ActiveX Error Messages Using Certificate Enrollment Web Pages to Enroll a Smart Card in Internet Explorer (330211)


The information in this article applies to:

  • Microsoft Internet Explorer 5.5 for Windows NT 4.0
  • Microsoft Internet Explorer 5.01 for Windows NT 4.0
  • Microsoft Internet Explorer 5.0 for Windows NT 4.0
  • Microsoft Internet Explorer 5.5 for Windows Millennium Edition
  • Microsoft Internet Explorer 5.5 for Windows 98 Second Edition
  • Microsoft Internet Explorer 5.01 for Windows 98 Second Edition
  • Microsoft Internet Explorer 5.0 for Windows 98 Second Edition
  • Microsoft Internet Explorer 5.5 for Windows 98
  • Microsoft Internet Explorer 5.01 for Windows 98
  • Microsoft Internet Explorer 5.0 for Windows 98
  • Microsoft Internet Explorer 5.5 for Windows 2000
  • Microsoft Internet Explorer 5.01 for Windows 2000
  • Microsoft Internet Explorer version 6 for Windows 98
  • Microsoft Internet Explorer version 6 for Windows 98 Second Edition
  • Microsoft Internet Explorer version 6 for Windows Millennium Edition
  • Microsoft Internet Explorer version 6 for Windows NT 4.0
  • Microsoft Internet Explorer version 6 for Windows 2000
  • Microsoft Internet Explorer version 6 for Windows XP
  • Microsoft Internet Explorer version 6 for Windows XP 64-Bit Edition
This article was previously published under Q330211

SYMPTOMS

You may receive the following error message after the "Downloading ActiveX Control" message appears in the progress bar when you try to use a Microsoft Windows Certificate Server to enroll a smart card:
The proper version of the ActiveX Control failed to download and install. You may not have sufficient permissions. Please ask your system administrator for assistance.
When this occurs, you cannot continue to use the Smartcard Enrollment Station Web page (Certsces.asp).

CAUSE

This behavior occurs if the Microsoft Windows Certificate Server is not in the Trusted Sites zone in Internet Explorer.

When a client computer for which the updated control has not been applied tries to enroll with a Web server that has been updated, the Web server downloads the updated control to the client computer. This occurs if the Web server that hosts the Certificate Services Web enrollment pages is in the Trusted Sites zone in Internet Explorer and if you click Yes in the first warning message as indicated later in this article.

RESOLUTION

To work around this issue, add the Microsoft Windows Certificate Server computer to the Trusted Sites zone in Internet Explorer:
  1. In Internet Explorer, click Internet Options on the Tools menu.
  2. On the Security tab, click Trusted sites.
  3. Click Sites.
  4. In the Add this Web site to this zone box, type the address for the Microsoft Windows Certificate Server. If the Microsoft Windows Certificate Server (or your computer) is not configured to use SSL, click to clear the Require server verification (https:) for all sites in this zone check box.
  5. Click Add, and then click OK.
  6. Click OK.
After you follow these steps, you receive the following warning message when you use a Microsoft Windows Certificate Server to enroll a smart card:
An Active control on this page might be unsafe to interact with other parts of the page. Do you want to allow this interaction?
Click Yes to continue to use the Smartcard Enrollment Station Web pages.

STATUS

This behavior is by design.

MORE INFORMATION

You can use Microsoft Windows 2000-based and Microsoft Windows XP-based client computers in conjunction with the Web enrollment services pages on Microsoft Internet Information Services (IIS) and a Windows 2000 certification authority (CA) to enroll smart cards on behalf of other users. The Smartcard Enrollment station works through Internet Explorer on the client computer and IIS on the server that is hosting the CA Web enrollment pages. This is an optional component during CA installation. The new version of the Smartcard Enrollment control on an updated Web site is not marked "Safe for scripting." You must manually configure Internet Explorer to add the Web server computer that is hosting the Web enrollment pages to the list of trusted sites on the Security tab in Internet Explorer options. If you do not do so, the Smartcard Enrollment control is not downloaded and cannot be used.

After you apply this update to a client computer, the client cannot enroll with a Web server for which the update has not been applied. If you are using a client computer that has installed the fix, Web pages may stop responding, you may receive error messages that state that the ActiveX control could not be downloaded, or enrollment may not be successful. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

330389 Internet Explorer Stops Responding at "Downloading ActiveX Control" Message When You Try to Use a Certificate Server

NOTE: Even if a Web site has been updated and client enrollment is successful, you must update the client computer to remove this vulnerability. Netscape browsers do not use the Certificate Enrollment control to enroll with a Microsoft Windows Certificate Server. However, the client computers must be updated to remove this vulnerability.
Modification Type:MajorLast Reviewed:12/5/2003
Keywords:kbprb KB330211
©2003 Microsoft Corporation. All rights reserved.