Hi Hugh,
I've already applied the VeriSign fix.
I see 403.7 when no certificate is supplied.
When a VeriSign cert is supplied, the client is disconnected, while the
server logs an HTTP 500 error (win32 error 87). Note: the VeriSign cert is
not mapped to any account.
The server is set to Require certs. Yes, it's WinNT4Sp6a, scheduled for
replacement with Win2003/IIS6, but we're not ready yet....
Before I apply the MS patch, can you point me at more documentation about
it? I can't find anything about it on microsoft.com (or anywhere, for
that matter).
Thanks
Craig
"hugh Z. [MS]" <huizhu@online.microsoft.com> wrote in message
news:iuFny152DHA.3892@cpmsftngxa08.phx.gbl...
>
> Hi Craig,
>
> Did you see a 403.7 or 403.16 error on the client side? Also, from the server
> side, do you "require client certificates" or just "accept certificates"?
> (I assume it is an IIS4.0 machine on NT)
> - Open IIS manager
> - highlight website and right click mouse
> - go to properties
> - directory security
> - Secure communications.
>
> Please let me know the exact error message from client side if you "require
> client certificates".
>
> 2 suggestions to try at this moment:
>
> 1) Install the certificate trust hotfix 831225, which will fix an existing
> issue for CA trust. The link below is for English NT4.0 server version. If
> you are using the other version, please let me know.
> Package:
> -----------------------------------------------------------
> KB Article Number(s): 831225
> Language: English
> Platform: i386
> Location:
> (http://hotfixv4.microsoft.com/Window.../PKG66582/1381/free/148706_ENU_i386_zip.exe)
> Password: LFuu99vHF
> Password Changes On: 12/16/2003
> Next Password: sa3Qt3%II
>
> 2) 2 Verisign intermediate CAs expired on 1/07 and 01/06. We also need to
> address that.
> Follow the instructions on Verisign
> https://www.verisign.com/support/sit...placement.html
> Remove the expired Intermediate CA:
> Open Internet Explorer and select Tools > Internet Options from the menu
> bar
> Click on the Content tab
> Click on the Certificates button
> Click on the Intermediate Certificate Authorities tab
> Select the "www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
> VeriSign" certificate that expires on 1/7/04 and click on the Remove button
>
> Install the new Verisign Intermediate CA.
> http://www.safescrypt.com/faq/faqInt...eCAforGSID.htm
>
> Thank you for choosing Microsoft
>
> Hugh Zhu (MCSE, MCSD, MCAD .Net)
> Developer Support Engineer (IIS)
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> You assume all risk for your use. © 2002 Microsoft Corporation. All rights
> reserved.
>
>