IIS returns a "403.13 Client Certificate Revoked" error message after you install MS04-011 because of Wininet proxy settings (841641)

SYMPTOMS

When you access a Web site that is set to require client certificates, you may receive the following HTTP error message, even if you are sure that the client certificate has not been revoked:

403.13 Client Certificate Revoked

CAUSE

Winhttp.dll may prevent the retrieval of the Wininet proxy settings if all the following conditions are true:

The server is configured with Internet Information Services (IIS) services.
The server is running under the Local System account.
The browser (Wininet) proxy settings have been manually configured.

If you do not have the Web Proxy Auto-Discovery (WPAD) configured, Microsoft Cryptography API (CAPI) cannot download Certificate Revocation Lists (CRLs) because CAPI cannot find proxy settings. Also, after you apply the MS04-011 security update, CAPI uses the Winhttp.dll file instead of the Wininet.dll file. Therefore, CAPI does not support WPAD when you use scripts that are not based on JavaScript.

RESOLUTION

To resolve this problem, you can use the Proxycfg.exe file to manually configure the proxy settings for the computer. For example, run either of the following commands to import from the user's browser settings:

proxycfg.exe -p itgproxy:80

proxycfg.exe -u

The Proxycfg.exe file is available from the Platform Software Development Kit (SDK).

REFERENCES

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

841642 Errors with client certificates occur after you install the MS04-011 security update on an IIS 5.0 computer

841632 You receive a "403.13 client certificate revoked" error message after you install the MS04-11 security update

IIS returns a "403.13 Client Certificate Revoked" error message after you install MS04-011 because of Wininet proxy settings (841641)

SYMPTOMS

CAUSE

RESOLUTION

STATUS

REFERENCES