DOCUMENT:Q254047 11-MAR-2000 [iis] TITLE :Using SSL with Internet Information Server May Cause Browser Err PRODUCT :Internet Information Server PROD/VER:winnt:4.0,5.0 OPER/SYS: KEYWORDS:kbOSWin2000 ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Internet Information Server 4.0 - Microsoft Internet Information Services version 5.0 ------------------------------------------------------------------------------- SYMPTOMS ======== When a user connects to an IIS site that uses SSL, the browser may encounter a problem. Specifically, Internet Explorer may generate an error message (usually a Dr. Watson in Windows NT or a General Protection Fault in Windows 95/98) for the Schannel.dll file. Note: Netscape Navigator does not use the standard Windows Schannel.dll file. When you are connecting with Netscape, you are notified that an error occurred in the secure communication. CAUSE ===== This problem can be caused when the server certificate (intermediate, non-root certificate) installed on IIS has the same Subject and Issuer. For example, if the certificate's Issued to: and Issued by: fields both contain "Microsoft." When Schannel processes the request, it sees this certificate as being self-signed (in other words, a root Certificate Authority certificate). Schannel does not allow these to be sent out, and therefore sends the client no server key. The client, not expecting this, does not know how to process this error. RESOLUTION ========== This problem in the Schannel.dll file has been corrected in Internet Information Services 5.0 for Windows 2000. Note: The server certificate must be deleted and re-installed. WORKAROUND ========== To work around this problem, delete the server certificate, and then create a new server certificate with a different Subject and Issuer. You can delete the existing certificate, by doing the following: 1. Start Internet Explorer on the IIS computer. 2. From the Internet Options menu, click the Content tab. 3. In the Intermediate Certification Authorities list, remove the server certificate. For additional information how to install a new certificate, click the article number below to view the article in the Microsoft Knowledge Base: Q218445 How to Configure Certificate Server for Use with SSL on IIS MORE INFORMATION ================ The third-party products discussed in this article are manufactured by vendors independent of Microsoft; we make no warranty, implied or otherwise, regarding these products' performance or reliability. Additional query words: iis 5 ssl certificate ie ====================================================================== Keywords : kbOSWin2000 Technology : kbiisSearch kbiis500 kbiis400 Version : winnt:4.0,5.0 Issue type : kbprb Solution Type : kbpending ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2000.