How to Secure SharePoint 2016 Central Administration Site from HTTP to HTTPS using SSL Certificate?
Central Administration site is a web application where administration activities are performed for the farm. By default, Central Administration runs on non-secure HTTP. Enabling encryption ensures that the communications between users and the central admin website remain secure.
Overall Steps to Change Central Administration from HTTP to HTTPS:
The steps to secure Central Administration are as follows:
- Set SharePoint Central Administration site to use SSL Port 443
- Assign SSL certificate binding to the Central Admin Web application through IIS.
- Verify the Alternate Access Mappings to accommodate the port change
Why should we Enable SSL for the Central Administration site?
To protect sensitive information, such as credentials, it’s essential to enable SSL on the SharePoint Central Administration site. While it’s a general best practice to safeguard external-facing web applications, it’s also mandatory to encrypt internal communications between the Central Admin site. Otherwise, you will see the following message:
Also, If you don’t encrypt the SharePoint Central Admin site, you risk passing credentials in the clear text.
Step 1: Set SharePoint Central Administration site to use SSL Port 443
Log on to your SharePoint server hosting the SharePoint Central Administration site. By default, the first server you install SharePoint configures Central Administration automatically.
- Open the SharePoint 2016 Management Shell (run as Administrator if UAC is not disabled)
- Enter the following cmdlets and run
Set-SPCentralAdministration -SecureSocketsLayer -Port 443
This will reconfigure the SharePoint Central Administration site to use that port with an SSL binding.
Step 2: Assign SSL certificate binding to the Central Admin Web application
Import your SSL certificate to IIS: After getting the certificate from either your internal CA or public CA authority, Import the certificate through >> IIS >> Server Certifications >> Import.
Bind the SSL Certificate with Central Admin Site:
As a next step, You’ll assign the SSL certificate to the SharePoint Central Administration site. Please note, if you do run Central Admin on more than one server, you’ll need to assign the SSL certificate to the web site on each machine.
- Open IIS Manager (Start >> Run >> Type “InetMgr”)
- Navigate to SharePoint Central Administration v4 >> Click on “Bindings…” from the right-hand panel.
- On the Bindings dialog, click on Edit…
- In the Edit Site Binding dialog, select HTTPS from the Type dropdown, and leave the IP address as All Unassigned, and the Port should say 443. Enter the Hostname as ca.crescent.com, and select the certificate you imported earlier. Click OK.
Visit the site, and ensure that it renders on port 443.
Step 3: Verify the Alternate Access Mappings
When you set the SharePoint central admin to use SSL, SharePoint 2016 automatically modifies the default AAM to point to the new HTTPS URL. E.g., from https://ca.crescent.com to https://ca.crescent.com. You can verify it once:
- Go to: SharePoint 2016 Central Administration >> Click On Application Management
- Click on “Configure alternate access mappings”
- Click on “Edit Public URLs” >> Pick the SharePoint Central Administration web application >> The default URL should be: https://ca.crescent.com
In case Central Admin is not accessible, You can add a new URL to the AAM binding. Run this PowerShell cmd.
New-SPAlternateUrl -WebApplication https://ca-old-url:port -Url https://your-ca-new-url:port -Zone Default