My most recent project was an SSL / AD authenticated Windows SharePoint Services (WSS) extranet site. The challenge was not in the WSS site, but instead in its deployment. The site itself runs on W2K3 Server (Standard, I believe), and it was my intention to run our office portal on SharePoint Portal 2003... and then configure this very important WSS site under it with SSL for external users. Easy, right? Well, I had it all up and running a week before the deadline... but then everything went wrong.
After deployment of the server I was told by an MCS consultant that our org had a DMZ... (why none of the systems folks had mentioned this before is beyond me). So I immediately moved the server into it (changing IP/subnet/gateway, running new cables, etc). This took about a day.
But the problems didn't end there, because the SSL authentication was working erratically. Authentication appeared to work for everyone on my machine (despite the site log showing access denied aka 403/18s)... but not on other machines for the same people. After about an hour of troubleshooting, I was off to premier. I explained the situation, and then attempted to understand the support person's English (which was in a very thick Indian accent). Somewhere in the process of understanding this guy, I found something out:
Windows 2003 / IIS6 does not support SSL sites which use a host header. What?!?!?! It's all true though... and according to Microsoft this is by design!
This just can't be true, I told myself. Microsoft wouldn't release their web server so crippled as to prevent multiple virtuals with host headers from supporting SSL - that would just be plain stupid! How could they possibly compete with Apache?! It would be like taking stored procedures away from SQL Server and then expecting it to compete with Oracle (e.g. MySQL attempting to compete with SQL2K ;). Stupid.
And yet, it's true. Read "HTTP 1.1 host headers are not supported when you use SSL" (MSKB 187504) for yourself. I dare you. At least Microsoft figured out what a bone-headed maneuver this was and fixed it with SP1. Sheesh.
posted @ Saturday, June 18, 2005 12:37 AM