Microsoft KB Archive/290208

= PRB: SQL Server CE Replication or RDA Fails When IIS Uses SHA1 Hashing Algorithm =

Article ID: 290208

Article Last Modified on 2/22/2007


APPLIES TO


 * Microsoft SQL Server 2000 Windows CE Edition




This article was previously published under Q290208



SYMPTOMS
Microsoft SQL Server 2000 for Windows CE Edition replication or Remote Data Access (RDA) fails when you use a secure Web site where the Microsoft Internet Information Services (IIS) server certificate uses the Secure Hash Algorithm 1 (SHA1) algorithm. When the merge process runs against the Secure Sockets Layer (SSL) site, it returns the following error message:

28037 SSCE_M_HTTPSENDREQUESTFAILED : HttpSendRequest failed; HRESULT has more detail



CAUSE
The VeriSign Certificate Authority (CA) has changed the hashing algorithm that is used for new SSL server certificates from Message Digest 5 (MD5) to SHA1.

Windows CE devices that are running Microsoft Windows CE 3.0, or earlier, do not recognize IIS server certificates that are signed with either the MD4 or RSA/SHA1 signature algorithms.

WORKAROUND
To work around the problem for Pocket PC, install the 128-bit SSL Add-on that is described in the following Microsoft Knowledge Base article:

266695 Cannot Connect to Security-Enhanced Web Pages with Pocket Internet Explorer

HPC Pro and Palm PC (Windows CE 2.1x) do not support the SHA1 hashing algorithm that is used by certificate authorities such as VeriSign. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

274999 Windows CE 2.11 Cannot Connect to Security-Enhanced Web Pages



MORE INFORMATION
For a more detailed description of this problem, see the following article in the Microsoft Knowledge Base:

266695 Cannot Connect to Security-Enhanced Web Pages with Pocket Internet Explorer

Pocket Internet Explorer
Try to connect Pocket IE on an HPC Pro device to an HTTPS site that uses a VeriSign certificate.

-or-

SQL Server CE

 * 1) Set up an SSL site and use VeriSign as the Certificate Authority (CA).
 * 2) Run a SQL Server CE Replication application and attempt a merge by using the SSL site you created in step 1.

RESULT: The following error message appears:

28037 SSCE_M_HTTPSENDREQUESTFAILED : HttpSendRequest failed; HRESULT has more detail

The SQL Server CE Books Online topic "Obtaining a Server Certificate" contains this description for the issue:

Windows CE devices running Windows CE 3.0 or earlier do not recognize IIS server certificates signed using either the MD4 or RSA/SHA1 signature algorithms. Windows CE devices reject such certificates with the error ERROR_INTERNET_SECURITY_CHANNEL_ERROR. To be acceptable to a Windows CE device, your IIS server certificate must be signed using either the MD2 or MD5 signature algorithm.

If you want to generate IIS server certificates by using your own standalone certification authority, you must choose the Advanced option when you install Windows 2000 Certificate Services. Then select the MD2 or MD5 signature algorithm for the certificates your certification authority issues.

By default, Windows 2000 certification authorities generate RSA/SHA1 certificates. If your standalone certification authority was installed using the default RSA/SHA1 signature algorithm, you must remove the certification authority, re-install it using the Advanced option, specify the MD2 or MD5 signature algorithm, and issue a new IIS server certificate.

