IIS Server Security - Can't test SSL enabled website

Author

Can't test SSL enabled website

Nishi

2004-08-16, 7:58 am

I was installing a CMS server 2002. I have checked all the
hardware and software prerequisites. For your information
I have a Windows 2000 Adv. Server(with SP-4),
IIS 6.0.

MCMS Server is running fine but when I try to open
the "Site Manager" from another computer in the network I
get the message that I should use "SSL". So I also
installed "CA" and enabled "SSL" for that website as
described
in the Microsoft Knowledge Base Articles. Now when I try
to access the site "http://servername/NRConfig" I got the
error "HTTP 403.4 - Forbidden: SSL required Internet
Information Services", which was expected. However
when I try to access using the
URL "https://servername/NRConfig", I only saw a blank
screen with the status bar showing "Opening page
https://servername/NRConfig...". I'm in fix. would be
really helpfull if someone had any such prob or knows a
solution.

Thanking you all

Nishi

Miha Pihler

2004-08-16, 7:58 am

Hi Nishi,

Dis you mean you are running Windows 2000 Adv. server (with SP-4), IIS 5?

If your client doesn't trust your root certificate it can take a while (e.g.
about 30 seconds, but it depends on key size) before SSL page will load.

Mike

"Nishi" <project_nishi@hotmail.com> wrote in message
news:6b5501c4838e$6c9b5390$a501280a@phx.gbl...
> I was installing a CMS server 2002. I have checked all the
> hardware and software prerequisites. For your information
> I have a Windows 2000 Adv. Server(with SP-4),
> IIS 6.0.
>
> MCMS Server is running fine but when I try to open
> the "Site Manager" from another computer in the network I
> get the message that I should use "SSL". So I also
> installed "CA" and enabled "SSL" for that website as
> described
> in the Microsoft Knowledge Base Articles. Now when I try
> to access the site "http://servername/NRConfig" I got the
> error "HTTP 403.4 - Forbidden: SSL required Internet
> Information Services", which was expected. However
> when I try to access using the
> URL "https://servername/NRConfig", I only saw a blank
> screen with the status bar showing "Opening page
> https://servername/NRConfig...". I'm in fix. would be
> really helpfull if someone had any such prob or knows a
> solution.
>
> Thanking you all
>
> Nishi
>

2004-08-17, 2:59 am

Hi Mike,

Thanks, but my problem is that it does not shows anything
even after 30 mins !!

Nishi

>-----Original Message-----
>Hi Nishi,
>
>Dis you mean you are running Windows 2000 Adv. server
(with SP-4), IIS 5?
>
>If your client doesn't trust your root certificate it can
take a while (e.g.
>about 30 seconds, but it depends on key size) before SSL
page will load.
>
>Mike
>
>"Nishi" <project_nishi@hotmail.com> wrote in message
>news:6b5501c4838e$6c9b5390$a501280a@phx.gbl...
the[vbcol=seagreen]
information[vbcol=seagreen]
I[vbcol=seagreen]
the[vbcol=seagreen]
>
>
>.
>

Miha Pihler

2004-08-17, 2:59 am

Hi,

Can you run this tool on your server.

SSL Diagnostics Version 1.0 (x86)
http://www.microsoft.com/downloads/...&DisplayLang=en

It will check the configuration. Post back with result for more help.

Mike

<anonymous@discussions.microsoft.com> wrote in message
news:75c401c48417$9385f300$a401280a@phx.gbl...[vbcol=seagreen]
> Hi Mike,
>
> Thanks, but my problem is that it does not shows anything
> even after 30 mins !!
>
> Nishi
>
> (with SP-4), IIS 5?
> take a while (e.g.
> page will load.
> the
> information
> I
> the

Nishi

2004-08-17, 7:53 am

Hi Mike
As U have told I ran that tool and here is the result.
----
System time: Tue, 17 Aug 2004 12:09:31 GMT
ModuleFileName: C:\Program Files\Microsoft\SSL
Diagnostics\SSLDiag.exe
OS: Windows 2000 Service Pack 4
IIS5 - World Wide Web Publishing (W3SVC) service is
installed

