Tip: Changing the Windows Server 2012 R2 Work Folders Port from SSL (443) to Another Port While Keeping SSL Encryption

Hello Folks,

Currently I am very Microsoft-minded because I set up a new “private” environment at home.

With Windows Server 2012 R2, Microsoft introduced the Work Folders feature, which is a “privately” hosted SkyDrive alternative for Windows 8.1. The benefit: all files are hosted in your private cloud and not on an NSA share (or similar 🙂 ).

By default, Work Folders uses the SSL port 443 and is not embedded in the IIS server. This means that if you run a secure website over SSL on your IIS, you will not be able to use the Work Folders feature at all.

The Work Folders management GUI is currently not very useful, and it is not possible to change the port from there, so you have to do it manually.

Important: After this is done, you need to set up the Work Folders configuration manually on the client devices or through domain policies. The auto-detection feature by email will not work anymore!

1) Change the Work Folders configuration: open the file c:\windows\system32\SyncShareSvc.config with a text editor and search for the entry :443: . When you find it, there should be a “bindingInformation” in front of the “:443”. Change 443 to the port you want to use and save the file. You might need to take ownership of the file first to have sufficient rights to save the modified file.

2) Now open the command line (not PowerShell!) with administrator permissions and enter:

netsh http add urlacl url=https://*:*yourporthere*/ user="NT Authority\LOCAL SERVICE"

Replace *yourporthere* with the port number configured in 1). Use plain straight quotes around the user name.

3) Open PowerShell with administrative permissions and enter:

netsh http add sslcert ipport=0.0.0.0:*yourporthere* certhash=*certificatethumbprint* appid='{CE66697B-3AA0-49D1-BDBD-A25C8359FD5D}' certstorename=MY

Replace *yourporthere* with the port number configured in 1) and *certificatethumbprint* with the certificate thumbprint (without spaces, like 0e78323321Ac3….), and make sure the certificate is available in the computer's trusted store. The appid GUID is wrapped in single quotes because PowerShell otherwise tries to interpret the curly braces itself.

4) Restart the SyncShare Service

5) Log on to a Windows 8.1 machine, go to Control Panel -> Work Folders and select the option to set up Work Folders. Do not use the email account; instead, select that you will enter the URL yourself, type in https://yourserver:yourport and continue with the setup. Work Folders should now sync using the new port number. For domain computers you can also set up a policy to force the Work Folders setup to the correct URL without user interaction.
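
To check the server side after steps 1) to 4), here is a PowerShell script that verifies the certificate, the SSL binding, the URL reservation and the service. It is an added example, not part of the original tip; the port 8443, the thumbprint placeholder and the service name SyncShareSvc are assumptions you need to adjust.

```powershell
# Added example: post-change checks for the Work Folders HTTPS binding.
# Run in an elevated PowerShell on the server.
param(
    [int]$Port = 8443,                                # constructed sample port
    [string]$Thumbprint = '<certificate-thumbprint>'  # placeholder, paste your own
)

# Thumbprints copied from the certificate dialog often contain spaces or an
# invisible leading character, so keep only the hex digits.
$thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$thumbOk = ($thumb.Length -eq 40)

# Certificate must exist in the local computer's MY (Personal) store.
$cert = if ($thumbOk) {
    Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
}

# Read back what steps 2) and 3) registered with http.sys.
$sslOut = netsh http show sslcert "ipport=0.0.0.0:$Port" | Out-String
$aclOut = netsh http show urlacl "url=https://*:$Port/" | Out-String

# Service name is an assumption based on the SyncShareSvc.config file name.
$svc = Get-Service -Name SyncShareSvc -ErrorAction SilentlyContinue

# Confirm something is actually listening on the new port.
$tcp = Test-NetConnection -ComputerName 127.0.0.1 -Port $Port `
           -WarningAction SilentlyContinue

$checks = [ordered]@{
    'Thumbprint is 40 hex characters'        = $thumbOk
    'Certificate found in LocalMachine\My'   = [bool]$cert
    'Certificate has a private key'          = ($cert -and $cert.HasPrivateKey)
    'Certificate is not expired'             = ($cert -and $cert.NotAfter -gt (Get-Date))
    'SSL binding uses this certificate'      = ($thumbOk -and $sslOut -match $thumb)
    'URL reservation is for LOCAL SERVICE'   = ($aclOut -match 'LOCAL SERVICE')
    'SyncShare service is running'           = ($svc -and $svc.Status -eq 'Running')
    'Port accepts TCP connections'           = [bool]$tcp.TcpTestSucceeded
}

# Print one row per check so a failed step is easy to spot.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Passed = [bool]$_.Value }
} | Format-Table -AutoSize
```

If the binding check fails while the certificate checks pass, the certhash passed in step 3) most likely differs from the certificate you intended to use.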

Cheers

Michael

P.S.: For Terminal Services running on a Windows server, you can create a Work Folders SMB share and map smb:\\*yourserver*\*workfoldershare*\%USERNAME% to a static drive letter. This is a simple way to make the Work Folders content available to the user in a terminal server session as well.