Microsoft KB Archive/841641

= IIS returns a &quot;403.13 Client Certificate Revoked&quot; error message after you install MS04-011 because of Wininet proxy settings =

Article ID: 841641

Article Last Modified on 11/21/2006

-

APPLIES TO


 * Microsoft Internet Information Services 5.0

-



SYMPTOMS
When you access a Web site that is set to require client certificates, you may receive the following HTTP error message, even if you are sure that the client certificate has not been revoked:

403.13 Client Certificate Revoked



CAUSE
Winhttp.dll may prevent the retrieval of the Wininet proxy settings if all the following conditions are true:
 * The server is configured with Internet Information Services (IIS) services.
 * The server is running under the Local System account.
 * The browser (Wininet) proxy settings have been manually configured.

If you do not have the Web Proxy Auto-Discovery (WPAD) configured, Microsoft Cryptography API (CAPI) cannot download Certificate Revocation Lists (CRLs) because CAPI cannot find proxy settings. Also, after you apply the MS04-011 security update, CAPI uses the Winhttp.dll file instead of the Wininet.dll file. Therefore, CAPI does not support WPAD when you use scripts that are not based on JavaScript.



RESOLUTION
To resolve this problem, you can use the Proxycfg.exe file to manually configure the proxy settings for the computer. For example, run either of the following commands to import from the user's browser settings:

proxycfg.exe -p itgproxy:80

proxycfg.exe -u

The Proxycfg.exe file is available from the Platform Software Development Kit (SDK).



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

