https://community.esri.com/t5/arcgis-enterprise-questions/setting-up-ssl-with-a-signed-certificate-in-a/m-p/678342#M25843 <HTML><HEAD></HEAD><BODY><SPAN>As the subject implies, I recently tried to setup SSL in a multi-tier environment where the IIS Web Server/ESRI WebAdaptor and the GIS Server ran in differenct Virtual Machines.&nbsp; I'm using ArcGIS Server 10.1, here's how I did it.</SPAN><BR /><BR /><SPAN>1)&nbsp; I acquired a Signed Certificate directly from the CA, I did NOT use the ESRI CSR-generation steps.</SPAN><BR /><SPAN>2)&nbsp; I installed the Signed Certificate and CA Root Certificates on the IIS server and followed Microsoft's cryptic instructions for enabling SSL for a particular website.</SPAN><BR /><SPAN>3)&nbsp; Most importantly, the WebAdaptor dojo.js and init.js scripts MUST use the domain name (not IP Address) that matches the domain name in the certificate.&nbsp; (I'll explain why later)</SPAN><BR /><SPAN>4)&nbsp; The GIS Server was configured to use the SelfSignedCertificate (default) and I left it that way because the IIS Server handles authentication.</SPAN><BR /><BR /><SPAN>Lessons-Learned</SPAN><BR /><SPAN>1)&nbsp; If you access the website using an IP instead of a domain name (and it's PKI-controlled), it's not uncommon to receive certificate errors upfront becuse the URL you accessed doesn't match the URL of the certificate.&nbsp; In a multi-tiered architecture, everything still behaves ok because the user acknowledges the URL mismatch and certificate errors are ingnored for the remainder of the session.</SPAN><BR /><SPAN>2)&nbsp; However, If you access the website using a domain name, and there are no top-level certificate errors, your IE browser may crash when trying to access the dojo scripts (if the dojo scripts were setup with IP addresses instead of a domain name).&nbsp; This is because IE thinks you are trying to access a different site to download the dojo scripts, which would break the security architecture.&nbsp; Normally, this is reported to you innocently and the user has to acknowledge it, but with ArcGIS Server, it just crashes the browser.</SPAN><BR /><SPAN>3)&nbsp; At some point, while trying various things, loading/unloading certificates into ArcGIS server, my services became locked (not open to the public).&nbsp; This was reported conspicuously in the browser's developer tools console as a </SPAN><STRONG>dojo.io.script errorError: Token Required</STRONG><SPAN> error.&nbsp; I had to unlock them through the Manager website.</SPAN></BODY></HTML> Tue, 24 Jun 2014 17:05:29 GMT MichaelMurphy8 2014-06-24T17:05:29Z https://community.esri.com/t5/arcgis-enterprise-questions/setting-up-ssl-with-a-signed-certificate-in-a/m-p/678342#M25843 <HTML><HEAD></HEAD><BODY><SPAN>As the subject implies, I recently tried to setup SSL in a multi-tier environment where the IIS Web Server/ESRI WebAdaptor and the GIS Server ran in differenct Virtual Machines.&nbsp; I'm using ArcGIS Server 10.1, here's how I did it.</SPAN><BR /><BR /><SPAN>1)&nbsp; I acquired a Signed Certificate directly from the CA, I did NOT use the ESRI CSR-generation steps.</SPAN><BR /><SPAN>2)&nbsp; I installed the Signed Certificate and CA Root Certificates on the IIS server and followed Microsoft's cryptic instructions for enabling SSL for a particular website.</SPAN><BR /><SPAN>3)&nbsp; Most importantly, the WebAdaptor dojo.js and init.js scripts MUST use the domain name (not IP Address) that matches the domain name in the certificate.&nbsp; (I'll explain why later)</SPAN><BR /><SPAN>4)&nbsp; The GIS Server was configured to use the SelfSignedCertificate (default) and I left it that way because the IIS Server handles authentication.</SPAN><BR /><BR /><SPAN>Lessons-Learned</SPAN><BR /><SPAN>1)&nbsp; If you access the website using an IP instead of a domain name (and it's PKI-controlled), it's not uncommon to receive certificate errors upfront becuse the URL you accessed doesn't match the URL of the certificate.&nbsp; In a multi-tiered architecture, everything still behaves ok because the user acknowledges the URL mismatch and certificate errors are ingnored for the remainder of the session.</SPAN><BR /><SPAN>2)&nbsp; However, If you access the website using a domain name, and there are no top-level certificate errors, your IE browser may crash when trying to access the dojo scripts (if the dojo scripts were setup with IP addresses instead of a domain name).&nbsp; This is because IE thinks you are trying to access a different site to download the dojo scripts, which would break the security architecture.&nbsp; Normally, this is reported to you innocently and the user has to acknowledge it, but with ArcGIS Server, it just crashes the browser.</SPAN><BR /><SPAN>3)&nbsp; At some point, while trying various things, loading/unloading certificates into ArcGIS server, my services became locked (not open to the public).&nbsp; This was reported conspicuously in the browser's developer tools console as a </SPAN><STRONG>dojo.io.script errorError: Token Required</STRONG><SPAN> error.&nbsp; I had to unlock them through the Manager website.</SPAN></BODY></HTML> Tue, 24 Jun 2014 17:05:29 GMT https://community.esri.com/t5/arcgis-enterprise-questions/setting-up-ssl-with-a-signed-certificate-in-a/m-p/678342#M25843 MichaelMurphy8 2014-06-24T17:05:29Z