[
HKLM\System\CurrentControlSet\Services\I
netInfo\Parameters
]
CertChainCacheOnlyUrlRetrieval = True(default)
CheckCertRevocation = False(default)
CertChainCheckUsage = False(default)
sspifilt.dll loaded into process 1224 (inetinfo.exe)

[ SChannel Info ]
CacheSize = 10000
Entries = 10
ActiveEntries = 2

[ W3SVC/1 ]
ServerComment = Default Web Site
ServerAutoStart = True
ServerState = Server started

[ W3SVC/1/Root/_vti_bin ]
AccessSSLFlags = 0 (0x0)

[ W3SVC/2 ]
ServerComment = Administration Web Site
ServerAutoStart = True
ServerState = Server started

[ W3SVC/3 ]
ServerComment = MCMS SCA
ServerAutoStart = True
ServerState = Server started
#Could not impersonate server account
SSLCertHash = e2 c2 d0 cf ed 75 d7 b0 95 76 cb b3 1f a3 fd
62 80 8d a5 f9
SSLStoreName = MY
#CertName = sap:8080
#You have a private key that corresponds to this
certificate
#ContainerName='4c07d9169db1d2e09c5af826
015293f5_05d68fec-
b3cf-40f1-93cd-9862fe26d6ba'
#ProvName='Microsoft RSA SChannel Cryptographic Provider'
ProvType=PROV_RSA_SCHANNEL KeySpec=AT_KEYEXCHANGE
#Subject: C=IN, S=Delhi, L=New Delhi, O=Globalsoft, OU=GS,
CN=sap:8080
#Issuer: C=IN, S=Delhi, L=New Delhi, O=GS, OU=GS, CN=MCMS
#Validity: From 8/17/2004 4:11:43 PM To 8/12/2006 5:34:06
PM
SecureBindings = 192.168.0.1:443:

[ W3SVC/3/Root ]
AccessSSLFlags = 8 (0x8)
AccessSSL = True
AccessSSL128 = False
AccessSSLNegotiateCert = False
AccessSSLRequireCert = False
AccessSSLMapCert = False

----

Thanks again

Nishi

>-----Original Message-----
>Hi,
>
>Can you run this tool on your server.
>
>SSL Diagnostics Version 1.0 (x86)
>http://www.microsoft.com/downloads/details.aspx?
FamilyID=cabea1d0-5a10-41bc-83d4-
06c814265282&DisplayLang=en
>
>It will check the configuration. Post back with result
for more help.
>
>Mike
>
><anonymous@discussions.microsoft.com> wrote in message
>news:75c401c48417$9385f300$a401280a@phx.gbl...
anything[vbcol=seagreen]
can[vbcol=seagreen]
SSL[vbcol=seagreen]
all[vbcol=seagreen]
network[vbcol=seagreen]
try[vbcol=seagreen]
knows a[vbcol=seagreen]
>
>
>.
>

Nishi

2004-08-17, 7:53 am

Hi Mike

I forgot to paste the "Simulate Handshake" result
--
System time: Tue, 17 Aug 2004 12:43:19 GMT
Connecting to 192.168.0.1:443
Connected
Handshake: 108 bytes sent
Handshake: 1329 bytes received
Handshake: 118 bytes sent
Handshake: 43 bytes received
Handshake succeeded
Verifying server certificate, it might take a while...
Server certificate name: sap:8080
Server certificate subject: C=IN, S=Delhi, L=New Delhi,
O=Globalsoft, OU=GS, CN=sap:8080
Server certificate issuer: C=IN, S=Delhi, L=New Delhi,
O=GS, OU=GS, CN=MCMS
Server certificate validity: From 8/17/2004 4:11:43 PM To
8/12/2006 5:34:06 PM
HTTPS request:
GET / HTTP/1.0
User-Agent: SSLDiag
Accept:*/*
HTTPS: 72 bytes of encrypted data sent
HTTPS: 4667 bytes of encrypted data received
Status:
HTTP/1.1 401 Access Denied
HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
Date: Tue, 17 Aug 2004 12:43:19 GMT
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 4431
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html dir=ltr>
<head>
<style>
a:link {font:8pt/11pt verdana;
color:FF0000}
a:visited {font:8pt/11pt verdana;
color:#4e4e4e}
</style>
<META NAME="ROBOTS" CONTENT="NOINDEX">
<title>You are not authorized to view this page</title>
<META HTTP-EQUIV="Content-Type" Content="text-html;
charset=Windows-1252">
</head>
<script>
function Homepage(){

