IIS4 no longer requests client certs issued by our CA!

On Sat, 10 Jan 2004 00:00:16 +1300, "Craig Humphrey"
<craig.humphrey DeleteThis @nospam.chapmantripp.com> wrote:

 >Hi,
 >
 >our WinNT4 SP6a, IIS4 server has suddenly stopped requesting/accepting
 >client certificates issued by our CA.
 >The only things that have changed since I last saw it work (pre Christmas)
 >are:
 >
 >A bunch of patches:
 >Root Certificates Update
 >Enabling the PIP_CREATE_INSTANCE flag for non-admin users (823492)
 >Cumulative Security Update for Internet Explorer 6 SP1 (KB824145)
 >Security update for Microsoft Windows (KB823182)
 >
 >and we've gone from 2003 to 2004
 >
 >The CA's public key is valid until 2005 and appears to be still installed
 >(CA is on same server) correctly, though I followed
 >(http://support.microsoft.com/default.aspx?scid=kb;en-us;194788&Product=iis)
 >just in case.
 >
 >Any ideas?
 >
 >It's still requesting certs, since on one PC it prompted for the VeriSign
 >cert I had installed.
 >
 >Help! This is urgent!
 >
 >Soon'ish
 >Craig
 >

Craig,

The Verisign Intermediate Root CA on your server has expired. Update
it by following this link :

Expiration of VeriSign Global Server ID Intermediate Root CA on
1/7/2004
<a style='text-decoration: underline;' href="http://www.verisign.com/support/vendors/exp-gsid-ssl.html" target="_blank">http://www.verisign.com/support/vendors/exp-gsid-ssl.html</a>

This link is also quite useful :

How to Determine the Intermediate CA Version Currently Active on your
IIS 5.0/IIS 6.0 Server
<a style='text-decoration: underline;' href="https://www.verisign.com/support/site/iis5check.html" target="_blank">https://www.verisign.com/support/site/iis5check.html</a>


Regards,

Paul Lynch
MCSE<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IIS4 no longer requests client certs issued by our CA! 

Hi Craig,

Thank you for posting in MSDN managed newsgroup!

It will be appreciated you tell us whether this issue still remains. I'd
suggest you can try the methods from Bernard and Paul. If it remains,
please feel free to let me know.

Thank you for using Microsoft NewsGroup!

Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 >> Stay informed about: IIS4 no longer requests client certs issued by our CA! 

Hi Bernard,

thanks for that. I hadn't updated the VeriSign certs (we use our own CA for
this server and it's client certs) and even after I followed VeriSign's
instructions.... it sill doesn't work.

Normal HTTPS traffic is fine, it's only when a cert is required that the
server fails.
It fails in two ways:
1. It doesn't prompt the user for any client certs issued by our CA and
2. You then either get a server not found error (if you supply say a
VeriSign client cert) or cert required (if you supply no cert).

The server not found error is interesting, since in the webserver's log,
there is an HTTP 500 error, with no additional info:

#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2004-01-10 02:25:26
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query
sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version
cs(User-Agent) cs(Cookie) cs(Referer)
2004-01-10 02:25:53 X.X.X.X - X.X.X.X GET /path - 500 87 0 563 47 443
HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Q312461;+Hot+Lingo+2.0;+.
NET+CLR+1.1.4322) ASPSESSIONIDQRTCSDTQ=NBOLEBLDKFMBGACMBKEGLHCA
<a style='text-decoration: underline;' href="https://host.com/oldpath" target="_blank">https://host.com/oldpath</a>

It looks like it's lost (or invalidated) our CA's public key.

Any more ideas?

Thanks
Craig


"Bernard" <qbernard.RemoveThis@hotmail.com.discuss> wrote in message
news:%23XQrFIq1DHA.2896@TK2MSFTNGP09.phx.gbl...
 > Does this apply ?
 > The VeriSign Global Server Intermediate Root CA for IIS expires on January
 > 7, 2004
<font color=purple> > <a style='text-decoration: underline;' href="http://support.microsoft.com/?id=834438</font" target="_blank">http://support.microsoft.com/?id=834438</font</a>><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IIS4 no longer requests client certs issued by our CA! 

