
= SGC-Enabled Clients Have Trouble Connecting to SGC-Enabled IIS =

Article ID: 164627

Article Last Modified on 6/23/2005


APPLIES TO


 * Microsoft Internet Information Server 3.0




This article was previously published under Q164627



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
On an IIS 3.0 server with the Server Gated Cryptography (SGC) Schannel.dll update and a valid SGC certificate installed, SGC-enabled clients either cannot connect at 128-bit strength or they cannot connect at all.

Specifically, Internet Explorer 3.02 with the SGC update installed connects only at 40-bit key strength, while Internet Explorer 4.0 clients cannot connect at all and receive the following error:

Internet Explorer cannot open the Internet site http://www.xxxxxxx.yyy.

The supplied certificate is invalid.

Netscape Communicator 4.0x always negotiates encryption with a 40-bit key instead of a 128-bit key.



CAUSE
The name on the SGC certificate does not match the name of the server on which the certificate is installed. An SGC certificate embeds the name of the machine on which it should be installed. If the name in the SGC certificate does not match the name of the server, SGC clients cannot negotiate 128-bit encryption and may fail to connect at all.



RESOLUTION
Obtain an SGC certificate that was generated for your server's machine name, or rename your server to match the name on the certificate.
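
To confirm the mismatch described under CAUSE, or to check a replacement certificate before installing it, the following added example (not part of the original Microsoft article) compares the name in a certificate with the server name. It assumes the embedded name is the subject Common Name (CN), that the certificate has been exported to a PEM file, and that the OpenSSL command-line tool is available; the function names and www.example.com are illustrative.

```shell
#!/bin/sh
# Added example: compare the name embedded in a certificate with the name
# of the server it is installed on.
# Assumptions: the embedded name is the subject Common Name (CN), the
# certificate is a PEM file, and the openssl CLI is installed.

# Print the subject CN of the PEM certificate at path $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Return 0 if the CN of certificate $1 equals server name $2.
# The comparison is case-insensitive; a certificate without a CN never matches.
cert_matches_name() {
    cn=$(cert_cn "$1" | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$cn" ] && [ "$cn" = "$want" ]
}

# Print a one-line verdict for certificate $1 and server name $2.
report() {
    if cert_matches_name "$1" "$2"; then
        echo "OK: certificate name '$(cert_cn "$1")' matches server name '$2'"
    else
        echo "MISMATCH: certificate is for '$(cert_cn "$1")', server is '$2'"
        return 1
    fi
}

# Create a throwaway self-signed certificate for CN $1 at path $2.
# This is constructed sample input for trying the check, not an SGC certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2" 2>/dev/null
}

# Usage: sh check-cert-name.sh server.pem www.example.com
[ "$#" -eq 2 ] && report "$1" "$2"
```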



MORE INFORMATION
For more information on how to obtain the updated version of Schannel.dll, please see the following article in the Microsoft Knowledge Base:

148427 : Generic SSL (PCT/TLS) Updates for IIS and MS Internet Products

For more information on the Server Gated Cryptography (SGC) version of Schannel.dll, please go to the following Microsoft web site:

http://www.microsoft.com/technet/security/prodtech.asp

NOTE: Because the Microsoft Web site is regularly updated, the site address may change without notice. If this occurs, link to the Microsoft home page at the following address:

http://www.microsoft.com/

Additional query words: ie

Keywords: kbinterop KB164627


© Microsoft Corporation. All rights reserved.