</script>
<body bgcolor="FFFFFF">
<table width="410" cellpadding="3" cellspacing="5">
<tr>
<td align="left" valign="middle" width="360">
<h1 style="COLOR:000000; FONT: 13pt/15pt
verdana">You are not authorized to view this
page</h1>
</td>
</tr>

<tr>
<td width="400" colspan="2">
<font style="COLOR:000000; FONT: 8pt/11pt
verdana">You do not have permission to view this directory
or page using the credentials you supplied.</font></td>
</tr>

<tr>
<td width="400" colspan="2">
<font style="COLOR:000000; FONT: 8pt/11pt verdana">
<hr color="#C0C0C0" noshade>

<p>Please try the following:</p>

<ul>
<li>Click the <a href="java script:location.reload
()">Refresh</a> button to try again with different
credentials.</li>
<li>If you believe you should be able to view this
directory or page, please contact the Web site
administrator by using the e-mail address or phone number
listed on the
<script>

</script>
home page.</li>
</ul>
<h2 style="font:8pt/11pt verdana; color:000000">HTTP
401.2 - Unauthorized: Logon failed due to server
configuration<br>
Internet Information Services</h2>
<hr color="#C0C0C0" noshade>

<p>Technical Information (for support personnel)
</p>
<ul>

<li>Background:<br>
This is usually caused by a server-side script not
sending the proper WWW-Authenticate header field. Using
Active Server Pages scripting this is done by using the
<strong>AddHeader</strong> method of the
<strong>Response</strong> object to request that the c
<p>
<li>More information:<br>
<a href="http://www.microsoft.com/ContentRedirect.asp?
prd=iis&sbp=&pver=5.0&pid=&ID=401.2&cat=web&os=&over=&hrd=&
Opt1=&Opt2=&Opt3=" target="_blank">Microsoft Support</a>
</li>
</p>
</ul>
</font></td>
</tr>

</table>
</body>
</html>
HTTPS: server disconnected
Final handshake: 23 bytes sent successfully
-----

>-----Original Message-----
>Hi Mike
>As U have told I ran that tool and here is the result.
> ----
>System time: Tue, 17 Aug 2004 12:09:31 GMT
>ModuleFileName: C:\Program Files\Microsoft\SSL
>Diagnostics\SSLDiag.exe
>OS: Windows 2000 Service Pack 4
>IIS5 - World Wide Web Publishing (W3SVC) service is
>installed
>
>[
> HKLM\System\CurrentControlSet\Services\I
netInfo\Parameters