Disabled IE friend error msgs, post the error msgs here.
<a style='text-decoration: underline;' href="http://support.microsoft.com/?id=294807" target="_blank">http://support.microsoft.com/?id=294807</a>

Win32 status 87 = the parameter is incorrect.

Not much clue now, hopefully the full error msgs will tell us what's wrong.

--
Regards,
Bernard Cheah
<a style='text-decoration: underline;' href="http://support.microsoft.com/" target="_blank">http://support.microsoft.com/</a>
Please respond to newsgroups only ...



"Craig Humphrey" <craig.humphrey RemoveThis @nospam.chapmantripp.com> ????
news:eY24ZSy1DHA.2448@TK2MSFTNGP12.phx.gbl...
 > Hi Bernard,
 >
 > thanks for that. I hadn't updated the VeriSign certs (we use our own CA
for
 > this server and it's client certs) and even after I followed VeriSign's
 > instructions.... it sill doesn't work.
 >
 > Normal HTTPS traffic is fine, it's only when a cert is required that the
 > server fails.
 > It fails in two ways:
 > 1. It doesn't prompt the user for any client certs issued by our CA and
 > 2. You then either get a server not found error (if you supply say a
 > VeriSign client cert) or cert required (if you supply no cert).
 >
 > The server not found error is interesting, since in the webserver's log,
 > there is an HTTP 500 error, with no additional info:
 >
 > #Software: Microsoft Internet Information Server 4.0
 > #Version: 1.0
 > #Date: 2004-01-10 02:25:26
 > #Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem
cs-uri-query
 > sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version
 > cs(User-Agent) cs(Cookie) cs(Referer)
 > 2004-01-10 02:25:53 X.X.X.X - X.X.X.X GET /path - 500 87 0 563 47 443
 > HTTP/1.1
 >
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Q312461;+Hot+Lingo+2.0;+.
 > NET+CLR+1.1.4322) ASPSESSIONIDQRTCSDTQ=NBOLEBLDKFMBGACMBKEGLHCA
<font color=purple> > <a style='text-decoration: underline;' href="https://host.com/oldpath</font" target="_blank">https://host.com/oldpath</font</a>>
 >
 > It looks like it's lost (or invalidated) our CA's public key.
 >
 > Any more ideas?
 >
 > Thanks
 > Craig
 >
 >
 > "Bernard" <qbernard RemoveThis @hotmail.com.discuss> wrote in message
 > news:%23XQrFIq1DHA.2896@TK2MSFTNGP09.phx.gbl...
  > > Does this apply ?
  > > The VeriSign Global Server Intermediate Root CA for IIS expires on
January
  > > 7, 2004
<font color=green>  > > <a style='text-decoration: underline;' href="http://support.microsoft.com/?id=834438</font" target="_blank">http://support.microsoft.com/?id=834438</font</a>>
 >
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IIS4 no longer requests client certs issued by our CA! 

Hi Paul,

thanks for that. I hadn't updated the VeriSign certs (we use our own CA for
this server and it's client certs) and even after I followed VeriSign's
instructions.... it sill doesn't work.

Normal HTTPS traffic is fine, it's only when a cert is required that the
server fails.
It fails in two ways:
1. It doesn't prompt the user for any client certs issued by our CA and
2. You then either get a server not found error (if you supply say a
VeriSign client cert) or cert required (if you supply no cert).

The server not found error is interesting, since in the webserver's log,
there is an HTTP 500 error, with no additional info:

#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2004-01-10 02:25:26
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query
sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version
cs(User-Agent) cs(Cookie) cs(Referer)
2004-01-10 02:25:53 X.X.X.X - X.X.X.X GET /path - 500 87 0 563 47 443
HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Q312461;+Hot+Lingo+2.0;+.
NET+CLR+1.1.4322) ASPSESSIONIDQRTCSDTQ=NBOLEBLDKFMBGACMBKEGLHCA
<a style='text-decoration: underline;' href="https://host.com/oldpath" target="_blank">https://host.com/oldpath</a>

It looks like it's lost (or invalidated) our CA's public key.

