quote:

---

> Hi,
>
> our WinNT4 SP6a, IIS4 server has suddenly stopped requesting/accepting
> client certificates issued by our CA.
> The only things that have changed since I last saw it work (pre Christmas)
> are:
>
> A bunch of patches:
> Root Certificates Update
> Enabling the PIP_CREATE_INSTANCE flag for non-admin users (823492)
> Cumulative Security Update for Internet Explorer 6 SP1 (KB824145)
> Security update for Microsoft Windows (KB823182)
>
> and we've gone from 2003 to 2004
>
> The CA's public key is valid until 2005 and appears to be still installed
> (CA is on same server) correctly, though I followed
>

---

quote:

---

> just in case.
>
> Any ideas?
>
> It's still requesting certs, since on one PC it prompted for the VeriSign
> cert I had installed.
>
> Help! This is urgent!
>
> Soon'ish
> Craig
>
>

---

quote:

---

>Hi,
>
>our WinNT4 SP6a, IIS4 server has suddenly stopped requesting/accepting
>client certificates issued by our CA.
>The only things that have changed since I last saw it work (pre Christmas)
>are:
>
>A bunch of patches:
>Root Certificates Update
>Enabling the PIP_CREATE_INSTANCE flag for non-admin users (823492)
>Cumulative Security Update for Internet Explorer 6 SP1 (KB824145)
>Security update for Microsoft Windows (KB823182)
>
>and we've gone from 2003 to 2004
>
>The CA's public key is valid until 2005 and appears to be still installed
>(CA is on same server) correctly, though I followed
>(http://support.microsoft.com/defaul...788&Product=iis)
>just in case.
>
>Any ideas?
>
>It's still requesting certs, since on one PC it prompted for the VeriSign
>cert I had installed.
>
>Help! This is urgent!
>
>Soon'ish
>Craig
>

---

quote:

---

> Does this apply ?
> The VeriSign Global Server Intermediate Root CA for IIS expires on January
> 7, 2004
> http://support.microsoft.com/?id=834438

---

quote:

---

> Craig,
>
> The Verisign Intermediate Root CA on your server has expired. Update
> it by following this link :
>
> Expiration of VeriSign Global Server ID Intermediate Root CA on
> 1/7/2004
> http://www.verisign.com/support/ven...p-gsid-ssl.html
>
> This link is also quite useful :
>
> How to Determine the Intermediate CA Version Currently Active on your
> IIS 5.0/IIS 6.0 Server
> https://www.verisign.com/support/site/iis5check.html
>
>
> Regards,
>
> Paul Lynch
> MCSE

---

quote:

---

> Hi Craig,
>
> Thank you for posting in MSDN managed newsgroup!
>
> It will be appreciated you tell us whether this issue still remains. I'd
> suggest you can try the methods from Bernard and Paul. If it remains,
> please feel free to let me know.
>
> Thank you for using Microsoft NewsGroup!
>
> Wei-Dong Xu
> Microsoft Product Support Services
> Get Secure! - www.microsoft.com/security
> This posting is provided "AS IS" with no warranties, and confers no

---

quote:

---

>

---

quote:

---

> Hi Bernard,
>
> thanks for that. I hadn't updated the VeriSign certs (we use our own CA

---

quote:

---

> this server and it's client certs) and even after I followed VeriSign's
> instructions.... it sill doesn't work.
>
> Normal HTTPS traffic is fine, it's only when a cert is required that the
> server fails.
> It fails in two ways:
> 1. It doesn't prompt the user for any client certs issued by our CA and
> 2. You then either get a server not found error (if you supply say a
> VeriSign client cert) or cert required (if you supply no cert).
>
> The server not found error is interesting, since in the webserver's log,
> there is an HTTP 500 error, with no additional info:
>
> #Software: Microsoft Internet Information Server 4.0
> #Version: 1.0
> #Date: 2004-01-10 02:25:26
> #Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem

---

quote:

---

> sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version
> cs(User-Agent) cs(Cookie) cs(Referer)
> 2004-01-10 02:25:53 X.X.X.X - X.X.X.X GET /path - 500 87 0 563 47 443
> HTTP/1.1
>

---

quote:

---

> NET+CLR+1.1.4322) ASPSESSIONIDQRTCSDTQ=NBOLEBLDKFMBGACMBKE
GLHCA
> https://host.com/oldpath
>
> It looks like it's lost (or invalidated) our CA's public key.
>
> Any more ideas?
>
> Thanks
> Craig
>
>
> "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> news:%23XQrFIq1DHA.2896@TK2MSFTNGP09.phx.gbl...
January[QUOTE][color=darkred]
>
>

---

quote:

