0

We have two sites/applications in IIS:

  1. www.corpsite.com
  2. accounts.corpsite.com

As you can see the accounts app has the same TLD and is the only application/site on the server that makes use of an SSL.

Problem:

Browsing to https://www.corpsite.com redirects us to https://accounts.corpsite.com, which it shouldn't. We don't make use of SSL on the www.corpsite.com site, only on the accounts site.

Screenshots:

If you look at the screenshot named www.corpsite.com.gif you'll see that there's no certificate configured on the site.

The accounts.corpsite.com site on the other hand has the certificate installed.

Anyone able to help?

Thanks, Jacques

Jacques
  • What is the cn on the certificate? – Greg Askew Jul 04 '13 at 14:54
  • Hi Greg, thanks for the response. A bit clueless here, what is a CN? – Jacques Jul 05 '13 at 08:07
  • Sorry Greg, one of my team here mentioned that it refers to Common Name, we'll check it. I've got a feeling I know where you're going with this. – Jacques Jul 05 '13 at 08:28
  • We've confirmed the CN is AccountApp.CorpSite.com, so that would seem correct wouldn't it? – Jacques Jul 05 '13 at 08:48
  • It is not correct if you are attempting to establish a secure session to www.corpsite.com. You may want to amend your question and specify the server response you are expecting, i.e. an error. – Greg Askew Jul 05 '13 at 11:54
  • Not sure the question needs changing. The www.corpsite.com does not require an SSL connection. The accountapp.corpsite.com does. If there were no certificates added to the server, what would one expect the response to be if a user entered http"s"://www.corpsite.com? – Jacques Jul 08 '13 at 07:43
  • Hi Greg, I've edited the post and added some screenshots and changed the wording a bit. Would you mind having another look? – Jacques Jul 09 '13 at 09:35
  • Hey Greg, any chance you've looked at this again? Actually quite desperate – Jacques Jul 16 '13 at 14:49
  • Do these sites (`www.corpsite.com` ; `accounts.corpsite.com`) share an IP address? (Better yet, can you give us an actual domain name? Troubleshooting in the dark is next to impossible.) – voretaq7 Jul 19 '13 at 15:32

2 Answers

3

Remove the https binding (443) from the site www.corpsite.com.

As a best practice, use a catch-all binding on your main site (as in port 80 without any host header), and specify the host header on your secondary sites.

Note that host headers on SSL is extremely limited in terms of support out there, so even if IIS on 2003 supports it I wouldn't bother to set it up. If you need SSL on more than one site in the future you should add another IP, or move the application to a virtual directory under your main site.

EDIT: I was wrong, very wrong

http://en.wikipedia.org/wiki/Server_Name_Indication

Seems like every major browser out there supports this now, so I guess the world has moved on since I last checked a few years ago! According to Microsoft, IIS Windows 2003 SP1 and later supports host headers on SSL binding, by using certain command-line tools. Note that you need a wildcard certificate to make it work.

pauska
  • Pauska's answer sounds best. Fortunately for me, the client I'm at doesn't have any Win2k3 servers for me to look at :-) (That I know of, anyway.) – mfinni Jul 19 '13 at 17:24
  • Thanks Pauska I appreciate the time. It seems though that Wikipedia is reporting that IE6, or any version of Internet Explorer, on Windows XP won't work due to this being a component of the operating system. After reading some more it looks like this issue is by design in Windows Server 2003 and was only fixed in SP1. – Jacques Jul 22 '13 at 09:03
1

It sounds like you have the sites on the same IP? Use Host Headers on both sites with the correct name on each.

mfinni
  • I am pretty sure IIS on 2003 server does not support host headers on SSL - it's barely supported by browsers out there. – pauska Jul 19 '13 at 17:18
  • Ick. Double ick, in fact. – mfinni Jul 19 '13 at 17:22
  • Turns out there IS a way to do it with IIS 6, but not through the GUI: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true – pauska Jul 19 '13 at 17:25
  • Turns out I was completely wrong on this, most browsers support it now. See my updated answer. I've voted on yours as well, since you were correct all along! Sorry about the confusion. – pauska Jul 19 '13 at 17:32
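
A simplified model of the behaviour both answers discuss, added here as an illustration (it is not from the original posts and is not IIS code): without a host header on the SSL binding, whichever site owns IP:443 answers every HTTPS hostname that resolves to that IP, and a wildcard certificate is what lets the single IP:443 certificate cover several host headers. The hostnames and the CN are taken from the thread; the IP address, the site labels, the function names, and the assumptions that both sites share one IP and that the existing SSL binding has no host header are constructed.

```python
# Added illustration: a simplified model, not IIS code.
# Hostnames and the CN come from the thread; IP and site labels are constructed.
IP = "192.0.2.10"  # constructed; assumes both sites share this address

def cert_covers(cert_name, host):
    """Name check: '*' may replace exactly one leftmost label."""
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False
    if c[0] == "*":
        return len(c) > 2 and c[1:] == h[1:]
    return c == h

def route_https(secure_bindings, cert_name, ip, host):
    """secure_bindings: (site, ip, port, host_header) tuples, one cert per ip:443.
    Returns (site that answers or None, certificate name matches host)."""
    on_443 = [b for b in secure_bindings if b[1] == ip and b[2] == 443]
    if not on_443:
        return None, False  # nothing listens on 443, so the connection fails
    # The handshake completes first, using the single certificate for ip:443.
    cert_ok = cert_covers(cert_name, host)
    # Only then is the Host header readable: exact match wins, else a blank one.
    exact = [b for b in on_443 if b[3].lower() == host.lower()]
    blank = [b for b in on_443 if b[3] == ""]
    chosen = (exact or blank or [None])[0]
    return (chosen[0] if chosen else None), cert_ok

# Assumed current setup: only the accounts site has an SSL binding,
# and that binding carries no host header.
AS_DESCRIBED = [("accounts", IP, 443, "")]
# Setup from the answers: host header on the SSL binding plus a wildcard cert.
WITH_HOST_HEADER = [("accounts", IP, 443, "accounts.corpsite.com")]

if __name__ == "__main__":
    for label, bindings, cn in [
        ("as described", AS_DESCRIBED, "AccountApp.CorpSite.com"),
        ("host header + wildcard", WITH_HOST_HEADER, "*.corpsite.com"),
    ]:
        for host in ("www.corpsite.com", "accounts.corpsite.com"):
            print(label, host, route_https(bindings, cn, IP, host))
```

In the first setup the accounts site answers `https://www.corpsite.com` with a certificate whose name does not match that host; in the second, no site claims that hostname on port 443.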