Any more ideas?

Thanks
Craig

"Paul Lynch" <paul.lynch.TakeThisOut@nospam.com> wrote in message
news:oc8tvvkk1qq8imnt5l1c3isg84gfvclnkh@4ax.com...
 > Craig,
 >
 > The Verisign Intermediate Root CA on your server has expired. Update
 > it by following this link :
 >
 > Expiration of VeriSign Global Server ID Intermediate Root CA on
 > 1/7/2004
<font color=purple> > <a style='text-decoration: underline;' href="http://www.verisign.com/support/vendors/exp-gsid-ssl.html</font" target="_blank">http://www.verisign.com/support/vendors/exp-gsid-ssl.html</font</a>>
 >
 > This link is also quite useful :
 >
 > How to Determine the Intermediate CA Version Currently Active on your
 > IIS 5.0/IIS 6.0 Server
<font color=purple> > <a style='text-decoration: underline;' href="https://www.verisign.com/support/site/iis5check.html</font" target="_blank">https://www.verisign.com/support/site/iis5check.html</font</a>>
 >
 >
 > Regards,
 >
 > Paul Lynch
 > MCSE<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IIS4 no longer requests client certs issued by our CA! 

On Sat, 10 Jan 2004 15:50:21 +1300, "Craig Humphrey"
<craig.humphrey.DeleteThis@nospam.chapmantripp.com> wrote:

 >Hi Paul,
 >
 >thanks for that. I hadn't updated the VeriSign certs (we use our own CA for
 >this server and it's client certs) and even after I followed VeriSign's
 >instructions.... it sill doesn't work.
 >
 >Normal HTTPS traffic is fine, it's only when a cert is required that the
 >server fails.
 >It fails in two ways:
 >1. It doesn't prompt the user for any client certs issued by our CA and
 >2. You then either get a server not found error (if you supply say a
 >VeriSign client cert) or cert required (if you supply no cert).
 >
 >The server not found error is interesting, since in the webserver's log,
 >there is an HTTP 500 error, with no additional info:
 >
 >#Software: Microsoft Internet Information Server 4.0
 >#Version: 1.0
 >#Date: 2004-01-10 02:25:26
 >#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query
 >sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version
 >cs(User-Agent) cs(Cookie) cs(Referer)
 >2004-01-10 02:25:53 X.X.X.X - X.X.X.X GET /path - 500 87 0 563 47 443
 >HTTP/1.1
 >Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Q312461;+Hot+Lingo+2.0;+.
 >NET+CLR+1.1.4322) ASPSESSIONIDQRTCSDTQ=NBOLEBLDKFMBGACMBKEGLHCA
 >https://host.com/oldpath
 >
 >It looks like it's lost (or invalidated) our CA's public key.
 >
 >Any more ideas?
 >
 >Thanks
 >Craig

Craig,

Don't know what else to suggest. I did see a post in another group by
someone who said that the instructions in this link worke for them on
IIS4 :

<a style='text-decoration: underline;' href="http://www.safescrypt.com/faq/faqIntermediateCAforGSID.htm" target="_blank">http://www.safescrypt.com/faq/faqIntermediateCAforGSID.htm</a>

Hope this helps.


Regards,

Paul Lynch
MCSE<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IIS4 no longer requests client certs issued by our CA! 