---

> Disabled IE friend error msgs, post the error msgs here.
> http://support.microsoft.com/?id=294807
>
> Win32 status 87 = the parameter is incorrect.
>
> Not much clue now, hopefully the full error msgs will tell us what's

---

quote:

---

>Hi Paul,
>
>thanks for that. I hadn't updated the VeriSign certs (we use our own CA for
>this server and it's client certs) and even after I followed VeriSign's
>instructions.... it sill doesn't work.
>
>Normal HTTPS traffic is fine, it's only when a cert is required that the
>server fails.
>It fails in two ways:
>1. It doesn't prompt the user for any client certs issued by our CA and
>2. You then either get a server not found error (if you supply say a
>VeriSign client cert) or cert required (if you supply no cert).
>
>The server not found error is interesting, since in the webserver's log,
>there is an HTTP 500 error, with no additional info:
>
>#Software: Microsoft Internet Information Server 4.0
>#Version: 1.0
>#Date: 2004-01-10 02:25:26
>#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query
>sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version
>cs(User-Agent) cs(Cookie) cs(Referer)
>2004-01-10 02:25:53 X.X.X.X - X.X.X.X GET /path - 500 87 0 563 47 443
>HTTP/1.1
>Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Q312461;+Hot+Lingo+2.0;+.
>NET+CLR+1.1.4322) ASPSESSIONIDQRTCSDTQ=NBOLEBLDKFMBGACMBKE
GLHCA
>https://host.com/oldpath
>
>It looks like it's lost (or invalidated) our CA's public key.
>
>Any more ideas?
>
>Thanks
>Craig

---

quote:

---

>Hi Paul,
>
>thanks for that. I hadn't updated the VeriSign certs (we use our own CA for
>this server and it's client certs) and even after I followed VeriSign's
>instructions.... it sill doesn't work.
>
>Normal HTTPS traffic is fine, it's only when a cert is required that the
>server fails.
>It fails in two ways:
>1. It doesn't prompt the user for any client certs issued by our CA and
>2. You then either get a server not found error (if you supply say a
>VeriSign client cert) or cert required (if you supply no cert).
>
>The server not found error is interesting, since in the webserver's log,
>there is an HTTP 500 error, with no additional info:
>
>#Software: Microsoft Internet Information Server 4.0
>#Version: 1.0
>#Date: 2004-01-10 02:25:26
>#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query
>sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version
>cs(User-Agent) cs(Cookie) cs(Referer)
>2004-01-10 02:25:53 X.X.X.X - X.X.X.X GET /path - 500 87 0 563 47 443
>HTTP/1.1
>Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Q312461;+Hot+Lingo+2.0;+.
>NET+CLR+1.1.4322) ASPSESSIONIDQRTCSDTQ=NBOLEBLDKFMBGACMBKE
GLHCA
>https://host.com/oldpath
>
>It looks like it's lost (or invalidated) our CA's public key.
>
>Any more ideas?
>
>Thanks
>Craig

---

quote:

---

>
> Craig,
>
> Don't know what else to suggest. I did see a post in another group by
> someone who said that the instructions in this link worke for them on
> IIS4 :
>
> http://www.safescrypt.com/faq/faqIn...teCAforGSID.htm
>
> Hope this helps.
>
>
> Regards,
>
> Paul Lynch
> MCSE

---

quote:

---

> Craig,
>
> As a follow-up I just found this article which seems to indicate that
> the effects of the recent Verisign cert expiry are more far-reaching
> than may have been previously considered.
>
> This *could* help explain your problems :
>
> http://service1.symantec.com/SUPPOR...004010810205113
>
>
> Regards,
>
> Paul Lynch
> MCSE

---

quote:

---

> Thanks again Paul, still no dice, though of course, it's only confirming
> that the browser has the right CA certs. I need to hunt the meta base I
> think...

---

quote:

---

> Hi Craig,
>
> Thank you for replying and the detailed information about the
> troubleshooting!
>
> I'd suggest you can use the SSL diagnostic utility to test the server SSL
> configuration. It will provide some information for us to locate the
> culprit. This utility is available from the link:
> SSL Diagnostics Version 1.0 (x86)
>

---

quote:

---

> 83d4-06c814265282&DisplayLang=en
>
> Please feel free to let me know if you have any questions.
>
> Thank you for using Microsoft NewsGroup!

