Applying SSL to a SharePoint Central Admin site

By default, SharePoint will install the Central Administration web application to run over ordinary unsecured HTTP but on a random IP port. It is generally a Good Idea ™ to run using SSL/HTTPS instead. To do so, there are two things you need to do: install an SSL certificate in IIS, and change the IP port used by SharePoint for the Central Administration site.

Open IIS Manager and get properties on the site labeled SharePoint Central Administration v3. Open the Directory Security tab and click on Server Certificate. What happens next depends on whether you need to create a new certificate or already have one you can use. There is plenty of information you can google for the process of obtaining or installing existing certificates if you don’t know already know how. Complete the wizard as appropriate to your situation, specifiying port 443 if prompted.

With the certificate installed, IIS is able to use HTTPS via port 443, but SharePoint knows nothing about the changes you made in IIS and is still only expecting to communicate over whatever random port was in place. There is a quick stsadm command to fix that:

stsadm -o setadminport -ssl -port 443

Don’t be alarmed if it appears to take a moment. When finished, it should tell you Operation completed successfully. After that, I have found it pays to wait a couple more minutes for SharePoint to finish the changes internally. Then try opening Central Administration, e.g. https://host.example.com/. Your Central Administration page should appear momentarily. Once you have successfully opened Central Administration, return to the site properties, and on the Directory Security tab click Edit… just a little below the Server Certificate button you clicked earlier. Then check Rquire secure channel (SSL), and I recommend you also check Require 128-bit encryption. Click OK, then OK again to close the site properties. You will now only be able to open the Central Administration over SSL.

Vista essentials for admins

On the job, I take care of mostly Windows servers, and had grown quite accustomed to a stable set of tools on my XP desktop. But they recently gave me a laptop at work, and being a curious geeky kind of guy, of course the first thing I did was install Vista (Ubuntu too but that’s another story). It was rather aggravating to find a lot of things commonly used by those who do what I do no longer work in Vista (more about Vista later). Here are some things I eventually figured out that helped.

• Install Vista SP1 (the latest as I write this). It took care of some really annoying problems for me. It will probably take 45 minutes or more, so be patient. Once it is installing, you can go do something in the real world for a while.
• Like under XP, you will benefit if you customize the Start menu. Right-click the Taskbar and pick Properties, select the Start Menu tab, and click Customize on the right. At the very least enable System Administrative Tools near the bottom of the list. Personally I also prefer to display Control Panel as a menu rather than a link. Click OK.
• I found the “new and improved” Windows Explorer particularly annoying. Here are a few things I did; use at your discretion.
  • Open Windows Explorer (Winkey+E), then click the Organize button and pick Folder and Search options. Select the View tab and check Always show menus, select Show hidden files and folders, and uncheck Hide extensions for known file types. Click OK.
  • Under the View menu, enable the Status bar.
  • Under the Organize button is a Layout menu item. The Navigation Pane will show the list of folders on the left. I rather like the Details Pane at the bottom of the window, and you may or may not find the Preview Pane useful. I don’t use the Search Pane myself. I also just realized there is an option here to always enable the Menu Bar. :)
  • Click the Organize button and pick Folder and Search options again. Select the View tab and click Reset Folders then click Apply to Folders to apply your choices everywhere.
• Vista allows you to right-click a shortcut and run as a local Administrator, but not with the credentials of your choice like shift+right-click used to in XP. Fortunately, sysinternals-turned-Microsoftie Mark Russinovich came up with ShellRunas. This little gem adds a context menu (right-click) option to Run as different user… to Windows Explorer. A huge shout out to Mr. Russinovich; I don’t know what I’d have done without you over the years. As an admin, there are some other sysinternals utilities you should look into if you have not already done so.
• The networking GUI has really been altered and I found it quite frustrating when setting up a wireless connection at home. Go to Control Panel, Network and Sharing Center. See what I mean? Anyway, the Connect to a network link on the left is where you’ll need to go to set up a new connection, whether wireless or VPN or whatever. In that initial dialog, the Set up a connection or network link near the bottom will get you to something a little more familiar-looking. Also, back at Network and Sharing Center, try Manage network connections for a more traditional XP-like view of your connections, where you can also examine properties in a more XP-like fashion for such things as IP configuration.
• Here’s a biggie: for access to AD tools like Active Directory Users and Computers, you really must download the Remote Server Administration Tools for Windows Vista SP1. This tool set should have been available as a download for Vista long, long ago. I might have dumped Vista without it. Anyway, note that after you run the installer (32- or 64-bit), you need to go in to Control Panel, Programs and Features, and select Turn WIndows features on or off on the left side and enable the interesting stuff under Remote Server Administration Tools. There might be some other things you want to turn on/off while you are here. Notably, if you enable the Table PC Optional Components, you’ll get a screenshot utility under All Programs, Accessories.
• One more somewhat controversial thing – User Account Control or UAC. I generally want to “do the right thing” and tried living with this for a while. A short while. You know Microsoft has even said they made this annoying on purpose, in the name of educating users and developers? Well, to disable it, go to Control Panel, User Accounts. Click on Turn User Account Control on or off. Uncheck Use User Account Control (UAC) to help protect your computer. Click OK.

Of course there is a lot of other stuff about Vista, and I may write more later. In the meantime, I hope this helps you get some basic things out of the way so you can get down to business.