Article ID: 937687 - Last Review: July 11, 2007 - Revision: 1.0

Web clients cannot resume SSL sessions or TLS sessions with IIS 6.0

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://support.microsoft.com/kb/256986/) Description of the Microsoft Windows registry

SYMPTOMS

Web clients intermittently cannot resume Secure Sockets Layer/Transport Layer Security (SSL/TLS) sessions with Internet Information Services (IIS) 6.0. When the failure occurs, clients must renegotiate the SSL/TLS session, and a new session ID is assigned.

This issue primarily affects Web server farms if the following conditions are true:
  • The Web server farms are behind SSL load balancers.
  • The SSL load balancers use the SSL/TLS session ID to route traffic to specific servers.
Single Web server scenarios experience minimal effect.

CAUSE

This problem occurs because IIS 6.0 purges SSL/TLS session IDs from the session ID cache table.

IIS 6.0 maintains objects in memory to track each incoming Web connection. After five minutes of idle time, these objects are destroyed to reclaim resources. During this process, IIS purges the SSL/TLS session ID that the operating system caches from the session ID cache table. IIS also purges all the connection information that is negotiated between the client and the server. When a client tries to resume an SSL/TLS session by using the previous session ID, the server cannot locate the connection information in the cache. Therefore, the client must renegotiate the connection. Additionally, the client must obtain a new session ID.

RESOLUTION

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this problem, enable Kernel Mode SSL on each server that is running IIS 6.0. To do this, follow these steps:
  1. Start Registry Editor.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
  3. Create the following registry entry under this subkey:
    • Name: EnableKernelSSL
    • Value type: REG_DWORD
    • Value data: 0x1

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

The Windows operating system maintains an SSL/TLS Session ID cache table. Windows maintains this table as a First In/First Out (FIFO) list. The default value is 10,000 entries. Entries have a maximum lifetime of ten hours if the entries are not purged from the list in favor of newer entries. The Session ID cache table has the following configurable settings:
  • To change the maximum number of entries in the Session ID cache table, locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    Create the following registry entry under this subkey:
    • Name: MaximumCacheSize
    • Value type: REG_DWORD
    When you set the value for the MaximumCacheSize registry key to 0, the server-side session cache is disabled. Therefore, Web clients cannot reconnect to an SSL/TLS session. When you set the value of the MaximumCacheSize registry key to a number that is larger than the default value of 10,000, the Lsass.exe file consumes additional memory. Each session cache element typically requires 2-4 kilobytes (KB) of memory.
  • To change the maximum lifetime of the cache entries, locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    Create the following registry entry under this subkey:
    • Name: ServerCacheTime
    • Value type: REG_DWORD
    • Value data: The number of milliseconds that you want the cache entries to exist
    When you set the value for the ServerCacheTime registry key to 0, the server-side session cache is disabled. Therefore, Web clients cannot reconnect to an SSL/TLS session. When you set the value of the ServerCacheTime registry key to a number that is larger than the default value of 36,000,000 milliseconds (ten hours), the Lsass.exe file consumes additional memory. Each session cache element typically requires 2-4 KB of memory.
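
The registry change in RESOLUTION and the cache settings in MORE INFORMATION can be checked together on each farm server. The following PowerShell is an added example, not part of the original Microsoft article; the function names are illustrative, and it assumes PowerShell is installed on the server and the script runs in an administrator session.

```powershell
# Added example (not from the KB article); function names are illustrative.
$HttpKey     = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
$SchannelKey = 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the subkey or the entry is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Get-SslResumeAudit {
    $kernelSsl = Get-RegDword $HttpKey 'EnableKernelSSL'
    $size      = Get-RegDword $SchannelKey 'MaximumCacheSize'
    $time      = Get-RegDword $SchannelKey 'ServerCacheTime'

    # An absent entry means the defaults stated in the article apply.
    $effSize = if ($null -ne $size) { $size } else { 10000 }
    $effTime = if ($null -ne $time) { $time } else { 36000000 }

    $findings = @()
    if ($kernelSsl -ne 1) {
        $findings += 'EnableKernelSSL is not 0x1: IIS 6.0 may purge session IDs after 5 idle minutes'
    }
    if ($effSize -eq 0) { $findings += 'MaximumCacheSize is 0: server-side session cache disabled' }
    if ($effTime -eq 0) { $findings += 'ServerCacheTime is 0: server-side session cache disabled' }
    if ($effSize -gt 10000) {
        # Article figure: 2-4 KB per cache element, held in Lsass.exe.
        $findings += "Cache above default: about $($effSize * 2)-$($effSize * 4) KB in Lsass.exe when full"
    }

    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        EnableKernelSSL   = $kernelSsl
        MaximumCacheSize  = $effSize
        ServerCacheTimeMs = $effTime
        Findings          = $findings
    }
}

function Enable-KernelSsl {
    # Step 3 of RESOLUTION: create EnableKernelSSL (REG_DWORD) = 0x1.
    New-ItemProperty -Path $HttpKey -Name 'EnableKernelSSL' -PropertyType DWord -Value 1 -Force | Out-Null
}

Get-SslResumeAudit | Format-List
```

The script only reads the registry when run as written; call Enable-KernelSsl separately on the servers where the EnableKernelSSL finding appears.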

REFERENCES

For more information about SSL/TLS registry settings and tools, visit the following Microsoft Web site:
http://technet2.microsoft.com/windowsserver/en/library/3f98fdd9-ed64-49f7-9c20-a2d4581dfbea1033.mspx?mfr=true
For more information about Kernel-Mode SSL in IIS 6.0, visit the following Microsoft Web site:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/d5521f19-4f73-48b2-a6e7-fc5a88880d1b.mspx?mfr=true

APPLIES TO
  • Microsoft Internet Information Services 6.0
Keywords: kbtshoot kbprb KB937687