Try Now
More in this section

Forums / Set-up & Installation / Comprehensive SSL Configuration Directions

Comprehensive SSL Configuration Directions

2 posts, 0 answered
  1. Jon Kramme
    Jon Kramme avatar
    15 posts
    20 Dec 2009
    19 Jul 2011
    Link to this post

    We are running Sitefinity 3.7 SP4 in a .NET 4.0 app pool on IIS6 / Windows 2003, and I'm having a difficult time getting SSL fully and properly configured.  Our goal is to not only secure certain pages on the public side of the website, but also the Sitefinity login page (and possibly the rest of the Sitefinity administrative pages).

    I am hoping someone at Telerik or another community member has been through this too can share directions on how to set it up.  I've scoured the documentation and forum posts, the latter which got me closer, but not completely, to success.

    Here are the steps I've tried so far:

    1. In IIS6, installed the SSL certificate.
    2. In IIS6, website properties, Website tab, specified port 443 as the SSL port.
    3. In IIS6, on the /Sitefinity/Login.aspx file's properties, File Security tab, "Edit" under Secure Communications, checked "Require secure communication (SSL)".
    4. In Sitefinity > Admin > Pages, select a page to secure, set "Require SSL" to "Yes" and save the page.

    I've also tried messing with the "redirectSSL" attribute in the cms tag of web.config (all possible values).

    The problems I'm left with (depending on specific combinations of the above) are one of:

    1. Infinitely redirecting between http and https.
    2. Getting the infamous IE8 security warning of mixed secure/unsecured content (or the equivalent in Chrome and other browsers).
    3. Losing query string paramaters when going from a non-secure page to the secured login page (i.e. losing the ReturnUrl parameter).

    The third outcome is the best I've gotten, but still inadequate since it kills the ReturnUrl feature of the login page.

    Thank you,

  2. Sharon
    Sharon avatar
    39 posts
    14 Jun 2011
    20 Jul 2011
    Link to this post
    FWIW, when I was getting the mixed secured/unsecured messages, it was because links to graphics on my page were http:// not https://. Fixing that got rid of the messages.
2 posts, 0 answered