iis/diagnostictools/default.mspx

Note: when SSLDiag is finished scanning the SSL config, please double-click a site's section (e.g [W3SVC/1]), the tool will open a new window to test the SSL handshake.

Please send the log and trace to me at: wjzh***@online.microsoft.com (remove online.) and my backup Wen Yuan: v-wyw***@online.microsoft.com (remove online.)

We are looking forward to your update.
Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

I ran the ssl diag tool and it showed me several errors. It helped me see that I needed to edit the IP address on the Advanced Web Site Identification section as well. Now the site is getting the correct SSL.

Thanks for your help!

"WenJun Zhang[msft]" <wjzh***@online.microsoft.com> wrote in message news:eisKxOMBIHA.5204@TK2MSFTNGHUB02.phx.gbl...
> Hi,
>
> I'd like to suggest you first run the SSLDiag tool to scan the whole IIS
> server's SSL configuration. Check if the correct certificate is actually
> assigned to the problematic site and all web sites' SSL bindings are
> correct. Especially all web sites should use their specific IP addresses
> instead of 'all unassigned'. Also please test the following cases:
>
> 1. Use IP address to access the problematic SSL site, i.e: https://<IP
> address>/... to ensure this is not an incorrect DNS resolution issue.
> 2. Temporarily change the site to use a non-default SSL port instead of
> 443 to make IIS identify the site by port.
> Will you still get the incorrect wildcard cert in these 2 cases?
>
> The latest version of SSLDiag can be found at:
>
> Internet Information Services Diagnostic Tools
> http://www.microsoft.com/windowsserver2003/iis/diagnostictools/default.mspx
>
> Note: when SSLDiag is finished scanning the SSL config, please
> double-click a site's section (e.g [W3SVC/1]), the tool will open a new
> window to test the SSL handshake.
>
> Please send the log and trace to me at: wjzh***@online.microsoft.com
> (remove online.) and my backup Wen Yuan: v-wyw***@online.microsoft.com
> (remove online.)
>
> We are looking forward to your update.
> Thanks.
>
> Sincerely,
>
> WenJun Zhang
>
> Microsoft Online Community Support
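The checks discussed in this thread (every site's SSL identity on a specific IP rather than "All Unassigned", one certificate per IP:port, and a certificate whose name covers the site's host name) can be sketched as a small offline audit. This is an added example, not part of the thread and not SSLDiag; the dictionary layout, site names, host names and addresses are constructed for illustration, and the empty string stands for "(All Unassigned)".

```python
from collections import defaultdict

UNASSIGNED = ""  # assumption of this sketch: "" means "(All Unassigned)"

def name_matches(pattern, host):
    """True if a certificate name covers host; '*' stands for one left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])

def audit(bindings):
    """Return sorted (site, problem) pairs for a list of SSL identities."""
    findings = set()
    endpoints = defaultdict(list)
    for b in bindings:
        endpoints[(b["ip"], b["port"])].append(b)
        if b["ip"] == UNASSIGNED:
            findings.add((b["site"], "SSL identity is All Unassigned"))
        if not any(name_matches(n, b["host"]) for n in b["cert_names"]):
            findings.add((b["site"], "certificate does not cover host name"))
    # Without a host name to go on, a certificate is tied to IP:port,
    # so two different certificates on one endpoint cannot both be served.
    for group in endpoints.values():
        if len({tuple(sorted(b["cert_names"])) for b in group}) > 1:
            for b in group:
                findings.add((b["site"], "shares IP:port with a different certificate"))
    return sorted(findings)

# Constructed sample data (documentation address ranges, made-up sites).
WILDCARD = ["*.example.com"]
BEFORE = [
    {"site": "shop", "host": "shop.example.com", "ip": "192.0.2.10", "port": 443, "cert_names": WILDCARD},
    {"site": "mail", "host": "mail.example.com", "ip": "192.0.2.10", "port": 443, "cert_names": WILDCARD},
    # New site: its SSL identity was never moved to the dedicated IP.
    {"site": "partner", "host": "www.example.net", "ip": UNASSIGNED, "port": 443, "cert_names": ["www.example.net"]},
]
AFTER = [dict(b, ip="192.0.2.20") if b["site"] == "partner" else b for b in BEFORE]

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or "no findings")
```
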