>]
>CertChainCacheOnlyUrlRetrieval = True(default)
>CheckCertRevocation = False(default)
>CertChainCheckUsage = False(default)
>sspifilt.dll loaded into process 1224 (inetinfo.exe)
>
>[ SChannel Info ]
>CacheSize = 10000
>Entries = 10
>ActiveEntries = 2
>
>[ W3SVC/1 ]
>ServerComment = Default Web Site
>ServerAutoStart = True
>ServerState = Server started
>
>[ W3SVC/1/Root/_vti_bin ]
>AccessSSLFlags = 0 (0x0)
>
>[ W3SVC/2 ]
>ServerComment = Administration Web Site
>ServerAutoStart = True
>ServerState = Server started
>
>[ W3SVC/3 ]
>ServerComment = MCMS SCA
>ServerAutoStart = True
>ServerState = Server started
>#Could not impersonate server account
>SSLCertHash = e2 c2 d0 cf ed 75 d7 b0 95 76 cb b3 1f a3
fd
>62 80 8d a5 f9
>SSLStoreName = MY
>#CertName = sap:8080
>#You have a private key that corresponds to this
>certificate
> #ContainerName='4c07d9169db1d2e09c5af826
015293f5_05d68fec-
>b3cf-40f1-93cd-9862fe26d6ba'
>#ProvName='Microsoft RSA SChannel Cryptographic Provider'
>ProvType=PROV_RSA_SCHANNEL KeySpec=AT_KEYEXCHANGE
>#Subject: C=IN, S=Delhi, L=New Delhi, O=Globalsoft,
OU=GS,
>CN=sap:8080
>#Issuer: C=IN, S=Delhi, L=New Delhi, O=GS, OU=GS, CN=MCMS
>#Validity: From 8/17/2004 4:11:43 PM To 8/12/2006 5:34:06
>PM
>SecureBindings = 192.168.0.1:443:
>
>[ W3SVC/3/Root ]
>AccessSSLFlags = 8 (0x8)
>AccessSSL = True
>AccessSSL128 = False
>AccessSSLNegotiateCert = False
>AccessSSLRequireCert = False
>AccessSSLMapCert = False
>
> ----
>
>Thanks again
>
>Nishi
>
>
>
>FamilyID=cabea1d0-5a10-41bc-83d4-
>06c814265282&DisplayLang=en
>for more help.
>anything
>can
>SSL
>all
>network
I[vbcol=seagreen]
>try
got[vbcol=seagreen]
blank[vbcol=seagreen]
be[vbcol=seagreen]
>knows a
>.
>

ripnrow

2004-08-17, 5:54 pm

Nishi,

I am having the same problem. If you find a fix please post it.

Thanks.

"Miha Pihler" wrote:

> It looks like everything here is OK. Check what is your authentication
> setting (do you have anonymous enabled or e.g. Basic auth.). Also enter
> complete path in browser e.g. https://server/default.asp It this doesn't
> work try https://10.10.10.10/default.asp (where 10.10.10.10 is IP of your
> server). On server also try https://localhost/ does this work?
>
> Mike
>
> "Nishi" <project_nishi@hotmail.com> wrote in message
> news:053801c48459$12d548e0$a301280a@phx.gbl...
>
>
>

2004-08-18, 2:48 am

Hi Mike,

The default page(in my case "https://servername:8080"
has "Anonymous access" and "Integrated Windows
authentication" checked.
And in the MCMS Site Manager
page "https://servername:8080/NRConfig" we have "Basic
authentication" and "Integrated Windows authentication"
checked. I have tried full path,IP and localhost but after
many mins what I get is a blank page . However SSL is not
enabled in the default web site. It is only enabled in the
MCMS site for which I'm using port 8080.

Here is the latest SSL Handshake simulation result
---
System time: Wed, 18 Aug 2004 06:05:22 GMT
Connecting to 192.168.0.1:443
Connected
Handshake: 108 bytes sent
Handshake: 1329 bytes received
Handshake: 118 bytes sent
Handshake: 43 bytes received
Handshake succeeded
Verifying server certificate, it might take a while...
Server certificate name: sap:8080
Server certificate subject: C=IN, S=Delhi, L=New Delhi,
O=Globalsoft, OU=GS, CN=sap:8080
Server certificate issuer: C=IN, S=Delhi, L=New Delhi,
O=GS, OU=GS, CN=MCMS
Server certificate validity: From 8/17/2004 4:11:43 PM To
8/12/2006 5:34:06 PM
HTTPS request:
GET / HTTP/1.0
User-Agent: SSLDiag
Accept:*/*
HTTPS: 72 bytes of encrypted data sent
HTTPS: 173 bytes of encrypted data received
HTTP/1.1 200 Ok
Server: Microsoft-IIS/5.0
Date: Wed, 18 Aug 2004 06:05:22 GMT
X-Powered-By: ASP.NET
Content-Type: text/html
HTTPS: 3916 bytes of encrypted data received
<head><title>192.168.0.1 -
/</title></head><body><H1>192.168.0.1 - /</H1><hr>
HTTPS: server disconnected
Sunday, March 28, 2004 11:00 AM <dir> <A
HREF="/wmpub/">wmpub</A><br></pre><hr></body>
Final handshake: 23 bytes sent successfully
---

