Microsoft KB Archive/254047

= Using SSL with Internet Information Server May Cause Browser Error =

Article ID: 254047

Article Last Modified on 11/21/2006

-

APPLIES TO


 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0

-



This article was previously published under Q254047



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
When a user connects to an IIS site that uses SSL, the browser may encounter a problem. Specifically, Internet Explorer may generate an error message (usually a Dr. Watson in Windows NT or a General Protection Fault in Windows 95/98) for the Schannel.dll file.

Note: Netscape Navigator does not use the standard Windows Schannel.dll file. When you are connecting with Netscape, you are notified that an error occurred in the secure communication.



CAUSE
This problem can be caused when the server certificate (intermediate, non-root certificate) installed on IIS has the same Subject and Issuer. For example, if the certificate's Issued to: and Issued by: fields both contain "Microsoft."

When Schannel processes the request, it sees this certificate as being self-signed (in other words, a root Certificate Authority certificate). Schannel does not allow these to be sent out, and therefore sends the client no server key. The client, not expecting this, does not know how to process this error.



RESOLUTION
This problem in the Schannel.dll file has been corrected in Internet Information Services 5.0 for Windows 2000.

Note: The server certificate must be deleted and re-installed.



WORKAROUND
To work around this problem, delete the server certificate, and then create a new server certificate with a different Subject and Issuer. You can delete the existing certificate, by doing the following:
 * 1) Start Internet Explorer on the IIS computer.
 * 2) From the Internet Options menu, click the Content tab.
 * 3) In the Intermediate Certification Authorities list, remove the server certificate.

For additional information how to install a new certificate, click the article number below to view the article in the Microsoft Knowledge Base:

218445 How to Configure Certificate Server for Use with SSL on IIS



MORE INFORMATION
The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Additional query words: iis 5 ssl certificate ie

Keywords: kbprb kbpending KB254047

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.