KnowledgeBase Archive

An Archive of Early Microsoft KnowledgeBase Articles


Q184311: Remote Key Request Generation Affected by Schannel.dll

Article: Q184311
Product(s): Internet Information Server
Version(s): WINNT:1.0,2.0,3.0,4.0
Operating System(s): 
Keyword(s): 
Last Modified: 06-MAY-1999

-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Internet Information Server versions 1.0, 2.0, 3.0, 4.0 
-------------------------------------------------------------------------------

SYMPTOMS
========

When you install a certificate that was generated by the HTML-based Key Manager
on a Microsoft Internet Information Server computer, there is no indication of
an error. However, HTTPS access is not possible. Turning off the "Require
secure channel SSL" option in the Microsoft Internet Service Manager, and
stopping and restarting the service, enables access via HTTP.

CAUSE
=====

The security strength of the Schannel.dll file that exists on the remote
computer where the key request was generated does not match the security
strength of the server on which the certificate is installed.

RESOLUTION
==========

The security strength of the Schannel.dll file on the remote HTML requesting
computer must match the security strength of the Schannel.dll file on the server
that will use the generated certificate.

WORKAROUND
==========

Although it is possible to generate a functional key request from a computer
other than the one on which it will be used, using the computer that will
eventually use the key to create the request will avoid security mismatches.
When you use remote HTML management, it is imperative to check and match the
versions of Schannel.dll. To do this, use the following procedure:

1. Open Windows NT Explorer on the computer creating the request file.

2. Go to the <System root>\System32 subdirectory.

3. Highlight the Schannel.dll file and open the Properties page. If the file is
  not found, go to the Tools menu, open Options, and make sure that the View
  All Files option is checked.

4. Click the Version tab on the Schannel.dll properties page.

5. Security strength is most easily determined from the description. If the
  description references "(Export)," then the DLL is the 40-bit encryption
  version. If the description references "(US and Canada," then the DLL is the
  128-bit encryption version. (Note: The missing right bracket on the US and
  Canada version is not a typographical error.)
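
The same check can be scripted against copies of Schannel.dll taken from the requesting computer and the server. The following is an added example, not part of the original article: it scans each file for the UTF-16LE FileDescription string of the version resource (a byte scan, not a full PE parser) and applies the rule from step 5. The function names and the sample descriptions are constructed for illustration.

```python
import sys

KEY = "FileDescription".encode("utf-16-le")

def file_description(blob):
    """Return the FileDescription value found in a version resource, or None."""
    start = blob.find(KEY)
    if start < 0:
        return None
    pos = start + len(KEY)
    # Skip the key's NUL terminator and the zero padding that aligns the value.
    while blob[pos:pos + 2] == b"\x00\x00":
        pos += 2
    end = pos
    # The value is NUL-terminated UTF-16LE text.
    while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[pos:end].decode("utf-16-le", errors="replace") or None

def strength(description):
    """Map a description to the strength named in step 5 of the article."""
    if description and "(Export)" in description:
        return "40-bit"
    if description and "(US and Canada" in description:  # no closing bracket
        return "128-bit"
    return "unknown"

def compare(requester, server):
    """Return (requester strength, server strength, whether they match)."""
    a = strength(file_description(requester))
    b = strength(file_description(server))
    return a, b, a == b and a != "unknown"

def _sample(description):
    # Constructed bytes shaped like one version-resource string, not a real DLL.
    value = description.encode("utf-16-le") + b"\x00\x00"
    return b"MZ" + b"\x90" * 4 + KEY + b"\x00" * 4 + value + b"\x00" * 8

SAMPLE_EXPORT = _sample("Constructed sample description (Export)")
SAMPLE_DOMESTIC = _sample("Constructed sample description (US and Canada")

if __name__ == "__main__":
    if len(sys.argv) == 3:  # two paths: requesting computer's copy, server's copy
        blobs = []
        for path in sys.argv[1:3]:
            with open(path, "rb") as handle:
                blobs.append(handle.read())
    else:
        blobs = [SAMPLE_EXPORT, SAMPLE_DOMESTIC]
    req, srv, ok = compare(*blobs)
    print(f"requesting computer: {req}; server: {srv}; match: {ok}")
```

A result of "unknown" means the description contained neither marker, and the pair is then reported as not matching.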

======================================================================
Keywords          :  
Technology        : kbiisSearch kbiis400 kbiis300 kbiis200 kbiis100
Version           : WINNT:1.0,2.0,3.0,4.0
Issue type        : kbprb

=============================================================================


Copyright Microsoft Corporation 1986-2002.