Using the Exchange 2010 Mailbox Export features for Mass Exports to PST files

New-ManagementRoleAssignment –Role “Mailbox Import Export” –User AD\Administrator

New-MailboxExportRequest -Mailbox Administrator -FilePath “\\AZUA\Exports\Administrator.pst”

 

Taken from: http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/

 

Rundll32 commands for Windows

Create Desktop Shortcuts : Right click on desktop > New > Shortcut. In the first box of the Create Shortcut Wizard, copy-paste the desired command. Then Click Next. Give the Shortcut a Name.

Add/Remove Programs
RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0

Content Advisor
RunDll32.exe msrating.dll,RatingSetupUI

Control Panel
RunDll32.exe shell32.dll,Control_RunDLL

Delete Temporary Internet Files
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8

Delete Cookies
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2

Delete History
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1

Delete Form Data
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16

Delete Passwords
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32

Delete All
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

Delete All + files and settings stored by Add-ons:
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351

Date and Time Properties
RunDll32.exe shell32.dll,Control_RunDLL timedate.cpl

Display Settings
RunDll32.exe shell32.dll,Control_RunDLL access.cpl,,3

Device Manager
RunDll32.exe devmgr.dll DeviceManager_Execute

Folder Options – General
RunDll32.exe shell32.dll,Options_RunDLL 0

Folder Options – File Types
RunDll32.exe shell32.dll,Control_Options 2

Folder Options – Search
RunDll32.exe shell32.dll,Options_RunDLL 2

Folder Options – View
RunDll32.exe shell32.dll,Options_RunDLL 7

Forgotten Password Wizard
RunDll32.exe keymgr.dll,PRShowSaveWizardExW

Hibernate
RunDll32.exe powrprof.dll,SetSuspendState

Internet Explorer’s Internet Properties dialog box.
Rundll32 Shell32.dll,ConBring up trol_RunDLL Inetcpl.cpl,,6

Keyboard Properties
RunDll32.exe shell32.dll,Control_RunDLL main.cpl @1

Lock Screen
RunDll32.exe user32.dll,LockWorkStation

Mouse Button – Swap left button to function as right
Rundll32 User32.dll,SwapMouseButton

Mouse Properties Dialog Box
Rundll32 Shell32.dll,Control_RunDLL main.cpl @0,0

Map Network Drive Wizard
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL Connect

Network Connections
RunDll32.exe shell32.dll,Control_RunDLL ncpa.cpl

Organize IE Favourites
RunDll32.exe shdocvw.dll,DoOrganizeFavDlg

Open With Dialog Box
Rundll32 Shell32.dll,OpenAs_RunDLL Any_File-name.ext

Printer User Interface
Rundll32 Printui.dll,PrintUIEntry /?

Printer Management Folder.
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder

Power Options
RunDll32.exe Shell32.dll,Control_RunDLL powercfg.cpl

Process Idle Tasks
RunDll32.exe advapi32.dll,ProcessIdleTasks

Regional and Language Options
Rundll32 Shell32.dll,Control_RunDLL Intl.cpl,,0

Stored Usernames and Passwords
RunDll32.exe keymgr.dll,KRShowKeyMgr

Safely Remove Hardware Dialog Box
Rundll32 Shell32.dll,Control_RunDLL HotPlug.dll

Sound Properties Dialog Box
Rundll32 Shell32.dll,Control_RunDLL Mmsys.cpl,,0

System Properties Box
Rundll32 Shell32.dll,Control_RunDLL Sysdm.cpl,,3

System Properties – Advanced
RunDll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,4

System Properties: Automatic Updates
RunDll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,5

Taskbar Properties
RunDll32.exe shell32.dll,Options_RunDLL 1

User Accounts
RunDll32.exe shell32.dll,Control_RunDLL nusrmgr.cpl

Unplug/Eject Hardware
RunDll32.exe shell32.dll,Control_RunDLL hotplug.dll

Windows Security Center
RunDll32.exe shell32.dll,Control_RunDLL wscui.cpl

Windows – About
RunDll32.exe SHELL32.DLL,ShellAboutW

Windows Fonts Installation Folder
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL FontsFolder

