Errors with client certificates occur after you install the MS04-011 security update on an IIS 5.0 computer (841642)
The information in this article applies to:
- Microsoft Internet Information Services 5.0, when used with:
- the operating system: Microsoft Windows 2000 SP3
- the operating system: Microsoft Windows 2000 SP2
- the operating system: Microsoft Windows 2000 SP1
- the operating system: Microsoft Windows 2000
SYMPTOMS
When you access a Web site that is set to require client certificates, you may receive the following HTTP error message, even if you are sure that the client certificate has not been revoked:
403.13 Client Certificate Revoked
You receive this error message when all the following conditions are true:
- Your computer is running Microsoft Windows 2000 Service Pack 3.
- You have applied MS04-011.
- The version of the Infocomm.dll file is earlier than 5.0.2195.6709.
- Your certificate chain includes an intermediate certification authority, and you are using certificates that do not have a CRL Distribution Point (CDP) extension.
- You are using a Certificate Revocation List (CRL) that has a critical Issuing Distribution Point (IDP) extension.
CAUSE
The problem occurs if you have applied MS04-011 and both the following conditions are true:
- Your certificate chain includes an intermediate certification authority, and you are using certificates that do not have a CRL Distribution Point (CDP) extension.
- You are using a Certificate Revocation List (CRL) that has a critical Issuing Distribution Point (IDP) extension.
The CDP extension tells the revocation checker where to retrieve a CRL for a certificate. When only the first condition is true, the intermediate certificate's revocation status cannot be determined, and Internet Information Services (IIS) rejects the chain. If you have not applied MS04-011, the chain is nevertheless trusted when both the first and the second conditions are true. If you have applied MS04-011, the chain fails in that same configuration because the revocation status of the intermediate certificate is treated as unknown, and IIS returns the 403.13 error.
RESOLUTION
To resolve this problem, install the May 2003 cumulative update for IIS.
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
811114
MS03-018: May 2003 cumulative patch for Internet Information Services (IIS)
WORKAROUND
To work around this problem, use one of the following methods:
- If you do not want revocation checking on the intermediate certification authority certificates, issue an empty Certificate Revocation List (CRL) that has a very long expiration period from the parent certification authority. Install the CRL in the local computer certificate store on the IIS computer. Note that as long as that CRL is valid, no certificate issued by the parent certification authority can be effectively revoked on that IIS computer.
- Reissue the intermediate certification authority certificate. Make sure that all the following are true:
  - The certificate has a CDP extension with a working URL, that is, a URL from which the IIS computer can actually retrieve the CRL.
  - The new certificate has the same subject name and the same key pair as the certificate that it replaces.
  - The notBefore and notAfter values of the new certificate are later than the corresponding values of the original certificate, so that the new certificate is selected when the chain is built.
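The following is an added example; it is not code from this article or from Microsoft. It uses the Python `cryptography` package (an assumed dependency) to build the chain shape described in the CAUSE section, check the two conditions that trigger the 403.13 error, and produce the artifacts the two WORKAROUND methods call for: an empty, long-lived CRL from the parent CA, and a reissued intermediate certificate that carries a CDP extension while keeping the original subject name and key with later validity dates. The CA names, URLs and validity periods are assumptions chosen for illustration.

```python
"""Added example (not from KB 841642 or Microsoft): reproduce the chain shape
from the CAUSE section with the `cryptography` package, test the two
triggering conditions, and build the artifacts for both WORKAROUND methods.
CA names, URLs and validity periods below are assumptions for illustration."""
import datetime

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Hypothetical URLs; a real CDP URL must be reachable from the IIS computer.
INTERMEDIATE_CDP_URL = "http://pki.example.test/Intermediate.crl"
ROOT_IDP_URL = "http://pki.example.test/Root.crl"
NOW = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0)
DAY = datetime.timedelta(days=1)


def new_key():
    return rsa.generate_private_key(65537, 2048, default_backend())


def issue_ca_cert(subject_cn, subject_key, issuer_cert, issuer_key,
                  not_before, not_after, cdp_url=None):
    """Issue a CA certificate. A CDP extension is added only when cdp_url is given."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject  # self-signed root
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer)
               .public_key(subject_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(not_before).not_valid_after(not_after)
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True))
    if cdp_url is not None:
        cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(cdp_url)],
            relative_name=None, reasons=None, crl_issuer=None)])
        builder = builder.add_extension(cdp, critical=False)
    return builder.sign(issuer_key, hashes.SHA256(), default_backend())


def issue_empty_crl(issuer_cert, issuer_key, days_valid, idp_url=None, idp_critical=True):
    """Issue a CRL with no revoked entries. An IDP extension is added only when idp_url is given."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer_cert.subject)
               .last_update(NOW).next_update(NOW + days_valid * DAY))
    if idp_url is not None:
        idp = x509.IssuingDistributionPoint(
            full_name=[x509.UniformResourceIdentifier(idp_url)], relative_name=None,
            only_contains_user_certs=False, only_contains_ca_certs=False,
            only_some_reasons=None, indirect_crl=False, only_contains_attribute_certs=False)
        builder = builder.add_extension(idp, critical=idp_critical)
    return builder.sign(issuer_key, hashes.SHA256(), default_backend())


def has_cdp(cert):
    try:
        cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
        return True
    except x509.ExtensionNotFound:
        return False


def has_critical_idp(crl):
    try:
        return crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).critical
    except x509.ExtensionNotFound:
        return False


def matches_cause(intermediate_cert, crl):
    """Both CAUSE conditions: intermediate without a CDP, CRL with a critical IDP."""
    return not has_cdp(intermediate_cert) and has_critical_idp(crl)


def is_valid_reissue(old, new):
    """Second workaround: CDP present, same subject and key, later notBefore and notAfter."""
    return (has_cdp(new) and new.subject == old.subject
            and new.public_key().public_numbers() == old.public_key().public_numbers()
            and new.not_valid_before > old.not_valid_before
            and new.not_valid_after > old.not_valid_after)


def build_scenario():
    root_key, inter_key = new_key(), new_key()
    root = issue_ca_cert("Example Root CA", root_key, None, root_key, NOW - 730 * DAY, NOW + 3650 * DAY)
    # Condition 1: the intermediate certificate has no CDP extension.
    inter_old = issue_ca_cert("Example Intermediate CA", inter_key, root, root_key,
                              NOW - 365 * DAY, NOW + 1825 * DAY)
    # Condition 2: the parent CA's CRL carries a critical IDP extension.
    crl_critical_idp = issue_empty_crl(root, root_key, 7, idp_url=ROOT_IDP_URL, idp_critical=True)
    # Workaround 1: an empty, very long-lived CRL from the parent CA without the critical IDP.
    crl_long_lived = issue_empty_crl(root, root_key, 3650)
    # Workaround 2: reissue the intermediate with a CDP, same name and key, later validity.
    inter_new = issue_ca_cert("Example Intermediate CA", inter_key, root, root_key,
                              NOW - 1 * DAY, NOW + 1826 * DAY, cdp_url=INTERMEDIATE_CDP_URL)
    return {"root": root, "intermediate_old": inter_old, "intermediate_new": inter_new,
            "crl_critical_idp": crl_critical_idp, "crl_long_lived": crl_long_lived}


if __name__ == "__main__":
    s = build_scenario()
    print("triggers KB 841642 conditions:", matches_cause(s["intermediate_old"], s["crl_critical_idp"]))
    print("workaround 1 CRL revoked entries:", len(s["crl_long_lived"]))
    print("workaround 2 reissue acceptable:", is_valid_reissue(s["intermediate_old"], s["intermediate_new"]))
```

To install either artifact on the IIS computer, write its DER encoding (`public_bytes(serialization.Encoding.DER)` from `cryptography.hazmat.primitives.serialization`) to a .crl or .cer file and import it into the local computer store with the Certificates MMC snap-in or certutil. On later Windows versions, `certutil -verify -urlfetch` against the intermediate certificate shows whether the revocation checker can now locate a CRL for it. Keep in mind the trade-off the first workaround makes explicit: while the long-lived empty CRL is valid, revocation of certificates issued by the parent CA is not enforced on that host.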
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Modification Type: Major
Last Reviewed: 5/24/2004
Keywords: kbWebServices kbWebServer kbhttp kbprb KB841642 kbAudDeveloper