Nishi

>-----Original Message-----
>Nishi,
>
>I am having the same problem. If you find a fix please
post it.
>
>Thanks.
>
>"Miha Pihler" wrote:
>
authentication[vbcol=seagreen]
auth.). Also enter[vbcol=seagreen]
https://server/default.asp It this doesn't[vbcol=seagreen]
10.10.10.10 is IP of your[vbcol=seagreen]
this work?[vbcol=seagreen]
Delhi,[vbcol=seagreen]
PM To[vbcol=seagreen]
Final//EN">[vbcol=seagreen]
page</title>[vbcol=seagreen]
this:[vbcol=seagreen]
res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.ht[vbcol=seagreen]
= "res://shdocvw.dll/http_404.htm#https://www.microsoft.com[vbcol=seagreen]
marker.[vbcol=seagreen]
inner){[vbcol=seagreen]
3 );[vbcol=seagreen]
this[vbcol=seagreen]
directory[vbcol=seagreen]
supplied.</font></td>[vbcol=seagreen]
number[vbcol=seagreen]
== "2")))[vbcol=seagreen]
color:000000">HTTP[vbcol=seagreen]
Using[vbcol=seagreen]
the[vbcol=seagreen]
prd=iis&sbp=&pver=5.0&pid=&ID=401.2&cat=web&os=&over=&hrd=&[vbcol=seagreen]
Support</a>[vbcol=seagreen]
result.[vbcol=seagreen]
> HKLM\System\CurrentControlSet\Services\I
netInfo\Parameters
a3[vbcol=seagreen]
> #ContainerName='4c07d9169db1d2e09c5af826
015293f5_05d68fec-
Provider'[vbcol=seagreen]
CN=MCMS[vbcol=seagreen]
5:34:06[vbcol=seagreen]
result[vbcol=seagreen]
message[vbcol=seagreen]
server[vbcol=seagreen]
certificate it[vbcol=seagreen]
before[vbcol=seagreen]
message[vbcol=seagreen]
checked[vbcol=seagreen]
open[vbcol=seagreen]
also[vbcol=seagreen]
website as[vbcol=seagreen]
when[vbcol=seagreen]
site "http://servername/NRConfig" I[vbcol=seagreen]
Internet[vbcol=seagreen]
However[vbcol=seagreen]
page[vbcol=seagreen]
would[vbcol=seagreen]
>.
>

Nishi

2004-08-18, 2:48 am

Miha Pihler

2004-08-18, 2:48 am

Hi,

If you will run your website (SSL website) on port 8080 you will have to
change SSL port to 8080. You can do this under properties of default
website -> General page.

Why do you need to run the page on port 8080?