Windows Firewall
RunDll32.exe shell32.dll,Control_RunDLL firewall.cpl

Wireless Network Setup
RunDll32.exe shell32.dll,Control_RunDLL NetSetup.cpl,@0,WNSW

How to set time server on PDC

  1. Log in to your PDC Server and open the command prompt as administrator.
  2. Configure the external time sources, type: w32tm /config /syncfromflags:manual /manualpeerlist:0.pool.ntp.org
  3. Make your PDC a reliable time source for the clients. Type: w32tm /config /reliable:yes
  4. Restart the w32time service: net stop w32time && net start w32time
  5. The windows time service should begin synchronizing the time.
  6. You can check the external NTP servers in the time configuration by typing: w32tm /query /configuration

Change Remote Desktop Gateway Port and Remote Web App Port

 

The default Remote Desktop (RD) Gateway encapsulates RDP in HTTPS packets listens on port 443 (for TCP) and port 3391 (for UDP). Many times you are limited to one public IP address and the port 443 is already occupied by some other service.

In that case you should change the port 443 to something else. Bellow is the procedure of doing it:

Open  Remote Desktop Gateway Manager (Start > Administrative Tools > Remote Desktop Services):

  1. Right-click the Remote Desktop Gateway server name and select Properties.
  2. Select the Transport Settings tab.
  3. Modify the HTTP and/or UDP port number and click OK.

 

2016_04_20_15_45_27_MAIL.MATJAZ.SI_2014_Remote_Desktop_Connection

Now, when accessing with the RDP client you have to specify the RD Gateway server name with the custom port  you have to specified before.

2016_04_20_15_59_13_

 

In case you are using also published Remote Web Apps you have to use a powershell trick to change the TCP port to your custom.  Remote Desktop Gateway Port. On your RD Connection Broker use powershell commands below to change the published gateway to include your custom port:

Import-Module RemoteDesktop

Set-RDSessionCollectionConfiguration -CollectionName “MySessionCollection” -CustomRdpProperty “gatewayhostname:s:my.gateway.server:4343”

 

SQL Server 2012/2014: Enabling and disabling trace flags

You can use the DBCC TRACEON command to turn on the specified trace flag. This is the syntax:

DBCC TRACEON (trace# [,…n][, -1]) [WITH NO_INFOMSGS]

If you want to turn off the specified trace flag(s), you can use the DBCC TRACEOFF command.
This is the syntax:

DBCC TRACEOFF (trace# [,…n] [,-1]) [WITH NO_INFOMSGS]

You can use the DBCC TRACESTATUS command to get the status information for the particular trace
flag(s) currently turned on. This is the syntax:

DBCC TRACESTATUS ([ [trace# [,…n] ] [,] [-1] ]) [WITH NO_INFOMSGS]

To get the status information for all trace flags currently turned on, you can use -1 for trace#.

This is the example:

DBCC TRACESTATUS (-1)

 

Useful trace flags

1. Trace flag 1204.

This trace flag returns the type of locks participating in the deadlock and the current command
affected. This trace flag is documented in SQL Server 2012 Books Online. This is global trace flag.

2. Trace flag 1205 (undocumented).

This trace flag returns more detailed information about the command being executed at the time
of a deadlock. This trace flag was documented in SQL Server 7.0 Books Online, but is not
documented in SQL Server 2012.

3. Trace flag 1211.

This trace flag disables lock escalation based on memory pressure, or based on number of locks.
If turns on, then SQL Server 2012 will not escalate row or page locks to table locks.
Note. When the trace flag 1211 is turned on then excessive numbers of locks can be generated.

4. Trace flag 1224.

This trace flag disables lock escalation based on the number of locks. If both trace flag 1211
and 1224 are set, 1211 takes precedence over 1224.

5. Trace flag 1807 (undocumented).

You cannot create a database file on a mapped or UNC network location. This opportunity is
generally unsupported under SQL Server 2012. However, You can bypass this by turn on trace
flag 1807.

6. Trace flag 2508 (undocumented).

This trace flag disables parallel non-clustered index checking for DBCC CHECKTABLE.

