Microsoft KB Archive/260266

= Netscape users cannot access Web pages with 128-bit certificate authentication =

Article ID: 260266

Article Last Modified on 2/20/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition




This article was previously published under Q260266



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
You may not be able to gain access to Web pages after upgrading a 40-bit Secure Sockets Layer (SSL) certificate to a 128-bit SSL certificate (VeriSign). When you attempt to connect with a Netscape 40-bit browser, the following error message is displayed and no connection is made:

The security library has experienced an error. You will probably be unable to connect to this site securely.



CAUSE
The 128-bit VeriSign certificate is a Server Gated Cryptography (SGC) certificate. Secure connections between Netscape clients and Microsoft Internet Information Services (IIS) servers fail because the handshake does not succeed when the SGC renegotiation is performed.



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Instructions for Installation
After you apply the hotfix and restart your computer, run the following command to provide 128-bit high encryption non-export support:

%systemroot%\system32\export\encinst

When you run this command, the command prompt returns with no message displayed. After you restart your computer, the hotfixes for Crypt32.dll and Schannel.dll are installed.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was first corrected in Windows 2000 Service Pack 1.



MORE INFORMATION
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

The best way to determine if a certificate is an SGC certificate is to view the certificate by using the Certificates tool. In the Details pane, if the Enhanced Key Usages line contains one or both of the following entries, the certificate is SGC-enabled:

Unknown Key Usage(2.16.840.1.113730.4.1)

Unknown Key Usage(1.3.6.1.4.1.311.10.3.3)
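
The same check can be scripted for certificates exported to DER. The following is an added example, not code from Microsoft or from the original article: it walks a DER blob, finds the Enhanced Key Usage extension (OID 2.5.29.37) and reports whether either of the two OIDs above is present. The function names and the sample bytes are constructed for illustration; the sample is a bare extension, but the walker also works on a full DER certificate.

```python
SGC_OIDS = {  # the two Enhanced Key Usage OIDs the article lists
    "2.16.840.1.113730.4.1": "Netscape SGC",
    "1.3.6.1.4.1.311.10.3.3": "Microsoft SGC",
}
EKU_EXTENSION = "2.5.29.37"  # id-ce-extKeyUsage

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):  # elements packed back to back in buf[start:end]
    while start < end:
        tag, s, e = read_tlv(buf, start)
        yield tag, s, e
        start = e

def decode_oid(body):  # OBJECT IDENTIFIER content bytes -> dotted notation
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_oids(der):
    """Find the extKeyUsage extension anywhere in a DER blob; list its OIDs."""
    stack = [(0, len(der))]
    while stack:
        kids = list(children(der, *stack.pop()))
        tag, s, e = kids[0] if kids else (0, 0, 0)
        if tag == 0x06 and decode_oid(der[s:e]) == EKU_EXTENSION:
            _, s, e = read_tlv(der, kids[-1][1])  # SEQUENCE inside extnValue
            return [decode_oid(der[a:b]) for t, a, b in children(der, s, e) if t == 6]
        stack.extend((s, e) for t, s, e in kids if t & 0x20)  # constructed only
    return []

def sgc_markers(der):  # SGC OIDs present in the EKU, mapped to a readable name
    return {o: SGC_OIDS[o] for o in eku_oids(der) if o in SGC_OIDS}

# Constructed sample: a bare extKeyUsage extension (serverAuth + both SGC OIDs).
SAMPLE_EXT = bytes.fromhex("302a0603551d2504233021" "06082b06010505070301"
                           "06096086480186f8420401" "060a2b0601040182370a0303")
```

A non-empty result from `sgc_markers` means the certificate is SGC-enabled in the sense described above.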


© Microsoft Corporation. All rights reserved.