On Sat, 10 Jan 2004 15:50:21 +1300, "Craig Humphrey"
<craig.humphrey.DeleteThis@nospam.chapmantripp.com> wrote:

 >Hi Paul,
 >
 >thanks for that. I hadn't updated the VeriSign certs (we use our own CA for
 >this server and it's client certs) and even after I followed VeriSign's
 >instructions.... it sill doesn't work.
 >
 >Normal HTTPS traffic is fine, it's only when a cert is required that the
 >server fails.
 >It fails in two ways:
 >1. It doesn't prompt the user for any client certs issued by our CA and
 >2. You then either get a server not found error (if you supply say a
 >VeriSign client cert) or cert required (if you supply no cert).
 >
 >The server not found error is interesting, since in the webserver's log,
 >there is an HTTP 500 error, with no additional info:
 >
 >#Software: Microsoft Internet Information Server 4.0
 >#Version: 1.0
 >#Date: 2004-01-10 02:25:26
 >#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query
 >sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version
 >cs(User-Agent) cs(Cookie) cs(Referer)
 >2004-01-10 02:25:53 X.X.X.X - X.X.X.X GET /path - 500 87 0 563 47 443
 >HTTP/1.1
 >Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Q312461;+Hot+Lingo+2.0;+.
 >NET+CLR+1.1.4322) ASPSESSIONIDQRTCSDTQ=NBOLEBLDKFMBGACMBKEGLHCA
 >https://host.com/oldpath
 >
 >It looks like it's lost (or invalidated) our CA's public key.
 >
 >Any more ideas?
 >
 >Thanks
 >Craig

Craig,

As a follow-up I just found this article which seems to indicate that
the effects of the recent Verisign cert expiry are more far-reaching
than may have been previously considered.

This *could* help explain your problems :

<a style='text-decoration: underline;' href="http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2004010810205113" target="_blank">http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2004010810205113</a>


Regards,

Paul Lynch
MCSE<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IIS4 no longer requests client certs issued by our CA! 

Hi Wei-Dong Xu,

I hadn't updated the VeriSign certs (we use our own CA for this server and
it's client certs) and even after I followed VeriSign's instructions.... it
sill doesn't work.

Normal HTTPS traffic is fine, it's only when a cert is required that the
server fails.
It fails in two ways:
1. It doesn't prompt the user for any client certs issued by our CA and
2. You then either get a server not found error (if you supply say a
VeriSign client cert) or cert required (if you supply no cert).

The server not found error is interesting, since in the webserver's log,
there is an HTTP 500 error, with no additional info:

#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2004-01-10 02:25:26
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query
sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version
cs(User-Agent) cs(Cookie) cs(Referer)
2004-01-10 02:25:53 X.X.X.X - X.X.X.X GET /path - 500 87 0 563 47 443
HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Q312461;+Hot+Lingo+2.0;+.
NET+CLR+1.1.4322) ASPSESSIONIDQRTCSDTQ=NBOLEBLDKFMBGACMBKEGLHCA
<a style='text-decoration: underline;' href="https://host.com/oldpath" target="_blank">https://host.com/oldpath</a>

It looks like it's lost (or invalidated) our CA's public key.

Any more ideas?

Thanks
Craig
"Wei-Dong Xu [MSFT]" <v-wdxu.TakeThisOut@online.microsoft.com> wrote in message
news:v0lo7Iy1DHA.2900@cpmsftngxa07.phx.gbl...
 > Hi Craig,
 >
 > Thank you for posting in MSDN managed newsgroup!
 >
 > It will be appreciated you tell us whether this issue still remains. I'd
 > suggest you can try the methods from Bernard and Paul. If it remains,
 > please feel free to let me know.
 >
 > Thank you for using Microsoft NewsGroup!
 >
 > Wei-Dong Xu
 > Microsoft Product Support Services
<font color=purple> > Get Secure! - <a style='text-decoration: underline;' href="http://www.microsoft.com/security</font" target="_blank">www.microsoft.com/security</font</a>>
 > This posting is provided "AS IS" with no warranties, and confers no
rights.
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IIS4 no longer requests client certs issued by our CA! 

Hi Bernard,

no change, still get the "Cannot find server or DNS Error" when a VeriSign
cert is supplied or
the "403.7 Forbidden: Client certificate required" (as expected) if I don't
supply a cert.

I need a way to get more info out of the HTTP 500 error on the server.

