Building SharePoint 2016 development environment – Part 13 – Configuring My Sites and User Profiles


A few years ago I wrote the “Build your SharePoint 2013 development machine on Windows Server 2012” series. I mainly work in the cloud now, but as those blogs were so popular, I thought I would create a new series for the newer version of SharePoint.


My Sites

We are now going to create a new Web Application for our My Site site. However, we are not going to create an HNSC like we did for the other sites; here we are going to create a path-based site collection.

Creating a Web Application for MySites

  1. From the start menu, type SharePoint 2016 Central Administration and open the site.
  2. Select Application Management > Manage Web Applications.
  3. In the ribbon click the New icon
  4. In the Create New Web Application dialog leave Create a new IIS web site selected and set up the following
    1. Name: SharePoint My Site Host – 22222
    2. Port: 22222
    3. Host Header: <Leave Blank>
    4. Path: <Leave as default>
    5. Allow Anonymous: No
    6. Use Secure Sockets Layer (SSL): Yes
    7. Claims authentication Types: Leave as is, enabled, integrated, NTLM
    8. Application Pool: MySites – 22222
    9. Select Security Account: CFCODE2016\SP_Content
    10. Database Name: SP_MySitesDB
  5. Click OK.
  6. After the Web Application has been created, click OK.
  7. After you have created your Web Application, you should be returned to the Manage Web Application page. Select SharePoint My Site Host by clicking on it. This will highlight the line and items in the ribbon will become available to you.
  8. In the ribbon click the button Managed Paths
  9. In the Define Managed Paths dialog, tick Sites. Then click the link Delete Selected Paths.
  10. Now add a new path called personal and make it Wildcard inclusion
  11. Click OK.

IIS Bindings and AAMs.

  • In Start type IIS and open IIS Manager
  • Navigate to SharePoint My Site Host -22222 and then on the right hand panel, click Bindings…
  • On the Bindings dialog, select the bindings for port 22222 and click Edit
  • Leave the host name blank, but select your certificate. Click OK
  • Click Add
  • In the Add Site Binding page, select https from the Type dropdown, leave the IP address as All Unassigned, the Port should say 443. Ensure you tick Require Server Name Indication. Enter the Host name as my.cfcode2016.com then select your certificate. Click OK
  • Open SharePoint 2016 Central Administration and select Application Management then Configure alternative access mappings.
  • On the right of the screen, change the Alternate Access Mapping Collection to SharePoint My Site Host -22222
  • Click on the only entry https://cfsp2016:22222 and edit it to say https://my.cfcode2016.com, click OK.
  • Click Add Internal URLs enter https://cfsp2016:22222 click Save.
  • Click Add Internal URLs enter https://cfsp2016.cfcode2016.com:22222 click Save.

Create My Site Hub

  1. From Central Administration landing page, select Application Management then select Create site collections
  2. Ensure the Web Application is https://my.cfcode2016.com then enter the following information:
    1. Title: My Site Hub
    2. URL: /
    3. Template Selection: Enterprise > My Site Host
    4. Primary Site Collection Admin: SP_Setup
  3. Click OK.
  4. Once the site is created, just click OK.
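The SharePoint side of the My Site Host setup above (web application, managed paths, AAM entries and the My Site Host site collection) as one script. This is an added example, not code from the original post; it uses the names and URLs from the steps above, assumes SP_Content is already a registered managed account, and leaves the IIS bindings to the manual steps that follow.

```powershell
if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}

# Values taken from the manual steps above; change them to match your environment
$WebAppName   = "SharePoint My Site Host - 22222"
$AppPoolName  = "MySites - 22222"
$PoolAccount  = "CFCODE2016\SP_Content"     # must already be a registered managed account
$DatabaseName = "SP_MySitesDB"
$Port         = 22222
$PublicUrl    = "https://my.cfcode2016.com"
$InternalUrls = @("https://cfsp2016:$Port", "https://cfsp2016.cfcode2016.com:$Port")
$SiteOwner    = "CFCODE2016\SP_Setup"

# 1. Create the web application: claims (Windows/NTLM) authentication, no anonymous access, SSL on port 22222
$wa = New-SPWebApplication -Name $WebAppName -Port $Port `
        -ApplicationPool $AppPoolName -ApplicationPoolAccount (Get-SPManagedAccount $PoolAccount) `
        -DatabaseName $DatabaseName -SecureSocketsLayer `
        -AuthenticationProvider (New-SPAuthenticationProvider)   # default provider = Windows claims, NTLM

# 2. Managed paths: drop the default "sites" path and add "personal" as a wildcard inclusion
Remove-SPManagedPath -Identity "sites" -WebApplication $wa -Confirm:$false
New-SPManagedPath -RelativeURL "personal" -WebApplication $wa | Out-Null   # without -Explicit = wildcard inclusion

# 3. Alternate access mappings: the default zone public URL becomes the vanity host name,
#    and the server-name URLs are kept as internal URLs in the same zone
Get-SPAlternateURL -WebApplication $wa -Zone Default | Set-SPAlternateURL -Url $PublicUrl
foreach ($url in $InternalUrls) {
    New-SPAlternateURL -WebApplication $wa -Url $url -Zone Default -Internal | Out-Null
}

# 4. Root site collection using the My Site Host template (Enterprise > My Site Host in Central Administration)
New-SPSite -Url $PublicUrl -Name "My Site Hub" -Template "SPSMSITEHOST#0" -OwnerAlias $SiteOwner | Out-Null

# Quick check: list the managed paths and AAM entries the script produced
Get-SPManagedPath -WebApplication $wa | Select-Object Name, Type
Get-SPAlternateURL -WebApplication $wa | Select-Object IncomingUrl, Zone, PublicUrl
```

The final two lines should show only the "personal" wildcard path (plus the root) and the three URLs from the manual steps, all in the Default zone.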

Configuring SP_UserProfile account Active Directory Access

  1. On the Domain controller, log in as Domain Administrator
  2. Using Run, type adsiedit.msc
  3. Right click ADSI Edit and then select Connect To.
  4. On the Connection Settings dialog just click OK
  5. Expand the Default naming context.
  6. Right click on the folder underneath Default naming context and select Properties
  7. Select the Security tab, and add SP_UserProfile, giving the account “Read” and “Replicating Directory Changes” permissions.
  8. Click OK.
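The ADSI Edit steps above as an added PowerShell example (not from the original post): it grants SP_UserProfile Read and Replicating Directory Changes on the domain naming context and then checks the resulting ACL. It assumes the ActiveDirectory module is available on the domain controller; the two GUIDs are the schema's fixed extended-right identifiers, and the Grant-/Test- function names are mine.

```powershell
Import-Module ActiveDirectory

# Extended-right GUIDs from the AD schema (constants, not environment specific)
$ReplGetChanges    = [guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"   # Replicating Directory Changes
$ReplGetChangesAll = [guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # Replicating Directory Changes All (not required here)

$Account  = "SP_UserProfile"
$DomainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=cfcode2016,DC=com
$Sid      = (Get-ADUser $Account).SID

function Grant-ProfileSyncRights {
    # Equivalent of ticking Read and Replicating Directory Changes on the Security tab in ADSI Edit
    $acl  = Get-Acl -Path "AD:\$DomainDN"
    $read = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $repl = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow, $ReplGetChanges)
    $acl.AddAccessRule($read)
    $acl.AddAccessRule($repl)
    Set-Acl -Path "AD:\$DomainDN" -AclObject $acl
}

function Test-ProfileSyncRights {
    # Returns $true only when the account holds Replicating Directory Changes
    # and does NOT hold the far more powerful Replicating Directory Changes All,
    # which the AD import never needs.
    $acl  = Get-Acl -Path "AD:\$DomainDN"
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference -like "*\$Account" -and
        $_.AccessControlType -eq "Allow" -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }
    $hasChanges    = [bool]($aces | Where-Object { $_.ObjectType -eq $ReplGetChanges })
    $hasChangesAll = [bool]($aces | Where-Object { $_.ObjectType -eq $ReplGetChangesAll })
    if ($hasChangesAll) {
        Write-Warning "$Account holds Replicating Directory Changes All; the profile import only needs Replicating Directory Changes."
    }
    return ($hasChanges -and -not $hasChangesAll)
}

Grant-ProfileSyncRights
Test-ProfileSyncRights    # expected: True
```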

User Profile Service Application

  1. Back on the SharePoint box, from the Central Administration landing page, select Application Management and then Manage Service Applications.
  2. Click New in the ribbon, select User Profile Service Application and enter the following information (leave the defaults for anything I haven’t mentioned).
    1. Name: User Profile Service Application
    2. Application Pool: Create New – SharePoint User Profile Service Application
    3. Account: CFCODE2016\SP_UserProfile (you will need to register this account as a managed account first)
    4. Profile Database Name: SP_ProfileDB
    5. Social Tagging Database: SP_SocialDB
    6. My Site Host url: https://my.cfcode2016.com
    7. My Site Managed Path: /personal
  3. Click Create; you will get a success message if it was created correctly.
  4. Back on the Manage Service Application page click the User Profile Service Application. (You might need to refresh the page first)

Configuring User Profile Service

  1. From within the Manage Profile Service screen underneath Synchronization click Configure Synchronization Connections
  2. Click Create New Connection
  3. Enter the following information:
    1. Connection Name: CFCode2016 AD import
    2. Type: Active Directory Import
    3. Connection Settings:
      1. FQDN: cfcode2016.com
      2. Account Name: CFCODE2016\SP_UserProfile
      3. Password: Pa55w0rd
      4. Port: 636, use SSL, and filter out disabled users.
  4. Click Populate Containers
  5. Select Managed Service Accounts and Users.
  6. Click OK
  7. Click back on Application Management > Manage Service Applications > SharePoint User Profile Service Application to get back to Manage Profile Service screen.
  8. Click Start Profile Synchronization.
  9. Select Full Synchronization, then click OK.

After this has completed you will see that the number of User Profiles has gone up from 0 to a higher number (depending on how many accounts you have within your AD; apparently mine is at 12).


If I navigate to https://my.cfcode2016.com, after a bit of processing, I am able to see my OneDrive for Business. Or if I navigate to https://my.cfcode2016.com/person.aspx I can see my profile information.

User Profile has changed for SharePoint 2016

The configuration I have set up above is pretty similar to what you would do in SharePoint 2013. However, things like user profile pictures don’t get imported. With SharePoint 2013 this was taken care of, with some headbanging against a wall, by using the FIM service. This has been removed in SharePoint 2016, and things don’t seem to be any easier: you now need to use Microsoft Identity Manager. I won’t be configuring any of that here, but if you are interested in learning about it, please check out the following links:

https://technet.microsoft.com/EN-US/library/mt627723(v=office.16).aspx

https://blogs.msdn.microsoft.com/spses/2016/07/19/overview-setup-of-mim-configuration-as-external-identity-manager-in-sharepoint-2016/

https://thesharepointfarm.com/2016/03/automating-mim-user-profile-synchronization-with-sharepoint-2016/

http://krossfarm.com/?p=145

In my next blog post I will talk about setting up SharePoint Search. Time to checkpoint your machines.

Building SharePoint 2016 development environment – Part 12 – Configuring Hosting Apps and HNSC



Before I create the App Management Service, I’m going to create a separate domain for the apps. Hosting the apps on a separate domain means the browser treats them as a different origin from the SharePoint sites, so an app cannot use cross-site scripting to reach the SharePoint site.

Configuring Hosting Apps

First we need to configure DNS

  1. Go to your Domain Controller and from the Start Menu type DNS, and open the application.
  2. In the Left Hand panel, right click Forward Lookup Zones and select New Zone… Click Next
  3. Keep the Primary zone selected and Store the zone in Active Directory ticked. Click Next
  4. Leave the option To all DNS servers running on domain controllers in this domain: cfcode2016.com. Click Next
  5. Here you enter the domain name, type cfapps.com. Click Next
  6. Leave the top option selected and click Next
  7. Click Finish. You will see your new domain showing in the Forward Lookup Zones in DNS.
  8. Now right click on cfapps.com and select New Alias (CNAME) …
  9. Type * for Name
  10. Set the FQDN of the server that hosts the SharePoint sites, CFSP2016.cfcode2016.com in my case. Click OK.

    If you are using more than one server, you should be pointing to the DNS record of the web server in here. This is either the DNS A record for the web server, or the DNS record of the primary cluster address for NLB environments.

    Now if you open a command window and type in nslookup something.cfapps.com it will resolve to your SharePoint server.
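The DNS steps above as an added PowerShell example (not from the original post), run on the domain controller with the DnsServer module: it creates the AD-integrated cfapps.com zone, the wildcard CNAME, and then checks the two things that matter for app isolation. The Test-AppDomainSetup helper and its probe host name are mine; the zone and server names are the ones used above.

```powershell
Import-Module DnsServer

$AppZone        = "cfapps.com"                 # the isolated app domain
$SharePointFqdn = "CFSP2016.cfcode2016.com"    # the server (or NLB address) hosting the SharePoint web sites

# Equivalent of the New Zone wizard: AD-integrated primary zone replicated to the DCs in this domain
Add-DnsServerPrimaryZone -Name $AppZone -ReplicationScope Domain

# Equivalent of New Alias (CNAME) with "*" as the name: every host in cfapps.com points at the SharePoint server
Add-DnsServerResourceRecordCName -ZoneName $AppZone -Name "*" -HostNameAlias $SharePointFqdn

function Test-AppDomainSetup {
    param([string]$AppZone, [string]$SharePointFqdn, [string]$SharePointZone = "cfcode2016.com")

    # 1. The app domain must not sit inside the SharePoint domain, otherwise the browser
    #    does not treat app content and SharePoint sites as separate origins.
    if ($AppZone.EndsWith(".$SharePointZone") -or $AppZone -eq $SharePointZone) {
        Write-Warning "$AppZone is inside $SharePointZone; apps would not be isolated"
        return $false
    }

    # 2. A random app host name must resolve, through the wildcard CNAME, to the SharePoint server
    #    (the scripted equivalent of 'nslookup something.cfapps.com')
    $probe  = "app-$(Get-Random).$AppZone"
    $answer = Resolve-DnsName -Name $probe -Type A -ErrorAction SilentlyContinue
    $cname  = $answer | Where-Object { $_.Type -eq "CNAME" } | Select-Object -First 1
    if ($cname -eq $null -or $cname.NameHost -ne $SharePointFqdn) {
        Write-Warning "$probe did not resolve via CNAME to $SharePointFqdn"
        return $false
    }
    return $true
}

Test-AppDomainSetup -AppZone $AppZone -SharePointFqdn $SharePointFqdn    # expected: True
```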

Configuring SharePoint 2016 for Hosting Apps

I would recommend copying the following PowerShell script and running it as a .ps1 file (CreateAppService.ps1 from my OneDrive). Change any of the variables to match your environment.

  1. On the SharePoint box, logged in as SP_Setup, from the Start Menu, type SharePoint 2016 Management Shell.
  2. Run the Script
    if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null)
    {
        # Add SharePoint PowerShell commands
        Add-PSSnapin "Microsoft.SharePoint.PowerShell"
    }
    $DatabaseServerName = "SQL2016"
    $AppPoolName = "Default SharePoint Service App Pool"
    $AppPoolUserName = "CFCODE2016\SP_Services"
    $AppDomain = "cfapps.com"
    $SubSettingsName = "Subscription Settings Service"
    $SubSettingsDB = "SP_SubscriptionSettingsDB"
    $AppManagementName = "App Management Service"
    $AppManagementNameProxy = "App Management Service Proxy"
    $AppManagementDB = "SP_AppManagementDB"
    # Create the service application pool if it does not exist yet (runs as the SP_Services managed account)
    $AppPool = Get-SPServiceApplicationPool -Identity $AppPoolName -ErrorAction SilentlyContinue
    if ($AppPool -eq $null)
    {
        $AppPool = New-SPServiceApplicationPool -Name $AppPoolName -Account (Get-SPManagedAccount $AppPoolUserName)
    }
    # Subscription Settings service application and proxy
    $SubSvc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $AppPool -Name $SubSettingsName -DatabaseServer $DatabaseServerName -DatabaseName $SubSettingsDB
    $SubSvcProxy = New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $SubSvc
    # Start the service instance. Match on the instance type rather than TypeName: the instance's display name is
    # "Microsoft SharePoint Foundation Subscription Settings Service", so a comparison with $SubSettingsName matches nothing.
    Get-SPServiceInstance | Where-Object {$_.GetType().Name -eq "SPSubscriptionSettingsServiceInstance"} | Start-SPServiceInstance > $null
    # App Management service application and proxy
    $AppManagement = New-SPAppManagementServiceApplication -Name $AppManagementName -DatabaseServer $DatabaseServerName -DatabaseName $AppManagementDB -ApplicationPool $AppPool
    $AppManagementProxy = New-SPAppManagementServiceApplicationProxy -ServiceApplication $AppManagement -Name $AppManagementNameProxy
    Get-SPServiceInstance | Where-Object {$_.GetType().Name -eq "AppManagementServiceInstance"} | Start-SPServiceInstance > $null
    # Register the isolated app domain and the tenant name used in app URLs
    Set-SPAppDomain $AppDomain
    Set-SPAppSiteSubscriptionName -Name "apps" -Confirm:$false
  3. To verify the script configured SharePoint 2016 correctly open Central Administration
    1. Under Application Management click Manage Service Applications.
    2. You should now have two new service applications created:
      1. App Management Service Application
      2. Subscription Settings Service Application
    3. Now navigate to System Settings by clicking the link on the left menu
    4. Under Servers, click the link Manage Services on Server.
    5. Check that the following services have started
      1. App Management Service
      2. Microsoft SharePoint Foundation Subscription Setting Service
    6. On the left hand menu, click on Apps
    7. Under App Management, click the link Configure App URLs
    8. Verify that:
      1. App Domain: cfapps.com
      2. App Prefix: app

Configuring SharePoint Server 2016 for Host-Named Site Collections and creating the initial Site Collections.

Here we are going to create host-named site collections (HNSC) for testing and hosting our apps. Microsoft recommends this because the Office 365 environment uses host-named site collections, new features are optimized for these site collections, and they are expected to be more reliable. More can be found directly in the TechNet article: http://technet.microsoft.com/en-us/library/cc424952.aspx. The only sites within your environment for which you should use path-based site collections (PBSC) are the Search Center and My Sites; HNSC aren’t really needed for the Search Center. The only way you can create HNSC is via PowerShell, so this is what we are going to do.

Register SP_Content

  1. Open SharePoint Central Administration
  2. Select Security > Configure managed Accounts.
  3. Click Register Managed Account
  4. Type Username as cfcode2016\SP_Content and the password as Pa55w0rd. Then click OK.

Create a new Web Application

Open up a PowerShell window and enter the following (change the port number if you wish) (CreateHNSC.ps1):

$applicationPool = "SharePoint - HNSC - 11111"
$serviceAcct = "cfcode2016\SP_Content"
$webApp = "SharePoint HNSC Web Application"
$contentDB = "SP_HNSC_ContentDB"
# Claims-based Windows authentication, SSL on port 11111; the account must already be a registered managed account
New-SPWebApplication -ApplicationPool $applicationPool -ApplicationPoolAccount $serviceAcct -Name $webApp -Port 11111 -AuthenticationProvider (New-SPAuthenticationProvider) -DatabaseName $contentDB -SecureSocketsLayer

Configuring the Alternative Access Mapping

  • From the Start Menu open SharePoint 2016 Central Administration, this ensures it runs as Administrator.
  • Click Application Management, then under Web applications, click Configure alternative mappings.
  • On the right hand side of the screen, Change the Alternate Access Mapping Collection to point to SharePoint HNSC Web Application.
  • Click the internal URL for https://cfsp2016:11111 so that you can edit it. Change the protocol and host of the URL to https://hnsc.cfcode2016.com
  • Click OK.
  • Back on the Alternate Access Mapping Screen, click Add Internal URLs and add a new Internal URL for each of the following listed below. Screenshot below

Add certificates to IIS

  • In Start type IIS and open IIS Manager
  • Navigate to SharePoint HNSC Web Application and then on the right hand panel, click Bindings…
  • On the Bindings dialog, click Add…
  • In the Add Site Binding page, select https from the Type dropdown, leave the IP address as All Unassigned, the Port should say 443. Enter the Host name as hnsc.cfcode2016.com, and tick Require Server Name Indication then select the certificate you created earlier. Click OK
  • Add the binding for host names dev.cfcode2016.com and intranet.cfcode2016.com, ensure the Type is https, you have ticked Require Server Name Indication and you have selected your certificate.

Creating the Top level Site

Because the top-level site of an HNSC web application is not going to be used by anyone, this PowerShell script just creates a blank site. (CreateHNSC.ps1)

  1. In PowerShell run the following script:

    New-SPSite -Url "https://hnsc.cfcode2016.com:11111" -OwnerAlias "cfcode2016\SP_Setup" -Template STS#1

Site Collections

Here we are going to create a team site called intranet.cfcode2016.com and a developer site called dev.cfcode2016.com. Please note you can only create, debug and test apps using a developer site. You could type the PowerShell into Notepad, save the file as a .ps1 and run it from the SharePoint 2016 Management Shell, instead of typing each row directly. We are first going to create two content databases, one for each site collection. This is good practice for backup and restore purposes.

  1. From the Start Menu, type SharePoint 2016 Management Shell, and open the application. (CreateHNSC.ps1)
  2. Type
    $devdb = "SP_DEVDB"
    $intranetdb = "SP_IntranetDB"
    $webApp = "SharePoint HNSC Web Application"
    # Build one content database per site collection, capped at a single site each
    New-SPContentDatabase -Name $devdb -WebApplication $webApp -WarningSiteCount 0 -MaxSiteCount 1
    New-SPContentDatabase -Name $intranetdb -WebApplication $webApp -WarningSiteCount 0 -MaxSiteCount 1
    $hnsc = Get-SPWebApplication | Where-Object {$_.DisplayName -eq $webApp}
    # Host-named site collections: -HostHeaderWebApplication ties each host name to the HNSC web application
    New-SPSite -Name "CF Development" -Url "https://dev.cfcode2016.com" -HostHeaderWebApplication $hnsc -OwnerAlias "cfcode2016\SP_Setup" -Template "DEV#0" -ContentDatabase $devdb
    New-SPSite -Name "CF Intranet" -Url "https://intranet.cfcode2016.com" -HostHeaderWebApplication $hnsc -OwnerAlias "cfcode2016\SP_Setup" -Template "STS#0" -ContentDatabase $intranetdb

To verify that the host-name site collections are created:

  1. Open up SharePoint 2016 Central Administration
  2. Under Application Management click View all Site Collections
  3. Ensure the Web Application is pointing to the HNSC web application and you should see the two site collections plus the root site.
  4. By clicking on the different site collections, you will also see that the Database Name is assigned correctly to the correct database as set up in our PowerShell script.
  5. You can also navigate in a browser to https://dev.cfcode2016.com or https://intranet.cfcode2016.com. Notice that the SSL certificate is valid.

Configuring SSL for Apps

As our App domain is on a different domain to our SharePoint domain, we should create a different SSL certificate for it.

  • Ensure you are on the SharePoint box with a Domain Admin Account. (cfcode2016\Administrator)
  • We have already configured the Certificate Authority earlier on the Domain Controller. Here we are going to request the certificate using Internet Information Services on the SharePoint Server. From the Start Menu, type IIS and open Internet Information Services (IIS) Manager
  • Once IIS opens, click on the Server Name. (CFSP2016) You will be prompted with a dialog asking to get started with Microsoft Web Platform, click do not show this message and then click No.
  • From the IIS section, double click Server Certificates

  • From the right hand side of the screen, click Create Domain Certificate

  • Complete the form for the Domain Certificate as follows (Change to match your environment if not following exactly along)
    • Common Name : *.cfapps.com
    • Organisation: CF Code
    • Organizational Unit: Computers
    • City/Locality: London
    • State/Province: London
    • Country/Region: GB


  • Click Next
  • On the Online Certification Authority screen, enter the common name you gave your CA as Authority Name\Server Name (for example, mine is MY-CA\CFAD.cfcode2016.com). You can also use the Select button if you have configured everything correctly. You can put anything in the Friendly name box; ensure it is different from your other certificate’s friendly name and easily identifiable as the Apps certificate. Click Finish.

  • You should now see the certificate in the Server certificates window.

  • If there were other servers in your farm, you would need to export the certificate with its private key as a password-protected .pfx file so that it can be imported into the other servers.

Configure SharePoint for Apps

We need to configure our SharePoint and IIS to use a different certificate for Apps, and also our Web Application needs to know to use our App Domain.

  1. Sign back into the SharePoint machine as SP_Setup.
  2. Run as administrator, SharePoint 2016 Management Shell
  3. Run the following PowerShell Script

    New-SPWebApplicationAppDomain -AppDomain "cfapps.com" -WebApplication "https://intranet.cfcode2016.com" -Zone Default -Port 11111 -SecureSocketsLayer
  4. Next we need run the following command:
    $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    $contentService.SupportMultipleAppDomains = $true
    $contentService.Update()
    iisreset
  5. In Start type IIS and open IIS Manager
  6. Navigate to SharePoint HNSC Web Application and then on the right hand panel, click Bindings…
  7. On the Bindings dialog, select the one without the Host Name on Port 11111 and click Edit
  8. Change the Port to 443, and select the SSL Certificate as your App Certificate.
  9. Click OK.


Add Apps to your Intranet Zone.

To prevent getting prompted for your login, configure the intranet zone in IE.

  • Open up Internet explorer
  • Click on the cog symbol, and select Internet Options
  • Select the Security tab, and then click on Local Intranet. Then click on the Sites button.
  • On the Local intranet dialog, click the Advanced button.
  • Type *.cfapps.com and click Add. (You might need to untick Require server verification (https) for all sites in this zone )
  • Then click Close, OK, and OK

Checking that Apps are now set up for your farm

  1. Open up your intranet site https://intranet.cfcode2016.com
  2. At the top right of the screen click the cog icon.
  3. From the drop down, click Add an app
  4. On the App page, in the quick launch menu area, click on SharePoint Store
  5. If you have connected up correctly you will now see Apps that you can download from the SharePoint store.
  6. Pick a free one to install. I’m selecting Bright Banner. (Have no idea if it’s any good, so not endorsing, just using for testing purposes)
  7. Click Add it.
  8. Confirm that you wish to add the app. Click Continue
  9. A page will state that you have just got this app for everyone in your organization. Click Return to Site
  10. A prompt will appear, asking if you trust the application. Click Trust It.
  11. After a moment you will be returned to your Site Contents. You will also note that your app that you downloaded is currently being added to your site. Once complete the adding text will disappear.

  12. Click on the App. It will load. Take note of the URL. It is being called from the domain you created earlier cfapps.com. Congratulations you have got Apps working!

So glad I finally got the Apps certificates to work. It took me a couple of attempts. Thank you to Anupam Shrivastava and his blog post http://akforsharepoint.blogspot.co.uk/2015/05/sharepoint-hosted-apps-in-aam-or-host.html for helping me finally crack it.

I recommend shutting down and taking checkpoints again.

Building SharePoint 2016 development environment – Part 10 – Configuring Central Administration for SSL



At this point Central Administration is still running on non-secure HTTP. Let’s make central admin accessible from a vanity URL over SSL.

  • Ensure you are on the SharePoint box with a Domain Admin Account. (cfcode2016\Administrator)
  • We have already configured the Certificate Authority earlier on the Domain Controller. Here we are going to request the certificate using Internet Information Services on the SharePoint Server. From the Start Menu, type IIS and open Internet Information Services (IIS) Manager
  • Once IIS opens, click on the Server Name. (CFSP2016) You will be prompted with a dialog asking to get started with Microsoft Web Platform, click do not show this message and then click No.
  • From the IIS section, double click Server Certificates

  • From the right hand side of the screen, click Create Domain Certificate

  • Complete the form for the Domain Certificate as follows (Change to match your environment if not following exactly along)
    • Common Name : *.cfcode2016.com
    • Organisation: CFCode
    • Organizational Unit: Computers
    • City/Locality: London
    • State/Province: London
    • Country/Region: GB


  • Click Next
  • On the Online Certification Authority screen, enter the common name you gave your CA as Authority Name\Server Name (for example, mine is MY-CA\CFAD.cfcode2016.com). You can also use the Select button if you have configured everything correctly. You can put anything in the Friendly name box. Click Finish.

  • You should now see the certificate in the Server certificates window.

  • If there were other servers in your farm, you would need to export the certificate with its private key as a password-protected .pfx file so that it can be imported into the other servers.

Set Central Admin to Run on SSL with Vanity URL

  • Log into your domain controller. In Start type DNS and open the DNS Manager.
  • In the left hand pane, expand Forward Lookup Zones and click on cfcode2016.com
  • Right click on cfcode2016.com and select New Host (A or AAAA)…
  • Enter the name you wish to use for Central Administration, for example CAdmin, and set the IP address to point to the SharePoint server (192.168.137.200). Click Add Host

  • Log back into the SharePoint server as the SP_Setup account. In Start type IIS and open IIS Manager
  • Navigate to SharePoint Central Administration v4 and then on the right hand panel, click Bindings…
  • On the Bindings dialog, click Add…
  • In the Add Site Binding page, select https from the Type dropdown, leave the IP address as All Unassigned, the Port should say 443. Enter the Host name as cadmin.cfcode2016.com (or whatever your alias is), tick Require Server Name Indication, then select the certificate you created earlier. Click OK
  • From the Start Menu open SharePoint 2016 Central Administration, this ensures it runs as Administrator.
  • Click Application Management, then under Web applications, click Configure alternative mappings.
  • Take note of the internal URL shown in the default zone for Central Administration. Click the internal URL for http://cfsp2016:2016 so that you can edit it. Change the protocol, host and port of the URL to https://cadmin.cfcode2016.com
  • Click OK.
  • Back on the Alternate Access Mapping Screen, click Add Internal URLs and add a new Internal URL for each of the following listed below. Screenshot below

  • Open the SharePoint Management Shell, run as administrator. Type the following and run. Press A when prompted.

    Set-SPCentralAdministration -SecureSocketsLayer -Port 443
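The certificate request, SNI binding, AAM change and SSL switch above as one script, added here as an example and not part of the original post. It assumes the CA's WebServer template lets this machine enroll, the IIS site name SharePoint Central Administration v4 and the host name cadmin.cfcode2016.com from the steps above; the Test-CentralAdminCertificate helper is mine.

```powershell
Import-Module WebAdministration
Add-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue

$CaHost = "cadmin.cfcode2016.com"
$CaSite = "SharePoint Central Administration v4"   # IIS site name for Central Administration
$OldUrl = "http://cfsp2016:2016"
$NewUrl = "https://$CaHost"

# 1. Request a wildcard web server certificate from the enterprise CA built earlier
#    (equivalent of Create Domain Certificate in IIS; assumes the WebServer template is available to this machine)
$cert = (Get-Certificate -Template "WebServer" -SubjectName "CN=*.cfcode2016.com" `
            -DnsName "*.cfcode2016.com" -CertStoreLocation "Cert:\LocalMachine\My").Certificate

# 2. HTTPS binding on port 443 for the vanity host name, with Server Name Indication (SslFlags 1),
#    then attach the certificate to that host name binding
New-WebBinding -Name $CaSite -Protocol https -Port 443 -HostHeader $CaHost -SslFlags 1
New-Item -Path "IIS:\SslBindings\!443!$CaHost" -Value $cert -SSLFlags 1 | Out-Null

# 3. Point the default-zone AAM at the new URL and keep the old server-name URL as an internal URL
$caWebApp = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
Get-SPAlternateURL -WebApplication $caWebApp -Zone Default | Set-SPAlternateURL -Url $NewUrl
New-SPAlternateURL -WebApplication $caWebApp -Url $OldUrl -Zone Default -Internal | Out-Null

# 4. Tell SharePoint that Central Administration now runs over SSL on 443 (same as the manual step above)
Set-SPCentralAdministration -SecureSocketsLayer -Port 443 -Confirm:$false

function Test-CentralAdminCertificate {
    param([string]$HostName, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # The same check the browser makes: the chain builds to a trusted root and the name matches the host
    return (Test-Certificate -Cert $Certificate -Policy SSL -DNSName $HostName -ErrorAction SilentlyContinue)
}
Test-CentralAdminCertificate -HostName $CaHost -Certificate $cert    # expected: True
```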
    

Add Central Administration to your Intranet Zone.

To prevent getting prompted for your login, configure the intranet zone in IE.

  • Open up Internet explorer
  • Click on the cog symbol, and select Internet Options
  • Select the Security tab, and then click on Local Intranet. Then click on the Sites button.
  • On the Local intranet dialog, click the Advanced button.
  • Add your Central Administration to the Local Intranet Zone. (e.g., https://cadmin.cfcode2016.com)
  • Close Central Administration and then re-open it from the Start Menu SharePoint 2016 Central Administration.
  • Say Yes to any warnings if the site already exists in Trusted sites zone.
  • While here also add *.cfcode2016.com and https://cfsp2016:2016.
  • Tick Require server verification (https:) for all sites in this zone.
  • Then click Close, OK, and OK

Now if you go to Start Menu and open SharePoint 2016 Central Administration, it will open using the https://cadmin.cfcode2016.com URL and the certificate will be valid.

The next step will be getting the bulk of SharePoint working. This means creating sites, getting services up and running, and ensuring you can do SharePoint app development. I recommend shutting down and taking checkpoints again. (Don’t worry, when you are happy with your build you can go back and delete all the checkpoints.)

Building SharePoint 2016 development environment – Part 5 – Creating Certificate Authority.



Installing Certificate Authority

To allow our SharePoint sites to use SSL, their certificates need to come from a trusted certificate authority, which is what we are going to create now.

  • On your domain controller, open up Server Manager
  • On the right, click Manage > Add Roles and Features
  • Click Next
  • On Select installation type ensure that Role-based or feature based installation is selected. Click Next
  • On Select destination server screen, keep default choice of your domain controller, and click Next.
  • Select Active Directory Certificate Services and click Add Features when dialog pops up. Click Next.
  • On Select features click Next.
  • On Active Directory Certificate Services screen, it informs you how you cannot change the name or domain settings of this computer. Click Next.
  • On Select role services, select the following
    • Certification Authority
    • Certificate Enrollment Policy Web Service
    • Certificate Enrollment Web Service

    Click Add Features when prompted.

  • On Web Server Role (IIS) click Next.
  • On the Select role services click Next
  • Tick the Restart the destination server automatically if required, say yes to the dialog prompt. Then click Install.
  • Once the installation completes, you need to configure the Certification Services, click the link Configure Active Directory Certificate Services on the destination server
  • On the Credentials screen, ensure you are using domain admin account. Click Next
  • On Role Services tick Certification Authority, then click Next
  • On Setup Type, leave the default of Enterprise CA, click Next
  • Since this is the first CA in the domain, on CA Type leave the default of Root CA. Click Next
  • On Private Key leave it as Create a new private key and click Next
  • On Cryptography for CA select SHA256. Click Next
  • On CA Name, for development environment, I recommend to rename it to something simple like MY-CA or you can leave as is (You’ll need to remember this much later). Click Next.
  • On Validity Period, you can change the number of years if you wish. I would imagine in 5 years SharePoint 2016 will be old hat, and be using SharePoint 2020. Click Next.
  • Accept the default locations of the CA Database. Click Next.
  • On the final screen, Confirmation, click Configure. You will be presented with a succeeded screen. Click Close. You will be prompted with a “Do you want to configure additional role services?” dialog. Click Yes.
  • After clicking yes, you will be presented back with the Credentials screen. Click Next
  • On the Role Services screen, now select both Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service. Click Next.
  • On the CA for CES screen, leave as is; this will allow your target CA to issue web certificates to SharePoint and other web servers. Click Next.
  • The Authentication Type for CES keep as the default Windows integrated authentication click Next.
  • On Service Account for CES switch the radio button to Use the built-in application pool identity. Click Next
  • The Authentication Type for CEP leave as Windows integrated authentication. Click Next.
  • On the Server Certificate screen, select your existing self-signed certificate. Click Next
  • On the last screen, click Configure.
  • Finally, you are presented with success messages. Click Close.

Your Certificate Authority is now complete and ready to issue certificates to your SharePoint farm. This will be configured later, after we have at least installed SharePoint.

Setting up a Global Policy for Certificate Enrollment.

Here we are going to change a global policy for all machines added to the domain. This is so Auto enrollment of certificate policies is allowed.

  1. Open up the Group Policy Management console, by typing gpmc.msc in a run window.
  2. Expand the Forest down to our domain.
  3. Right click the domain and select Create a GPO in this domain, and Link it here…
  4. In the New GPO dialog, give it the name of Cert Enrollment Policy, and click OK.
  5. In the left pane of Group Policy Management expand your domain and at the top you should see Cert Enrollment Policy, right click it and select edit.
  6. Navigate down to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and double click Certificate Services Client – Auto Enrollment
  7. In the dialog, set the Configuration Model to Enabled. Click OK.
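The CA installation and the auto-enrollment GPO above as one script, added here as an example and not part of the original post; it is run on the domain controller as a domain administrator. It assumes the ADCSDeployment, GroupPolicy and ActiveDirectory modules are present, that the CA is CFAD.cfcode2016.com\MY-CA as in the steps above, that the server's existing self-signed certificate can be found by its self-signed subject, and that the AEPolicy registry value is how the Auto-Enrollment policy is stored; the Test-CaReady helper is mine.

```powershell
Import-Module ServerManager
Import-Module GroupPolicy
Import-Module ActiveDirectory

$CaName   = "MY-CA"
$CaConfig = "CFAD.cfcode2016.com\$CaName"     # <CA server FQDN>\<CA common name>, the value asked for later when requesting certificates
$DomainDN = (Get-ADDomain).DistinguishedName

# 1. Roles: Certification Authority plus the two enrollment web services (this also pulls in IIS)
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Enroll-Web-Pol, ADCS-Enroll-Web-Svc -IncludeManagementTools

# 2. Enterprise root CA, new RSA key, SHA-256, 5-year validity (the wizard choices made above)
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CACommonName $CaName `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 -Force

# 3. Certificate Enrollment Web Service and Policy Web Service: Windows integrated (Kerberos) authentication,
#    built-in application pool identity, HTTPS on the server's existing self-signed certificate
#    (self-signed = subject equals issuer; the freshly created CA root is excluded because it is not a web server cert)
$sslCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -notlike "CN=$CaName*" } |
    Select-Object -First 1
Install-AdcsEnrollmentWebService -CAConfig $CaConfig -AuthenticationType Kerberos -ApplicationPoolIdentity `
    -SSLCertThumbprint $sslCert.Thumbprint -Force
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos -SSLCertThumbprint $sslCert.Thumbprint -Force

# 4. GPO "Cert Enrollment Policy" linked at the domain, with Certificate Services Client - Auto-Enrollment enabled
#    (assumption: Configuration Model = Enabled with no extra options is AEPolicy = 0 under the policy key)
$gpo = New-GPO -Name "Cert Enrollment Policy"
New-GPLink -Name $gpo.DisplayName -Target $DomainDN | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key "HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" `
    -ValueName "AEPolicy" -Type DWord -Value 0 | Out-Null

function Test-CaReady {
    param([string]$CaConfig)
    # certutil -ping contacts the CA's RPC interface; a non-zero exit code means the CA is not answering
    certutil -config $CaConfig -ping | Out-Null
    return ($LASTEXITCODE -eq 0)
}
Test-CaReady -CaConfig $CaConfig    # expected: True
```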

We have reached the end of this blog post. Again, it could be a good idea to shut the machine down and create a new checkpoint.