DOCUMENT:Q249863 08-MAY-2002 [winnt] TITLE :SGC Connections May Fail from Domestic Clients PRODUCT :Microsoft Windows NT PROD/VER::2000,4.0,5,5.01 OPER/SYS: KEYWORDS:kbSecurity kbWin2000PreSP1Fix kbWinNT400PreSP7Fix ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation version 4.0 - Microsoft Windows NT Server version 4.0 - Microsoft Windows NT Server, Enterprise Edition version 4.0 - Microsoft Internet Information Server version 4.0 - Microsoft Internet Explorer versions 5, 5.01 for Windows NT 4.0 - Microsoft Internet Explorer version 5.01 for Windows 98 Second Edition - Microsoft Internet Explorer versions 5, 5.01 for Windows 98 - Microsoft Windows 98 Second Edition - Microsoft Windows 98 - Microsoft Windows 95 - Microsoft Windows 2000 Advanced Server - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Server ------------------------------------------------------------------------------- SYMPTOMS ======== Web clients may fail to connect to Web sites that use Server Gated Cryptography (SGC) for strong encryption when a secure connection is required. If either the Internet server or Web client is running Microsoft products, then the connection may fail. If the Internet server and Web client are both running Microsoft products, then no problem occurs. CAUSE ===== This problem occurs in the security provider Schannel.dll file, which is used in Microsoft Internet Information Server (IIS) and Microsoft Internet Explorer, when you connect to a site that uses SGC to do high encryption, and the export cipher suite uses one hash algorithm and the domestic cipher suite uses another. In this situation, the Schannel.dll file occasionally selects the wrong algorithm, which results in a failed connection. RESOLUTION ========== Windows 2000 ------------ To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, please see the following article in the Microsoft Knowledge Base: Q260910 How to Obtain the Latest Windows 2000 Service Pack Windows NT 4.0 -------------- To resolve this problem, obtain the Windows NT 4.0 Security Rollup Package. For additional information, click the article number below to view the article in the Microsoft Knowledge Base: Q299444 Post-Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP) The English version of this fix should have the following file attributes or later: Date Time Size File name Platform ------------------------------------------------------------- 01/26/2000 06:15p 154,384 Schannel.dll NT x86 40bit 01/26/2000 07:40p 267,536 Schannel.dll NT Alpha 40bit 01/26/2000 07:40p 123,664 Schannel.dll NT x86 128bit 01/26/2000 07:40p 226,576 Schannel.dll NT Alpha 28bit This hotfix has been posted to the following Internet locations: http://www.microsoft.com/ntserver/nts/downloads/critical/schannel/default.asp Microsoft Windows NT Server version 4.0, Terminal Server Edition ---------------------------------------------------------------- To resolve this problem, obtain the Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package (SRP). For additional information about the SRP, click the article number below to view the article in the Microsoft Knowledge Base: Q317636 Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package Windows 9x ---------- A supported fix is now available from Microsoft, but it is only intended to correct the problem described in this article and should be applied only to systems experiencing this specific problem. To resolve this problem, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web: http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS NOTE: In special cases, charges that are normally incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. Normal support costs will apply to additional support questions and issues that do not qualify for the specific update in question. The English version of this fix should have the following file attributes or later: Date Time Size File name Platform ------------------------------------------------------- 01/26/2000 03:15p 154,384 Schannel.dll Win95 40bit 01/26/2000 04:40p 123,664 Schannel.dll Win95 128bit 01/26/2000 03:15p 154,384 Schannel.dll Win98 40bit 01/26/2000 04:40p 123,664 Schannel.dll Win98 128bit This hotfix has been posted to the following Internet locations: http://www.microsoft.com/windows98/downloads/contents/WUCritical/schannel/Default.asp http://www.microsoft.com/windows95/downloads/contents/WUCritical/Schannel/ STATUS ====== Windows 2000 ------------ Microsoft has confirmed that this problem could result in some degree of security vulnerability in Windows 2000. This problem was first corrected in Windows 2000 Service Pack 1. Windows NT 4.0 -------------- Microsoft has confirmed that this problem could result in some degree of security vulnerability in Windows NT 4.0. Windows 9x ---------- Microsoft has confirmed that this problem could result in some degree of security vulnerability in Windows 95, Windows 98, and Windows 98 Second Edition. MORE INFORMATION ================ This fix should be applied based on the following scenarios: - If the server is running IIS and the clients are not running Microsoft Internet Explorer, then apply the Microsoft Windows NT patch on the server. - If the server is running Microsoft Personal Web Server (PWS) for Windows 95 or 98 and the clients are not running Microsoft Internet Explorer, then apply the appropriate Microsoft Windows 95 or 98 patch on the PWS computer. - If the server is not running IIS or PWS and the client is running Microsoft Internet Explorer, then apply the appropriate Microsoft Windows NT, Microsoft Windows 95, or Microsoft Windows 98 patch on the client. Note: If the Internet server and Web client are Microsoft products, then there is no issue. In most Windows 95 and Windows 98 cases, Windows is used as a client, and the fix should be applied on the client side. Additional query words: security_patch tsesrp kbfaqw2knet ====================================================================== Keywords : kbSecurity kbWin2000PreSP1Fix kbWinNT400PreSP7Fix Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT400search kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000Serv kbWinNTSsearch kbWinNTSEntSearch kbWinNTSEnt400 kbWinNTS400search kbWinNTS400 kbwin2000ServSearch kbwin2000Search kbwin2000ProSearch kbwin2000Pro kbiisSearch kbIEsearch kbWin95search kbWin98search kbWin98SEsearch kbiis400 kbZNotKeyword2 kbIENT400Search kbIE500Search kbWinAdvServSearch kbZNotKeyword3 kbIE98Search kbWin98 kbIE500Win98 kbIE501Win98 kbIE501Win98SE kbIE500WinNT400 kbIE501WinNT400 kbWin98SE kbIE98SESearch Version : :2000,4.0,5,5.01 Hardware : ALPHA x86 Issue type : kbbug Solution Type : kbfix ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.