Step 11: Configure TLS and Close Migration Wizard

💡Configure and Enable TLS (use HTTPS)

1. Next, in the Nodinite Portal, close the migration wizard and configure TLS if needed. This step is mandatory whether or not you use TLS—you must close the wizard.
2. If you want to use TLS, continue with this guide, otherwise skip to Option B. to enable Pickup Service configuration.

---

Prerequisites

• Step 10 completed – Core functionality verified
• Portal access to your Environment
• If using TLS: Certificate installed in IIS with thumbprint documented

---

Understanding This Step

Regardless of whether you use HTTPS or HTTP, closing the migration wizard is mandatory. Until the Portal Environment modal is closed, the Pickup Service cannot be configured or installed in Step 12.

If you are re-enabling TLS after the upgrade, you must also re-enter your certificate thumbprint before closing — the upgrade process does not carry TLS settings forward automatically.

Choose Your Path

	Option	When to use
	Option A: Re-enable TLS	You are restoring HTTPS — your certificate is installed in IIS and DNS is configured
	Option B: Continue Without TLS	You are running HTTP only (e.g., intranet) and only need to close the wizard

---

Option A: Re-enable TLS (If Using HTTPS)

Critical Shared IIS Certificate Reuse Edge Case

Warning

If this server hosts other IIS web sites and you reuse the same certificate for Nodinite, existing HTTPS bindings on those other sites can be removed during install when they are configured without both a host name and SNI enabled.

In this exact configuration, the risk is effectively 100%: existing HTTPS bindings are typically removed and dependent APIs or applications can stop working.

Example of an IIS HTTPS binding configuration on another site that must be corrected before reusing the same certificate for Nodinite.

Before you continue, use one of these mitigations:

• On every non-Nodinite IIS site using the same certificate, assign a host name and enable the SNI checkbox on the HTTPS binding.
• Use a different certificate for Nodinite.
• Install Nodinite on another machine where this binding pattern does not exist.

If the existing HTTPS bindings already have host name and SNI enabled, Nodinite can co-exist with those sites on the same IIS server.

Steps

1. Go to Portal → your Environment
2. Navigate to TLS tab:
   • Host / Domain: Your DNS name (e.g., nodinite.yourdomain.com)
   • Certificate Thumbprint: Copy from IIS Server Certificates (remove spaces)

Example of the TLS tab showing the Hostname / SNI and Certificate Thumbprint fields.

Important

When migrating from v6, Nodinite runs in Windows authentication mode. The hostname you enter here must be in the browser's Local Intranet Zone — otherwise the browser falls back from Kerberos to NTLM, causing severe performance degradation (4+ second response times per page). Add the hostname to the intranet zone via Group Policy before going live. See NTLM vs Kerberos Authentication for diagnosis and fix instructions.

1. Navigate to Basic tab:

   • Change Web Client Port to 443 (or your SSL port)

2. Click Save

3. (Optional) Navigate to the Agents tab and configure the Pickup Log Events Service (service account, port, Log API endpoint) before downloading — this saves a round trip to the Portal. Full details in Step 12.

4. Close the Environment modal to return to the environment list

5. In the environment list, click Download next to your environment

6. Extract ZIP, unblock files

7. Open PowerShell 7 as Administrator
   Open Start Menu → Search "PowerShell 7" → Right-click → Run as administrator

8. Navigate to extracted folder

9. Run uninstall script:

   .\!UNINSTALL-Nodinite7-DEMO.ps1  # Replace DEMO with environment name
   

   Important

   The uninstall step is required to cleanly remove existing IIS bindings before the new HTTPS bindings can be created. It does not touch your databases or configuration files — all data is preserved.

10. Run install script:

.\INSTALL-Nodinite7-DEMO.ps1  # Replace DEMO with environment name

1. Verify HTTPS: Open https://nodinite.yourdomain.com
2. Check padlock icon and login works

---

Option B: Continue Without TLS (HTTP Only)

Steps

1. Go to Portal → your Environment
2. Verify Basic tab settings are correct
3. Close Environment modal to exit migration wizard

---

Completion Checklist

• If using TLS (Option A):
  • Certificate thumbprint configured
  • Web Client accessible via HTTPS
  • Padlock icon visible, no certificate errors
  • Can log in via HTTPS
• If using HTTP (Option B):
  • Configuration verified
  • Web Client accessible via HTTP
• Migration wizard closed in Portal
• Portal access to Pickup Service now available

---

Troubleshooting

"HTTP Error 500.21" After Install

Problem

Web Client shows handler error.

Solution

• Verify .NET 10.0 Hosting Bundle installed
• Restart IIS: iisreset /restart
• Re-run installation script

Browser Shows "Not Private" Warning

Problem

Certificate warning in browser.

Solution

• For development: Click Advanced → Proceed (expected for self-signed certs)
• For production: Replace with CA-issued certificate

---

Next Step

• Step 12: Install Pickup Service

Related Topics

• TLS Configuration Guide
• Certificate Management
• NTLM vs Kerberos Authentication