Using Host Headers on IIS 6-7.5

Understanding of Host Headers

It is known that until IIS 7.5, the weak point of IIS server is that it allows binding only one site to one IP: Port combination using an SSL certificate. It appears as an issue when it is required to install multiple SSL certificates on one shared IP address. If multiple SSL certificates are used, a server usually has a problem with providing the correct SSL certificate when HTTPS connection is established, causing a Common Name mismatch error. There has to be a one-to-one relationship between an SSL certificate, a domain and an IP. For other web servers, installation of multiple certificates on shared IPs is possible with the Server Name Indication (SNI) technology. For IIS servers 6-7.5, we need to use a Multi-Domain or a Wildcard certificate that covers several domains (subdomains) simultaneously and a special mechanism called Host Header. Only starting with IIS 8, there is a way to bind multiple certificates to the same IP/Port combination by using the SNI TLS extension.

Configuring Host Headers for a website in IIS 6 using IIS Manager

  1. Install the SSL Certificate for the site where you will use secure bindings.
  2. In IIS, right-click on the site you are securing and select Properties.
  3. hh1

  4. On the website tab, click Advanced next to the IP address field.
  5. hh2

  6. Click your Default identity on TCP port 80. Then click Edit and enter your domain name in the Host header field. Do this for any sites that will be sharing secure connections on the same IP.
  7. hh3

    hh4

  8. Open the command line by clicking Start >> Run. Type cmd and click OK.
  9. hh5

  10. Type cd C:\Inetpub\AdminScripts or your system's IIS scripts directory and click Enter.
  11. Type the following command:
  12. cscript.exe adsutil.vbs set /w3svc/site identifier/SecureBindings ":443:host header"

    You can find your site identifier and host header in IIS when viewing the list of all websites from IIS Manager. The site identifier is in the Identifier column, and the host header is in the Host header value column. The host header value is the value that is assigned to the website (e.g., example.com). Please refer to the below picture:

    hh6

    If you enter an invalid number as the site identifier, you will get the following error: "The path requested could not be found."

  13. Repeat the previous step as many times as necessary to enable your SSL Certificate for usage on all of the appropriate websites.

You may need to restart the IIS sites for the changes to take effect.

Configuring SSL Host Headers in IIS 7

SSL Host headers in IIS 7 allow you to use one SSL certificate for multiple IIS websites on the same IP address. Through the IIS Manager interface, IIS only allows you to bind one site to each IP address to port 443 using an SSL certificate. If you try to bind a second site to the IP address to the same certificate, IIS 7 will give you an error when starting the site up, stating that there is a port conflict. In order to assign a certificate to be used by multiple IIS sites on the same IP address, you will need to set up SSL Host Headers.

Host headers can be configured in IIS 7 by adding site bindings via IIS Manager or using the command line.

How to set Host Headers via IIS Manager:

  1. Open IIS Manager. In the Connections pane, expand the Sites node in the tree, and then select the site for which you want to configure a host header.
  2. hh7

  3. In the Actions panel, click Bindings. In the Site Bindings dialog box, select the binding for which you want to add a host header and then click Edit Bindings.
  4. hh8

  5. In the Site Bindings window, click Add.
  6. hh9

  7. In the Add Site Binding window, set the following options, and then click OK:
  8. Type: In the drop-down list, select https.
    IP address: In the drop-down list, select All Unassigned.
    Port: Enter 443. The port for SSL traffic is usually port 443.
    Host name: Enter your website’s DNS name (e.g., website1.yourdomain.com).
    SSL certificate: In the drop-down list, select the SSL certificate by its friendly name (*.yourdomain.com).

    hh10

  9. To add an additional host header, create a new binding with the same IP address and port and the new host header. Repeat for each host header that you want to use this IP address and port.

    Command Line

    To add a host header to a website's binding, use the following command on one line:

    appcmd set site /site.name: string /bindings.[protocol=' string ',bindingInformation=' string '].bindingInformation: string

    The variable site.name string is the name of the site to which you want to add a host header. The variable [protocol='string',bindingInformation='string'] is the existing binding to which you want to add a host header, and bindingInformation string is the new binding with the host header.

    For example, to configure a site named mydesign with an existing HTTPS binding for all IP addresses on port 443 without a host header to have a host header named marketing, type the following in the command prompt, and then press ENTER:

    appcmd set site /site.name: mydesign /bindings.[protocol='https',bindingInformation='*:443:'].bindingInformation:*:443: marketing

    You may need to restart the IIS sites for the changes to take effect.

    Note: The above steps are applicable for setting up Host Headers in IIS 7.5 server as well.

Updated
Viewed
35087 times

Need help? We're always here for you.

notmyip