Microsoft KB Archive/247098

From BetaArchive Wiki

Article ID: 247098

Article Last Modified on 11/21/2006



APPLIES TO

  • Microsoft Internet Information Server 3.0
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services 5.1



This article was previously published under Q247098

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

SUMMARY

This step-by-step article describes how to install or reload the Secure Sockets Layer (SSL) filter to turn on SSL for Web sites.

back to the top

Install the Filter

The Web sites must have the Sspifilt.dll file loaded. By default, this filter is installed with the Microsoft Windows NT 4.0 Option Pack for Internet Information Server (IIS) 4.0, when you install Internet Information Services (IIS) 5.0 on Microsoft Windows 2000, and when you install IIS 5.1 on Microsoft Windows XP Professional. To find this filter, enumerate the master properties in the Microsoft Management Console (MMC).

To verify the status of Sspifilt.dll, follow these steps:

back to the top

IIS 4.0 and 5.0

  1. In the MMC, under Internet Information Services, right-click server_name and then click Properties.
  2. In the Master Properties section, click WWW Service, and then click Edit.
  3. On the ISAPI Filters tab, notice the direction and color of the arrow:
    • If the arrow is green and pointing up, the filter is loaded correctly.
    • If the arrow is red and pointing down, the filter is not loaded. SSL will not work on this server until this problem is corrected.

back to the top

IIS 5.1

  1. In the MMC, under Internet Information Services, right-click Web Sites and then click Properties.
  2. On the ISAPI Filters tab, notice the direction and color of the arrow:
    • If the arrow is green and pointing up, the filter is loaded correctly.
    • If the arrow is red and pointing down, the filter is not loaded. SSL will not work on this server until this problem is corrected.

If you find that the filter is not loaded, follow the steps in the Reload section to correct this problem.

back to the top

Reload the Filter

To reload the Sspifilt.dll filter, follow these steps:

  1. Remove Sspifilt.dll from the master properties. (To access the master properties, see the steps in the Installation section).
  2. At a command prompt, type the following command to stop IIS and its dependent services:

    net stop iisadmin /y

  3. At a command prompt, type the following command to restart IIS and its dependent services:

    net start w3svc

  4. Open the master properties for the IIS server.
  5. On the ISAPI filters tab, click Add. Type SSPIFILT for the name and C:\%Systemroot%\System32\Inetsrv\Sspifilt.dll for the path. By default, the status shows Unknown.
  6. Stop and restart IIS and its dependent services (see steps 2 and 3).

If these steps prove unsuccessful, see the steps in the Troubleshooting section.

back to the top

Troubleshooting

  1. Check the permissions on the C:\%Systemroot%\System32\Intersrv folder. By default, Everyone has Change permissions; the Creator, Owner, Administrators, and System have Full Control permissions.
  2. At a command prompt, use the cd command to change to the C:\%systemroot%\System32\Inetsrv\Adminsamples directory, and then type the following command to check the values that are stored in the metabase:

    adsutil enum\filters

    The following output is returned:

    KeyType               :(String)  "IISFilters"
    FilterLoadOrder       :(String)  "sspifilt"
    [/w3svc/filters/sspifilt]
                            
  3. If this output is correct, check the values on the specific location, W3svc/Filters/Sspifilt. To do this, type the following command at a command prompt to enumerate the metabase:

    adsutil enum w3svc/filters/sspifilt

    This returns the following output:

    FilterState           :(Integer) 1 (this state shows the filter enabled)
                            

If this procedure is not successful:

For IIS 3.0: Remove and then reinstall IIS 3.0. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

184309 How to Install IIS Without Rerunning Windows NT Setup


For IIS 4.0: Remove and then reinstall the Windows NT 4.0 Option Pack. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

187870 How To How to Remove and Reinstall the Windows NT 4.0 Option Pack


For IIS 5.0 and 5.1: Remove and then reinstall IIS. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

325889 How To Remove and Reinstall IIS 5.0 and 5.1


NOTE: For IIS 4.0, 5.0 and 5.1, you must back up the configuration of IIS before you remove it, so that you can restore that configuration after the reinstallation. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

302573 How To Back Up and Restore IIS


back to the top

REFERENCES

For additional information about SSL, click the article numbers below to view the articles in the Microsoft Knowledge Base:

292296 'Cannot find server' or 'DNS' Errors When Using SSL (Q and A)


289582 HTTPS Connections Fail After You Upgrade to Windows NT 4.0 Option Pack (IIS 4.0) and Enable SSL


197306 How to Troubleshoot SSL in Internet Information Server 4.0


324839 Cannot Open SSL-Enabled Web Site


back to the top

Keywords: kbhowto kbhowtomaster KB247098