Open with Explorer via SSL with SNI

sharepoint.stackexchange https://sharepoint.stackexchange.com//questions/94344

  •  10-12-2019
  •  | 
  •  

Question

I am trying to get a developer site up and running that uses SSL only with 3 web applications that use SNI. Everything except "openwith explorer"

The error I get is:

We're having a problem opening this location in File Explorer. Add this web site to your Trusted Sites list and try again.

Doing what was suggested in the error message had no effect on the symptoms.

UPDATE:
A production system that had the Web Applications created using HTTP and later had HTTPS with SNI added, work perfectly over SSL. The original Farm mentioned in my question was a development environment where we created the Web Applications/root sites using SSL only. That's the only important distinction between the two systems.

Was it helpful?

Solution

I've been doing a great deal of research into this the past couple days as I'm in a similar situation. The evidence looks pretty strong that WebClient, the Windows service that is used by software to connect to a WebDAV resource does not support SNI. A SharePoint MVP echoed my suspicions that this is the case on another thread on the MSDN forums.

At this point, I see a couple options, listed below. Please humor if the descriptions are a little overly complete, I'm hoping that this post can serve as documentation for the next person to come along with the same issue.

  1. Configure each of the sites on a different IP/Port combination. This is the most obvious solution and would then allow for each Web Application to take its own cert w/o SNI. Obvious downside, either consuming multiple IPs or using nonstandard ports.

  2. Use a UC Cert. Much like a star cert, a UC cert is valid for multiple hostnames (foo.example.com, bar.example.com, etc.) but for a specific, finite set of hostnames. These tend to be cheaper than star certs and potentially more secure, as a stolen UC cert couldn't then impersonate mail.example.com unless it was on the cert. Disadvantages include much higher cost of a UC cert compared to a single name cert and a finite number of hostnames that must be set up in advance.

Neither are terribly perfect solutions, but they are both options. Hopefully, Microsoft will update WebClient at some point to support SNI, but in the mean time, I think we're stuck with workarounds.

Edit to add Eric Law's comment to answer.

I tested this today and found that Windows 8.1 does not send the SNI extension but Windows 10.10240 does. twitter.com/ericlaw/status/624281014685319171 -EricLaw

OTHER TIPS

I have the same issue, one site collection built from http and https added after - Open with Explorer works fine in Https. The second site collection (separate web app and database) built on port 443 from the start - Open with Explorer does not work.

The only solution I can see is backing up the content, creating the site collection again from scratch but on http, then adding https after as on the other site collections, then restoring the content. Not too bad to do but a pain in the a for something so trivial!

HMMMMPF!

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange
scroll top