Shopping website

There are a number of items that need to be configured to enable the Shopping website to be browsed by your users.

Shopping Server certificate

From Shopping 6.1 the Shopping Central installer defaults to configuring an HTTPS site, which means that a Shopping Server certificate is required.

Only one Web Server certificate is required. It must be installed on the server before Shopping is installed.

The Web Server certificate requires the minimum of the following:

  1. Issued by a trusted Certificate Authority (CA)

    • The certificate for the Root CA in the Certification Path must exist in the Trusted Root CA store of the server.

    • The same Root CA certificate must also exist in the Trusted Root CA store of every Shopping Client device, otherwise browsers and the Shopping client will not trust the site.

  2. Has at least the following Key Usage:

    • Digital signature

    • Key encipherment

  3. Has at least the following Enhanced Key Usages:

    • Server Authentication

The default Web Server template available with a Microsoft PKI (Active Directory Certificate Services) is suitable for requesting a Shopping Web Server certificate. When requesting it, include the FQDN of the Shopping DNS Alias, and any other host header you intend to bind, in the certificate's Subject Alternative Name, because clients validate the name in the HTTPS binding against the certificate.
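The following PowerShell is added here as an example and is not part of the Shopping documentation. It checks every certificate in the local machine Personal store against the requirements listed above (trusted chain, Key Usage, Enhanced Key Usage) and against the HTTPS host header the site will use; the host header value is an assumption and must be changed to your DNS Alias FQDN.

```powershell
# Added example, not from the Shopping documentation: pre-installation check of candidate
# Web Server certificates. The host header below is an assumed value.
$HostHeader = 'shopping.acme.local'   # assumed: FQDN of the Shopping DNS Alias (IISHOSTHEADER)

function Test-ShoppingServerCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$HostHeader
    )
    $problems = @()

    # 1. The chain must build to a CA in the server's Trusted Root store.
    #    Revocation is skipped: this is a trust check, not a full client-side validation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build to a trusted root ($status)"
    }

    # 2. Key Usage must include Digital Signature and Key Encipherment.
    $ku = $Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku) {
        $problems += 'no Key Usage extension'
    } else {
        if (-not $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) { $problems += 'Key Usage lacks Digital Signature' }
        if (-not $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment))  { $problems += 'Key Usage lacks Key Encipherment' }
    }

    # 3. Enhanced Key Usage must include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    $eku = $Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = $false
    if ($eku) { foreach ($oid in $eku.EnhancedKeyUsages) { if ($oid.Value -eq '1.3.6.1.5.5.7.3.1') { $serverAuth = $true } } }
    if (-not $serverAuth) { $problems += 'Enhanced Key Usage lacks Server Authentication' }

    # 4. The host header must appear as a DNS entry in the Subject Alternative Name;
    #    a trusted certificate for the wrong name still produces a browser warning.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($san) {
        # Format() renders the SAN as e.g. "DNS Name=shopping.acme.local, DNS Name=acme-srv6.acme.local"
        $dnsNames = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })
    }
    if (-not ($dnsNames | Where-Object { $_ -ieq $HostHeader })) {
        $problems += "Subject Alternative Name does not include $HostHeader (found: $($dnsNames -join ', '))"
    }

    # 5. IIS needs the private key to serve the HTTPS binding.
    if (-not $Certificate.HasPrivateKey) { $problems += 'private key not present in this store' }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        NotAfter   = $Certificate.NotAfter
        Suitable   = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Report every certificate in the store; at least one should show Suitable = True before installing.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ShoppingServerCertificate -Certificate $_ -HostHeader $HostHeader } |
    Format-List Thumbprint, Subject, NotAfter, Suitable, Problems
```

The check only proves trust on the server; whether the Root CA is trusted on the Shopping client devices has to be confirmed separately (for example by checking the Trusted Root store on a client, or the Group Policy that distributes it).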

DNS Alias

The Shopping Web Portal and API are created under the Shopping website, not under the Default Web Site. The website has an HTTPS binding that uses a host header, normally the FQDN of the Shopping DNS Alias, and all users and computers accessing the Web Portal and Shopping API must use that name. Choosing a suitable name for the DNS Alias is therefore one of the most important design decisions you will make: the name is used in the server certificate, the IIS binding, the SPNs and the URLs sent in Shopping emails.

Ensure that all clients using the Shopping system can correctly resolve the DNS Alias using their DNS lookup methods. This is why the FQDN of the DNS Alias is normally used rather than the short name, which only resolves if the client's DNS suffix search list happens to include the right suffix.

In DNS, you can create either a CNAME or a Host (A) record. For example, a CNAME alias of SHOPPING for the host server ACME-SRV6.ACME.LOCAL results in a host header FQDN of SHOPPING.ACME.LOCAL. In this case the server's DNS suffix is the same as the alias's suffix, but they do not need to be.

When installing Shopping Central, the installer setting IISHOSTHEADER (see Shopping Central installer properties) is used to configure the HTTPS binding on the Shopping website, and the Console settings for the Web URL and API URL. The Web URL setting is used in Shopping emails.

You can manually add further HTTP or HTTPS bindings to the Shopping website. Any HTTPS binding you add must use a name that the Shopping server certificate also covers in its Subject Alternative Name. For example, you can install using the DNS Alias FQDN and then manually add a second HTTPS binding for the DNS Alias without its suffix, so that users can access the Shopping Portal using either name. Each additional host header also needs its own SPN (see Service Principal Names below).
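The following PowerShell is an added example, not code from the Shopping product or its documentation. It first confirms that the DNS Alias (FQDN and short name) resolves to an address held by this server, then adds the second HTTPS binding for the short name, reusing the certificate and SSL flags of the binding the installer created and refusing if that certificate does not cover the new name. The site name and alias values are assumptions.

```powershell
# Added example, not from the Shopping documentation. Site and alias names are assumed values.
Import-Module WebAdministration

$Site       = 'Shopping'             # assumed: name of the IIS website created by the installer
$AliasFqdn  = 'shopping.acme.local'  # assumed: the IISHOSTHEADER value used at install time
$AliasShort = 'shopping'             # assumed: the DNS Alias without its suffix

# Resolve a name (following any CNAME) and report whether it lands on one of this server's IPv4 addresses.
function Test-DnsAliasPointsHere {
    param([Parameter(Mandatory)][string]$Name)
    $resolved = @(Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    $local = @(Get-NetIPAddress -AddressFamily IPv4 | ForEach-Object { $_.IPAddress })
    $hit = $resolved | Where-Object { $local -contains $_ }
    [pscustomobject]@{ Name = $Name; Resolved = $resolved; PointsHere = [bool]$hit }
}

# Add an HTTPS binding for a second host header on the same site, with the same certificate.
function Add-ShoppingHttpsBinding {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$ExistingHostHeader,
        [Parameter(Mandatory)][string]$NewHostHeader
    )
    $existing = Get-WebBinding -Name $SiteName -Protocol https |
                Where-Object { $_.bindingInformation -like "*:443:$ExistingHostHeader" }
    if (-not $existing) { throw "No HTTPS binding for $ExistingHostHeader on site $SiteName" }

    $already = Get-WebBinding -Name $SiteName -Protocol https |
               Where-Object { $_.bindingInformation -like "*:443:$NewHostHeader" }
    if ($already) { Write-Output "Binding for $NewHostHeader already exists"; return }

    # The certificate must list the new name in its Subject Alternative Name, or clients
    # will get a name-mismatch error even though the certificate chain is trusted.
    $cert = Get-Item "Cert:\LocalMachine\$($existing.certificateStoreName)\$($existing.certificateHash)"
    if (-not ($cert.DnsNameList.Unicode | Where-Object { $_ -ieq $NewHostHeader })) {
        throw "Certificate $($cert.Thumbprint) does not list $NewHostHeader in its Subject Alternative Name"
    }

    # Copy the SSL flags (for example SNI) of the installer's binding so both names behave alike.
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $NewHostHeader -SslFlags $existing.sslFlags
    $new = Get-WebBinding -Name $SiteName -Protocol https |
           Where-Object { $_.bindingInformation -like "*:443:$NewHostHeader" }
    $new.AddSslCertificate($cert.Thumbprint, $existing.certificateStoreName)
    Write-Output "Added HTTPS binding $($new.bindingInformation) with certificate $($cert.Thumbprint)"
}

Test-DnsAliasPointsHere -Name $AliasFqdn
Test-DnsAliasPointsHere -Name $AliasShort
Add-ShoppingHttpsBinding -SiteName $Site -ExistingHostHeader $AliasFqdn -NewHostHeader $AliasShort
```

Run it in an elevated session on the Shopping server. The DNS check is only meaningful from a client's point of view if the server and the clients use the same DNS, so repeat the Resolve-DnsName part from a representative client as well.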

Service Principal Names

Service Principal Names (SPNs) are attributes of AD accounts. Computer accounts can register and update their own SPNs because, by default, they have the Validated write to service principal name permission on their own object. A service running as the built-in Network Service account authenticates on the network as the computer account, so for the server's own name no SPN needs to be created: the HOST SPNs registered automatically also cover HTTP requests for that name. Automatic registration does not cover the Shopping DNS Alias, however, so an SPN for the alias has to be added manually to whichever account the application pool runs as. User accounts typically do not have permission to write their own SPNs, so for a service account you must create or update the SPN using an account that has the rights, such as a domain administrator account. You can create an SPN by editing the servicePrincipalName attribute directly on the AD account object, or by using the setspn utility. More information about SPNs can be found in Microsoft's documentation.

SPNs must exist for each HTTPS host header, using the HTTP service class (Windows Kerberos clients request HTTP/<host header> for both http:// and https:// URLs), and must be registered on the following account:

  • The account used for the Shopping application pool, which is normally Network Service; in that case the SPN is registered on the server's computer account. (Optionally, the Shopping Central service account, if the application pools have been configured to run as it.)

The following example creates SPNs for the Shopping Central service account, assuming that the IIS application pools for Shopping have been configured to run as that account. This is a non-typical configuration.

setspn -s HTTP/shopping ACME\svc_ShoppingCtrl
setspn -s HTTP/shopping.acme.local ACME\svc_ShoppingCtrl

The following example creates SPNs for the Shopping application pools when they run as Network Service, which is the most common configuration. In that case, specify the server's computer account.

setspn -s HTTP/shopping ACME-SRV6
setspn -s HTTP/shopping.acme.local ACME-SRV6

To list the SPNs currently registered on the Shopping Central service account and on the server's computer account (the account Network Service uses):

setspn -l svc_ShoppingCtrl
setspn -l ACME-SRV6

More complex scenarios can be configured that require in-depth knowledge of IIS, SPN, and DNS configuration, which is beyond the scope of this documentation.

You can use -a or -s with setspn. Prefer -s: it checks that the SPN is not already registered on another account before assigning it, whereas -a adds it unconditionally. A duplicate SPN (the same SPN on two accounts) causes Kerberos authentication to fail for both accounts, so always check with setspn -q or setspn -l before adding one.
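The following PowerShell is an added example and is not part of the Shopping documentation. It generalises the setspn commands above: it derives the required SPNs from the host headers, searches the whole forest (the global catalog) for an account that already holds each SPN, and only then registers the missing ones with setspn -s, so a duplicate is reported instead of silently breaking Kerberos. The host headers and the account name are assumed values.

```powershell
# Added example, not from the Shopping documentation. Names below are assumed values.
$HostHeaders    = @('shopping.acme.local', 'shopping')   # assumed: DNS Alias FQDN plus optional short name
$AppPoolAccount = 'ACME-SRV6'                            # assumed: computer account (Network Service), as in
                                                         # the documentation; use 'ACME\svc_ShoppingCtrl' for a
                                                         # service account running the application pools

function Get-RequiredSpn {
    param([Parameter(Mandatory)][string[]]$Names)
    # Kerberos clients request HTTP/<host header> for both http:// and https:// URLs,
    # so the service class is HTTP regardless of the binding's scheme.
    foreach ($n in $Names) { "HTTP/$n" }
}

function Find-SpnOwner {
    # Returns the sAMAccountName of every account in the forest that already carries the SPN.
    # Searching the global catalog (GC://) covers every domain, like 'setspn -q -f'.
    param([Parameter(Mandatory)][string]$Spn)
    $forestRoot = [string]([ADSI]'LDAP://RootDSE').rootDomainNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"GC://$forestRoot"
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['samaccountname'][0] }
}

function Register-ShoppingSpn {
    param(
        [Parameter(Mandatory)][string[]]$Names,
        [Parameter(Mandatory)][string]$Account   # computer name, or DOMAIN\sAMAccountName for a user
    )
    # Computer accounts appear in the directory as NAME$, so compare without the trailing $.
    $sam = (($Account -split '\\')[-1]).TrimEnd('$')
    foreach ($spn in (Get-RequiredSpn -Names $Names)) {
        $owners = @(Find-SpnOwner -Spn $spn)
        if ($owners | Where-Object { $_.TrimEnd('$') -ieq $sam }) {
            Write-Output "$spn is already registered on $Account"
            continue
        }
        if ($owners.Count -gt 0) {
            # A duplicate SPN leaves the KDC unable to choose a key, so Kerberos fails for both accounts.
            throw "$spn is already registered on $($owners -join ', '); remove it before registering it on $Account"
        }
        # -s re-checks for duplicates before writing; -a would add the SPN unconditionally.
        setspn -s $spn $Account
        if ($LASTEXITCODE -ne 0) { throw "setspn failed for $spn (exit code $LASTEXITCODE)" }
    }
    # Show the final state of the account, as the documentation does with setspn -l.
    setspn -l $Account
}

Register-ShoppingSpn -Names $HostHeaders -Account $AppPoolAccount
```

Run it as an account that can write servicePrincipalName on the target object (a domain administrator for a service account). After changing SPNs, clients that already hold a ticket for the old state will not pick up the change until their ticket cache is refreshed (for example with klist purge or a log off).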