Microsoft KB Archive/190542

INFO: Using WinInet APIs in a System Service to access SSL sites

The information in this article applies to:


 * Microsoft Internet Server Application Programming Interface (API)
 * Internet Client SDK, versions 4.0, 4.01


SUMMARY
IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

On machines with Internet Explorer 3.x installed, it is possible for a System Service (like an ISAPI filter) to access SSL servers using the WinInet APIs, while the same code will break on machines with Internet Explorer 4.x and later installed.

This is because the certificates for the SSL servers are no longer stored in the same place when Internet Explorer is installed. Internet Explorer stores the certificate information under the HKEY_CURRENT_USER hive. A System Service by default has as its HKEY_CURRENT_USER the contents of HKEY_USERS\.DEFAULT. Therefore, a System Service does not have access to the necessary certificate information to establish a secure connection. A typical error is 12045 - ERROR_INTERNET_INVALID_CA (which means the certificate authority is not recognized).

MORE INFORMATION
At this time, using WININET APIs within the context of a System Service is not supported. However, an unsupported workaround is available. Microsoft does not support this workaround, and future releases of Windows NT and/or Internet Explorer may break it.

The workaround requires manually copying the content of the certificate information to the System Service's HKEY_CURRENT_USER (or the equivalent thereof).

WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.

To use WININET for SSL connections under the context of a System Service, you must copy the contents of the following key:

  HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\

To the following key:

  HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\

NOTE: If the machine on which WININET is being used is sitting behind a firewall or a proxy, the configuration information for these settings is also stored under HKEY_CURRENT_USER and may need to be copied. The setting information is stored in:

  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\

And needs to be copied over to:

  HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\

Similarly, this workaround is not supported by Microsoft.
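The SystemCertificates copy described above extends everything the interactive user trusts to services running under the .DEFAULT profile, so it is worth listing what will change before copying. The following PowerShell is an added example, not part of the original article: it reports certificates (thumbprint subkeys under each store's Certificates key) present for the current user but absent under .DEFAULT, and only with the hypothetical -Apply switch backs up the target key and performs the copy; the backup file name is an assumption.

```powershell
# Added example: audit, back up, then copy the per-user certificate stores
# into the .DEFAULT profile used by services running as LocalSystem.
# Run elevated, as the user whose stores hold the required CA certificate.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$src = 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates'
$dst = 'HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates'

# Return the certificate thumbprints (subkey names) held in one store.
function Get-StoreThumbprints([string]$Root, [string]$Store) {
    $path = "Registry::$Root\$Store\Certificates"
    if (-not (Test-Path -LiteralPath $path)) { return @() }
    @(Get-ChildItem -LiteralPath $path | ForEach-Object { $_.PSChildName })
}

# List every certificate present for the user but absent for .DEFAULT.
$missing = foreach ($store in Get-ChildItem -LiteralPath "Registry::$src") {
    $name = $store.PSChildName
    $have = Get-StoreThumbprints $dst $name
    foreach ($tp in Get-StoreThumbprints $src $name) {
        if ($have -notcontains $tp) {
            [pscustomobject]@{ Store = $name; Thumbprint = $tp }
        }
    }
}
$missing | Sort-Object Store, Thumbprint | Format-Table -AutoSize

if ($Apply) {
    # Keep a restorable copy of the service-side key before changing it.
    $backup = Join-Path $env:TEMP 'default-SystemCertificates-backup.reg'  # assumed path
    if (Test-Path -LiteralPath "Registry::$dst") {
        reg.exe export $dst $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    }
    # /s copies all subkeys and values, /f overwrites without prompting.
    reg.exe copy $src $dst /s /f
    if ($LASTEXITCODE -ne 0) { throw "reg copy failed with exit code $LASTEXITCODE" }
}
```

Review the report first: every listed Root or CA entry becomes trusted by services that use the .DEFAULT profile once the copy is applied.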

It may also be possible to programmatically recover from the 12045 error. For additional information, please see the following article in the Microsoft Knowledge Base:

"Q182888 HOWTO: Handle Invalid Certificate Authority Error with WinInet"

This article describes how to use InternetSetOption to ignore the 12045 error and resubmit the request. As with the method of copying registry entries, this is unsupported in a service; that is, it may not prevent the 12045 error or may cause a different error to be returned that cannot be recovered from.