Remote key request generation affected by Schannel.dll (184311)
The information in this article applies to:
- Microsoft Internet Information Server 1.0
- Microsoft Internet Information Server 2.0
- Microsoft Internet Information Server 3.0
- Microsoft Internet Information Server 4.0
This article was previously published under Q184311
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
SYMPTOMS
When you install a certificate generated by the HTML-based Key Manager on a
Microsoft Internet Information Server computer, there is no indication of
an error. However, HTTPS access is not possible.
Turning off the "Require secure channel SSL" option in the Microsoft
Internet Service Manager, and stopping and restarting the service, will
enable access via HTTP.
CAUSE
The security strength of the Schannel.dll file that exists on the remote
computer where the key request was generated does not match the security
strength of the server on which the certificate is installed.
RESOLUTION
The security strength of the Schannel.dll file on the remote HTML
requesting computer must match the security strength of the Schannel.dll
file on the server that will use the generated certificate.
WORKAROUND
Although it is possible to generate a functional key request from a
computer other than the one on which it will be used, using the computer
that will eventually use the key to create the request will avoid security
mismatches. When you use remote HTML management, it is imperative to check
and match the versions of Schannel.dll. To do this, use the following
procedure:
- Open Windows NT Explorer on the computer creating the request file.
- Go to the <System root>\System32 subdirectory.
- Highlight the Schannel.dll file and open the Properties page. If the file
is not found, go to the Tools menu, select Options, and make sure that
the View All Files option is checked.
- Click the Version tab on the Schannel.dll properties page.
- Security strength is most easily identified from the description. If the description references "(Export)", the DLL is the 40-bit encryption version. If the description references "(US and Canada use only)", the DLL is the 128-bit encryption version.
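The same comparison can be scripted against copies of Schannel.dll taken from the requesting computer and the server. The Python below is an added example, not part of the original article: it assumes a 32-bit PE file with a Unicode version resource, the function names are hypothetical, and the sample descriptions are constructed.

```python
import struct

KEY = "FileDescription".encode("utf-16-le") + b"\x00\x00"  # szKey plus terminator

def file_description(pe_bytes: bytes) -> str:
    """Extract the FileDescription value from a PE file's version resource."""
    pos = pe_bytes.find(KEY)
    if pos < 6:
        raise ValueError("no FileDescription entry found")
    start = pos - 6                       # String header: wLength, wValueLength, wType
    (length,) = struct.unpack_from("<H", pe_bytes, start)
    value_at = pos + len(KEY)
    value_at += -(value_at - start) % 4   # Value is padded to a 32-bit boundary
    end = start + length
    if end <= value_at or end > len(pe_bytes):
        raise ValueError("malformed String entry")
    text = pe_bytes[value_at:end].decode("utf-16-le", errors="replace")
    return text.split("\x00")[0]

def strength(description: str) -> str:
    """Map the description to the strength named in the article."""
    d = description.lower()
    if "(export" in d:
        return "40-bit"
    if "(us and canada" in d:
        return "128-bit"
    return "unknown"

def compare(requester_dll: bytes, server_dll: bytes):
    """Return (requester strength, server strength, True if they match)."""
    a = strength(file_description(requester_dll))
    b = strength(file_description(server_dll))
    return a, b, a == b and a != "unknown"

def constructed_sample(description: str) -> bytes:
    """Constructed input: filler plus one String entry, not a real DLL."""
    value = (description + "\x00").encode("utf-16-le")
    pad = b"\x00" * (-(6 + len(KEY)) % 4)
    header = struct.pack("<3H", 6 + len(KEY) + len(pad) + len(value), len(value) // 2, 1)
    return b"MZ" + b"\x00" * 62 + header + KEY + pad + value

if __name__ == "__main__":
    # Constructed description strings containing the markers the article names.
    remote = constructed_sample("Sample Security Provider (Export)")
    server = constructed_sample("Sample Security Provider (US and Canada use only)")
    print(compare(remote, server))  # the mismatch described under CAUSE
```

For real files, pass the bytes of each computer's copy of Schannel.dll to compare(), for example as read with open(path, "rb").read().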
Modification Type: Minor | Last Reviewed: 3/31/2006
Keywords: kbprb KB184311