7. Trace flag 2528.

This trace flag disables parallel checking of objects by DBCC CHECKDB, DBCC CHECKFILEGROUP,
and DBCC CHECKTABLE. Usually trace flags 2508 and 2528 should not be used because checking in
parallel provides better performance, but sometimes when another process requires CPU resources
during checking, you can disable parallel checking to free some CPU resources for another process.

8. Trace flag 3205.

This trace flag disables hardware compression for tape drivers. You can use this trace flag
if your tape drives do not support compression.

9. Trace flag 3608.

This trace flag skips automatic recovery (at startup) for all databases except the master
database. To turn on this trace flag, you must use -T startup option. For example, you should
start SQL Server 2012 with the following parameter: -T 3608
To make it, run Services from the Control Panel, double click on MS SQL Server service, click
Stop button, then specify parameter value (-T 3608) and click the Start button.

10. Trace flag 3609 (undocumented).

This trace flag skips the creation of the tempdb database at startup. To turn on this trace
flag, you must use -T startup option.

11. Trace flag 4616.

This trace flag makes server-level metadata visible to application roles. By default, an
application role cannot access metadata outside its own database. This is global only trace flag.

 

Taken from: http://www.sswug.org/alexanderchigrik/sql-server/useful-sql-server-2012-trace-flags/

Windows Server Remote Desktop Services grace period expoired

Remove the RDS licensing time-bomb registry entry with the help of Sysinternals PSExec (Regedit alone couldn’t do it because it had to be run under highest privileges):

psexec -s -i regedit.exe:

Locate the registry key: HKLM\system\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod

 

Remove the registry key GracePeriod and reboot the computer.

Bind multiple sites on same IP address and Port in SSL

Until IIS 7.5, the major limitation of IIS is that IIS will allow you to bind only one site for one IP: Port combination using an SSL certificate.  If you try to bind a second site on the IP address to the same certificate, IIS will give you an error when starting the site up stating that there is a conflict. In order to assign a certificate to be used by multiple IIS sites on the same IP address and port, we need to use a special mechanism. Before we go there let’s understand why it is not possible for IIS to allow the binding of multiple sites on same IP: Port combination using an SSL certificate.

Classic Chicken and Egg Problem

We know that IIS identifies a site using three piece of data:

1. IP-Address

2. Port

3. Host Header

You can have multiple HTTP site configured with different combination of above. The binding, for example 192.168.1.0:80 can be configured to site “MyServer1.com”. That means if I browse to IP-address 192.168.1.0 over port 80 then I will hit the site “MyServer1.com”. I can have the binding as 192.168.1.0:80:myserver2.com configured for site “MyServer2.com”. That means when I browse the site over IP-address 192.168.1.0 over port 80 with a host header as “myserver2.com” then I will hit the site MyServer2.com. This allows multiple DNS hostnames on a single server at the same IP address.

However this doesn’t work in HTTPS. To know why it doesn’t work in HTTPS lets understand the SSL handshake briefly.

1. Client – > (SSL Handshake) – > “ Hello, I support XYZ algorithm for encryption”

2. Server -> (SSL Handshake) -> “Hi there, Okay so here is my public certificate. Let’s use algorithm X”

3. Client -> (SSL Handshake)-> “Great we can use that”

4. Client -> (In Encrypted format)-> “HTTP Request”

5. Server -> (In Encrypted format)-> “HTTP Response”

<And now cycle continues>

Now let’s say hypothetically, you have set two sites on same IP-address and port and different host headers and you set two different certificates on both of them.

Look at the steps in SSL Handshake, Client sends the HTTP Request only in Step 4. That means Server doesn’t know what host header HTTP request is referring to until step 4. So at Step 2, Server has only IP-Address and Port information with it, so how can server figure out which certificate it needs to send to the Client as you have bind two certificates to same IP-Address and port.

When a request comes to HTTP.SYS layer, the HTTP.SYS reads the site configuration, including the certificate used to encrypt/decrypt the data. The host name is encrypted in SSL Blob that the client sends. However, IIS needs to know the host name in order to get the right certificate. Without the host name IIS cannot get to the correct site. As IIS is not able to get to the correct site so it cannot get the right certificate to decrypt the SSL blob to get the host name. This is the classic Chicken and Egg problem. We are turning into circles with no way out.

