Microsoft KB Archive/842735

From BetaArchive Wiki

Article ID: 842735

Article Last Modified on 11/14/2007


APPLIES TO

  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional


Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows XP and Windows Vista


SYMPTOMS

You have a Windows XP-based computer that has security update 835732 installed. When you connect the Windows XP-based computer to a Windows Server 2003-based computer that is running Internet Information Services (IIS) 6.0, you receive the following error message after you select a certificate:

403.13 Client Certificate Revoked

You may receive this error message if mutual authentication is enabled.

Note This problem also occurs when you connect the Windows XP-based computer that has security update 835732 installed to a computer that is running Microsoft Windows 2000 and Internet Information Services (IIS) 5.0.

CAUSE

This problem occurs because of a retrieval time-out in the certificate revocation list (CRL).

Security update 835732 introduces a new CryptoAPI behavior for network time-outs. This change was first made to address the problem of long delays that occur because of CryptoAPI blocking during CRL retrievals when the target URL is inaccessible.

In Windows XP, the default time-out value is 15 seconds. Windows XP includes a feature that retries the download on a background thread with a default time-out value of 60 seconds. CRLs that reside on a Lightweight Directory Access Protocol (LDAP) URL may be especially affected because of a reduced throughput.

RESOLUTION

Hotfix information

A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows XP service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451


Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support


Prerequisites

You must have one of the following service packs installed to apply this hotfix:

  • Windows XP Service Pack 1 (SP1)
  • Windows XP Service Pack 2 (SP2)

Restart requirement

You must restart the DHCP service after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

Registry information

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

After you apply this hotfix, configure the URL retrieval time-out values by modifying the registry. To do this, follow these steps:

  1. Click Start, click Run, type regedit, and then press ENTER.
  2. Click the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config

  3. On the Edit menu, point to New, and then click Key.
  4. Type the following name for the new key, and then press ENTER:

    ChainUrlRetrievalTimeoutMilliseconds

  5. On the Edit menu, point to New, and then click DWORD Value.
  6. Type the time-out value, and then click OK.

    Notes
    • The ChainUrlRetrievalTimeoutMilliseconds entry is the default URL time-out value for authority information access (AIA) retrievals and for non-accumulative CRL retrievals.
    • This value represents the time-out period in milliseconds. If this value is set to zero (0) or if it does not exist, a default value of 15,000 milliseconds is used.
  7. On the Edit menu, point to New, and then click Key.
  8. Type the following name for the new key, and then press ENTER:

    ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds

  9. On the Edit menu, point to New, and then click DWORD Value.
  10. Type the time-out value, and then click OK.

    Notes
    • The ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds entry is the default revocation accumulative URL time-out value. The first revocation URL retrieval uses half of this time-out value.
    • This value represents the time-out period in milliseconds. If this value is set to zero (0) or if it does not exist, a default value of 20,000 milliseconds is used.
  11. Exit Registry Editor.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows XP with SP1, x86-based versions
File name File version File size Date Time Platform SP requirement
Crypt32.dll 5.131.2600.1596 580,608 01-Oct-2004 23:44 x86 SP1
Cryptnet.dll 5.131.2600.1596 58,368 01-Oct-2004 23:44 x86 SP1
Winhttp.dll 5.1.2600.1592 331,776 01-Oct-2004 08:44 x86 SP1
Wintrust.dll 5.131.2600.1592 167,424 01-Oct-2004 23:44 x86 SP1
Efsadu.dll 5.1.2600.1592 24,576 01-Oct-2004 23:44 x86 SP1
Windows XP with SP2, x86-based versions
File name File version File size Date Time Platform SP requirement
Crypt32.dll 5.131.2600.2524 598,016 01-Oct-2004 23:34 x86 SP2
Cryptnet.dll 5.131.2600.2524 64,512 01-Oct-2004 23:34 x86 SP2


STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about the server-side cause on a Windows Server 2003-based server, click the following article number to view the article in the Microsoft Knowledge Base:

884115 You receive a "403.13 client certificate revoked" error message when you connect to a computer that is running Windows Server 2003 and Internet Information Services 6.0


For more information about the server-side cause on a Windows 2000-based server, click the following article number to view the article in the Microsoft Knowledge Base:

841632 You receive the "403.13 client certificate revoked" error message after you install the MS04-11 security update


For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates


Keywords: kbexpertiseadvanced kbfix kbpubtypekc kbqfe kbhotfixserver KB842735



Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.


Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/842735&oldid=205749
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki