Microsoft KB Archive/841642

= Errors with client certificates occur after you install the MS04-011 security update on an IIS 5.0 computer =

Article ID: 841642

Article Last Modified on 11/21/2006

-

APPLIES TO

 * Microsoft Internet Information Services 5.0, when used with:
   * Microsoft Windows 2000 Service Pack 3
   * Microsoft Windows 2000 Service Pack 2
   * Microsoft Windows 2000 Service Pack 1
   * Microsoft Windows 2000 Standard Edition

-

SYMPTOMS
When you access a Web site that is set to require client certificates, you may receive the following HTTP error message, even if you are sure that the client certificate has not been revoked:

403.13 Client Certificate Revoked

You receive this error message when all the following conditions are true:
 * Your computer is running Microsoft Windows 2000 Service Pack 3.
 * You have applied MS04-011.
 * The version of the Infocomm.dll file is earlier than 5.0.2195.6709.
 * Your certificate chain includes an intermediate certification authority, and you are using certificates that do not have a CRL Distribution Points (CDP) extension.
 * You are using a Certificate Revocation List (CRL) that has a critical Issuing Distribution Point (IDP) extension.

CAUSE
The problem occurs if you have applied MS04-011 and both the following conditions are true:
 * Your certificate chain includes an intermediate certification authority, and you are using certificates that do not have a CRL Distribution Points (CDP) extension.
 * You are using a Certificate Revocation List (CRL) that has a critical Issuing Distribution Point (IDP) extension.

Because the intermediate certification authority certificate has no CDP extension, the chain engine has no location from which to retrieve a CRL for it, so the revocation status of that certificate cannot be determined from the certificate alone. Before MS04-011, the chain is still trusted when both conditions are true, because the CRL that carries the critical IDP extension is accepted for the intermediate certificate. After MS04-011, that CRL is no longer accepted as covering a certificate that has no CDP extension. The revocation status of the intermediate certificate is therefore unknown, Internet Information Services (IIS) fails the chain, and the client receives the 403.13 error even though no certificate in the chain has been revoked.

RESOLUTION
To resolve this problem, install the May 2003 cumulative update for IIS. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

811114 MS03-018: May 2003 cumulative patch for Internet Information Services (IIS)

WORKAROUND
To work around this problem, use one of the following methods:
 * If you do not need revocation checking on the intermediate certification authority certificate, issue an empty Certificate Revocation List (CRL) that has a very long validity period from the parent certification authority, and install that CRL in the local computer certificate store on the IIS computer.
 * Reissue the intermediate certification authority certificate so that all the following are true:
   * The new certificate has a CDP extension that points to a working URL.
   * The new certificate has the same subject name and the same key as the certificate that it replaces.
   * The notBefore and notAfter dates of the new certificate are later than the corresponding dates of the original certificate, so that the new certificate is preferred over the original one when the chain is built.
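The following Python script is an added example, not part of the original article. It uses the `cryptography` package to build a small test PKI that reproduces the condition set in the CAUSE section (an intermediate CA certificate with no CDP extension, checked against a parent CRL that carries a critical IDP extension), provides a `diagnose()` check that can be pointed at real certificate and CRL objects, and constructs the two workaround artifacts described above: an empty, long-lived parent CRL without an IDP, and a reissued intermediate certificate with the same subject name and key, later validity dates, and a CDP. The CA names, the URL `pki.example.test`, and all function names are assumptions made for this example; the script only inspects the extensions and does not reproduce the CryptoAPI chain engine.

```python
"""Check a CA certificate and a CRL for the KB 841642 condition set and build
the two workaround artifacts. The test PKI is generated inline; the CA names
and the pki.example.test URL are made up for this example."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

ROOT_CRL_URL = "http://pki.example.test/root.crl"  # hypothetical CDP/IDP location


def _utcnow():
    return datetime.datetime.now(datetime.timezone.utc)


def make_cert(subject, issuer, pubkey, signing_key, issued_days_ago, cdp_url=None):
    """Issue a CA certificate; add a CRL Distribution Points extension only if cdp_url is given."""
    now = _utcnow()
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer).public_key(pubkey)
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=issued_days_ago))
               .not_valid_after(now + datetime.timedelta(days=3650))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True))
    if cdp_url:
        dp = x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(cdp_url)],
                                    relative_name=None, reasons=None, crl_issuer=None)
        builder = builder.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return builder.sign(signing_key, hashes.SHA256())


def make_crl(issuer_cert, issuer_key, valid_days, idp_url=None, idp_critical=True):
    """Issue an empty CRL; add an Issuing Distribution Point extension only if idp_url is given."""
    now = _utcnow()
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer_cert.subject)
               .last_update(now)
               .next_update(now + datetime.timedelta(days=valid_days)))
    if idp_url:
        idp = x509.IssuingDistributionPoint(
            full_name=[x509.UniformResourceIdentifier(idp_url)], relative_name=None,
            only_contains_user_certs=False, only_contains_ca_certs=False,
            only_some_reasons=None, indirect_crl=False, only_contains_attribute_certs=False)
        builder = builder.add_extension(idp, critical=idp_critical)
    return builder.sign(issuer_key, hashes.SHA256())


def diagnose(intermediate, crl, parent_cert):
    """Report whether the pair shows the KB 841642 combination: an intermediate
    without a CDP extension checked against a parent CRL with a critical IDP."""
    try:
        intermediate.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
        has_cdp = True
    except x509.ExtensionNotFound:
        has_cdp = False
    try:
        idp_critical = crl.extensions.get_extension_for_oid(
            ExtensionOID.ISSUING_DISTRIBUTION_POINT).critical
    except x509.ExtensionNotFound:
        idp_critical = False
    # The CRL only matters if it really is the parent's: same issuer name, valid signature.
    crl_is_parents = (crl.issuer == intermediate.issuer
                      and crl.is_signature_valid(parent_cert.public_key()))
    return {"intermediate_has_cdp": has_cdp,
            "crl_has_critical_idp": idp_critical,
            "crl_is_parents": crl_is_parents,
            "matches_kb841642": crl_is_parents and not has_cdp and idp_critical}


def build_scenario():
    """Constructed test PKI mirroring the article, plus the two workaround artifacts."""
    root_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    inter_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    inter_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Intermediate CA")])
    root = make_cert(root_name, root_name, root_key.public_key(), root_key, issued_days_ago=800)
    return {
        "root": root,
        # as in the article: intermediate issued by the root without a CDP extension
        "intermediate": make_cert(inter_name, root_name, inter_key.public_key(), root_key, 400),
        # as in the article: the parent's CRL carries a critical IDP extension
        "crl_with_idp": make_crl(root, root_key, 30, idp_url=ROOT_CRL_URL, idp_critical=True),
        # workaround 1: empty, very long-lived parent CRL with no IDP extension
        "workaround_crl": make_crl(root, root_key, 3650),
        # workaround 2: same subject name and key, later validity dates, working CDP
        "reissued_intermediate": make_cert(inter_name, root_name, inter_key.public_key(),
                                           root_key, 1, cdp_url=ROOT_CRL_URL),
    }


if __name__ == "__main__":
    s = build_scenario()
    for label, cert, crl in [("original chain", s["intermediate"], s["crl_with_idp"]),
                             ("empty long-lived CRL", s["intermediate"], s["workaround_crl"]),
                             ("reissued intermediate", s["reissued_intermediate"], s["crl_with_idp"])]:
        print(f"{label}: {diagnose(cert, crl, s['root'])}")
```

Run against a real deployment by loading the intermediate certificate, the parent CRL and the parent certificate with `x509.load_pem_x509_certificate` / `x509.load_pem_x509_crl` and passing them to `diagnose()`; `matches_kb841642` being true is the combination the article describes, and either workaround clears it by changing only one side of the pair.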

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Keywords: kbhttp kbwebserver kbprb kbwebservices KB841642

-

© Microsoft Corporation. All rights reserved.