Why does Microsoft Recommend 2 Separate IIS Sites for HTTP and SSL

Question

Question about this statement:

"We do not recommend reusing the same IIS website for your HTTP and SSL hosting. Instead, extend a dedicated HTTP and a dedicated SSL website, with each assigned to its own alternate access mapping zone and URLs."

--https://learn.microsoft.com/en-us/sharepoint/administration/update-a-web-application-url-and-iis-bindings

I'm working with .NET devs (not SharePoint devs) who advocate for just one IIS site with bindings for both port 80 and 443.

If I do not follow the instructions but instead create the site on 80 and then add the IIS binding for 443 plus cert, and then update AAM myself, what will happen?

Why not re-use same IIS website for HTTP and SSL?

Thanks in advance!

Answer 1

I'm not a SP expert but if you read that article completely I think it stands out why it won't work. Firstly the .NET devs are correct that we generally use a single site for both HTTP and HTTPS. This makes sense as it is literally just a binding. Furthermore we can add multiple host header bindings to the same site. Often we will set up an HTTP redirect rule to bounce anyone using HTTP to HTTPS. This can all be handled in IIS because ultimately our app doesn't care. Hence keep it simple.

But this is SP that you're talking about and it doesn't work that way at all. In the docs you posted it specifically states that the typical approach to changing bindings and whatnot won't work with SP because internally it is managing stuff that relies on that info. Hence you'll get broken behavior if you simply configure things in IIS like you would a normal site. Therefore, while a single site is preferable, it won't work with a site that is tied to SP and hence you should use multiple sites. The reasons are given in the docs you listed and are related to SP's internal configuration data. I believe the gist of it is related to SP generating links. Unlike a traditional site where we can bounce you from HTTP to HTTPS and keep you there SP might bounce you back and then you get the security warning from the browser. That would be confusing to the user.

Of course this is only for sites that actually are hosting SP and not just all sites in general. I don't know why your devs would care about this though as SP would be something I would expect your networking team to set up for a company. The devs might build SP extensions (but they wouldn't care about bindings and whatnot) or perhaps point to SP URLs (also wouldn't care about bindings).

Answer 2

in addition http site is usually considered as less secure and should be accessible only in internal network, while https site may be accessed from outside. It will be much easier to configure and maintain if they will be created in different authentication zones of the same SP web app with own urls.

Answer 3

Hi @Kim Ryan ,

Agree with cooldadtx, and each HTTPS binding requires a unique IP/port combination because the Host Header cannot be used to differentiate sites using SSL which the host header is not visible during the SSL handshake.

For Reference:
https://stackoverflow.com/questions/66640636/iis10-ssl-configuration-for-multiple-sites-and-more-than-one-ssl-cert
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

---

If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.