Mike

"Nishi" <project_nishi@hotmail.com> wrote in message
news:81c201c484ea$d049aec0$a401280a@phx.gbl...[vbcol=seagreen]
> Hi Mike,
>
> The default page(in my case "https://servername:8080"
> has "Anonymous access" and "Integrated Windows
> authentication" checked.
> And in the MCMS Site Manager
> page "https://servername:8080/NRConfig" we have "Basic
> authentication" and "Integrated Windows authentication"
> checked. I have tried full path,IP and localhost but after
> many mins what I get is a blank page . However SSL is not
> enabled in the default web site. It is only enabled in the
> MCMS site for which I'm using port 8080.
>
> Here is the latest SSL Handshake simulation result
> ---
> System time: Wed, 18 Aug 2004 06:05:22 GMT
> Connecting to 192.168.0.1:443
> Connected
> Handshake: 108 bytes sent
> Handshake: 1329 bytes received
> Handshake: 118 bytes sent
> Handshake: 43 bytes received
> Handshake succeeded
> Verifying server certificate, it might take a while...
> Server certificate name: sap:8080
> Server certificate subject: C=IN, S=Delhi, L=New Delhi,
> O=Globalsoft, OU=GS, CN=sap:8080
> Server certificate issuer: C=IN, S=Delhi, L=New Delhi,
> O=GS, OU=GS, CN=MCMS
> Server certificate validity: From 8/17/2004 4:11:43 PM To
> 8/12/2006 5:34:06 PM
> HTTPS request:
> GET / HTTP/1.0
> User-Agent: SSLDiag
> Accept:*/*
> HTTPS: 72 bytes of encrypted data sent
> HTTPS: 173 bytes of encrypted data received
> HTTP/1.1 200 Ok
> Server: Microsoft-IIS/5.0
> Date: Wed, 18 Aug 2004 06:05:22 GMT
> X-Powered-By: ASP.NET
> Content-Type: text/html
> HTTPS: 3916 bytes of encrypted data received
> <head><title>192.168.0.1 -
> /</title></head><body><H1>192.168.0.1 - /</H1><hr>
> HTTPS: server disconnected
> Sunday, March 28, 2004 11:00 AM <dir> <A
> HREF="/wmpub/">wmpub</A><br></pre><hr></body>
> Final handshake: 23 bytes sent successfully
> ---
>
> Nishi
>
>
> post it.
> authentication
> auth.). Also enter
> https://server/default.asp It this doesn't
> 10.10.10.10 is IP of your
> this work?
> Delhi,
> PM To
> Final//EN">
> page</title>
> this:
> res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.ht
> = "res://shdocvw.dll/http_404.htm#https://www.microsoft.com
> marker.
> inner){
> 3 );
> this
> directory
> supplied.</font></td>
> number
> == "2")))
> color:000000">HTTP
> Using
> the
> prd=iis&sbp=&pver=5.0&pid=&ID=401.2&cat=web&os=&over=&hrd=&
> Support</a>
> result.
> a3
> Provider'
> CN=MCMS
> 5:34:06
> result
> message
> server
> certificate it
> before
> message
> checked
> open
> also
> website as
> when
> site "http://servername/NRConfig" I
> Internet
> However
> page
> would

Nishi

2004-08-18, 2:48 am

Hi Mike,

We cannot give the same number to both the website port
and the SSL port. And moreover 443 was recomended in some
literature.

Actually my default website is using the port 80(default)
so I used 8080 for my MCMS site(SSL is enabled in this
site). Is it a problem?

Nishi

>-----Original Message-----
>Hi,
>
>If you will run your website (SSL website) on port 8080
you will have to
>change SSL port to 8080. You can do this under properties
of default[vbcol=seagreen]
>website -> General page.
>
>Why do you need to run the page on port 8080?
>
>Mike
>
>"Nishi" <project_nishi@hotmail.com> wrote in message
>news:81c201c484ea$d049aec0$a401280a@phx.gbl...
after[vbcol=seagreen]
not[vbcol=seagreen]
the[vbcol=seagreen]
To[vbcol=seagreen]

Miha Pihler

2004-08-18, 2:48 am

I agree on using 443 for SSL, but then you can't use URL

https://server:8080 then you have to use just https://server

Mike

"Nishi" <project_nishi@hotmail.com> wrote in message
news:84f201c484fc$c07eb190$a601280a@phx.gbl...
> Hi Mike,
>
> We cannot give the same number to both the website port
> and the SSL port. And moreover 443 was recomended in some
> literature.
>
> Actually my default website is using the port 80(default)
> so I used 8080 for my MCMS site(SSL is enabled in this
> site). Is it a problem?
>
> Nishi
>
> you will have to
> of default
> after
> not
> the
> To
>