Microsoft KB Archive/314324

= IIS generates an HTTP 500 error when "Accept client certificates" is enabled =

Article ID: 314324

Article Last Modified on 11/21/2006


APPLIES TO


 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0




This article was previously published under Q314324



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SUMMARY
A server that is running Internet Information Server with Secure Sockets Layer (SSL) enabled can either ignore or accept client certificates. By default, the server is set up to ignore these certificates; however, if you decide to accept client certificates and to still use Anonymous authentication on your Web server, IIS generates harmless HTTP 500 error messages in the Web site log files. This is expected behavior.

The HTTP 500 error is part of the negotiation process between the client and the server. The immediate cause of the HTTP 500 error is that the client closed the connection while the server was searching for additional data from the request. Because the socket is closed, IIS cancels the request and logs an HTTP 500 error. When the server sends a request for a client certificate, the browser processes this as a fatal error and closes the connection. It then starts a new session based on the assumption that the server is a "non-anonymous server."



MORE INFORMATION
The following note is documented in the SSL 3.0 Protocol Specifications paper, Section 7.6.4, "Certificate Request:"

Note: It is a fatal handshake_failure alert for an anonymous server to request client identification.
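
To help separate the expected HTTP 500 entries described in the Summary from ones that need attention, the following added example (not part of the original article and not Microsoft code) scans a W3C extended log and marks a 500 on port 443 as a likely negotiation artifact when the same client gets a non-500 response for the same URL within a few seconds. The sample log, the 5-second window, the retry heuristic, and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in W3C Extended Log File Format (not from the article).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem s-port sc-status
2006-11-21 10:00:01 192.0.2.10 GET /secure/default.asp 443 500
2006-11-21 10:00:02 192.0.2.10 GET /secure/default.asp 443 200
2006-11-21 10:05:00 192.0.2.20 GET /app/report.asp 443 500
2006-11-21 10:06:00 192.0.2.30 GET /app/report.asp 80 500
"""

RETRY_WINDOW = timedelta(seconds=5)  # assumed threshold; tune per site


def parse_w3c(text):
    """Yield one dict per log entry, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) != len(fields):
                continue  # skip truncated or malformed entries
            row = dict(zip(fields, parts))
            stamp = row["date"] + " " + row["time"]
            row["ts"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            yield row


def triage_500s(text, window=RETRY_WINDOW):
    """Split HTTP 500 entries into (likely_negotiation, needs_review)."""
    rows = list(parse_w3c(text))
    likely, review = [], []
    for i, row in enumerate(rows):
        if row["sc-status"] != "500":
            continue
        # Heuristic: an SSL-port 500 quickly followed by a non-500 response
        # to the same client and URL matches the reconnect described above.
        retried = row["s-port"] == "443" and any(
            later["c-ip"] == row["c-ip"]
            and later["cs-uri-stem"] == row["cs-uri-stem"]
            and later["s-port"] == "443"
            and later["sc-status"] != "500"
            and timedelta(0) <= later["ts"] - row["ts"] <= window
            for later in rows[i + 1:]
        )
        (likely if retried else review).append(row)
    return likely, review
```

Calling `triage_500s(SAMPLE_LOG)` returns the two lists; entries in the second list have no matching retry and should be investigated as ordinary server errors.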