I tried all three methods in 294807, but it looks like the client gets
disconnected from the server (hence the "Cannot find server or DNS Error")
before the HTTP 500 gets sent to the client. And there's still nothing more
than the 500 in the log... <sigh>

Hopefully Wei-Dong Xu can find something at MS...

I'll try not to pull my hair out... though it would be nice to get this
running again by Monday...

Soon'ish
Craig


"Bernard" <qbernard DeleteThis @hotmail.com.discuss> wrote in message
news:eElzdZy1DHA.2324@TK2MSFTNGP09.phx.gbl...
 > Disabled IE friend error msgs, post the error msgs here.
<font color=purple> > <a style='text-decoration: underline;' href="http://support.microsoft.com/?id=294807</font" target="_blank">http://support.microsoft.com/?id=294807</font</a>>
 >
 > Win32 status 87 = the parameter is incorrect.
 >
 > Not much clue now, hopefully the full error msgs will tell us what's
wrong.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IIS4 no longer requests client certs issued by our CA! 

Hi Paul,

those instructions are basically the same as VeriSign's. But I don't think
VeriSign is the problem, since my server's SSL cert is issued by our CA and
all the client certs that I want to use are also issued by our CA.

I'll keep trying.

Thanks
Craig

"Paul Lynch" <paul.lynch.DeleteThis@nospam.com> wrote in message
news:fkmvvv08p7b097r7amtqcb8r8611271aa0@4ax.com...
 >
 > Craig,
 >
 > Don't know what else to suggest. I did see a post in another group by
 > someone who said that the instructions in this link worke for them on
 > IIS4 :
 >
<font color=purple> > <a style='text-decoration: underline;' href="http://www.safescrypt.com/faq/faqIntermediateCAforGSID.htm</font" target="_blank">http://www.safescrypt.com/faq/faqIntermediateCAforGSID.htm</font</a>>
 >
 > Hope this helps.
 >
 >
 > Regards,
 >
 > Paul Lynch
 > MCSE<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IIS4 no longer requests client certs issued by our CA! 

Thanks again Paul, still no dice, though of course, it's only confirming
that the browser has the right CA certs. I need to hunt the meta base I
think...


"Paul Lynch" <paul.lynch RemoveThis @nospam.com> wrote in message
news:3k3000tcgi7sqheltpl6r6jrp1e3nduhrg@4ax.com...
 > Craig,
 >
 > As a follow-up I just found this article which seems to indicate that
 > the effects of the recent Verisign cert expiry are more far-reaching
 > than may have been previously considered.
 >
 > This *could* help explain your problems :
 >
<font color=purple> > <a style='text-decoration: underline;' href="http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2004010810205113</font" target="_blank">http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/200401081020...3</f</a>>
 >
 >
 > Regards,
 >
 > Paul Lynch
 > MCSE<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IIS4 no longer requests client certs issued by our CA! 

Hmm... MetaEdit 2.2 doesn't reveal any CA Cert info... <sigh>

"Craig Humphrey" <craig.humphrey.RemoveThis@nospam.chapmantripp.com> wrote in message
news:OA7vTk%231DHA.2156@TK2MSFTNGP12.phx.gbl...
 > Thanks again Paul, still no dice, though of course, it's only confirming
 > that the browser has the right CA certs. I need to hunt the meta base I
 > think...<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IIS4 no longer requests client certs issued by our CA! 

Hi Craig,

Thank you for replying and the detailed information about the
troubleshooting!

I'd suggest you can use the SSL diagnostic utility to test the server SSL
configuration. It will provide some information for us to locate the
culprit. This utility is available from the link:
SSL Diagnostics Version 1.0 (x86)
http://www.microsoft.com/downloads/details.aspx?FamilyID=cabea1d0-5a10-41bc-
83d4-06c814265282&DisplayLang=en

Please feel free to let me know if you have any questions.

Thank you for using Microsoft NewsGroup!

Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 >> Stay informed about: IIS4 no longer requests client certs issued by our CA!