Article ID: 324839
Article Last Modified on 11/21/2006
APPLIES TO
- Microsoft Internet Information Services 5.0
- Microsoft Internet Information Server 4.0
This article was previously published under Q324839
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SYMPTOMS
When you try to open a Web site that has Secure Sockets Layer (SSL) enabled in Internet Information Server (IIS) 4.0 or Internet Information Services (IIS) 5.0 with https, the browser stops responding (hangs) after the SSL handshake. The system log shows the following event:
CAUSE
To enable SSL for Web sites in IIS 4.0 and IIS 5.0, the Web sites must have the Sspifilt.dll global filter loaded from the Internet Service Manager instead of from the registry.
RESOLUTION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
- Make sure that Sspifilt.dll is not loaded in the legacy W3SVC registry entry:
- Click Start, click Run, and then type regedt32.
- In the left pane of Registry Editor, locate the HKEY_Local_Machine\System\CurrentControlSet\Services\W3SVC\Parameters registry key.
- In the right pane, double-click Filter DLLs to display the string value.
- Delete the path entry for Sspifilt.dll. By default, this is
Windows directory
\System32\Inetsrv\Sspifilt.dll. - Click OK to close Registry Editor.
- Reload the Sspifilt filter:
- Open the Internet Services Manager.
- In the left pane, right-click the server name, and then click Properties.
- Under Master Properties, select WWW Service, and then click Edit.
- Click the ISAPI Filters tab.
- In the list of installed filters, look for Sspifilt. If it is listed, you can skip the remaining steps.
- If Sspifilt is not listed, click Add.
- In the Filter Properties dialog box, type sspifilt for Filter Name and
Windows directory
\system32\Inetsrv\Sspifilt.dll for Executable. Then click OK three times to return to the Internet Services Manager window. - At a command prompt, type net stop iisadmin /y. This stops IIS and its dependent services.
- At a command prompt, type net start w3svc. This starts the IIS Admin service and the World Wide Web Publishing service. You may have to start other dependent services manually.
- Repeat steps a-e and verify that the status of the Sspifilt filter is now shown with a green upward-pointing arrow. Also, verify that the filter has a high priority. If it is not the first filter listed, use the up arrow to the left of the filter list to move it to the top.
REFERENCES
For additional information about this problem when you are using IIS 4.0, click the article number below to view the article in the Microsoft Knowledge Base:
289582 HTTPS Connections Fail After You Upgrade to Windows NT 4.0 Option Pack (IIS 4.0) and Enable SSL
Additional query words: iis 5
Keywords: kbprb kbpending KB324839