This is the precise reason; HTTP server can only allow one site per IP-Address: Port combination for HTTPS browsing. If you need to bind another site over HTTPS then you need to get either a different IP-Address or bind the site to a different port.

Sometimes getting a new IP-Address or port for each website becomes costly affair. So how we can attach two website to HTTPS over same IP: Port. There are two ways to do it in IIS7.

Wild Card Certificate.

A wildcard certificate can secure an unlimited number of first level sub domains on a single domain name. For example, you can get a certificate which is issued to *.mydomain.com. This certificate will secure www.mydomain.com, secure.mydomain.com, welcome.mydomain.com etc. Basically it will work on any subdomain that replaces the wildcard character (*).

Setting up the Wild Card Certificate

Step 1: Install the wildcard certificate.

Verify if the certificate is properly installed.

1. Select Start –> Run

2. Type in “MMC” and hit enter

3. From the console, select File –> Add / Remove Snap-in

4. Select Certificates from the Add / Remove dialog

5. Select Computer Account when prompt for which certificates the snap-in will manager.

6. Select Local Computer when prompted

7. Click OK to add the Snap-in to the MMC

8. Locate your SSL certificate

9. Right click on the certificate and select properties

10. You should see the * in the friendly name.

clip_image002

Once you have installed the certificate then the issued to should be the *.mydomain.com

clip_image004

Step 2: Setup the wildcard certificate in IIS

Let’s say you need following configuration

So let’s say you have the following configuration:

Website                   Host Header Value                  IP Address      Port             SSL Port
==================================================================
Test1                         http://www.myserver.com              10.0.1.1              80                  443
Test2                        test2.myserver.com               10.0.1.1              80                  443

Test3                        test3.myserver.com                10.0.1.1             80                  443

IIS6

You need to select the certificate for all the three sites which are configured for same IP-Address and port.

To know how to bind the certificates in IIS6 please follow the following link

http://blogs.iis.net/robert_mcmurray/archive/2011/02/17/iis-6-setting-up-ssl-part-3-installing-the-certificate.aspx

After you installed the Certificate on all the websites with same IP address and port and you try to browse the sites. You will see that all of the HTTPS responses come from one specific site.

That means if you try to access https://test1.myserver.com, https://test2.myserver.com or https://test3.myserver.com you will get the response from one site only.

You won’t get the corresponding pages from different Websites depending upon the site in URL. Why? Because of the chicken and Egg problem remember. When the request comes to HTTP.SYS layer then Schannel will be able to decrypt the request but after decrypting the request it doesn’t know which site it needs to send the request as all the sites listening to same IP-Address and port.

You will also see that only one of the Websites will be running. Other Websites will be in stopped state because we cannot have multiple Websites running with same IP and same SSL port binding. If you try to start the other Websites you may see something like this below:

clip_image005

How to resolve above issue

To resolve this issue we need to add host headers to the sites.

Go to Start Menu, click Run, type “cmd”, and then click OK.

Type the following command at the command prompt:

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings “*:443 :< host header>”

For example

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/1/SecureBindings “10.0.0.1:443:test1.myserver.com”

Do this for all the three sites

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/2/SecureBindings “10.0.0.1:443:test2.myserver.com”

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/3/SecureBindings “10.0.0.1:443:test3.myserver.com”

clip_image007

You can also change this by changing the metabase.xml for that particular site.

For Example your site id is 1 then you would see following in the Metabase.xml

<IIsWebServer Location =”/LM/W3SVC/1″

AuthFlags=”0″

SSLCertHash=”ee6c56aaacd9e52137ccd4563131c35bdb020712″

SSLStoreName=”MY”

SecureBindings=”:443:”

ServerAutoStart=”TRUE”

ServerBindings=”:80:”

ServerComment=”ssltest”>

Add the hostname in the SecureBindings explicitly for each site.

