A few days back, one of my colleagues faced the above error when he accessed a web site hosted on a Windows Server 2008 SP2 machine with IIS 7 installed and configured. We were not sure what had changed, but the error was very crude and gave no information on what was causing it.
This is a simple web service application which requires client certificate authentication. With little or no information about what caused the issue, we started troubleshooting right from scratch.
Steps performed:
- Checked if Web Site works fine without SSL Certificate. [Works]
- Checked if Web Site works with SSL with Client Certificate – Ignore [Works]
- Checked if Web Site works with SSL with Client Certificate – Accept [Fails]
This confirmed that the issue was with iisClientCertificateMappingAuthentication configured on the Web Site.
IIS logfile shows:
2010-07-21 08:57:11 2001:4898:7020:3013:9c3f:99d:bf63:f5eb GET / - 443 - 2001:4898:7020:100f:b8e3:e41a:f1bf:bef5 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+InfoPath.3;+MS-RTC+LM+8;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729) 500 0 64 1071
Failed Request Tracing shows:
HTTPErr logfile shows:
2010-07-21 09:25:20 fe80::9c3f:99d:bf63:f5eb%12 55231 fe80::9c3f:99d:bf63:f5eb%12 443 HTTP/1.1 GET / - 1 Timer_SslRenegotiation DefaultAppPool
The issue now looked like the one described in KB977377, which states:
<snip>
Internet Information Services (IIS): In certain configurations, IIS using certificate client authentication, including certificate mapping scenarios, will be affected. Site-wide client certificate authentication will not be affected and will continue to function.
Internet Explorer: When you browse Web sites that require client certificate authentication, but not site-wide client certificate authentication, you may not successfully be able to connect.
</snip>
Checked the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\DisableRenegoOnServer 1
Resolution:
Since we wanted the application to work, we changed the value of DisableRenegoOnServer from 1 to 0. After restarting the server, client certificate authentication started working fine. On client machines where the patch is installed, you will need to change DisableRenegoOnClient from 1 to 0.
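As an added example (not from the original post), here is a small Python scanner over constructed HTTPERR log lines that counts reason codes and flags Timer_SslRenegotiation entries per site, the symptom seen above, so you can confirm the cause before touching the SCHANNEL registry value. The field order is assumed from the IIS 7 HTTPERR "#Fields" header.

```python
from collections import Counter

# Assumed HTTPERR field order on IIS 7 (from the #Fields header in
# C:\Windows\System32\LogFiles\HTTPERR); matches the line quoted above.
FIELDS = ("date", "time", "c_ip", "c_port", "s_ip", "s_port", "cs_version",
          "cs_method", "cs_uri", "sc_status", "s_siteid", "s_reason", "s_queuename")

RENEGO_REASON = "Timer_SslRenegotiation"


def parse_httperr_line(line):
    """Return one HTTPERR record as a dict, or None for comment/blank/malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")  # IPv6 zone ids contain '%' but never spaces
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def summarize_renegotiation(lines):
    """Count every reason code and single out Timer_SslRenegotiation per site id."""
    reasons = Counter()
    renego_by_site = Counter()
    for raw in lines:
        rec = parse_httperr_line(raw)
        if rec is None:
            continue
        reasons[rec["s_reason"]] += 1
        if rec["s_reason"] == RENEGO_REASON:
            renego_by_site[rec["s_siteid"]] += 1
    return {
        "reasons": dict(reasons),
        "renegotiation_by_site": dict(renego_by_site),
        "suspect_renego_disabled": bool(renego_by_site),
    }


# Constructed sample: the line quoted in the post plus two made-up entries.
SAMPLE_LOG = """#Software: Microsoft HTTP API 2.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2010-07-21 09:25:20 fe80::9c3f:99d:bf63:f5eb%12 55231 fe80::9c3f:99d:bf63:f5eb%12 443 HTTP/1.1 GET / - 1 Timer_SslRenegotiation DefaultAppPool
2010-07-21 09:25:41 fe80::9c3f:99d:bf63:f5eb%12 55240 fe80::9c3f:99d:bf63:f5eb%12 443 HTTP/1.1 GET / - 1 Timer_SslRenegotiation DefaultAppPool
2010-07-21 09:30:02 fe80::9c3f:99d:bf63:f5eb%12 55301 fe80::9c3f:99d:bf63:f5eb%12 80 - - - - - Timer_ConnectionIdle -
""".splitlines()

if __name__ == "__main__":
    report = summarize_renegotiation(SAMPLE_LOG)
    print(report)
    if report["suspect_renego_disabled"]:
        print("Timer_SslRenegotiation seen: check SCHANNEL\\DisableRenegoOnServer")
```

Point it at a real HTTPERR file with `summarize_renegotiation(open(path))`; a non-empty `renegotiation_by_site` on the site that fails with Client Certificate set to Accept is the signature described in this post.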
<UPDATE>
The issue with KB977377 is now fixed. Check out the updated security bulletin MS10-049; you will need to install KB980436 to address the SChannel vulnerability.
Hope this helps,
Vivek Kumbhar
Quote of the day:
College isn't the place to go for ideas. - Helen Keller