---

quote:

---

> Hi Craig,
>
> Thank you for replying!
>
> I'd suggest you can use the WFetch utility to test the client request. You
> can run this utility in the client side and then specify the client
> certificate and send one request to the server. The WFetch log will help
> some.
>
> You can download this utility from the link:
> 284285 HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
>

---

quote:

---

> 80/support/kb/articles/Q284/2/85.ASP&NoWebContent=1
>
> Please feel free to let me know if you have any further questions.
>
> Does this answer your question? Thank you for using Microsoft NewsGroup!
>
> Wei-Dong Xu
> Microsoft Product Support Services
> Get Secure! - www.microsoft.com/security
> This posting is provided "AS IS" with no warranties, and confers no

---

quote:

---

>

---

quote:

---

> Hi Bernard,
>
> no change, still get the "Cannot find server or DNS Error" when a VeriSign
> cert is supplied or
> the "403.7 Forbidden: Client certificate required" (as expected) if I

---

quote:

---

> supply a cert.
>
> I need a way to get more info out of the HTTP 500 error on the server.
>
> I tried all three methods in 294807, but it looks like the client gets
> disconnected from the server (hence the "Cannot find server or DNS Error")
> before the HTTP 500 gets sent to the client. And there's still nothing

---

quote:

---

> than the 500 in the log... <sigh>
>
> Hopefully Wei-Dong Xu can find something at MS...
>
> I'll try not to pull my hair out... though it would be nice to get this
> running again by Monday...
>
> Soon'ish
> Craig
>
>
> "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> news:eElzdZy1DHA.2324@TK2MSFTNGP09.phx.gbl...
> wrong.
>
>

---

quote:

---

> Ya. got no more ideas. let wait for Wei-Dong's response.
>
> --
> Regards,
> Bernard Cheah
> http://support.microsoft.com/
> Please respond to newsgroups only ...

---

quote:

---

>
> Hi Craig,
>
> Did you see 403.7 or 403.16 error on the client side? Also, from the

---

quote:

---

> side, do you "require client certificates" or just "accept certificates" ?
> (I assume it is IIS4.0 machine on NT)
> - Open IIS manager
> - highlight website and right click mouse
> - go to properties
> - directory security
> - Secure communications.
>
> Please let me know the exact error message from client side if you

---

quote:

---

> client certificates".
>
> 2 suggestions to try at this moment:
>
> 1) Install the certificate trust hotfix 831225, which will fix an existing
> issue for CA trust. The link below is for English NT4.0 server version. If
> you are using the other version, please let me know.
> Package:
> -----------------------------------------------------------
> KB Article Number(s): 831225
> Language: English
> Platform: i386
> Location:
>

---

quote:

---

> /free/148706_ENU_i386_zip.exe)
> Password: LFuu99vHF
> Password Changes On: 12/16/2003
> Next Password: sa3Qt3%II
>
> 2) 2 Verisign intermediate CAs expired on 1/07 and 01/06. We also need to
> address on that.
> Follow the instructions on Verisign
> https://www.verisign.com/support/si...eplacement.html
> Remove the expired Intermediate CA:
> Open Internet Explorer and select Tools > Internet Options from the menu
> bar
> Click on the Content tab
> Click on the Certificates button
> Click on the Intermediate Certificate Authorities tab
> Select the "www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
> VeriSign" certificate that expires on 1/7/04 and click on the Remove

---

quote:

---

>
> Install the new Verisign Intermediate CA.
> http://www.safescrypt.com/faq/faqIn...teCAforGSID.htm
>
> Thank you for choosing Microsoft
>
> Hugh Zhu (MCSE, MCSD, MCAD .Net)
> Developer Support Engineer (IIS)
>
> This posting is provided "AS IS" with no warranties, and confers no

---

quote:

---

> You assume all risk for your use. © 2002 Microsoft Corporation. All rights
> reserved.
>
>

---

quote:

---

> Hi Craig,
>
> Here is the more information about this hotfix 831225.
>

---

quote:

---

> /free/148706_ENU_i386_zip.exe)
>
> After installing security patch MS03-041 in NT 4.0 OptionPack + SP6a (IIS
> 4.0) box, some CA Root Certificates became unrecognizable, in result
> clients could not get through SSL access by using "client certificate
> mapping" or "client certificates required".
>
> The issue is related to MS03-041 installed on some certain NT4 OS with the
> customer CA configured.
> MS03-041 addressed some security vulnerability.
>

---

quote:

---

> bulletin/ms03-041.asp
> Vulnerability in Authenticode Verification Could Allow Remote Code
> Execution (823182)
>
> We need to install 831225 to test it or remove Q823182 to see whether it

---

quote:

---

> working. But removing 823182 (MS03-041) will cause some security issue.
>
> I hope the info above is helpful.
>
> Thank you for choosing Microsoft
>
> Hugh Zhu (MCSE, MCSD, MCAD .Net)
> Developer Support Engineer (IIS)
>
> This posting is provided "AS IS" with no warranties, and confers no

---

quote:

---

> You assume all risk for your use. © 2002 Microsoft Corporation. All rights
> reserved.
>
>

---