Moving to IIS Express and https

I’ve been asked a few times to help people move from their current use of the Web Development Server to https. This requires one also move to IIS Express as the old Web Development Server (Cassini) doesn’t support https. Here’s a brief tutorial on making the changes. This will allow you to test the sites using a very similar mechanism to a production deployment. We’ll also discuss certificates and Fiddler concerns.

Step 1: Setup

Get your environment setup:

  1. Startup Visual Studio, and load the target project and/or solution

Step 2: Configure IIS Express

For each website you’d like to convert to IIS Express and https:

  1. In the Solution Explorer, right-click on Web project, and choose “Use IIS Express” (just under “Set as Startup Project”)  NOTE: If you don’t have this option, you don’t have Visual Studio 2010 Service Pack 1 installed. Install VS 2010 SP 1 then retry this procedure.
  2. Go to the project properties by right-clicking the project, and choosing properties at the very bottom.
  3. In the Web tab, choose “Use Local IIS Web Server” and check “Use IIS Express”. Set the Project Url as necessary.
  4. Ensure “Apply server settings to all users” is unchecked. If this is checked, these changes will be inflicted on all users of the solution including any user-specific derivations (such as the location of your solution).
  5. Enable SSL by selecting the project in the Solution Explorer, switching to the Properties window, and setting “SSL Enabled: True”. You will be assigned a random port, probably localhost:44300, but you can’t change that here.

Step 3: Change IIS Express SSL Ports

  1. Close Visual Studio so it doesn’t get confused as we change IIS Express files.
  2. Open The IIS Express configuration file in your favorite text editor such as Notepad. It is in a path similar to C:Users{myusername}DocumentsIISExpressconfigapplicationhost.config
  3. Scroll down to the node.
  4. Alter the bindings lines for each of the sites to include your preferred ports.
  5. Save and close the file.

Step 4: Update the Project’s port if necessary

Back inside Visual Studio, we’ll tweak the last few things, and we’ll be ready to roll:

  1. Startup Visual Studio, and load the target project and/or solution
  2. Go into the project’s settings: Solution Explorer -> right-click on project -> Properties at the very bottom -> Web tab
  3. Update the Project Url if necessary to match the details you set in applicationhost.config

Step 5: Update configuration values

If your project uses any configuration values that reference the site url or port, you’ll need to update them to point to the new https url.

Step 6: Try it Out

We’re ready to roll:

  1. Debug the target project / solution
  2. In your browser, go to the https url you specified (example: https://localhost:44300/)

It works, but you’ll quickly discover failures because the cert isn’t trusted.

You’ll also notice that IIS Express binds specifically to “localhost:port#“, and doesn’t listen on “localhost.:port#“. (Note the dot in the second url.) Adding this dot is a great tool for debugging with fiddler as it makes the browser use DNS to resolve the site, which happily makes it use the configured proxy – Fiddler. Without this dot, it’s really easy to make web requests and get absolutely nowhere. Unfortunately, this no longer works with IIS Express. Sadly, you’ll need to remove the dot.

Step 7: Trust IIS Express Certificate in your chosen browser(s)

Unfortunately, Chrome will use the local certificate store, but has no way to alter the local certificate store, so we must use Internet Explorer to configure the certificate trust. These steps are pulled from http://stackoverflow.com/questions/681695/what-do-i-need-to-do-to-get-internet-explorer-8-to-accept-a-self-signed-certific and http://productforums.google.com/forum/#!topic/chrome/bds-Ao9LigA. The former (quoted here) shows you how to get IE (and thus .NET) to trust the self-signed certificate, the latter, targeted towards Chrome, puts the certificate in “Third-party Certificate Store” instead of “Trusted Root Certification Authorities”.

How to make IE8 trust a self-signed certificate in 20 irritating steps: (source: http://stackoverflow.com/questions/681695/what-do-i-need-to-do-to-get-internet-explorer-8-to-accept-a-self-signed-certific)

  1. Browse to the site whose certificate you want to trust.
  2. When told “There is a problem with this website’s security certificate.”, choose “Continue to this website (not recommended).”
  3. Select Tools->Internet Options.
  4. Select Security->Trusted sites->Sites.
  5. Confirm the URL matches, and click “Add” then “Close”.
  6. Close the “Internet Options” dialog box with either “OK” or “Cancel”.
  7. Refresh the current page.
  8. When told “There is a problem with this website’s security certificate.”, choose “Continue to this website (not recommended).”
  9. Click on “Certificate Error” at the right of the address bar and select “View certificates”.
  10. Click on “Install Certificate…”, then in the wizard, click “Next”.
  11. On the next page select “Place all certificates in the following store”.
  12. Click “Browse”, select “Trusted Root Certification Authorities”, and click “OK”.
  13. Back in the wizard, click “Next”, then “Finish”.
  14. If you get a “Security Warning” message box, click “Yes”.
  15. Dismiss the message box with “OK”.
  16. Select Tools->Internet Options.
  17. Select Security->Trusted sites->Sites.
  18. Select the URL you just added, click “Remove”, then “Close”.
  19. Now shut down all running instances of IE, and start up IE again.
  20. The site’s certificate should now be trusted.

After this procedure is done, Chrome will note that the url is “localhost”, that it isn’t routable across the internet, and thus it is impossible for a trusted certificate store to issue such a certificate. It will also note that the certificate’s domain and page’s domain match, and will no longer prompt you to “proceed anyway”.

Step 8: (Optional, Advanced) Use IIS instead of IIS Express

Getting IIS Express to start when you begin debugging and stop when you end debugging is very, very handy. But there are times when you’ll want to use the site but don’t want to have to launch Visual Studio first – e.g. to demo the project to a potential client. In that case, you can use the full IIS 7.5 installed in Windows instead of IIS Express with these modifications:

Configure the project to use IIS:

  1. Right-click on the project in Visual Studio, choose properties, switch to the Web tab, and uncheck “Use IIS Express”.
  2. Change the Project Url to use your chosen IIS url.

Install IIS 7.5 on Windows 7 (if it isn’t there already):

  1. Start -> Control Panels.
  2. On the left, choose “Turn Windows Features on or off”.
  3. Inside Internet Information Services, inside Web Management Tools, check on IIS Management Console.
  4. Inside Internet Information Services, inside World Wide Web Services, check on at least ASP and ASP.NET.
  5. Troll through the other settings inside Internet Information Services, checking on anything that looks interesting.
  6. Ensure WebDAV is /NOT/ installed: Internet Information Services -> World Wide Web Services -> Common HTTP Features -> WebDAV Publishing to off. You likely don’t need it, and it’s a great security hole.

  7. Ensure FTP is /NOT/ installed: Internet Information Services -> FTP must be off. Same thing, reduce the attack service.

Configure IIS:

  1. Start -> Administrative Tools -> Internet Information Services. NOTE: If you don’t have this option, you need to first install IIS.
  2. Right click on Sites, and choose Add Website.
  3. Add the website details.
  4. Click Application Pools, and ensure the app pool settings are appropriate to your use.
  5. If any of the settings for the App Pool aren’t as specified, choose the app pool, click “Basic Settings…” on the right, and alter as needed.