Microsoft KB Archive/946401

= Description of the changes to network retrieval functionality in Windows Vista SP1 and in Windows Server 2008 =

Article ID: 946401

Article Last Modified on 12/27/2007

-

APPLIES TO


 * Windows Vista Service Pack 1
 * Windows Server 2008 Datacenter
 * Windows Server 2008 Enterprise
 * Windows Server 2008 Standard

-



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows XP and Windows Vista



SUMMARY
During certificate path validation, Windows Vista Service Pack 1 (SP1) and Windows Server 2008 may retrieve objects such as certificates and certificate revocation lists (CRLs) from the network. Windows Vista SP1 and Windows Server 2008 support this network retrieval functionality by using the FILE protocol, the HTTP protocol, and the LDAP protocol.

By default, the FILE protocol for network retrieval of public key infrastructure (PKI) objects is disabled to improve security during the network retrieval process. Additionally, the network retrieval process that uses the LDAP protocol or the HTTP protocol is modified in Windows Vista SP1 and in Windows Server 2008. For more information about these changes, see the “More Information” section.



MORE INFORMATION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Changes in the network retrieval process that uses the FILE protocol
By default, the network retrieval process that uses the FILE protocol is disabled for certificate operations. If you want to enable this feature, follow these steps:

 1. Click Start, click Run, type regedit, and then click OK.
 2. Locate the following registry subkey, and then click it:

 3. Right-click Config, point to New, and then click DWORD Value.
 4. Type AllowFileUrlScheme, and then press ENTER.
 5. Right-click AllowFileUrlScheme, and then click Modify.
 6. In the Value Data box, type 0x01, and then click OK.
 7. On the File menu, click Exit.

This setting reverts the computer to the behavior of Windows XP Service Pack 2 (SP2), of Windows Server 2003 SP1, and of the release version of Windows Vista.

Changes in the network retrieval process that uses the LDAP protocol
By default, the PKI client in Windows Vista SP1 and in Windows Server 2008 signs and encrypts all LDAP traffic for PKI objects. Additionally, if authentication is required only for network retrieval, Kerberos authentication is performed. For testing, you may want to disable the functionality in Windows Vista SP1 and in Windows Server 2008 that signs and encrypts LDAP traffic. To do this, follow these steps:

 1. Click Start, click Run, type regedit, and then click OK.
 2. Locate the following registry subkey, and then click it:

 3. Right-click Config, point to New, and then click DWORD Value.
 4. Type DisableLDAPSignAndEncrypt, and then press ENTER.
 5. Right-click DisableLDAPSignAndEncrypt, and then click Modify.
 6. In the Value Data box, type 0x01, and then click OK.
 7. On the File menu, click Exit.

After you apply this setting, either NTLM credentials or Kerberos credentials are used for authentication. Additionally, the Sign flag and the Encrypt flag are not set in the LDAP requests. This setting reverts the computer to the behavior of Windows XP SP2, of Windows Server 2003 SP1, and of the release version of Windows Vista.

Changes in the network retrieval process that uses the HTTP protocol
In the PKI client in Windows Vista SP1 and in Windows Server 2008, the network retrieval process that uses the HTTP protocol performs authentication only for the proxies that are locally configured. Whether authentication is performed depends on the error message that is returned from the proxy. If the proxy returns the following error message, authentication is performed:

HTTP 407: Proxy Authentication required

If the proxy returns the following error message, authentication is not performed:

HTTP 401: Access Denied

Note If proxy authentication is required, both Kerberos authentication and NTLM authentication will be performed.

If you want to change this default behavior, follow these steps:

 1. Click Start, click Run, type regedit, and then click OK.
 2. Locate the following registry subkey, and then click it:

 3. Right-click Config, point to New, and then click DWORD Value.
 4. Type EnableInetUnknownAuth, and then press ENTER.
 5. Right-click EnableInetUnknownAuth, and then click Modify.
 6. In the Value Data box, type 0x01, and then click OK.
 7. On the File menu, click Exit.

After you apply this setting, authentication is also performed when the proxy returns an "HTTP 401" error message. This setting reverts the computer to the behavior of Windows XP SP2, of Windows Server 2003 SP1, and of the release version of Windows Vista.
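The three values described above (AllowFileUrlScheme, DisableLDAPSignAndEncrypt, EnableInetUnknownAuth) each revert a hardened SP1/Server 2008 default to the older behavior, so an administrator will want to know whether any of them is set on a machine. The following audit script is an added example, not part of this article; because this copy of the article does not show the Config subkey path, the path is a parameter whose default is an obvious placeholder that you must replace.

```powershell
# Added example (not from KB 946401): report whether any of the three
# network-retrieval downgrade values from the article is present and non-zero.
# The Config subkey path is not shown in this copy of the article, so it is
# taken as a parameter. The default below is a PLACEHOLDER, not the real path.
function Get-PkiNetworkRetrievalAudit {
    [CmdletBinding()]
    param(
        # Placeholder: replace with the Config subkey named in the article.
        [string]$ConfigKeyPath = 'HKLM:\PLACEHOLDER\Config'
    )

    # Value names from the article, with the legacy behavior each one restores.
    $settings = @(
        @{ Name = 'AllowFileUrlScheme';        Effect = 'FILE protocol retrieval of PKI objects enabled' },
        @{ Name = 'DisableLDAPSignAndEncrypt'; Effect = 'LDAP Sign/Encrypt flags not set; NTLM or Kerberos used' },
        @{ Name = 'EnableInetUnknownAuth';     Effect = 'proxy authentication also attempted on HTTP 401' }
    )

    $keyExists = Test-Path -Path $ConfigKeyPath
    foreach ($s in $settings) {
        $value = $null
        if ($keyExists) {
            # Missing values produce a non-terminating error; treat them as absent.
            $value = (Get-ItemProperty -Path $ConfigKeyPath -Name $s.Name `
                      -ErrorAction SilentlyContinue).($s.Name)
        }
        # Absent or 0 means the Vista SP1 / Server 2008 hardened default applies;
        # the article sets the value to 0x01 to re-enable the old behavior.
        $legacy = ($null -ne $value) -and ([int]$value -ne 0)
        [pscustomobject]@{
            ValueName = $s.Name
            Present   = ($null -ne $value)
            Data      = $value
            State     = if ($legacy) { 'LEGACY BEHAVIOR ENABLED' } else { 'Default (hardened)' }
            Effect    = if ($legacy) { $s.Effect } else { '' }
        }
    }
}

# Usage: pass the real Config subkey path from the article.
Get-PkiNetworkRetrievalAudit -ConfigKeyPath 'HKLM:\PLACEHOLDER\Config' | Format-Table -AutoSize
```

Run it in an elevated session if the Config subkey is not readable by standard users on your build; a row marked "LEGACY BEHAVIOR ENABLED" identifies a setting that should be justified or removed.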

Keywords: kbexpertiseinter kbhowto kbinfo KB946401

-


© Microsoft Corporation. All rights reserved.