IIS4 no longer requests client certs issued by our CA!

Post by Craig Hump » Sat, 10 Jan 2004 20:00:16


Hi,

our WinNT4 SP6a, IIS4 server has suddenly stopped requesting/accepting
client certificates issued by our CA.
The only things that have changed since I last saw it work (pre Christmas)
are:

A bunch of patches:
Root Certificates Update
Enabling the PIP_CREATE_INSTANCE flag for non-admin users (823492)
Cumulative Security Update for Internet Explorer 6 SP1 (KB824145)
Security update for Microsoft Windows (KB823182)

and we've gone from 2003 to 2004 :)

The CA's public key is valid until 2005 and appears to be still installed
(CA is on same server) correctly, though I followed
( http://www.yqcomputer.com/ ;en-us;194788&Product=iis)
just in case.

Any ideas?

It's still requesting certs, since on one PC it prompted for the VeriSign
cert I had installed.

Help! This is urgent!

Soon'ish
Craig

Post by Bernar » Sat, 10 Jan 2004 20:16:27

Does this apply ?
The VeriSign Global Server Intermediate Root CA for IIS expires on January
7, 2004
http://www.yqcomputer.com/

--
Regards,
Bernard Cheah
http://www.yqcomputer.com/
Please respond to newsgroups only ...

Post by Paul Lync » Sat, 10 Jan 2004 21:43:30

Craig,

The Verisign Intermediate Root CA on your server has expired. Update
it by following this link :

Expiration of VeriSign Global Server ID Intermediate Root CA on
1/7/2004
http://www.yqcomputer.com/

This link is also quite useful :

How to Determine the Intermediate CA Version Currently Active on your
IIS 5.0/IIS 6.0 Server
https://www.verisign.com/support/site/iis5check.html
Regards,

Paul ***
MCSE

Post by v-wdx » Sun, 11 Jan 2004 11:34:05

Hi Craig,

Thank you for posting in MSDN managed newsgroup!

It will be appreciated you tell us whether this issue still remains. I'd
suggest you can try the methods from Bernard and Paul. If it remains,
please feel free to let me know.

Thank you for using Microsoft NewsGroup!

Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

Post by Craig Hump » Sun, 11 Jan 2004 11:49:24

Hi Bernard,

thanks for that. I hadn't updated the VeriSign certs (we use our own CA for
this server and its client certs) and even after I followed VeriSign's
instructions.... it still doesn't work.

Normal HTTPS traffic is fine, it's only when a cert is required that the
server fails.
It fails in two ways:
1. It doesn't prompt the user for any client certs issued by our CA and
2. You then either get a server not found error (if you supply say a
VeriSign client cert) or cert required (if you supply no cert).

The server not found error is interesting, since in the webserver's log,
there is an HTTP 500 error, with no additional info:

#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2004-01-10 02:25:26
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version cs(User-Agent) cs(Cookie) cs(Referer)
2004-01-10 02:25:53 X.X.X.X - X.X.X.X GET /path - 500 87 0 563 47 443 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Q312461;+Hot+Lingo+2.0;+.NET+CLR+1.1.4322) ASPSESSIONIDQRTCSDTQ=NBOLEBLDKFMBGACMBKEGLHCA https://host.com/oldpath

It looks like it's lost (or invalidated) our CA's public key.

Any more ideas?

Thanks
Craig
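As an added example, not code from anyone in this thread: a small Python parser for the IIS 4.0 W3C extended log format Craig quoted. It reads the column names from the #Fields directive and flags HTTPS requests that ended with HTTP 500 and sc-win32-status 87 (ERROR_INVALID_PARAMETER, the code Bernard decodes later in the thread), which is the pattern a failed client-certificate negotiation leaves behind. The log lines are constructed, modelled on Craig's entry with his X.X.X.X placeholders.

```python
"""Parse IIS 4.0 W3C extended log lines and flag SSL client-certificate failures."""

# Constructed sample log, modelled on the entry quoted in the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2004-01-10 02:25:26
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version cs(User-Agent) cs(Cookie) cs(Referer)
2004-01-10 02:25:53 X.X.X.X - X.X.X.X GET /path - 500 87 0 563 47 443 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) - https://host.com/oldpath
2004-01-10 02:26:10 X.X.X.X - X.X.X.X GET /index.htm - 200 0 1024 300 15 443 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) - -
2004-01-10 02:26:30 X.X.X.X - X.X.X.X GET /secure/ - 403 5 0 410 20 443 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) - -
"""

ERROR_INVALID_PARAMETER = 87  # Win32 status "the parameter is incorrect"


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split(":", 1)[1].split()
            continue
        if raw.startswith("#") or not raw.strip():
            continue  # other directives (#Software, #Version, #Date) and blanks
        if fields is None:
            raise ValueError("request line before #Fields directive")
        values = raw.split(" ")  # W3C values never contain spaces ('+' stands in)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {raw!r}")
        yield dict(zip(fields, values))


def suspect_client_cert_failures(text):
    """Return (timestamp, uri) for HTTPS requests that died with HTTP 500 / Win32 87.

    A 500 with sc-win32-status 87 on the SSL port and zero bytes sent matches the
    symptom in the thread: the handshake that should negotiate a client
    certificate fails before any response body is produced.
    """
    hits = []
    for rec in parse_w3c(text):
        if (rec["s-port"] == "443" and rec["sc-status"] == "500"
                and int(rec["sc-win32-status"]) == ERROR_INVALID_PARAMETER):
            hits.append((f'{rec["date"]} {rec["time"]}', rec["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for when, uri in suspect_client_cert_failures(SAMPLE_LOG):
        print(f"{when} {uri}: HTTP 500 / Win32 87 on :443, check the client-cert trust chain")
```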

Post by Craig Hump » Sun, 11 Jan 2004 11:50:21

Hi Paul,

thanks for that. I hadn't updated the VeriSign certs (we use our own CA for
this server and its client certs) and even after I followed VeriSign's
instructions.... it still doesn't work.

Normal HTTPS traffic is fine, it's only when a cert is required that the
server fails.
It fails in two ways:
1. It doesn't prompt the user for any client certs issued by our CA and
2. You then either get a server not found error (if you supply say a
VeriSign client cert) or cert required (if you supply no cert).

The server not found error is interesting, since in the webserver's log,
there is an HTTP 500 error, with no additional info:

#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2004-01-10 02:25:26
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version cs(User-Agent) cs(Cookie) cs(Referer)
2004-01-10 02:25:53 X.X.X.X - X.X.X.X GET /path - 500 87 0 563 47 443 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Q312461;+Hot+Lingo+2.0;+.NET+CLR+1.1.4322) ASPSESSIONIDQRTCSDTQ=NBOLEBLDKFMBGACMBKEGLHCA https://host.com/oldpath

It looks like it's lost (or invalidated) our CA's public key.

Any more ideas?

Thanks
Craig

Post by Craig Hump » Sun, 11 Jan 2004 11:50:59

Hi Wei-Dong Xu,

I hadn't updated the VeriSign certs (we use our own CA for this server and
its client certs) and even after I followed VeriSign's instructions.... it
still doesn't work.

Normal HTTPS traffic is fine, it's only when a cert is required that the
server fails.
It fails in two ways:
1. It doesn't prompt the user for any client certs issued by our CA and
2. You then either get a server not found error (if you supply say a
VeriSign client cert) or cert required (if you supply no cert).

The server not found error is interesting, since in the webserver's log,
there is an HTTP 500 error, with no additional info:

#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2004-01-10 02:25:26
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version cs(User-Agent) cs(Cookie) cs(Referer)
2004-01-10 02:25:53 X.X.X.X - X.X.X.X GET /path - 500 87 0 563 47 443 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Q312461;+Hot+Lingo+2.0;+.NET+CLR+1.1.4322) ASPSESSIONIDQRTCSDTQ=NBOLEBLDKFMBGACMBKEGLHCA https://host.com/oldpath

It looks like it's lost (or invalidated) our CA's public key.

Any more ideas?

Thanks
Craig

Post by Bernar » Sun, 11 Jan 2004 12:03:43

Disable IE friendly error msgs, post the error msgs here.
http://www.yqcomputer.com/

Win32 status 87 = the parameter is incorrect.

Not much clue now, hopefully the full error msgs will tell us what's wrong.

--
Regards,
Bernard Cheah
http://www.yqcomputer.com/
Please respond to newsgroups only ...

Post by Craig Hump » Sun, 11 Jan 2004 18:16:47

Hi Bernard,

no change, still get the "Cannot find server or DNS Error" when a VeriSign
cert is supplied or
the "403.7 Forbidden: Client certificate required" (as expected) if I don't
supply a cert.

I need a way to get more info out of the HTTP 500 error on the server.

I tried all three methods in 294807, but it looks like the client gets
disconnected from the server (hence the "Cannot find server or DNS Error")
before the HTTP 500 gets sent to the client. And there's still nothing more
than the 500 in the log... <sigh>

Hopefully Wei-Dong Xu can find something at MS...

I'll try not to pull my hair out... though it would be nice to get this
running again by Monday...

Soon'ish
Craig

Post by Paul Lync » Sun, 11 Jan 2004 19:58:58

Craig,

Don't know what else to suggest. I did see a post in another group by
someone who said that the instructions in this link worked for them on
IIS4 :

http://www.yqcomputer.com/

Hope this helps.


Regards,

Paul ***
MCSE

Post by Paul Lync » Sun, 11 Jan 2004 23:43:00

Craig,

As a follow-up I just found this article which seems to indicate that
the effects of the recent Verisign cert expiry are more far-reaching
than may have been previously considered.

This *could* help explain your problems :

http://www.yqcomputer.com/


Regards,

Paul ***
MCSE

Post by Craig Hump » Mon, 12 Jan 2004 11:08:46

Hi Paul,

those instructions are basically the same as VeriSign's. But I don't think
VeriSign is the problem, since my server's SSL cert is issued by our CA and
all the client certs that I want to use are also issued by our CA.

I'll keep trying.

Thanks
Craig

Post by Craig Hump » Mon, 12 Jan 2004 11:17:23

Thanks again Paul, still no dice, though of course, it's only confirming
that the browser has the right CA certs. I need to hunt the meta base I
think...

Post by Craig Hump » Mon, 12 Jan 2004 12:47:44

Hmm... MetaEdit 2.2 doesn't reveal any CA Cert info... <sigh>

Post by v-wdx » Tue, 13 Jan 2004 09:52:55

Hi Craig,

Thank you for replying and the detailed information about the
troubleshooting!

I'd suggest you can use the SSL diagnostic utility to test the server SSL
configuration. It will provide some information for us to locate the
culprit. This utility is available from the link:
SSL Diagnostics Version 1.0 (x86)
http://www.yqcomputer.com/
83d4-06c814265282&DisplayLang=en

Please feel free to let me know if you have any questions.

Thank you for using Microsoft NewsGroup!

Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.