AD Group Manager Web - Online Manual

Set Up SSL/TLS

Enabling SSL/TLS encrypts all traffic between the browser and your AD Group Manager Web server. This is especially important because users submit Active Directory credentials through the login form (in Basic authentication mode).

This guide covers setting up SSL using an internal Certificate Authority (CA), which is the most common scenario for an on-premises intranet application.


Step 1: Create a Certificate Signing Request (CSR)

  1. Open IIS Manager (Start → Administrative Tools → Internet Information Services (IIS) Manager).
  2. In the left pane, click on your server name, then double-click Server Certificates in the center pane.
  3. Click Create Certificate Request in the Actions pane on the right.
  4. Fill in the requested information:
    • Common name — the hostname users will type in the browser (for example, groups.example.com).
    • Organization, Organizational unit, City, State, Country — your organization’s details.
  5. Choose a Cryptographic Service Provider and set the bit length to 2048 (or higher).
  6. Specify a filename and location to save the CSR file, then click Finish.

Step 2: Submit the CSR to your internal CA

Submit the CSR file to your internal Certificate Authority. The process varies depending on your CA setup:

  • If your CA has a web enrollment interface (typically at https://your-ca-server/certsrv), you can paste the CSR content there and request a Web Server certificate.
  • Alternatively, submit the CSR via email or your organization’s certificate request process.

Your CA will issue an SSL certificate file (typically .cer or .crt format).


Step 3: Install the certificate on IIS

  1. In IIS Manager, click on your server name and open Server Certificates.
  2. Click Complete Certificate Request in the Actions pane.
  3. Browse to the certificate file you received from your CA.
  4. Enter a friendly name to identify the certificate (for example, AD Group Manager Web 2026).
  5. Select Web Hosting as the certificate store and click OK.

Step 4: Add the HTTPS binding

  1. In IIS Manager, expand the server name and click on your AD Group Manager Web website.
  2. Click Bindings in the Actions pane on the right.
  3. In the Site Bindings window, click Add.
  4. Configure the binding:
    • Type: https
    • IP address: select your server’s IP or leave as All Unassigned
    • Port: 443
    • SSL certificate: select the certificate you just installed from the dropdown
  5. Click OK to save the binding.

Step 5: Test the SSL installation

Navigate to https://your-server-name from a browser within your internal network. Verify that:

  • The site loads with a secure connection (lock icon in the address bar).
  • The browser does not show any certificate warnings.

If you see a certificate warning, the internal CA’s root certificate may not be trusted on the client machine. You can distribute the CA’s root certificate via Group Policy to all domain-joined computers.


Optional: Remove the HTTP binding

For maximum security, consider removing the HTTP (port 80) binding so the site is only accessible over HTTPS. In the Site Bindings window, select the http binding and click Remove.

Alternatively, you can keep the HTTP binding and configure URL Rewrite in IIS to redirect HTTP requests to HTTPS automatically.


Optional: Configure SSL/TLS protocols and cipher suites

For enhanced security, you can restrict which TLS protocol versions and cipher suites IIS accepts. You can configure this using:

  • The IIS Crypto tool (free, GUI-based)
  • Group Policy settings
  • Registry edits or PowerShell commands

At minimum, consider disabling TLS 1.0 and TLS 1.1, keeping only TLS 1.2 and TLS 1.3 enabled.
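
One way to make the registry edit with PowerShell, as an added example rather than code from the product vendor. It sets the standard Schannel protocol keys for the server side only; the two function names are hypothetical helpers defined here.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Run on the IIS host; reboot afterwards so
# Schannel reloads the settings. The change is machine-wide: RDP, SQL Server and
# any other Schannel-based listener on this host is affected as well.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Only the Server subkeys (inbound connections, i.e. what IIS accepts) are set.
# TLS 1.3 is left at the OS default; it exists only on Windows Server 2022+.
$desired = [ordered]@{ 'TLS 1.0' = $false; 'TLS 1.1' = $false; 'TLS 1.2' = $true }

function Get-SchannelServerProtocol {   # hypothetical helper name
    foreach ($name in $desired.Keys) {
        $p = Get-ItemProperty -Path (Join-Path $base "$name\Server") -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $name
            Enabled           = if ($null -ne $p.Enabled) { $p.Enabled } else { 'OS default' }
            DisabledByDefault = if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'OS default' }
        }
    }
}

function Set-SchannelServerProtocol {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($name in $desired.Keys) {
        $key = Join-Path $base "$name\Server"
        $on  = [int]$desired[$name]
        if ($PSCmdlet.ShouldProcess($key, "set Enabled=$on, DisabledByDefault=$(1 - $on)")) {
            # Create the key only when missing, so existing values are not wiped.
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name Enabled -Value $on -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -Value (1 - $on) -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-SchannelServerProtocol | Format-Table -AutoSize   # current state
Set-SchannelServerProtocol -WhatIf                     # preview; drop -WhatIf to apply
```

Run the audit again after the reboot to confirm the values persisted, then repeat the browser test from Step 5.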


Update internal DNS if necessary

If your internal DNS does not already resolve the hostname in your certificate to the correct server IP address, add or update the appropriate DNS A record.



Use of this site constitutes acceptance of our Privacy Policy and EULA. Copyright © Albus Bit SIA