<IIsWebServer Location =”/LM/W3SVC/1″

AuthFlags=”0″

SSLCertHash=”ee6c56aaacd9e52137ccd4563131c35bdb020712″

SSLStoreName=”MY”

SecureBindings=”:443:www.test.com”

ServerAutoStart=”TRUE”

ServerBindings=”:80:”

ServerComment=”ssltest”>

IIS7

In IIS7, attaching a wild card certificate is much easier. You can attach the certificate to the website you need to attach to. The moment you select the wildcard certificate the hostname field in the UI will be enabled. You can type the host header in it. You can do the same procedure for multiple sites.

clip_image009

How Wild Card Certificate resolve the Chicken and Egg problem

We have multiple sites on same IP: Port with the same certificate (wildcard certificate) attached to them. When the request reach to HTTP.SYS layer, the Schannel gets the IP: Port information from the request. Since there is only one certificate attached to that IP: Port Schannel use that wildcard certificate and decrypt the request using the private key. After decrypting the request, HTTP.SYS is able to get the host header information. Using the host header, HTTP.SYS can put the request into the proper request queue.

Limitation of Wild Card Certificate.

There are certain limitations of wild card certificate.

1) It can only be applicable to single level of subdomain. For example you got a wild cart certificate for *.mydomain.com then you can bind this certificate to sites such as site1.mydomain.com or site2.mydomain.com. However, you cannot bind the wildcard certificate to Site1.myexample.mydomain.com or Site1.example2.mydomain.com or xyz.abc.mydomain.com etc.

That means the wild cart certificate will work only till first level of subdomain.

2) The wild card certificate will work only if the site has same domain name. That means if you have certificate for *.mydomain.com then you cannot bind this certificate to sites such as www.example.com or www.mydomain2.com etc. Wild card certificate will work only for sites which have same domain name.

3) You can set the wildcard certificate only for one top level domain. For example you can bind a wild card certificate forwww.test1.myserver.com or www.test2.myserver.com, but you cannot bind the same certificate for hostheader www.test2.myserver.org orwww.test2.myserver.net etc.

SAN Certificate (Subject Alternative Name Certificate)

You can setup the wildcard certificate if the domain name for all the sites are same and first level subdomain changes. What if you want to set up the sites which should work on two different domain names, for example, a site with host header as www.testserver1.com and another site with hostheader as www.testserver2.com. In this case Wildcard certificate won’t help you. To resolve this issue we have SAN Certificate.

A SAN cert allows for multiple domain names to be protected with a single certificate. For example, you could get a certificate for myserver.com, and then add more SAN values to have the same certificate protect myserver.org, myserver.net and even myserver2.com orwww.example.com.

You can see the domain names in the Subject Alternative Name option in the Certificate

clip_image011

clip_image012

Setup the SAN certificate in IIS

Let’s say you need following configuration

So let’s say you have the following configuration:

Website                   Host Header Value                  IP Address      Port             SSL Port
==================================================================
Test1                         http://www.test.edu               10.0.1.1              80                  443
Test2                        http://www.test.com               10.0.1.1              80                  443

Test3                    www.test.testing.com 10.0.1.1             80                  443

IIS 6

You need to select the SAN certificate for all the three sites which are configured for same IP-Address and port.

Note: The hostheaders which are defined in the Subject Alternative Name, only to those hostheaders you can bind the site. That means if you set the Subject Alternative Name to www.test.edu, http://www.test.com, http://www.test.testing.com then you cannot bind this certificate to a site with hostheader say http://www.example.com.

To know how to bind the certificates please follow the following link

http://blogs.iis.net/robert_mcmurray/archive/2011/02/17/iis-6-setting-up-ssl-part-3-installing-the-certificate.aspx

After you installed the Certificate on all the websites with same IP address and port and you try to browse the sites. You will see that all of the HTTPS responses come from one specific site.

That means if you try to access https:// http://www.test.edu, https://www.test.com or https://www.test.testing.com you will get the response from one site only.

You won’t get the corresponding pages from different Websites depending upon the site in URL. Why? Because of the chicken and Egg problem remember. When the request comes to HTTP.SYS layer then Schannel will be able to decrypt the request but after decrypting the request it doesn’t know which site it needs to send the request as all the sites listening to same IP-Address and port.

You will also see that only one of the Websites will be running. Other Websites will be in stopped state because we cannot have multiple Websites running with same IP and same SSL port binding. If you try to start the other Websites you may see something like this below:

clip_image005[1]

How to resolve above issue

To resolve this issue we need to add host headers to the sites.

