Re: IIS 6.0, Host Headers and SSL

From: Bernard Cheah [MVP] (qbernard_at_hotmail.com.discuss)
Date: 10/31/05


Date: Mon, 31 Oct 2005 18:02:50 +0800

Well, the cert is bound to all interfaces rather than the site IP.
Can you go to the website property - TCP/IP advanced - and bind it to the IP?

Also try adsutil.vbs to get the securebindings for both sites again.

-- 
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/
"Tymbow" <Tymbow@discussions.microsoft.com> wrote in message 
news:8B13810C-D430-46CE-9F92-E9C98EA43D9E@microsoft.com...
> No both sites work fine - I just get the error message as follows:
>
> "One of the IP/Port combinations for site '1974292190' has already be
> configured to be used by another site.  The other site's SSL configuration
> will be used."
>
> I also have a third SSL which is for internal use only, uses a different
> certificate and is bound to a different port. I thought that it may be
> causing issues so I removed it but the error still occurred. To summarise,
> I have three SSL sites - two which share a wildcard certificate and use SSL
> host headers (sites 1 and 1974292190), and a third one which has its own
> certificate and is bound to a different port (site 432752131). All sites
> work, but there is an error logged at every IIS restart for site 1974292190
> which shares the SSL wildcard certificate with site 1.
>
> The query output was as follows:
>
> C:\Documents and Settings\Administrator>httpcfg query ssl
>
>    IP                      : 0.0.0.0:443
>    Hash                    : 7fe3ca6a2d8988b5d87b b1028429e116710ede6
>    Guid                    : {4dc3e181-e14b-4a21-b022-59fc669b0914}
>    CertStoreName           : MY
>    CertCheckMode           : 0
>    RevocationFreshnessTime : 0
>    UrlRetrievalTimeout     : 0
>    SslCtlIdentifier        :
>    SslCtlStoreName         :
>    Flags                   : 0
> ------------------------------------------------------------------------------
>    IP                      : 0.0.0.0:8001
>    Hash                    : dc63ff3095457ad7 bfb90 4cb3a7090ed2c b88
>    Guid                    : {4dc3e181-e14b-4a21-b022-59fc669b0914}
>    CertStoreName           : MY
>    CertCheckMode           : 0
>    RevocationFreshnessTime : 0
>    UrlRetrievalTimeout     : 0
>    SslCtlIdentifier        :
>    SslCtlStoreName         :
>    Flags                   : 0
> ------------------------------------------------------------------------------
>
> "Bernard Cheah [MVP]" wrote:
>
>> So both sites can't be started at all?
>> Sounds like something is binding to port 443. Can you remove all
>> settings and start 1 site with port 443?
>>
>> Next, if it's working, then reconfigure the host header for the two SSL
>> sites, then try
>> httpcfg query ssl
>>
>> Post the result here.
>>
>> -- 
>> Regards,
>> Bernard Cheah
>> http://www.iis-resources.com/
>> http://www.iiswebcastseries.com/
>> http://www.msmvps.com/bernard/
>>
>>
>> "Tymbow" <Tymbow@discussions.microsoft.com> wrote in message
>> news:24A4563E-739A-4AF0-9DC3-3012ABA225E5@microsoft.com...
>> >I have tried it with an IP address as well as the port and host header.
>> > The sites both still work however the error event is still logged.
>> >
>> > Regards,
>> > Tim.
>> >
>> > "Bernard Cheah [MVP]" wrote:
>> >
>> >> I would specify the binding IP as well.
>> >> "ip.ip.ip.ip:443:mail.company.com"
>> >>
>> >>
>> >> -- 
>> >> Regards,
>> >> Bernard Cheah
>> >> http://www.iis-resources.com/
>> >> http://www.iiswebcastseries.com/
>> >> http://www.msmvps.com/bernard/
>> >>
>> >>
>> >> "Tymbow" <Tymbow@discussions.microsoft.com> wrote in message
>> >> news:95374434-449F-447C-AEF5-F7167F19AA23@microsoft.com...
>> >> > The certificate is allocated to *.company.com, and the host headers in
>> >> > use are www.company.com and mail.company.com. From the metabase the
>> >> > SecureBindings are as follows:
>> >> >
>> >> > SecureBindings=":443:mail.company.com" and
>> >> > SecureBindings=":443:www.company.com"
>> >> >
>> >> > I have added the name company in place of the real name to protect the
>> >> > innocent but the settings are otherwise exactly as they really are.
>> >> >
>> >> > Regards,
>> >> > Tim.
>> >> >
>> >> > "Bernard Cheah [MVP]" wrote:
>> >> >
>> >> >> 1) What are the URLs for the two sites?
>> >> >> 2) What's the secure binding info for the two sites?
>> >> >>
>> >> >>
>> >> >> -- 
>> >> >> Regards,
>> >> >> Bernard Cheah
>> >> >> http://www.iis-resources.com/
>> >> >> http://www.iiswebcastseries.com/
>> >> >> http://www.msmvps.com/bernard/
>> >> >>
>> >> >>
>> >> >> "Tymbow" <Tymbow@discussions.microsoft.com> wrote in message
>> >> >> news:884CBFA2-50DA-4DFE-BB49-1AFD0B578708@microsoft.com...
>> >> >> >I have a client that for various reasons can only have one IP address,
>> >> >> > however they need two separate SSL enabled web sites. I followed the
>> >> >> > Technet Article at
>> >> >> > http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx.
>> >> >> >
>> >> >> > The wildcard certificate has been assigned to both web sites and the
>> >> >> > IIS Metabase SecureBindings set with the correct SSL host header for
>> >> >> > each site. All appears to work correctly - requests go to the right
>> >> >> > site based on the URL, and all are being encrypted correctly.
>> >> >> >
>> >> >> > The issue I have is that when IIS is restarted I get the following
>> >> >> > error in the System event log:
>> >> >> >
>> >> >> > Source: W3SVC
>> >> >> > EventID: 1113
>> >> >> >
>> >> >> > One of the IP/Port combinations for site 'xxxxxxxxx' has already be
>> >> >> > configured to be used by another site.  The other site's SSL
>> >> >> > configuration will be used.
>> >> >> >
>> >> >> > Is this an indication of a problem (everything seems to work), or is
>> >> >> > it just a hangover from the way SSL Host Headers were implemented in
>> >> >> > Windows Server 2003 SP1?
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>> 
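
The cross-check discussed in this thread, as an added example that is not code from any poster: it parses `httpcfg query ssl` output and each site's SecureBindings, groups sites by IP:port (the condition the event 1113 text describes), and reports which SSL record covers each endpoint. The sample data is constructed from the thread's values, with placeholder thumbprints and an assumed `:8001:` binding for site 432752131; precedence of an exact IP:port record over the 0.0.0.0 one is also an assumption.

```python
import re
from collections import defaultdict

# Constructed input modelled on the thread; thumbprints are placeholders.
HTTPCFG_OUTPUT = """\
    IP                      : 0.0.0.0:443
    Hash                    : <thumbprint-A>
------------------------------------------------------------
    IP                      : 0.0.0.0:8001
    Hash                    : <thumbprint-B>
"""
# Site IDs and host headers are from the thread; the ":8001:" binding is assumed.
SECURE_BINDINGS = {"1": [":443:www.company.com"],
                   "1974292190": [":443:mail.company.com"], "432752131": [":8001:"]}

def parse_httpcfg(text):
    """Return {(ip, port): {field: value}} from `httpcfg query ssl` output."""
    entries, current = {}, None
    for key, value in re.findall(r"^[ \t]*(\w+)[ \t]*:[ \t]*(.*)$", text, re.M):
        if key == "IP":  # each record starts with its IP:port line
            ip, _, port = value.strip().rpartition(":")
            current = entries.setdefault((ip, int(port)), {})
        elif current is not None:
            current[key] = value.strip()
    return entries

def parse_binding(binding):
    """Split 'ip:port:host'; an empty ip is treated as 0.0.0.0 (all addresses)."""
    ip, port, host = binding.split(":", 2)
    return ip or "0.0.0.0", int(port), host

def audit(bindings_by_site, ssl_entries):
    """One row per IP:port: which sites use it and which SSL record covers it."""
    by_endpoint = defaultdict(set)
    for site, bindings in bindings_by_site.items():
        for b in bindings:
            ip, port, _host = parse_binding(b)
            by_endpoint[(ip, port)].add(site)
    rows = []
    for (ip, port), sites in sorted(by_endpoint.items()):
        # Assumption: an exact IP:port record wins over the 0.0.0.0:port one.
        key = (ip, port) if (ip, port) in ssl_entries else ("0.0.0.0", port)
        rows.append({"endpoint": f"{ip}:{port}", "sites": sorted(sites), "shared": len(sites) > 1,
                     "record": f"{key[0]}:{key[1]}" if key in ssl_entries else None})
    return rows

if __name__ == "__main__":
    for row in audit(SECURE_BINDINGS, parse_httpcfg(HTTPCFG_OUTPUT)):
        print(row)
```

A row with `shared` set means every site listed is served the certificate of that one record, which is why the host-header setup in the thread depends on the wildcard certificate; a row whose `record` starts with 0.0.0.0 for an IP-specific binding shows the certificate is still bound to all interfaces.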

