Talk Root - PC Hardware, Software and Web Development forums

01-11-2004, 06:00 PM   #16
Craig Humphrey
Re: IIS4 no longer requests client certs issued by our CA!

Hi Wei-Dong Xu,

I've already tried this tool... It's OK for testing HTTPS, but no good for
testing client certificate requests (since it can't supply a certificate and
it hides the client certificate request handshake).

Any other ideas?

Thanks
Craig

"Wei-Dong Xu [MSFT]" <v-wdxu@online.microsoft.com> wrote in message
news:b9XlwZK2DHA.2900@cpmsftngxa07.phx.gbl...
> Hi Craig,
>
> Thank you for replying and the detailed information about the
> troubleshooting!
>
> I'd suggest you use the SSL diagnostic utility to test the server SSL
> configuration. It will provide some information for us to locate the
> culprit. This utility is available from the link:
> SSL Diagnostics Version 1.0 (x86)
>
> http://www.microsoft.com/downloads/d...1d0-5a10-41bc-
> 83d4-06c814265282&DisplayLang=en
>
> Please feel free to let me know if you have any questions.
>
> Thank you for using Microsoft NewsGroup!



 
01-11-2004, 11:30 PM   #17
Wei-Dong Xu [MSFT]
Re: IIS4 no longer requests client certs issued by our CA!

Hi Craig,

Thank you for replying!

I'd suggest you use the WFetch utility to test the client request. You
can run this utility in the client side and then specify the client
certificate and send one request to the server. The WFetch log will help
some.

You can download this utility from the link:
284285 HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
http://support.microsoft.com/default...microsoft.com:80/support/kb/articles/Q284/2/85.ASP&NoWebContent=1

Please feel free to let me know if you have any further questions.

Does this answer your question? Thank you for using Microsoft NewsGroup!

Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

 
01-12-2004, 02:08 PM   #18
Craig Humphrey
Re: IIS4 no longer requests client certs issued by our CA!

OK, this is getting weird!

WFetch 1.3 works! (Win2003)
WFetch 1.2 works! (Win2000)
IE 6sp1 doesn't work (Win2000, WinXP)
IE 5.5sp1 doesn't work (WinNT4)
Netscape 4.7 doesn't work (Win2000)

On further investigation....
If I supply an incorrect certificate to WFetch:
0x8009030d [slib]: Could not AcquireCredentialsHandle
0x8009030d Failed to AcquireCredentials()

It would appear that WFetch works, because regardless of what CA issued
certs IIS asks for, it forcibly supplies the correct one (no authentication
handshake appears to take place, though that may be hidden in the SSL
handshake)

If I use any of the other certs built into WFetch, I get an HTTP 403.7
(since I don't have the root CA info for "jaroslad's test certificate
server"). The "valid" test cert from VeriSign doesn't work (WFetch 1.2 gets
HTTP 403.7) as it has expired.


Help!

Soon'ish
Craig


"Wei-Dong Xu [MSFT]" <v-wdxu@online.microsoft.com> wrote in message
news:8RJZsWN2DHA.3564@cpmsftngxa07.phx.gbl...
> Hi Craig,
>
> Thank you for replying!
>
> I'd suggest you use the WFetch utility to test the client request. You
> can run this utility in the client side and then specify the client
> certificate and send one request to the server. The WFetch log will help
> some.
>
> You can download this utility from the link:
> 284285 HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
>
> http://support.microsoft.com/default...microsoft.com:80/support/kb/articles/Q284/2/85.ASP&NoWebContent=1
>
> Please feel free to let me know if you have any further questions.
>
> Does this answer your question? Thank you for using Microsoft NewsGroup!
>
> Wei-Dong Xu
> Microsoft Product Support Services
> Get Secure! - www.microsoft.com/security
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
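
The part of the handshake that WFetch and IE hide from Craig is the server's CertificateRequest, which carries the list of CA names the server will accept a client certificate from. `openssl s_client` prints that list after the handshake under the heading "Acceptable client certificate CA names" (or "No client certificate CA names sent" when the server names none). The shell functions below are an added example, not code from this thread; they pull that list out of s_client output so it can be checked against the in-house CA's DN. The two sample outputs and the CA DNs in them are constructed here so the script runs offline.

```shell
#!/bin/sh
# Constructed sample of the tail of `openssl s_client` output from a server
# that requests client certificates (not output from the poster's IIS4 box).
SAMPLE_REQUESTING='---
Acceptable client certificate CA names
/C=NZ/O=Example Corp/CN=Example Internal CA
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 2981 bytes and written 443 bytes'

# Constructed sample from a server that completed TLS but named no CA.
SAMPLE_NONE='---
No client certificate CA names sent
---
SSL handshake has read 1532 bytes and written 443 bytes'

# acceptable_cas: read s_client output on stdin and print one accepted CA DN
# per line. Prints nothing when the server sent no CA list.
acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { grab = 1; next }
        grab && /^(Client Certificate Types|Requested Signature Algorithms|---)/ { exit }
        grab { print }
    '
}

# ca_count: number of CA names the server advertised (0 when none).
ca_count() {
    acceptable_cas | grep -c . || true
}

# expects_issuer: succeed if the server lists a CA whose DN contains the given
# string, e.g. the CN of the CA that issued the client certificates.
expects_issuer() {
    acceptable_cas | grep -q -- "$1"
}

# Against a live server (not run here):
#   openssl s_client -connect host:443 </dev/null 2>/dev/null | acceptable_cas
printf '%s\n' "$SAMPLE_REQUESTING" | acceptable_cas
```

If the in-house CA's DN is missing from the list while the server is set to require certificates, the browser has nothing to offer and the connection ends the way described in this thread, without a useful error reaching the client.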




 
01-12-2004, 10:34 PM   #19
Bernard
Re: IIS4 no longer requests client certs issued by our CA!

Ya, got no more ideas. Let's wait for Wei-Dong's response.

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...



"Craig Humphrey" <craig.humphrey@nospam.chapmantripp.com> wrote in message
news:enzV$p11DHA.1188@TK2MSFTNGP11.phx.gbl...
> Hi Bernard,
>
> no change, still get the "Cannot find server or DNS Error" when a VeriSign
> cert is supplied or
> the "403.7 Forbidden: Client certificate required" (as expected) if I don't
> supply a cert.
>
> I need a way to get more info out of the HTTP 500 error on the server.
>
> I tried all three methods in 294807, but it looks like the client gets
> disconnected from the server (hence the "Cannot find server or DNS Error")
> before the HTTP 500 gets sent to the client. And there's still nothing more
> than the 500 in the log... <sigh>
>
> Hopefully Wei-Dong Xu can find something at MS...
>
> I'll try not to pull my hair out... though it would be nice to get this
> running again by Monday...
>
> Soon'ish
> Craig
>
>
> "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> news:eElzdZy1DHA.2324@TK2MSFTNGP09.phx.gbl...
> > Disable IE friendly error msgs, post the error msgs here.
> > http://support.microsoft.com/?id=294807
> >
> > Win32 status 87 = the parameter is incorrect.
> >
> > Not much clue now, hopefully the full error msgs will tell us what's
> > wrong.
>
>



 
01-13-2004, 04:09 AM   #20
Craig Humphrey
Re: IIS4 no longer requests client certs issued by our CA!

Thanks for your help anyway.

I've also got Microsoft Professional Support now looking at it.

Later'ish
Craig

"Bernard" <qbernard@hotmail.com.discuss> wrote in message
news:ORWrEcZ2DHA.1188@TK2MSFTNGP11.phx.gbl...
> Ya, got no more ideas. Let's wait for Wei-Dong's response.
>
> --
> Regards,
> Bernard Cheah
> http://support.microsoft.com/
> Please respond to newsgroups only ...



 
01-15-2004, 12:25 PM   #21
hugh Z. [MS]
RE: IIS4 no longer requests client certs issued by our CA!


Hi Craig,

Did you see a 403.7 or 403.16 error on the client side? Also, on the server
side, do you "require client certificates" or just "accept certificates"?
(I assume it is an IIS 4.0 machine on NT.)
- Open IIS manager
- highlight website and right click mouse
- go to properties
- directory security
- Secure communications.

Please let me know the exact error message from client side if you "require
client certificates".

2 suggestions to try at this moment:

1) Install the certificate trust hotfix 831225, which will fix an existing
issue for CA trust. The link below is for English NT4.0 server version. If
you are using the other version, please let me know.
Package:
-----------------------------------------------------------
KB Article Number(s): 831225
Language: English
Platform: i386
Location:
(http://hotfixv4.microsoft.com/Window.../PKG66582/1381/free/148706_ENU_i386_zip.exe)
Password: LFuu99vHF
Password Changes On: 12/16/2003
Next Password: sa3Qt3%II

2) Two VeriSign intermediate CAs expired on 1/07 and 01/06. We also need to
address that.
Follow the instructions on Verisign
https://www.verisign.com/support/sit...placement.html
Remove the expired Intermediate CA:
Open Internet Explorer and select Tools > Internet Options from the menu
bar
Click on the Content tab
Click on the Certificates button
Click on the Intermediate Certificate Authorities tab
Select the "www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
VeriSign" certificate that expires on 1/7/04 and click on the Remove button

Install the new Verisign Intermediate CA.
http://www.safescrypt.com/faq/faqInt...eCAforGSID.htm

Thank you for choosing Microsoft

Hugh Zhu (MCSE, MCSD, MCAD .Net)
Developer Support Engineer (IIS)

This posting is provided “AS IS” with no warranties, and confers no rights.
You assume all risk for your use. © 2002 Microsoft Corporation. All rights
reserved.


 
01-15-2004, 01:36 PM   #22
Craig Humphrey
Re: IIS4 no longer requests client certs issued by our CA!

Hi Hugh,

I've already applied the VeriSign fix.

I see 403.7 when no certificate is supplied.
When a VeriSign cert is supplied, the client is disconnected, while the
server logs an HTTP 500 error (win32 error 87). Note: the VeriSign cert is
not mapped to any account.

The server is set to Require certs. Yes, it's WinNT4Sp6a, scheduled for
replacement with Win2003/IIS6, but we're not ready yet....

Before I apply the MS patch, can you point me at more documentation about
it? As I can't find anything about it on microsoft.com (or anywhere for
that matter).

Thanks
Craig


"hugh Z. [MS]" <huizhu@online.microsoft.com> wrote in message
news:iuFny152DHA.3892@cpmsftngxa08.phx.gbl...
>
> Hi Craig,
>
> Did you see a 403.7 or 403.16 error on the client side? Also, from the
> server side, do you "require client certificates" or just "accept certificates"?
> (I assume it is IIS4.0 machine on NT)
> - Open IIS manager
> - highlight website and right click mouse
> - go to properties
> - directory security
> - Secure communications.
>
> Please let me know the exact error message from client side if you
> "require client certificates".
>
> 2 suggestions to try at this moment:
>
> 1) Install the certificate trust hotfix 831225, which will fix an existing
> issue for CA trust. The link below is for English NT4.0 server version. If
> you are using the other version, please let me know.
> Package:
> -----------------------------------------------------------
> KB Article Number(s): 831225
> Language: English
> Platform: i386
> Location:
> (http://hotfixv4.microsoft.com/Window.../PKG66582/1381/free/148706_ENU_i386_zip.exe)
> Password: LFuu99vHF
> Password Changes On: 12/16/2003
> Next Password: sa3Qt3%II
>
> 2) Two VeriSign intermediate CAs expired on 1/07 and 01/06. We also need to
> address that.
> Follow the instructions on Verisign
> https://www.verisign.com/support/sit...placement.html
> Remove the expired Intermediate CA:
> Open Internet Explorer and select Tools > Internet Options from the menu
> bar
> Click on the Content tab
> Click on the Certificates button
> Click on the Intermediate Certificate Authorities tab
> Select the "www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
> VeriSign" certificate that expires on 1/7/04 and click on the Remove
> button
>
> Install the new Verisign Intermediate CA.
> http://www.safescrypt.com/faq/faqInt...eCAforGSID.htm
>
> Thank you for choosing Microsoft
>
> Hugh Zhu (MCSE, MCSD, MCAD .Net)
> Developer Support Engineer (IIS)
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> You assume all risk for your use. © 2002 Microsoft Corporation. All rights
> reserved.
>
>



 
01-15-2004, 02:21 PM   #23
hugh Z. [MS]
Re: IIS4 no longer requests client certs issued by our CA!

Hi Craig,

Here is the more information about this hotfix 831225.
(http://hotfixv4.microsoft.com/Window.../PKG66582/1381/free/148706_ENU_i386_zip.exe)

After installing security patch MS03-041 on an NT 4.0 Option Pack + SP6a (IIS
4.0) box, some CA root certificates became unrecognizable; as a result,
clients could not get through SSL access using "client certificate
mapping" or "client certificates required".

The issue is related to MS03-041 being installed on certain NT4 systems with
the customer CA configured.
MS03-041 addressed a security vulnerability:
http://www.microsoft.com/technet/tre...hnet/security/bulletin/ms03-041.asp
Vulnerability in Authenticode Verification Could Allow Remote Code
Execution (823182)

We need to install 831225 to test it, or remove Q823182 to see whether it is
working. But removing 823182 (MS03-041) will cause a security issue.

I hope the info above is helpful.

Thank you for choosing Microsoft

Hugh Zhu (MCSE, MCSD, MCAD .Net)
Developer Support Engineer (IIS)

This posting is provided “AS IS” with no warranties, and confers no rights.
You assume all risk for your use. © 2002 Microsoft Corporation. All rights
reserved.


 