Go to Start Menu, click Run, type “cmd”, and then click OK.

Type the following command at the command prompt:

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings “*:443 :< host header>”

For example

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/1/SecureBindings “10.0.0.1:443:www.test.edu”

Do this for all the three sites

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/2/SecureBindings “10.0.0.1:443:www.test.com”

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/3/SecureBindings “10.0.0.1:443:www.test.testing.com”

clip_image013

You can also change this by changing the metabase.xml for that particular site

<IIsWebServer Location =”/LM/W3SVC/1″

AuthFlags=”0″

SSLCertHash=”ee6c56aaacd9e52137ccd4563131c35bdb020712″

SSLStoreName=”MY”

SecureBindings=”:443:”

ServerAutoStart=”TRUE”

ServerBindings=”:80:”

ServerComment=”ssltest”>

Add the hostname in the SecureBindings explicitly for each site.

<IIsWebServer Location =”/LM/W3SVC/1″

AuthFlags=”0″

SSLCertHash=”ee6c56aaacd9e52137ccd4563131c35bdb020712″

SSLStoreName=”MY”

SecureBindings=”:443:www.test.com”

ServerAutoStart=”TRUE”

ServerBindings=”:80:”

ServerComment=”ssltest”>

clip_image015

IIS7

You need to select the certificate for all the three sites which are configured for same IP-Address and port.

Note: The hostheaders which are defined in the Subject Alternative Name, only to those hostheaders you can bind the site. That means if you set the Subject Alternative Name to www.test.edu, http://www.test.com, http://www.test.testing.com then you cannot bind this certificate to a site with hostheader say http://www.example.com.

To know how to bind the certificates in IIS7 please follow the following link

http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

To configure the SAN certificate you need to run the below command after changing the website name, ip-address and port and the host header value.

Go to Start Menu, click Run, type “cmd”, and then click OK.

Go to the location “C:\Windows\System32\inetsrv”

Type the following command at the command prompt:

appcmd set site /site.name:”<WEBSiteName>” /+bindings.[protocol=’https’,bindingInformation=’*:443:<hostHeaderValue>‘]

For example

appcmd set site /site.name:”Test1” /+bindings.[protocol=’https’,bindingInformation=’*:443:http://www.test.edu’]

appcmd set site /site.name:”Test2” /+bindings.[protocol=’https’,bindingInformation=’*:443:http://www.test.com’]

appcmd set site /site.name:”Test3” /+bindings.[protocol=’https’,bindingInformation=’*:443:http://www.test.testing.com’]

clip_image017

Alternatively you can go to the applicationhost.config and modify the binding part of the website to add the host header. Do this for all the three sites. For example

<site name=”TestSite” id=”2″ >

<application path=”/” applicationPool=”TestSite”>

<virtualDirectory path=”/” physicalPath=”C:\Publish” />

</application>

<bindings>

<binding protocol=”http” bindingInformation=”*:8089:TestSite” />

<binding protocol=”https” bindingInformation=”*:443:TestSite” />

</bindings>

</site>

clip_image019

How SAN Certificate resolve the Chicken and Egg problem

We have multiple sites on same IP: Port with the same certificate (SAN certificate) attached to them. When the request reach to HTTP.SYS layer, the Schannel gets the IP: Port information from the request. Since there is only one certificate attached to that IP: Port Schannel use that SAN certificate and decrypt the request using the private key. After decrypting the request, HTTP.SYS is able to get the host header information. Using the host header, HTTP.SYS can put the request into the proper request queue.

Limitation of SAN Certificate.

There are certain limitations of SAN certificate.

1) One major limitation of SAN certificate is if you have issued the SAN certificate for say two host-headers http://www.test1.com andwww.test2.edu but you need to setup a site for www.test3.net using the same certificate then you can’t use it. You need to get another SAN certificate from the CA with all the three host-headers. In short, for every addition of a host-header you need to get another SAN certificate.

2) There are certain limitations which are defined by the CA on the number of host-header you can add to the Certificate. That means, after a certain number of host-header you cannot add further host-header into it.

 

Taken from: https://blogs.msdn.microsoft.com/varunm/2013/06/18/bind-multiple-sites-on-same-ip-address-and-port-in-ssl/